I wanted to share my findings on an issue which took me a while to figure out.
Installation of Home Assistant via docker on my home server, configured behind an NGINX reverse proxy with domain name and SSL certificate installed.
After a few weeks of all working fine, access to the home assistant frontend stopped working.
Even after clearing all cached data, from the browser side, no useful logs at all:
- Browser displaying a generic error: “Unable to connect to Home Assistant.”
- Browser debugging tools just showing a generic error with no details:
WebSocket connection to 'wss://domain.com/api/websocket' failed:
Direct connection via IP address in HTTP was working fine - only access via DNS name was failing.
Activating the HASS debug logs and neither HASS or NGINX logs were explaining the issue.
-
NGINX logs:
"GET /api/websocket HTTP/1.1" 101 51 "-"
So NGINX showing the server agreed to the request to switch protocol - then no sign of life -
HASS logs:
DEBUG (MainThread) [homeassistant.components.websocket_api.http.connection] [140705615395808] Connected from XXX.XXX.XXX.XXX
DEBUG (MainThread) [homeassistant.components.websocket_api.http.connection] [140705615395808] Sending {"type": "auth_required", "ha_version": "2022.2.2"}
INFO (MainThread) [homeassistant.components.websocket_api.http.connection] [140705615395808] Connection closed by client
DEBUG (MainThread) [homeassistant.components.websocket_api.http.connection] [140705615395808] Disconnected
I looked on the various forum post about the recommendations and all I found were already implemented on my configuration or having no effect.
I finally realized that the IP HASS was claiming the connection was coming from in the logs: XXX.XXX.XXX.XXX - was not my computer local IP address (my computer and my server were connected on the same LAN so this looked fishy).
Quick search on the source IP made me realized that the computer I was using was actually protected by Netskope (IP was identified as ASN Netskope Inc) - all traffic from this computer was going through Netskope and Netskope re-route it to my server.
And most likely Netskope see the websocket as a threat and blocks it: browser tries to connect to the websocket, server reply positively to websocket request, but Netskope being a man in the middle in the connection detects the Websocket connection change and close the connection.
Tried from another computer not protected by Netskope and it works like a charm!
I can’t/don’t plan to deactivate Netskope from this computer so I would just use another computer to connect to HASS.
I wanted to share in case someone would face the same issue than me and would hence take less time to identify the root cause of this issue thanks to the steps I followed!