Unable to log in remotely (no issues accessing login page)

I’ve set up home assistant to be able to log in from the internet but whenever I try to login I keep getting this:

You’re about to give https://pitangui.amazon.com/ access to your Home Assistant instance.
Logging in with Home Assistant Local.

followed by a Start Over button

Log:

WARNING (MainThread) [homeassistant.components.http.ban] Login attempt or request with invalid authentication from 162.158.xx.xxx (162.158.xx.xxx) (Mozilla/5.0 (Linux; Android 9; SM-G950U1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4324.93 Mobile Safari/537.36)

configuration.yaml for http:

http:
  ssl_certificate: /home/homeassistant/.homeassistant/fullchain.pem
  ssl_key: /home/homeassistant/.homeassistant/privkey.pem
  ip_ban_enabled: false

Additional details:

  • Version 2021.1.4
  • Logging in from LAN works fine. When logging in from the internet I get the login page and when I submit username and password I get the warning message in the log.
  • Android App works fine when first logged in from home and then accessing it remotely from the cloud.
  • Tried with both ip_ban enabled and disabled but I get the same WARNING in the log.
  • This worked a while back since I was able to link my account with Alexa Smart Home skill (come to think of it - it did not work right away but eventually it did).
  • Now unable to link Alexa skills (I get the same log message every time I try to do the linking).
  • Yes, I double/triple checked when typing in the password.
  • There is no ip_bans file in the config directory.

Please help, this is very frustrating.

I was able to get around this by adding the following:

http:
  use_x_forwarded_for: true
  trusted_proxies:
    - x.y.0.0/16
    - a.b.0.0/16

With this in place I was able to do the Alexa skill account linking, once linked I removed these entries and all appears to be Ok. Not sure if these entries will need to be re-added when some cookie/token times out. I had to pick /16 networks since the incoming address from AWS varied widely.
While this workaround has got me going for now, why won’t this work without having to explicitly open up large subnets? I mean if I am logging in from IP address a.b.c.d whether through a proxy or not why not let me log in as long as I have the userid and password? As for the proxy itself I’m using Cloudflare which proxies my DNS name to protect my home server.
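The following is an added illustration, not part of the original post and not Home Assistant's own code. It models the documented behaviour of the `http` options used above: the `X-Forwarded-For` header is honoured only when `use_x_forwarded_for` is on and the connecting peer is inside `trusted_proxies`; otherwise the server binds the request to the proxy's own address. When a CDN-style proxy sends each step of a login flow from a different edge node, the "client" address changes between steps unless the header is trusted, which is why the flow fails without `trusted_proxies` and why the list has to cover every edge address the proxy may use. All addresses below are constructed (documentation ranges and a made-up `/16` shaped like the one in the post); the function names are hypothetical.

```python
import ipaddress

# Constructed: a hypothetical /16 standing in for the proxy's egress range,
# shaped like the x.y.0.0/16 entries in the post.
TRUSTED_PROXIES = [ipaddress.ip_network("162.158.0.0/16")]


def effective_client_ip(peer_ip, x_forwarded_for, trusted_proxies, use_x_forwarded_for):
    """Return the address a login flow should be bound to.

    peer_ip          -- the TCP peer as the server sees it (the proxy when proxied)
    x_forwarded_for  -- the X-Forwarded-For header value, or None
    The header is honoured only when use_x_forwarded_for is True AND the peer is
    inside trusted_proxies; any other peer could have forged it, so it is ignored.
    """
    peer = ipaddress.ip_address(peer_ip)
    if not use_x_forwarded_for or not x_forwarded_for:
        return str(peer)
    if not any(peer in net for net in trusted_proxies):
        # Untrusted peer: discard the header rather than trust a client-supplied value.
        return str(peer)
    # X-Forwarded-For is "client, proxy1, proxy2, ..."; the leftmost entry is the
    # original client. ipaddress.ip_address raises ValueError on malformed input.
    first_hop = x_forwarded_for.split(",")[0].strip()
    return str(ipaddress.ip_address(first_hop))


def login_flow_consistent(steps, trusted_proxies, use_x_forwarded_for):
    """True when every step of a multi-step login resolves to one client address.

    steps -- list of (peer_ip, x_forwarded_for) pairs, one per HTTP request.
    A flow whose effective address changes mid-way is treated as invalid, which is
    the situation behind an 'invalid authentication' warning naming the proxy IP.
    """
    seen = {effective_client_ip(p, xff, trusted_proxies, use_x_forwarded_for)
            for p, xff in steps}
    return len(seen) == 1


# Constructed: one phone (203.0.113.7, a documentation address) performs three
# login steps, each of which leaves the proxy from a different edge node.
LOGIN_STEPS = [
    ("162.158.10.1", "203.0.113.7"),
    ("162.158.77.9", "203.0.113.7"),
    ("162.158.200.3", "203.0.113.7"),
]

if __name__ == "__main__":
    print("no trusted proxies :", login_flow_consistent(LOGIN_STEPS, [], False))
    print("proxy range trusted:", login_flow_consistent(LOGIN_STEPS, TRUSTED_PROXIES, True))
    # A direct (unproxied) client that sets the header itself gains nothing.
    print("forged header      :", effective_client_ip("198.51.100.5", "203.0.113.7",
                                                      TRUSTED_PROXIES, True))
```

The third call shows the point of `trusted_proxies`: a peer outside the list keeps its own address no matter what it puts in the header, so the list should be the proxy's published address ranges rather than whatever broad subnets happen to cover the addresses seen in the log.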