Ok, so I am doing something rather crazy. I wasn’t satisfied with the authentication mechanisms of most of the apps I have running on my server, so I decided I wanted to put a reverse proxy in front of them
then I thought, maybe I should put up an oauth proxy for kicks
so here we are
oauth_proxy->nginx->Home-Assistant
If I set up oauth2_proxy -> Home-Assistant it works great. I get SSL and I sign in by authenticating my gmail account.
If I set up nginx -> Home-Assistant it works great. Works exactly as expected (no SSL enabled on nginx)
The moment I stack them together, I get the immediate “Connection Lost. Reconnecting” message from hass, which typically means it can’t connect through websocket (I know, I had to find a branch of oauth2_proxy that had websocket support patched in)
Firefox console gets: Firefox can’t establish a connection to the server at wss://example.net/api/websocket. core-5dfb2d3e567fad37af0321d4b29265ed.js:3:31926
uncaught exception: 1
Does anyone have any idea where I could start troubleshooting this? I am ready to share configurations and ideas.
Alternatively, you could help me get multiple upstreams to work properly in oauth2_proxy, then I wouldn’t need nginx.
Yes, it works correctly when using nginx alone. I realize now that my efforts to proxy twice were misguided. Instead I am using auth_request with nginx to ask oauth2_proxy to authenticate rather than passing through both proxies with the traffic.
So instead of hitting oauth2_proxy, then upstream to nginx, then upstream to the application, it just hits nginx, nginx asks for auth from oauth2_proxy, then once confirmed it proxies to the internal resource.
I am still digging through it to see how good it actually is, because I have no idea how that handles duration (how does nginx know when the cookie expires?) and some other things. If anyone has any input on it, that would be great. Once I actually know what is going on and am not just guessing from configurations I pieced together from the internet, I might do a write-up about it.
You could use your Github account to sign into your Home-Assistant installation!
Most of the time, when I load webapp1 or webapp2, it starts to load the hass UI but never gets any further than a loading icon, a blue bar at the top, or the tile with the password box (which of course doesn’t work).
I always have to ctrl+refresh the page to get the actual webapp to load.
Could this be because Hass is aggressively telling the browser to cache its content? Because I don’t have any caching turned on in my reverse proxy to avoid just this issue.
Ok. One more dilemma. Putting hass behind this reverse proxy with the Google Auth layer presents a challenge for the API. How would I authenticate third party access to the API, like IFTTT Maker, and the Push Notification registration?
I was thinking about making the proxy skip the Google Auth for requests to the /api folder, but I am not sure enough about the backend structure to be sure that would work.
You should be able to create another “location” for the API folder under the HA “server” in nginx that bypasses OAuth.
Not sure how to do this personally but sure it can be done.
I was able to resolve the API thing with some regex in the nginx configuration. The OAuth2 integration for IFTTT is for your own service that integrates with IFTTT, which is a lot more involved than just using IFTTT Maker to send the request to the API.
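An nginx configuration illustrating both the auth_request pattern described earlier in the thread and the /api location that skips the OAuth check. This is an added example, not configuration posted by anyone in the thread; the ports (4180 for oauth2_proxy, 8123 for Home Assistant), the hostname and the oauth2_proxy endpoint paths are assumptions.

```nginx
# Added example: nginx -> oauth2_proxy (auth_request only) -> Home Assistant.
# Assumed: oauth2_proxy listens on 127.0.0.1:4180 and Home Assistant on
# 127.0.0.1:8123; nginx, not oauth2_proxy, carries the actual traffic.
server {
    listen 443 ssl;
    server_name home.example.com;   # placeholder hostname

    # oauth2_proxy's own endpoints (sign-in page, OAuth callback).
    location /oauth2/ {
        proxy_pass http://127.0.0.1:4180;
        proxy_set_header Host                    $host;
        proxy_set_header X-Real-IP               $remote_addr;
        proxy_set_header X-Scheme                $scheme;
        proxy_set_header X-Auth-Request-Redirect $request_uri;
    }

    # Subrequest target: oauth2_proxy validates the session cookie
    # (including its expiry) on every request and answers 202 or 401,
    # so nginx itself never needs to know when the cookie expires.
    location = /oauth2/auth {
        internal;
        proxy_pass http://127.0.0.1:4180;
        proxy_set_header Host           $host;
        proxy_set_header X-Real-IP      $remote_addr;
        proxy_set_header X-Scheme       $scheme;
        proxy_set_header Content-Length "";
        proxy_pass_request_body         off;
    }

    # The API is called by IFTTT Maker and mobile apps, which cannot
    # complete a browser OAuth flow, so it bypasses auth_request and is
    # protected only by Home Assistant's own API authentication.
    location ^~ /api/ {
        proxy_pass http://127.0.0.1:8123;
        proxy_set_header Host $host;
        proxy_http_version 1.1;
        proxy_set_header Upgrade    $http_upgrade;
        proxy_set_header Connection "upgrade";  # /api/websocket needs this
    }

    # Everything else: authenticate first, then proxy (websocket-capable).
    location / {
        auth_request /oauth2/auth;
        error_page 401 = /oauth2/sign_in;
        proxy_pass http://127.0.0.1:8123;
        proxy_set_header Host $host;
        proxy_http_version 1.1;
        proxy_set_header Upgrade    $http_upgrade;
        proxy_set_header Connection "upgrade";
    }
}
```

Because /api/ is exposed without the OAuth layer, anything reachable under it relies entirely on Home Assistant's own credential check, so that check must stay enabled.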
Would like to see what you did if you still have it.
edit: never mind, got it working. For anyone looking in the future: I disabled basic auth through nginx for the subdomain hosting Home Assistant (home.example.com)… this is the URL that proxies to Home Assistant for me. So now I am just leaving the HTTP authentication enabled through Home Assistant as my authentication and not doing it through nginx.