Trusted networks allowed into HA from non trusted IP

I have upgraded to 77.3 and set my trusted networks as per below. I also use NGINX to handle SSL to my two HA instances. I used my cell to log off from wifi and used my cell data to get a non-trusted IP. (It was an IPv6 IP when I checked.) When I go to my SSL HA URL, I can use trusted network and my user to log in without a password.

Any help would be appreciated as I need SSL HA exposed to Google / Amazon.

http:
  server_port: 8123
  api_password: !secret api_password
  cors_allowed_origins:
    - https://google.com
    - https://home-assistant.io
  trusted_networks:
    - 127.0.0.1
    - 192.168.2.0/24
    - 192.168.0.0/24

Your nginx server is presumably on either 192.168.2.x or 192.168.0.x, which means all incoming connections via nginx will be from the trusted network.
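The cause given in this reply, as an added example that is not part of the thread and is not Home Assistant's own code: a trust check on the TCP peer always sees the proxy, while a proxy-aware check evaluates the address the proxy recorded. Assumptions: the proxy address 192.168.0.10, the sample client addresses, the function names, and that the proxy appends the address it saw as the last `X-Forwarded-For` entry.

```python
import ipaddress

# trusted_networks values from the configuration posted above
TRUSTED_NETWORKS = [ipaddress.ip_network(n) for n in
                    ("127.0.0.1", "192.168.2.0/24", "192.168.0.0/24")]

# Constructed for illustration: the address the nginx host is assumed to have
PROXY_ADDRS = {ipaddress.ip_address("192.168.0.10")}


def in_trusted_network(ip):
    """True when ip falls inside any configured trusted network."""
    addr = ipaddress.ip_address(ip)  # raises ValueError on malformed input
    return any(addr in net for net in TRUSTED_NETWORKS)


def naive_is_trusted(peer_ip, forwarded_for=None):
    """Decide on the TCP peer only; behind a proxy that is always the proxy."""
    return in_trusted_network(peer_ip)


def client_ip(peer_ip, forwarded_for=None):
    """Return the address to evaluate.

    X-Forwarded-For is honoured only when the peer is a known proxy, so a
    direct client cannot claim a LAN address by sending the header itself.
    The last entry is used because that is the one the proxy appended.
    """
    if ipaddress.ip_address(peer_ip) in PROXY_ADDRS and forwarded_for:
        return forwarded_for.split(",")[-1].strip()
    return peer_ip


def proxy_aware_is_trusted(peer_ip, forwarded_for=None):
    """Evaluate the real client; fail closed on missing or malformed headers."""
    if ipaddress.ip_address(peer_ip) in PROXY_ADDRS and not forwarded_for:
        return False
    try:
        return in_trusted_network(client_ip(peer_ip, forwarded_for))
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed request: mobile-data client (IPv6) arriving through nginx
    print("naive:      ", naive_is_trusted("192.168.0.10", "2001:db8::1"))
    print("proxy-aware:", proxy_aware_is_trusted("192.168.0.10", "2001:db8::1"))
```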

Thanks. I confirmed that is the reason. I removed the trusted network where nginx runs and it gave the old HA screen. This might be noted somewhere, as if I didn’t check, my HA would have been exposed with the 77.0 upgrade.

Any suggestions on how to change my trusted networks so nginx is excluded but not the rest of the IPs? I guess I want to trust all 192.168.0.0 (my nginx) except port 443.


Don’t use trusted networks. Use the api_key in the header. Change your nginx config to add the header when it calls HA.


Thanks for pointing in the right direction
