use_x_forwarded_for: True
Using reverse proxy - Bypassed Login
Without reverse proxy - Bypassed Login
Test2:
use_x_forwarded_for: False
Using reverse proxy - Bypassed Login
Without reverse proxy - No bypass
Test3:
No use_x_forwarded_for in configuration file at all
Using reverse proxy - Bypassed Login
Without reverse proxy - No bypass
The bypass is caused when using reverse proxy (which most users configure in order to secure connection with SSL)
The documentation is vague (for a non-technical user):
trusted_networks (Optional): List of trusted networks, consisting of IP addresses or networks, that are allowed to bypass password protection when accessing Home Assistant. It should be noted that if you use a reverse proxy, all requests to Home Assistant, regardless of source, will arrive from the reverse proxy IP address. Therefore in a reverse proxy scenario this option should be used with extreme care.
I am sorry but this is vague and it should be highlighted in BOLD RED with an exclamation mark as a warning
So it seems that if you are using reverse proxy you should not enable trusted networks.
You should only enable this in a trustworthy network environment, as clients passing that header could easily spoof their source IP address. Defaults to False.
Which is the exact opposite of what you’re saying, @NightRanger?
If you are using trusted networks you must add the “use_x_forwarded_for” to your configuration in order to prevent someone from spoofing your trusted network.
The documentation is confusing and not explaining the security risks properly it’s just a side note.
Without the use_x_forwarded_for setting in the config file i was able to bypass the login by spoofing the IP of a trusted network in the X-Forwarded-For header well maybe it should be false but it worked with true as well strange…
Anyway I’ll do some more tests and will update this post
That’s why I edited my post, it looks like it behaves differently when using reverse proxy so maybe that’s why I was able to login to my HASS instance without a password from a different network with spoofed address.
I’ll do more tests without the reverse proxy later and will post the results
use_x_forwarded_for: True
Using reverse proxy - Bypassed Login
Without reverse proxy - Bypassed Login
Test2:
use_x_forwarded_for: False
Using reverse proxy - Bypassed Login
Without reverse proxy - No bypass
Test3:
No use_x_forwarded_for in configuration file at all
Using reverse proxy - Bypassed Login
Without reverse proxy - No bypass
So basically it matches the documentation and I was mistaken, the bypass is caused when using reverse proxy (which most users configure in order to secure connection with SSL)
The documentation is vague (for a non-technical user):
trusted_networks (Optional): List of trusted networks, consisting of IP addresses or networks, that are allowed to bypass password protection when accessing Home Assistant. It should be noted that if you use a reverse proxy, all requests to Home Assistant, regardless of source, will arrive from the reverse proxy IP address. Therefore in a reverse proxy scenario this option should be used with extreme care.
I am sorry but this is vague and it should be highlighted in BOLD RED with an exclamation mark as a warning
So it seems that if you are using reverse proxy you should not enable trusted networks.