SWAG Reverse-proxy : can't pass login page

Hi !
I’ve installed a Swag reverse-proxy in a docker container on an Intel NUC Server (@IP 192.168.1.101 port 443)
I have HAOS running on a Raspberry Pi 4 (@IP 192.168.1.200 port 8123).
I use swag with DuckDNS and Let’s Encrypt for certificates.

My problem is that I can get to my HA server through my reverse-proxy from the internet using https://homeassistant.mydomain.duckdns.org but it works just for the login page.
As soon as I try to authenticate with my login/password, I get a page with HA logo and message “Unable to connect to Home Assistant. Retrying in XX seconds…”.

What I can see in SWAG Error log (multiple lines like this) :

2024/03/20 12:03:32 [error] 429#429: *13 homeassistant could not be resolved (3: Host not found), client: 192.168.1.254, server: ha-serverseb.*, request: "GET /api/websocket HTTP/1.1", host: "ha-serverseb.mydomain.duckdns.org"

My SWAG homeassistant.subdomain.conf

server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;

    server_name ha-serverseb.*;

    include /config/nginx/ssl.conf;

    client_max_body_size 0;

    # enable for ldap auth (requires ldap-location.conf in the location block)
    #include /config/nginx/ldap-server.conf;

    # enable for Authelia (requires authelia-location.conf in the location block)
    #include /config/nginx/authelia-server.conf;

    # enable for Authentik (requires authentik-location.conf in the location block)
    #include /config/nginx/authentik-server.conf;

    location / {
        # enable the next two lines for http auth
        #auth_basic "Restricted";
        #auth_basic_user_file /config/nginx/.htpasswd;

        # enable for ldap auth (requires ldap-server.conf in the server block)
        #include /config/nginx/ldap-location.conf;

        # enable for Authelia (requires authelia-server.conf in the server block)
        #include /config/nginx/authelia-location.conf;

        # enable for Authentik (requires authentik-server.conf in the server block)
        #include /config/nginx/authentik-location.conf;

        include /config/nginx/proxy.conf;
        include /config/nginx/resolver.conf;
        set $upstream_app 192.168.1.200;
        set $upstream_port 8123;
        set $upstream_proto http;
        proxy_pass $upstream_proto://$upstream_app:$upstream_port;

    }

    location ~ ^/(api|local|media)/ {
        include /config/nginx/proxy.conf;
        include /config/nginx/resolver.conf;
        set $upstream_app homeassistant;
        set $upstream_port 8123;
        set $upstream_proto http;
        proxy_pass $upstream_proto://$upstream_app:$upstream_port;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}

In my HA config.yaml

http:
  use_x_forwarded_for: true
  trusted_proxies:
    - 0.0.0.0/0

This seems wrong.

Look in the HA error log for the correct setting. I know 0.0.0.0/0 means all possible IP4 addresses, but don’t know if HA accepts it.

Hi francisp,

I looked in my HA log and here is what I get :

Enregistreur: homeassistant.components.http.ban
Source: components/http/ban.py:128
intégration: HTTP (documentation, problèmes)
S'est produit pour la première fois: 14:31:30 (4 occurrences)
Dernier enregistrement: 14:35:04

Login attempt or request with invalid authentication from 192.168.1.254 (192.168.1.254). Requested URL: '/auth/token'. (Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36)

I checked the HTTP HA doc, which says:

trusted_proxies string | list (optional)
List of trusted proxies, consisting of IP addresses or networks, 
that are allowed to set the X-Forwarded-For header. 
This is required when using use_x_forwarded_for because 
all requests to Home Assistant, regardless of source, 
will arrive from the reverse proxy IP address. 
Therefore in a reverse proxy scenario, this option should 
be set with extreme care. If the immediate upstream proxy 
is not in the list, the request will be rejected.
If any other intermediate proxy is not in the list, 
the first untrusted proxy will be considered the client.

But I can’t figure out what I need to do.
I tried this:

trusted_proxies:
    - 192.168.1.0/24

But still the same result
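A model of the rule in the documentation quoted above, added here as an example; it is not Home Assistant's code or code from any poster in this thread. It goes a little beyond the thread by comparing `0.0.0.0/0` with a narrow list. The function name `resolve_client`, the two non-LAN addresses, and the fallback when every hop is trusted are assumptions.

```python
from ipaddress import ip_address, ip_network


def resolve_client(peer, x_forwarded_for, trusted_proxies):
    """Return the address treated as the client, or None if rejected."""
    nets = [ip_network(n) for n in trusted_proxies]

    def trusted(addr):
        return any(ip_address(addr) in net for net in nets)

    try:
        # Rule 1: the immediate upstream (TCP peer) must be trusted.
        if not trusted(peer):
            return None
        hops = [h.strip() for h in x_forwarded_for.split(",") if h.strip()]
        # Rule 2: walking back from the nearest hop, the first untrusted
        # address is considered the client.
        for hop in reversed(hops):
            if not trusted(hop):
                return hop
    except ValueError:
        return None  # assumption: an unparsable address rejects the request
    # Assumption: if every hop is trusted, the left-most entry (or the peer
    # when the header is empty) is taken as the client.
    return hops[0] if hops else peer


SWAG = "192.168.1.101"    # reverse proxy address from the first post
REAL = "203.0.113.7"      # constructed: the browser's real address
FORGED = "198.51.100.9"   # constructed: value the browser wrote in the header
# nginx's $proxy_add_x_forwarded_for appends the real peer address to any
# X-Forwarded-For header the client already sent.
HEADER = f"{FORGED}, {REAL}"

if __name__ == "__main__":
    for trusted_list in (["0.0.0.0/0"], ["192.168.1.0/24"], [SWAG]):
        print(trusted_list, "->", resolve_client(SWAG, HEADER, trusted_list))
```

In this model, `0.0.0.0/0` makes the client address whatever the browser wrote in the header, while listing only the proxy keeps it tied to the address nginx actually saw.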

Try

trusted_proxies:
  - 192.168.1.254

Could it be that 192.168.1.254 is added in the ip_bans.yaml as a banned address?

I finally found what was wrong.

In the second “location” block, I wrote “homeassistant” instead of the ip address :face_with_peeking_eye:
