I will start off by saying I’m not really a network guy so I’m probably saying some of this incorrectly. What I know about this is mostly due to several hours of reading dozens of related posts and web pages.
I am trying to access my Home Assistant from my work laptop, which uses ZScaler VPN.
I have HA set up with NGINX Home Assistant SSL proxy and DuckDNS.
(No, I am not going to join / install agent on my work laptop to ZeroTier or some other non-work sanctioned VPN.)
- In Edge and Chrome, the login screen shows the error: “Unable to fetch auth providers” instead of showing the username/password boxes.
- In Firefox, I get the HA “house” logo but no text and no login boxes.
Looking in Chrome’s console and network trace…
- Several errors with setting cookies (probably the most important one related to “providers”) with “This attempt to set a cookie was blocked because its Domain attribute was invalid with regards to the current host url.”
Headers:
Accept: */*
Host: mydomain.duckdns.org
Set-Cookie: […]domain=.duckdns.org[…]
- Also have No Access-Control-Allow-Origin header is present for the following redirects
mydomain.duckdns.org
- /auth/providers
- /static/translations/page-authorize/en-gobbledygook.json
- /static/locale-data/intl-displaynames/en.json
Headers for these:
Accept: */*
Host: mydomain.duckdns.org
Origin: null
Looking in Firefox’s console and network trace…
- Issues with cookies similar to what I saw on Chrome
- CORS Failed when redirecting https://gateway.zscloud.net/auD?origurl=https:mydomain.duckdns.org/frontend_latest/(core|app).somestuff.js?wexps=1&ordtok=sometoken
Headers:
Accept: */*
Host: gateway.zscloud.net
Origin: https://mydomain.dns.org
- CORS Missing Allow-Origin when attempting to get various things (browser_mod.js, card-mod.js, iconset.js, Roboto-Medium.woff2, Roboto-Regular.woff2)
Back in Home Assistant…
Here’s what I have in the http section of configuration.yml. I had added the zscaler domain (and several others that were mentioned in various posts).
```yaml
http:
  cors_allowed_origins:
    - https://mydomain.duckdns.org
    - https://gateway.zscloud.net
    - http://localhost:8123 # extraneous?
    - http://127.0.0.1:8123 # extraneous?
  use_x_forwarded_for: true
  trusted_proxies:
    - 172.xx.xx.0/24 # my ISP IP
    - 192.168.1.0/24 # Home Assistant LAN
    - (a whole slew of IPs for ZScaler, see https://config.zscaler.com/zscaler.net/hubs)
```
I added a hello.txt file in the www folder and was able to load it on my work laptop using https://mydomain.duckdns.org/local/hello.txt (so things are coming through when authentication is not needed).
On my Android phone (no VPN), the login screen loads fine in 4G mode (Firefox, Chrome and whatever the Samsung browser is). It’s not an easy password to enter on a phone, so I’m just going to assume it would work because the login screen looks fine.
I regularly use the HA app on my phone remotely via DuckDNS (no VPN).
I use HA all the time on my LAN using various browsers and types of machines.
I have a feeling that some header or something could be added to nginx_proxy_default.conf (or config in a server folder?) to fix this, but what exactly to add, I don’t know.
Thanks for any help I can get on this.
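
Added example, not part of the original post: a sketch of the RFC 6265 (section 5.3) checks a browser applies to the `Domain` attribute of a `Set-Cookie` header, run against header values modelled on the Chrome trace above. The cookie name `token`, the helper names and the three-entry `PUBLIC_SUFFIXES` set are constructed for illustration, and the set assumes `duckdns.org` is listed on the Public Suffix List, which is what would make `Domain=.duckdns.org` invalid for the host `mydomain.duckdns.org`.

```javascript
// Added example with constructed data: RFC 6265 section 5.3 Domain checks.
// PUBLIC_SUFFIXES is a tiny hand-made stand-in for the real Public Suffix List;
// the duckdns.org entry is an assumption (listed there as a private suffix).
const PUBLIC_SUFFIXES = new Set(["com", "org", "duckdns.org"]);

// RFC 6265 section 5.1.3: host equals the domain or ends with "." + domain.
function domainMatches(host, domain) {
  return host === domain || host.endsWith("." + domain);
}

// Extract the Domain attribute (last one wins), lowercased, leading dot removed.
function cookieDomainAttr(setCookie) {
  let domain = "";
  for (const part of setCookie.split(";").slice(1)) {
    const [name, ...rest] = part.split("=");
    if (name.trim().toLowerCase() === "domain") {
      domain = rest.join("=").trim().toLowerCase().replace(/^\./, "");
    }
  }
  return domain;
}

// Decide whether the cookie is stored for this request host, and with what scope.
function evaluateCookie(requestHost, setCookie) {
  const host = requestHost.toLowerCase();
  const domain = cookieDomainAttr(setCookie);
  if (domain === "") return { stored: true, scope: host, reason: "host-only cookie" };
  if (PUBLIC_SUFFIXES.has(domain)) {
    if (domain === host) return { stored: true, scope: host, reason: "public suffix equals host, stored host-only" };
    return { stored: false, scope: null, reason: "Domain is a public suffix" };
  }
  if (!domainMatches(host, domain)) {
    return { stored: false, scope: null, reason: "host does not domain-match Domain" };
  }
  return { stored: true, scope: "." + domain, reason: "domain cookie" };
}

// Constructed header values modelled on the trace in the post.
const samples = [
  ["mydomain.duckdns.org", "token=abc; Domain=.duckdns.org; Path=/; Secure"],
  ["mydomain.duckdns.org", "token=abc; Domain=mydomain.duckdns.org; Path=/; Secure"],
  ["mydomain.duckdns.org", "token=abc; Path=/; Secure"],
  ["mydomain.duckdns.org", "token=abc; Domain=gateway.zscloud.net; Path=/"],
];
for (const [host, header] of samples) {
  console.log(host, "|", header, "=>", JSON.stringify(evaluateCookie(host, header)));
}
```

Only the first sample is rejected for the public-suffix reason; a cookie scoped to the full host name, or sent with no `Domain` attribute at all, is accepted for the same host.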