Unable to connect to Home Assistant - Nginx

I have nginx with a reverse proxy installed to access my HA frontend. Unfortunately, I’m getting an error when trying to log in; no matter whether I use trusted networks or a username and password, I can’t connect. Accessing the frontend directly and skipping nginx via https://hass.router.lan:8123 works as expected (hass.router.lan gets resolved to the internal IP address). I have searched for this problem, of course, and have implemented everything as described in the numerous threads, but it’s still not working.

My nginx.conf:

map $http_upgrade $connection_upgrade {
  default upgrade;
  '' close;
}

upstream hass {
  server localhost:8123;
}

server {
  listen 443 ssl;
  listen [::]:443 ssl;
  server_name hass.router.lan;
  ssl_session_cache shared:SSL:32k;
  ssl_session_timeout 64m;
  ssl_certificate /mnt/data/certs/hass-server/hass-server.crt;
  ssl_certificate_key /mnt/data/certs/hass-server/hass-server.key;
  location / {
    proxy_pass https://hass;
    proxy_set_header HOST $host;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection $connection_upgrade;
  }
}

My configuration.yaml:

# Configure a default setup of Home Assistant (frontend, api, etc)
default_config:

# No login needed if connected from internal lan
homeassistant:
  auth_providers:
    - type: homeassistant
    - type: trusted_networks
      trusted_networks:
        - 127.0.0.1
        - ::1
        - 192.168.3.0/24
      allow_bypass_login: true

# Text to speech
tts:
  - platform: google_translate

# Certificate for https access
http:
  ssl_certificate: /certs/hass-server/hass-server.crt
  ssl_key: /certs/hass-server/hass-server.key
  use_x_forwarded_for: true
  trusted_proxies:
    - 127.0.0.1
    - ::1

group: !include groups.yaml
automation: !include automations.yaml
script: !include scripts.yaml
scene: !include scenes.yaml

I’m getting two different errors in the log:

2021-06-06 12:37:59 ERROR (MainThread) [aiohttp.server] Unhandled exception
Traceback (most recent call last):
  File "/usr/local/lib/python3.8/asyncio/base_events.py", line 1152, in _sendfile_fallback
    read = await self.run_in_executor(None, file.readinto, view)
asyncio.exceptions.CancelledError

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/usr/local/lib/python3.8/site-packages/aiohttp/web_protocol.py", line 485, in start
    resp, reset = await task
  File "/usr/local/lib/python3.8/site-packages/aiohttp/web_protocol.py", line 440, in _handle_request
    reset = await self.finish_response(request, resp, start_time)
  File "/usr/local/lib/python3.8/site-packages/aiohttp/web_protocol.py", line 591, in finish_response
    await prepare_meth(request)
  File "/usr/local/lib/python3.8/site-packages/aiohttp/web_fileresponse.py", line 241, in prepare
    return await self._sendfile(request, fobj, offset, count)
  File "/usr/local/lib/python3.8/site-packages/aiohttp/web_fileresponse.py", line 96, in _sendfile
    await loop.sendfile(transport, fobj, offset, count)
  File "/usr/local/lib/python3.8/asyncio/base_events.py", line 1131, in sendfile
    return await self._sendfile_fallback(transport, file,
  File "/usr/local/lib/python3.8/asyncio/base_events.py", line 1161, in _sendfile_fallback
    await proto.restore()
  File "/usr/local/lib/python3.8/asyncio/base_events.py", line 263, in restore
    self._transport.resume_reading()
  File "/usr/local/lib/python3.8/asyncio/sslproto.py", line 344, in resume_reading
    self._ssl_protocol._transport.resume_reading()
AttributeError: 'NoneType' object has no attribute 'resume_reading'
2021-06-06 12:41:52 WARNING (MainThread) [homeassistant.components.http.ban] Login attempt or request with invalid authentication from localhost (127.0.0.1). (Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.77 Safari/537.36)

What could be the issue?

I think the log is telling you this (last line).

Educated guess: You use use_x_forwarded_for, so your trusted_networks is matched against the actual (internet?) ip of the calling device, and it’s rejected.

And how would I fix that? The error is not a wrong password etc.

I’m trying to log in from my internal network, so I have an IP like 192.168.3.48, which is in trusted_networks. That is not the issue here (as it is working when I access the port directly, which then also has my actual IP). Also, even when not using trusted networks but a username and password, it’s still not working.
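The disagreement above is about which address HA compares against trusted_networks when the request arrives through nginx. The following is an added model of how proxy-aware middleware resolves the client address with use_x_forwarded_for and trusted_proxies; it is example code written for this page, not Home Assistant's own implementation, and it assumes the proxy and network lists from the configuration.yaml posted in the thread. The header is honoured only when the TCP peer is a listed proxy; the X-Forwarded-For chain is then walked from the right, skipping trusted proxies, so a client cannot promote itself into 192.168.3.0/24 by sending a forged header.

```python
import ipaddress
from typing import Optional

# Constructed from the thread's configuration.yaml (assumed values, not HA code).
TRUSTED_PROXIES = [ipaddress.ip_network(n) for n in ("127.0.0.1", "::1")]
TRUSTED_NETWORKS = [ipaddress.ip_network(n) for n in ("127.0.0.1", "::1", "192.168.3.0/24")]


def in_any(addr, nets) -> bool:
    # ipaddress returns False for a version mismatch (IPv6 address vs IPv4 net),
    # so mixed lists are safe to test directly.
    return any(addr in net for net in nets)


def resolve_client_ip(peer_ip: str, x_forwarded_for: Optional[str], use_xff: bool = True) -> str:
    """Return the address the auth layer would treat as the client.

    Model of the usual right-to-left walk (not HA's own code):
      * no header, or use_x_forwarded_for disabled -> the TCP peer is the client
      * header from a peer that is not a trusted proxy -> reject the request
      * otherwise skip trusted proxies from the right; the first other hop is the client
    """
    peer = ipaddress.ip_address(peer_ip)
    if not use_xff or x_forwarded_for is None:
        return peer_ip
    if not in_any(peer, TRUSTED_PROXIES):
        # A forged header from an untrusted peer must never be used.
        raise PermissionError(f"X-Forwarded-For received from untrusted peer {peer_ip}")
    hops = [h.strip() for h in x_forwarded_for.split(",") if h.strip()]
    for hop in reversed(hops):
        if not in_any(ipaddress.ip_address(hop), TRUSTED_PROXIES):
            return hop
    # Every hop was a trusted proxy: fall back to the peer rather than trusting nothing.
    return peer_ip


def is_trusted_network(client_ip: str) -> bool:
    """The check trusted_networks/allow_bypass_login applies to the resolved client."""
    return in_any(ipaddress.ip_address(client_ip), TRUSTED_NETWORKS)


if __name__ == "__main__":
    # LAN browser via nginx: peer is 127.0.0.1, nginx appended the real client.
    print(resolve_client_ip("127.0.0.1", "192.168.3.48"))            # 192.168.3.48
    # Internet client forging a LAN address in front of its real one.
    print(resolve_client_ip("127.0.0.1", "192.168.3.5, 203.0.113.9"))  # 203.0.113.9
```

With nginx's `$proxy_add_x_forwarded_for`, a client-supplied header is appended to, not replaced, so the forged entry ends up to the left of the real address and the right-to-left walk stops at the real one.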

For debugging, I’d suggest removing the trusted_networks and assessing the behaviour.
You have a single user, right?
Are you presented with the login page when going through the proxy?


I have removed trusted networks for now; it’s unrelated to this issue anyway. I only have a single user, and I am presented with the login screen when going through the proxy. If I log in with username and password I get the message as described above and a retry button which leads back to the login screen.

Ok. Next, disable https in HA.

  • Remove “ssl_” in configuration.yaml
  • Set your “proxy_pass” to http in nginx

Ok, I have changed my nginx.conf:

server {
  # listen 443 ssl;
  # listen [::]:443 ssl;
  listen 80;
  listen [::]:80;
  server_name hass.router.lan;
  # ssl_session_cache shared:SSL:32k;
  # ssl_session_timeout 64m;
  # ssl_certificate /mnt/data/certs/hass-server/hass-server.crt;
  # ssl_certificate_key /mnt/data/certs/hass-server/hass-server.key;
  location / {
    proxy_pass https://hass;
    proxy_set_header HOST $host;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection $connection_upgrade;
  }
}

And I have modified my configuration.yaml accordingly:

# Configure a default setup of Home Assistant (frontend, api, etc)
default_config:

# No login needed if connected from internal lan
homeassistant:
  auth_providers:
    - type: homeassistant
    # - type: trusted_networks
    #   trusted_networks:
    #     - 127.0.0.1
    #     - ::1
    #     - 192.168.3.0/24
    #   allow_bypass_login: true

# Text to speech
tts:
  - platform: google_translate

# Certificate for https access
http:
  # ssl_certificate: /certs/hass-server/hass-server.crt
  # ssl_key: /certs/hass-server/hass-server.key
  use_x_forwarded_for: true
  trusted_proxies:
    - 127.0.0.1
    - ::1

group: !include groups.yaml
automation: !include automations.yaml
script: !include scripts.yaml
scene: !include scenes.yaml

I restarted both nginx and HA and am now getting a 502.
The setup looks right to me? Did I forget to change something?

  1. The point was not to remove the nginx ssl config, only the HA one.
  2. In nginx, you basically changed everything except what I said :) Now it tries to reach HA over https while you disabled it.
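The 502 comes from the scheme in `proxy_pass` no longer matching what HA listens with on 8123, and the earlier aiohttp traceback appeared when both sides did TLS. As an added example (written for this page, not part of the thread or of nginx/HA), here is a small consistency check over the two configs as text: it assumes the inputs are the nginx `server` block and the HA `http:` section as posted, and flags a TLS mismatch between `proxy_pass` and `ssl_certificate`, missing WebSocket upgrade headers, and an X-Forwarded-For setup that is only half configured.

```python
import re
from typing import List

# Constructed inputs: the working nginx block and the plain-HTTP HA section from the thread.
NGINX_WORKING = """
server {
  listen 443 ssl;
  server_name hass.router.lan;
  location / {
    proxy_pass http://hass;
    proxy_set_header Host $host;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection $connection_upgrade;
  }
}
"""

HA_HTTP_PLAIN = """
http:
  # ssl_certificate: /certs/hass-server/hass-server.crt
  # ssl_key: /certs/hass-server/hass-server.key
  use_x_forwarded_for: true
  trusted_proxies:
    - 127.0.0.1
    - ::1
"""


def ha_serves_tls(ha_yaml: str) -> bool:
    # An active (not commented-out) ssl_certificate line means HA terminates TLS itself.
    return re.search(r"^\s*ssl_certificate\s*:", ha_yaml, re.M) is not None


def ha_uses_xff(ha_yaml: str) -> bool:
    return re.search(r"^\s*use_x_forwarded_for\s*:\s*true", ha_yaml, re.M) is not None


def ha_has_trusted_proxies(ha_yaml: str) -> bool:
    # trusted_proxies must exist and have at least one "- address" entry after it.
    return re.search(r"^\s*trusted_proxies\s*:\s*\n(\s*-\s*\S+)", ha_yaml, re.M) is not None


def proxied_headers(nginx_conf: str) -> dict:
    # Header names are case-insensitive, so "HOST" and "Host" are the same directive.
    pairs = re.findall(r"^\s*proxy_set_header\s+(\S+)\s+([^;]+);", nginx_conf, re.M)
    return {name.lower(): value.strip() for name, value in pairs}


def check_proxy_chain(nginx_conf: str, ha_yaml: str) -> List[str]:
    """Return a list of findings; an empty list means the two configs agree."""
    findings = []
    m = re.search(r"^\s*proxy_pass\s+(https?)://", nginx_conf, re.M)
    if not m:
        return ["no proxy_pass directive found in nginx config"]
    upstream_tls = m.group(1) == "https"
    if upstream_tls and not ha_serves_tls(ha_yaml):
        findings.append("proxy_pass uses https:// but HA has no ssl_certificate: expect 502 Bad Gateway")
    if not upstream_tls and ha_serves_tls(ha_yaml):
        findings.append("proxy_pass uses http:// but HA terminates TLS on 8123: upstream will reject plain HTTP")
    headers = proxied_headers(nginx_conf)
    if "upgrade" not in headers or "connection" not in headers:
        findings.append("Upgrade/Connection headers missing: the frontend's WebSocket will not connect")
    if ha_uses_xff(ha_yaml) and "x-forwarded-for" not in headers:
        findings.append("HA has use_x_forwarded_for but nginx never sets X-Forwarded-For")
    if ha_uses_xff(ha_yaml) and not ha_has_trusted_proxies(ha_yaml):
        findings.append("use_x_forwarded_for requires a non-empty trusted_proxies list")
    return findings


if __name__ == "__main__":
    print(check_proxy_chain(NGINX_WORKING, HA_HTTP_PLAIN))  # []
    broken = NGINX_WORKING.replace("proxy_pass http://hass", "proxy_pass https://hass")
    print(check_proxy_chain(broken, HA_HTTP_PLAIN))          # the 502 finding
```

The check is deliberately textual: it reads the files the way an operator would, and it does not need nginx or HA running. Run it against both files before restarting services, so a scheme change on one side is caught before it turns into a 502.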

I understand. I have changed the configuration of nginx, so it works now.

server {
  listen 443 ssl;
  listen [::]:443 ssl;
  server_name hass.router.lan;
  ssl_session_cache shared:SSL:32k;
  ssl_session_timeout 64m;
  ssl_certificate /mnt/data/certs/hass-server/hass-server.crt;
  ssl_certificate_key /mnt/data/certs/hass-server/hass-server.key;
  location / {
    proxy_pass http://hass;
    proxy_set_header HOST $host;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection $connection_upgrade;
  }
}

I can log in now, so I guess that’s good. Trusted networks work as well. How do I now set up https? Do I even need to set that up, as it’s just localhost anyway? But I guess better safe than sorry, so better to encrypt even if not necessary…

You don’t really need to enable ssl on HA if you do it in nginx for outside access, imho. I don’t.
No actual clue on the root cause of the issue, tbh.


OK, at least it’s working now, so that’s a start. Thanks for the help so far.