Subnet as trusted proxies?

Hello everyone,

I carefully followed the documentation here to configure my nginx for HA (https://www.home-assistant.io/docs/ecosystem/nginx/).

The problem I have is that I have nginx running in containers in a swarm. Basically, I have 5 nodes running nginx in containers.

BTW, HA is also running in my swarm (if anyone needs information on that I can help with the macvlan, how to discover the server, or how to register the IP in DNS leveraging Bonjour).

HA works solidly when accessing it with its IP. Through NGINX, outside or inside my LAN (hairpin for inside), I got a lot of 502 responses. After some investigation I understood that it might be because I need to whitelist the NGINX proxy in the HA configuration.

Did that with the 5 IPs (my 5 nginx). The situation is much better. I still get some 502s here and there, but they are pretty rare. I still have some issues sometimes between LTE and Wi-Fi, but I guess this is tied to the tokens (not sure; it seems better with recent releases).

The problem: those IPs (nginx proxies) are not fixed. In swarm I may run one or more nginx servers per node, and even with just one per node, it gets its IP dynamically.

The situation is even worse when there is a redirection from the ingress network.

Question is: can we whitelist a complete subnet instead of a list of IPs? Or is there another way to allow any proxy? Or do you have any suggestion apart from installing another nginx proxy somewhere else in the network?

Any help would be appreciated!
Thank you and have a nice weekend,

Torpi


So, I was finally able to do a quick hack before I propose a PR. I changed the real_ip.py file here:
Instead of:

and any(
    connected_ip in trusted_proxy for trusted_proxy in trusted_proxies
)

I did a hack to check if the IP is part of the subnet.
An even dirtier hack, if you want to validate it on your side, is to comment out those 3 lines.

Initial:

# Only use the XFF header if enabled, present, and from a trusted proxy
try:
    if (
        use_x_forwarded_for
        and X_FORWARDED_FOR in request.headers
        and any(
            connected_ip in trusted_proxy for trusted_proxy in trusted_proxies
        )
    ):
        request[KEY_REAL_IP] = ip_address(
            request.headers.get(X_FORWARDED_FOR).split(", ")[-1]
        )
except ValueError:
    pass

The last problem I have is the first connection with the mobile app. I get a 502 Bad Gateway when I try to connect for the first time. Connecting inside the network with the IP of HA works, and then I can change the config to connect through nginx and it works like a charm. Not sure what is done at the first connection, but I will investigate later.
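The subnet check discussed in this thread, as an added example that is not Home Assistant's real_ip.py and not the poster's patch: it uses the standard library's ipaddress module so that a whole swarm overlay subnet can be trusted instead of a list of host IPs, and it walks the X-Forwarded-For header from the right so that a value supplied by the client cannot spoof the address the server records. The subnets 10.0.0.0/24 and 172.18.0.0/16, and the function and constant names, are assumptions for illustration.

```python
# Added example (not Home Assistant's code). The subnets below are assumed
# placeholders for the swarm ingress/overlay networks the nginx replicas live in.
from ipaddress import IPv4Address, IPv6Address, ip_address, ip_network
from typing import List, Optional, Union

IPAddr = Union[IPv4Address, IPv6Address]

# Trusting a network instead of host addresses means an nginx replica that
# picks up a new dynamic IP inside the subnet is still accepted as a proxy.
TRUSTED_PROXIES = [ip_network("10.0.0.0/24"), ip_network("172.18.0.0/16")]


def is_trusted_proxy(connected_ip: IPAddr, trusted_proxies=TRUSTED_PROXIES) -> bool:
    """True if the TCP peer lies inside any trusted proxy subnet.

    ip_network's membership test does the prefix comparison, so a /32 host and a
    /24 are configured the same way; an IPv6 address tested against an IPv4
    network simply compares False.
    """
    return any(connected_ip in net for net in trusted_proxies)


def real_ip(connected_ip: IPAddr, x_forwarded_for: Optional[str],
            trusted_proxies=TRUSTED_PROXIES) -> IPAddr:
    """Return the client address a reverse-proxy-aware server should log.

    The header is honoured only when the direct peer is a trusted proxy. The
    hop list is then walked from the right: trailing trusted-proxy addresses are
    skipped and the first untrusted hop wins, so anything a client prepended on
    the left is ignored. A malformed entry falls back to the connected address.
    """
    if not x_forwarded_for or not is_trusted_proxy(connected_ip, trusted_proxies):
        return connected_ip
    try:
        hops: List[IPAddr] = [ip_address(h.strip()) for h in x_forwarded_for.split(",")]
    except ValueError:
        return connected_ip
    for hop in reversed(hops):
        if not is_trusted_proxy(hop, trusted_proxies):
            return hop
    return connected_ip  # every hop was a proxy; nothing better to report


if __name__ == "__main__":
    # Constructed sample: peer is an nginx replica at 10.0.0.7 in the trusted
    # subnet, the real client is 203.0.113.9, and one more replica sits between.
    print(real_ip(ip_address("10.0.0.7"), "203.0.113.9, 10.0.0.5"))
```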