Add HAProxy in front of Home Assistant
Posted on 2022-17-02
HAProxy is a widely used HTTP reverse proxy and I use it at home to give access to various internal services I need. At home, I also use home assistant to manage my heaters and my aquarium. Both solutions are open source and I guess many people will use them together at some point.
Because HAProxy operates as a reverse proxy, it uses (by default) an IP address from the local machine to get connected to the server (home assistant in our case). When doing so, home assistant will see all clients coming from the same IP address. The problem is that Home assistant can be configured to block IPs which are failed too many login attempts.
Warning
This means that if HAProxy IP address got banned, then nobody will be able to use Home assistant anymore!
In order to avoid this situation, we want to properly configure HAProxy and home assistant together.
First, let's update HAProxy's configuration to send a X-Forwarded-For HTTP header which contains the end user client IP address:
backend b_homeassistant [...] http-request set-header x-forwarded-for %[src] [...]
Now, on home assistant side, just configure it to tell it there is an HAProxy in front of it and it must trust the X-Forwarded-For header sent by it:
http:
use_x_forwarded_for: true
trusted_proxies:
- 192.168.A.B # Reverse proxy / HAProxy IP address
When somebody fails on login, you'll see a notification like this:
This shouldn't be the HAProxy address, but the address of the mobile phone / laptop who performed this attempt!
Tweet