SWAG Reverse-proxy : can't pass login page

Hi !
I’ve installed a Swag reverse-proxy in a docker container on an Intel NUC Server (@IP port 443)
I have HAOS running on a Raspberry Pi 4 (@IP port 8123).
I use swag witch DuckDNS and Let’s Encrypt for certificates.

My problem is that I can get to my HA server through my reverse-proxy from the internet using https://homeassistant.mydomain.duckdns.org but it works just for the login page.
As soon as I try to authenticate with my login/password, I get a page with HA logo and message “Unable to connect to Home Assistant. Retrying in XX seconds…”.

What I can see in SWAG Error log (multiple lines like this) :

2024/03/20 12:03:32 [error] 429#429: *13 homeassistant could not be resolved (3: Host not found), client:, server: ha-serverseb.*, request: "GET /api/websocket HTTP/1.1", host: "ha-serverseb.mydomain.duckdns.org"

My SWAG homeassistant.subdomain.conf

server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;

    server_name ha-serverseb.*;

    include /config/nginx/ssl.conf;

    client_max_body_size 0;

    # enable for ldap auth (requires ldap-location.conf in the location block)
    #include /config/nginx/ldap-server.conf;

    # enable for Authelia (requires authelia-location.conf in the location block)
    #include /config/nginx/authelia-server.conf;

    # enable for Authentik (requires authentik-location.conf in the location block)
    #include /config/nginx/authentik-server.conf;

    location / {
        # enable the next two lines for http auth
        #auth_basic "Restricted";
        #auth_basic_user_file /config/nginx/.htpasswd;

        # enable for ldap auth (requires ldap-server.conf in the server block)
        #include /config/nginx/ldap-location.conf;

        # enable for Authelia (requires authelia-server.conf in the server block)
        #include /config/nginx/authelia-location.conf;

        # enable for Authentik (requires authentik-server.conf in the server block)
        #include /config/nginx/authentik-location.conf;

        include /config/nginx/proxy.conf;
        include /config/nginx/resolver.conf;
        set $upstream_app;
        set $upstream_port 8123;
        set $upstream_proto http;
        proxy_pass $upstream_proto://$upstream_app:$upstream_port;


    location ~ ^/(api|local|media)/ {
        include /config/nginx/proxy.conf;
        include /config/nginx/resolver.conf;
        set $upstream_app homeassistant;
        set $upstream_port 8123;
        set $upstream_proto http;
        proxy_pass $upstream_proto://$upstream_app:$upstream_port;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

In my HA config.yaml

  use_x_forwarded_for: true

This seems wrong.

Look in the HA error log for the correct setting. I know means all possible IP4 addresses, but don’t know if HA accepts it.

Hi francisp,

I looked in my HA log and here is what I get :

Enregistreur: homeassistant.components.http.ban
Source: components/http/ban.py:128
intégration: HTTP (documentation, problèmes)
S'est produit pour la première fois: 14:31:30 (4 occurrences)
Dernier enregistrement: 14:35:04

Login attempt or request with invalid authentication from ( Requested URL: '/auth/token'. (Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/ Safari/537.36)

I check the Http HA doc wich says :

trusted_proxies string | list (optional)
List of trusted proxies, consisting of IP addresses or networks, 
that are allowed to set the X-Forwarded-For header. 
This is required when using use_x_forwarded_for because 
all requests to Home Assistant, regardless of source, 
will arrive from the reverse proxy IP address. 
Therefore in a reverse proxy scenario, this option should 
be set with extreme care. If the immediate upstream proxy 
is not in the list, the request will be rejected.
If any other intermediate proxy is not in the list, 
the first untrusted proxy will be considered the client.

But I can’t figure what I need to do.
I trieds this :


But still the same result



Could it be that is added in the ip_bans.yaml as a banned address?

I finbally find what was wrong.

In the second “location” block, I wrote “homeassistant” instead of the ip address :face_with_peeking_eye:

1 Like