Open Aqui1us opened 5 months ago
Hi, I'm running Homeassistant as well as Authentik and nginx as Docker containers and want to access Homeassistant via the nginx reverse proxy using the Authentik auth.
When I use hass2.mysdomain.com (which is set up in nginx) I get redirected to the Authentik login. So far so good. After signing in I get redirected to Homeassistant, where this error pops up.
The Homeassistant log states:
Login attempt or request with invalid authentication from 192.168.178.101 (192.168.178.101). Requested URL: '/auth/token'
Homeassistant Log:

```
2024-01-27 18:45:35.157 DEBUG (MainThread) [custom_components.auth_header] <CIMultiDictProxy( 'X-authentik-username': 'test', 'X-authentik-name': 'test', 'X-authentik-uid': '1ae74557218bb98d96b177878660de63d1848a2830c26c35afbad47ff9ecb851', 'Host': '192.168.178.101:8123', 'Connection': 'close', 'Content-Length': '129', 'sec-ch-ua': '"Not A(Brand";v="99", "Brave";v="121", "Chromium";v="121"', 'sec-ch-ua-platform': '"Windows"', 'sec-ch-ua-mobile': '?0', 'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36', 'Content-Type': 'text/plain;charset=UTF-8', 'Accept': '*/*', 'sec-gpc': '1', 'Accept-Language': 'de-DE,de;q=0.6', 'Origin': 'https://hass2.mydomain.com', 'sec-fetch-site': 'same-origin', 'sec-fetch-mode': 'cors', 'sec-fetch-dest': 'empty', 'Accept-Encoding': 'gzip, deflate, br', 'Cookie': 'authentik_proxy_3r6W7vF2=SFORLJB5QA7PQ3QFU2ARAH5COBD3IV76G7S7T4ZHS756WOCWKQUDQVVRLBDO3KBE7XOOIWMGMPPWIOTSK3AYLSLWQ5VCOSGF5ZUT5FI')>
2024-01-27 18:45:35.157 DEBUG (MainThread) [custom_components.auth_header] Got actual IP 192.168.178.101
2024-01-27 18:45:39.405 WARNING (MainThread) [homeassistant.components.http.ban] Login attempt or request with invalid authentication from 192.168.178.101 (192.168.178.101). Requested URL: '/auth/token'. (Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36)
```
192.168.178.101 is the local network IP of my server, which is running all 3 Docker containers. 'test' is set up as a username in Authentik as well as Homeassistant.
In my config.yaml I have added:
```yaml
http:
  use_x_forwarded_for: true
  trusted_proxies:
    - 192.168.178.0/24
auth_header:
  username_header: X-authentik-username
logger:
  default: info
  logs:
    custom_components.auth_header: debug
```
The custom configuration for the Proxy Host in Nginx is:
```nginx
# Increase buffer size for large headers
# This is needed only if you get 'upstream sent too big header while reading response
# header from upstream' error when trying to access an application protected by goauthentik
proxy_buffers 8 16k;
proxy_buffer_size 32k;

location / {
    # Put your proxy_pass to your application here
    proxy_pass $forward_scheme://$server:$port;

    # authentik-specific config
    auth_request /outpost.goauthentik.io/auth/nginx;
    error_page 401 = @goauthentik_proxy_signin;
    auth_request_set $auth_cookie $upstream_http_set_cookie;
    add_header Set-Cookie $auth_cookie;

    # translate headers from the outposts back to the actual upstream
    auth_request_set $authentik_username $upstream_http_x_authentik_username;
    auth_request_set $authentik_groups $upstream_http_x_authentik_groups;
    auth_request_set $authentik_email $upstream_http_x_authentik_email;
    auth_request_set $authentik_name $upstream_http_x_authentik_name;
    auth_request_set $authentik_uid $upstream_http_x_authentik_uid;

    proxy_set_header X-authentik-username $authentik_username;
    proxy_set_header X-authentik-groups $authentik_groups;
    proxy_set_header X-authentik-email $authentik_email;
    proxy_set_header X-authentik-name $authentik_name;
    proxy_set_header X-authentik-uid $authentik_uid;
}

# all requests to /outpost.goauthentik.io must be accessible without authentication
location /outpost.goauthentik.io {
    proxy_pass http://192.168.178.101:9000/outpost.goauthentik.io;
    # ensure the host of this vserver matches your external URL you've configured
    # in authentik
    proxy_set_header Host $host;
    proxy_set_header X-Original-URL $scheme://$http_host$request_uri;
    add_header Set-Cookie $auth_cookie;
    auth_request_set $auth_cookie $upstream_http_set_cookie;

    # required for POST requests to work
    proxy_pass_request_body off;
    proxy_set_header Content-Length "";
}

# Special location for when the /auth endpoint returns a 401,
# redirect to the /start URL which initiates SSO
location @goauthentik_proxy_signin {
    internal;
    add_header Set-Cookie $auth_cookie;
    return 302 /outpost.goauthentik.io/start?rd=$request_uri;
    # For domain level, use the below error_page to redirect to your authentik server with the full redirect path
    # return 302 https://authentik.company/outpost.goauthentik.io/start?rd=$scheme://$http_host$request_uri;
}
```
Any help on how to tackle this problem would be appreciated. I suspect Homeassistant doesn't like the way Authentik hands over the auth_header? Do I need to add or modify the '/auth/token' somewhere?
Did you get it working? I'm having the same issue.
nope, I shelved the project for now.
Solution is to add:
```nginx
proxy_set_header Host $host;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
```
to the config https://github.com/BeryJu/hass-auth-header/issues/236
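
Added example, not part of the original thread: the `location /` block from the question with the three headers from the solution in place. Placing them inside `location /` and adding `proxy_http_version 1.1;` are assumptions; nginx only performs a WebSocket upgrade towards the upstream over HTTP/1.1.

```nginx
location / {
    proxy_pass $forward_scheme://$server:$port;

    # Headers from the solution. Without them nginx sends its defaults,
    # "Host: $proxy_host" and "Connection: close", which matches the request
    # logged in the question ('Host': '192.168.178.101:8123', 'Connection': 'close')
    # while the browser's Origin was https://hass2.mydomain.com.
    proxy_set_header Host $host;
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection "upgrade";

    # Assumption, not stated in the thread: HTTP/1.1 to the upstream,
    # required by nginx for proxying WebSocket upgrades.
    proxy_http_version 1.1;

    # authentik-specific config, unchanged from the question
    auth_request /outpost.goauthentik.io/auth/nginx;
    error_page 401 = @goauthentik_proxy_signin;
    auth_request_set $auth_cookie $upstream_http_set_cookie;
    add_header Set-Cookie $auth_cookie;

    auth_request_set $authentik_username $upstream_http_x_authentik_username;
    auth_request_set $authentik_groups $upstream_http_x_authentik_groups;
    auth_request_set $authentik_email $upstream_http_x_authentik_email;
    auth_request_set $authentik_name $upstream_http_x_authentik_name;
    auth_request_set $authentik_uid $upstream_http_x_authentik_uid;

    # proxy_set_header replaces any client-supplied value of the same name,
    # so the identity headers reaching the upstream are the ones the outpost returned.
    proxy_set_header X-authentik-username $authentik_username;
    proxy_set_header X-authentik-groups $authentik_groups;
    proxy_set_header X-authentik-email $authentik_email;
    proxy_set_header X-authentik-name $authentik_name;
    proxy_set_header X-authentik-uid $authentik_uid;
}
```

This setup has Home Assistant accept `X-authentik-username` from the proxy, so it is worth narrowing `trusted_proxies` from `192.168.178.0/24` to the proxy's own address.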