Unable to Login to Home Assistant via Apache Reverse Proxy

I have read through this guide, but am still having issues.

I have an Apache server handling reverse proxy for several internal servers, and all is working as expected. When accessing Home Assistant through the proxy, I can reach the login screen, but login fails with “Unable to connect to Home Assistant”.

Any help would be appreciated!

The following appears in the logs:

Logger: homeassistant.components.http.ban
Source: components/http/ban.py:80
Integration: HTTP ([documentation](https://www.home-assistant.io/integrations/http), [issues](https://github.com/home-assistant/core/issues?q=is%3Aissue+is%3Aopen+label%3A%22integration%3A+http%22))
First occurred: October 16, 2023 at 11:36:02 AM (10 occurrences)
Last logged: 11:26:57 AM

* Login attempt or request with invalid authentication from 163.116.249.34 (163.116.249.34). Requested URL: '/auth/token'. (Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/118.0.0.0 Safari/537.36)
* Login attempt or request with invalid authentication from 99-121-115-212.lightspeed.gdrpmi.sbcglobal.net (99.121.115.212). Requested URL: '/auth/token'. (Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/118.0.0.0 Safari/537.36

Here is the http block in my configuration.yaml:

```yaml
http:
  ssl_certificate: /config/certs/<domain>.com/fullchain.pem
  ssl_key: /config/certs/<domain>.com/privkey.pem
  use_x_forwarded_for: true
  trusted_proxies:
    - <proxy server ip>
    - 127.0.0.1
```

And here is the relevant entry in my apache config file:

```apache
<VirtualHost *:443>
SSLEngine on
ServerName hass.<domain>.com
SSLProxyEngine on
SSLProxyVerify none
SSLProxyCheckPeerCN off
SSLProxyCheckPeerName off
SSLProxyCheckPeerExpire off
ProxyPreserveHost On
ProxyRequests off
ProxyPass / https://<homeassistant_ip>:8123/
ProxyPassReverse / https://<homeassistant_ip>:8123/
ProxyPass /api/websocket ws://<homeassistant_ip>:8123/api/websocket
ProxyPassReverse /api/websocket ws://<homeassistant_ip>:8123/api/websocket

RewriteEngine on
RewriteCond %{HTTP:Upgrade} =websocket [NC]
RewriteRule /(.*)  ws://<homeassistant_ip>:8123/$1 [P,l]
RewriteCond %{HTTP:Upgrade} !=websocket [NC]
RewriteRule /(.*)  https://<homeassistant_ip>:8123/$1 [P,l]

SSLCertificateFile /etc/letsencrypt/live/<domain>.com/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/<domain>.com/privkey.pem
Include /etc/letsencrypt/options-ssl-apache.conf
</VirtualHost>
```

Are you using Virtualmin with Webmin in Ubuntu? That config file looks familiar.

In my configuration, my http section looks like this, and it’s working:

```yaml
http:
  use_x_forwarded_for: true
  trusted_proxies:
    - 192.168.1.200 #This is my Apache box/Webmin/Virtualmin
  ip_ban_enabled: false
  login_attempts_threshold: 5
```

Thanks for the response, @arretx. I am not running Virtualmin/Webmin on this box, but I did wind up figuring out the issue.

The fix was to replace all instances of “ws://” in my Apache config file with “wss://”.
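
An added example, not code from anyone in this thread: a Python check for the mismatch behind this fix. With `ssl_certificate` set, Home Assistant serves only TLS on port 8123, so `ws://` to that port fails where `https://` succeeds. The backend address `192.0.2.10` and the function names are assumptions made for the example.

```python
import re
from collections import defaultdict

# Constructed sample: the proxy directives from the post, with a placeholder backend IP.
SAMPLE_VHOST = """\
ProxyPass / https://192.0.2.10:8123/
ProxyPassReverse / https://192.0.2.10:8123/
ProxyPass /api/websocket ws://192.0.2.10:8123/api/websocket
ProxyPassReverse /api/websocket ws://192.0.2.10:8123/api/websocket
RewriteRule /(.*)  ws://192.0.2.10:8123/$1 [P,l]
RewriteRule /(.*)  https://192.0.2.10:8123/$1 [P,l]
"""

DIRECTIVES = ("proxypass", "proxypassreverse", "proxypassmatch", "rewriterule")
BACKEND_URL = re.compile(r"\b(https?|wss?)://([^/\s:]+(?::\d+)?)", re.I)
TLS = {"https": True, "wss": True, "http": False, "ws": False}


def backend_schemes(conf_text):
    """Map each backend host:port to {scheme: [line numbers]} proxied to it."""
    seen = defaultdict(lambda: defaultdict(list))
    for lineno, raw in enumerate(conf_text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # skip blanks and commented-out directives
        if line.split()[0].lower() not in DIRECTIVES:
            continue
        for scheme, hostport in BACKEND_URL.findall(line):
            seen[hostport.lower()][scheme.lower()].append(lineno)
    return seen


def tls_mismatches(conf_text):
    """Return (hostport, scheme, lines) for plaintext schemes aimed at a
    backend that other directives in the same file reach over TLS."""
    findings = []
    for hostport, schemes in backend_schemes(conf_text).items():
        if any(TLS[s] for s in schemes) and not all(TLS[s] for s in schemes):
            for scheme, lines in sorted(schemes.items()):
                if not TLS[scheme]:
                    findings.append((hostport, scheme, lines))
    return findings


if __name__ == "__main__":
    for hostport, scheme, lines in tls_mismatches(SAMPLE_VHOST):
        print(f"{hostport}: {scheme}:// on lines {lines}, "
              "but this backend is also proxied over TLS")
```

Run against the sample, it reports the three `ws://` lines; after the `ws://` to `wss://` replacement it reports nothing.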