What is wrong with the http module since the auth changes have gone into effect?

I thought this was resolved with 0.85.x as for a glorious few weeks everything just worked, but now it’s back with a vengeance. My web interface is inaccessible, and I don’t know why, and really that’s about all the information I can give you to request your help with. I’m at my wits’ end. If I can’t get this resolved I’m going to need to find another platform. Not being able to control my devices for extended periods of time is not good, and it really upsets the W.A.F.

There are no errors in my log file, and ‘debug’ output on http is laughable. I have an nginx proxy configured on another machine that most of my stuff goes through but I don’t think that is my problem, as the problem existed prior to me adding it, and again for a few weeks during 0.85.x everything worked perfectly. I could restart HA and everything would come back without a hitch. I just restarted it last night and it had an uptime of 90 days.

When this occurs, it happens after I restart HA after a configuration change; it then takes 5-15 restarts / maybe a day before it decides to come back, with absolutely no change since the initial restart. I’m currently on restart 30 and it’s not happening.

I’m running an up-to-date Hassbian install on a Pi 3B+. My MariaDB lives on another server to reduce load / speed up HA (which it does dramatically). If I access https://myha.domain.com I get a variety of results: either 502s, or the HA login screen that goes to the retry screen, and pressing retry just keeps looping. Currently if I go to http://raspberry:8123 I get “ERR_EMPTY_RESPONSE”.

#user  nobody;
worker_processes  1;

# This default error log path is compiled-in to make sure configuration parsing
# errors are logged somewhere, especially during unattended boot when stderr
# isn't normally logged anywhere. This path will be touched on every nginx
# start regardless of error log location configured here. See
# https://trac.nginx.org/nginx/ticket/147 for more info.
#
error_log  /var/log/nginx/error.log;
#

#pid        logs/nginx.pid;


events {
    worker_connections  1024;
}

http {
    include       mime.types;
    default_type  application/octet-stream;

    log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
                      '$status $body_bytes_sent "$http_referer" '
                      '"$http_user_agent" "$http_x_forwarded_for"';

    access_log  /var/log/nginx/access.log  main;

    sendfile        on;
    #tcp_nopush     on;

    #keepalive_timeout  0;
    keepalive_timeout  65;

    #gzip  on;

map $http_upgrade $connection_upgrade {
    default upgrade;
    ''      close;
}

server {
    # Update this line to be your domain
    server_name myha.domain.com;

    # These shouldn't need to be changed
    listen [::]:80 default_server ipv6only=off;
    listen [::]:81 default_server ipv6only=off;
    return 301 https://$host$request_uri;
    proxy_buffering off;

    location / {
        proxy_pass http://x.x.x.114:8123;
        proxy_set_header Host $host;
        proxy_redirect http:// https://;
        proxy_http_version 1.1;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection $connection_upgrade;
    }

}

server {
    # Update this line to be your domain
    server_name myha.domain.com;

    # Ensure these lines point to your SSL certificate and key
    # Use these lines instead if you created a self-signed certificate
    ssl_certificate /usr/local/etc/nginx/ssl/cert.pem;
    ssl_certificate_key /usr/local/etc/nginx/ssl/key.pem;

    # Ensure this line points to your dhparams file
    ssl_dhparam /usr/local/etc/nginx/ssl/dhparams.pem;


    # These shouldn't need to be changed
    listen [::]:443 default_server ipv6only=off http2;
#    listen [::]:444 default_server ipv6only=off http2;
    add_header Strict-Transport-Security "max-age=31536000; includeSubdomains";
    ssl on;
    ssl_protocols TLSv1.2;
    ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4";
    ssl_prefer_server_ciphers on;
    ssl_session_cache shared:SSL:10m;

    proxy_buffering off;

    location / {
        proxy_pass http://x.x.x.114:8123;
        proxy_set_header Host $host;
        proxy_redirect http:// https://;
        proxy_http_version 1.1;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection $connection_upgrade;
    }
}
}

Here are the relevant parts of my configuration.yaml. It’s a disaster thus I’m not posting the whole thing. I need to clean it up / separate it out.

homeassistant:
  # Name of the location where Home Assistant is running
  name: Home
  # Location required to calculate the time the sun rises and sets
  latitude: !secret home_lat
  longitude: !secret home_long

  # Impacts weather/sunrise data (altitude above sea level in meters)
  elevation: 8.8392
  # metric for Metric, imperial for Imperial
  unit_system: imperial
  # Pick yours from here: http://en.wikipedia.org/wiki/List_of_tz_database_time_zones
  time_zone: America/Los_Angeles
  # Customization file
  customize: !include customize.yaml

  auth_providers:
   - type: homeassistant
   # Uncomment next line if you want to enable legacy API password support
#   - type: legacy_api_password

#service: logger.set_level
#  data:
#  homeassistant.components: warning
#    homeassistant.components.http: debug
#    homeassistant.components.websocket_api: debug

# Logging settings
logger:
  default: warn # default logging level
  logs:
    homeassistant.components.shell_command: debug
    homeassistant.components.media_player.plex: debug
    homeassistant.components.http: debug
    homeassistant.components.websocket_api: debug

# Enable the auth component
auth:

# Show links to resources in log and frontend
#introduction:

# Enables the frontend
frontend:

# Enables configuration UI
config:

http:
  # Secrets are defined in the file secrets.yaml
  api_password: !secret http_password
  # Uncomment this if you are using SSL/TLS, running in Docker container, etc.
  base_url: https://myha.domain.com
  use_x_forwarded_for: true
  trusted_proxies:
    - x.x.x.50
#   - ipv6 address
  ip_ban_enabled: true
  login_attempts_threshold: 5
  trusted_networks:
    - 127.0.0.1
    - ::1
    - x.x.x.0/24
    - y.2.y.0/24
    - z.168.z.0/24

# Checks for available updates
# Note: This component will send some information about your system to
# the developers to assist with development of Home Assistant.
# For more information, please see:
# https://home-assistant.io/blog/2016/10/25/explaining-the-updater/
updater:
  # Optional, allows Home Assistant developers to focus on popular components.
  # include_used_components: true

# Discover some devices automatically
discovery:

# Allows you to issue voice commands from the frontend in enabled browsers
conversation:

# Enables support for tracking state changes over time
history:

# View all events in a logbook
logbook:

# Enables a map showing the location of tracked devices
map:

recorder:
  db_url: !secret db_connect_string

# Track the sun
sun:

# iOS
ios:

lovelace:
  mode: yaml

Here’s the log

2019-02-13 11:23:13 DEBUG (MainThread) [homeassistant.components.websocket_api.http.connection.1695024560] Connected
2019-02-13 11:23:13 DEBUG (MainThread) [homeassistant.components.websocket_api.http.connection.1695024560] Sending {'ha_version': '0.86.4', 'type': 'auth_required'}
2019-02-13 11:23:13 INFO (MainThread) [homeassistant.components.http.view] Serving /auth/token to x.x.x.106 (auth: False)
2019-02-13 11:23:13 DEBUG (MainThread) [homeassistant.components.websocket_api.http.connection.1695024560] Disconnected
2019-02-13 11:23:19 INFO (MainThread) [homeassistant.components.http.view] Serving /api/websocket to x.x.x.106 (auth: False)
2019-02-13 11:23:19 DEBUG (MainThread) [homeassistant.components.websocket_api.http.connection.1695143152] Connected
2019-02-13 11:23:19 DEBUG (MainThread) [homeassistant.components.websocket_api.http.connection.1695143152] Sending {'ha_version': '0.86.4', 'type': 'auth_required'}
2019-02-13 11:23:19 INFO (MainThread) [homeassistant.components.http.view] Serving /auth/token to x.x.x.106 (auth: False)
2019-02-13 11:23:19 DEBUG (MainThread) [homeassistant.components.websocket_api.http.connection.1695143152] Disconnected
2019-02-13 11:23:25 INFO (MainThread) [homeassistant.components.http.view] Serving /api/websocket to x.x.x.106 (auth: False)
2019-02-13 11:23:25 DEBUG (MainThread) [homeassistant.components.websocket_api.http.connection.1694380656] Connected
2019-02-13 11:23:25 DEBUG (MainThread) [homeassistant.components.websocket_api.http.connection.1694380656] Sending {'ha_version': '0.86.4', 'type': 'auth_required'}
2019-02-13 11:23:25 INFO (MainThread) [homeassistant.components.http.view] Serving /auth/token to x.x.x.106 (auth: False)
2019-02-13 11:23:25 DEBUG (MainThread) [homeassistant.components.websocket_api.http.connection.1694380656] Disconnected

I’ve deleted the ip_bans.yaml and restarted, and it hasn’t reappeared.

So what do these logs mean? Does auth: False mean it doesn’t need to authenticate since it’s on a trusted network? Or does it mean it failed authentication? If so, why? And if so, why is it that restarting 5+ times will randomly make it start working again?

Also this is what I use to restart HA:
systemctl restart [email protected] && tail -F home-assistant.log

How do I fix this and make it reliable so that I’m not fearful of restarting HA?

Please help

  • Frustrated
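The repeating pattern in the log above (Connected, `auth_required` sent, Disconnected, then a new connection id a few seconds later) can be pulled out of a longer home-assistant.log mechanically. The following is an added example, not part of the original post and not Home Assistant code; the function names are hypothetical, and the sample lines are constructed from the ones quoted in the post, with straight quotes.

```python
import re
from datetime import datetime

# Constructed sample: connection lines as quoted in the post (straight quotes,
# addresses still redacted), plus one http.view line the parser must skip.
SAMPLE_LOG = """\
2019-02-13 11:23:13 DEBUG (MainThread) [homeassistant.components.websocket_api.http.connection.1695024560] Connected
2019-02-13 11:23:13 DEBUG (MainThread) [homeassistant.components.websocket_api.http.connection.1695024560] Sending {'ha_version': '0.86.4', 'type': 'auth_required'}
2019-02-13 11:23:13 DEBUG (MainThread) [homeassistant.components.websocket_api.http.connection.1695024560] Disconnected
2019-02-13 11:23:19 INFO (MainThread) [homeassistant.components.http.view] Serving /api/websocket to x.x.x.106 (auth: False)
2019-02-13 11:23:19 DEBUG (MainThread) [homeassistant.components.websocket_api.http.connection.1695143152] Connected
2019-02-13 11:23:19 DEBUG (MainThread) [homeassistant.components.websocket_api.http.connection.1695143152] Sending {'ha_version': '0.86.4', 'type': 'auth_required'}
2019-02-13 11:23:19 DEBUG (MainThread) [homeassistant.components.websocket_api.http.connection.1695143152] Disconnected
2019-02-13 11:23:25 DEBUG (MainThread) [homeassistant.components.websocket_api.http.connection.1694380656] Connected
2019-02-13 11:23:25 DEBUG (MainThread) [homeassistant.components.websocket_api.http.connection.1694380656] Sending {'ha_version': '0.86.4', 'type': 'auth_required'}
2019-02-13 11:23:25 DEBUG (MainThread) [homeassistant.components.websocket_api.http.connection.1694380656] Disconnected
"""

CONN_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) \w+ \(\w+\) "
    r"\[homeassistant\.components\.websocket_api\.http\.connection\.(?P<cid>\d+)\] (?P<msg>.*)$"
)

def connection_events(log_text):
    """Group websocket connection log lines by connection id, in log order."""
    events = {}
    for line in log_text.splitlines():
        m = CONN_RE.match(line)
        if not m:
            continue  # lines from other loggers, e.g. http.view
        msg = m.group("msg")
        if msg in ("Connected", "Disconnected"):
            kind = msg.lower()
        else:  # assumption: any message other than the auth_required frame is "other"
            kind = "auth_required" if "auth_required" in msg else "other"
        ts = datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S")
        events.setdefault(m.group("cid"), []).append((ts, kind))
    return events

def stalled_handshakes(log_text):
    """(id, start time) of connections that closed right after auth_required."""
    pattern = ["connected", "auth_required", "disconnected"]
    return [(cid, ev[0][0]) for cid, ev in connection_events(log_text).items()
            if [kind for _, kind in ev] == pattern]

def retry_intervals(log_text):
    """Seconds between successive stalled attempts; a steady gap suggests a client retry loop."""
    starts = sorted(ts for _, ts in stalled_handshakes(log_text))
    return [(b - a).total_seconds() for a, b in zip(starts, starts[1:])]
```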

Since you are having such an issue with this it might be time to get all the way back to the basics.

Do you have a way to access and edit your configuration files on your HA machine?

If you do then I would rename the current configuration.yaml file to configuration.yaml.old and then restart your HA. It should automatically create a new default configuration.yaml. Then try to log in to HA on Local_RPi_IP:8123.