search

home-assistant / core

:house_with_garden: Open source home automation that puts local control and privacy first.
https://www.home-assistant.io
Apache License 2.0
68.78k stars 28.11k forks source link

Strict connection mode not allowing authenticated session #116151

Open TyzzyT opened 1 week ago

TyzzyT commented 1 week ago

The problem

I'm not using the NGINX reverse proxy, but using the ssl_certificate & ssl_key option under http When setting the strict_connection to either static_page or drop_connection, I can't access the webpage anymore via the public URL (https://subdomain.mydomainname.com:8124), but I can only access it via the local url (https://192.168.2.250:8124). Is this expected behavior? I assumed that it would allow access, because I was already authenticated via the public domain URL.

Or is the strict_connection mode only available in combination with a reverse proxy? I don't prefer the reverse proxy, because when using the proxy it still shows a webpage (502 Bad Gateway) instead of a real drop and not responding at all.

What version of Home Assistant Core has the issue?

2024.5.0b0

What was the last working version of Home Assistant Core?

never

What type of installation are you running?

Home Assistant OS

Integration causing the issue

http

Link to integration documentation on our website

https://rc.home-assistant.io/integrations/http/#strict-connection-mode

Diagnostics information

No response

Example YAML snippet

http:
  server_port: 8124
  ssl_certificate: /ssl/fullchain.pem
  ssl_key: /ssl/privkey.pem
  strict_connection: drop_connection

Anything in the logs that might be useful for us?

No response

Additional information

No response

home-assistant[bot] commented 1 week ago

Hey there @home-assistant/core, mind taking a look at this issue as it has been labeled with an integration (http) you are listed as a code owner for? Thanks!

Code owner commands Code owners of `http` can trigger bot actions by commenting: - `@home-assistant close` Closes the issue. - `@home-assistant rename Awesome new title` Renames the issue. - `@home-assistant reopen` Reopen the issue. - `@home-assistant unassign http` Removes the current integration label and assignees on the issue, add the integration domain after the command. - `@home-assistant add-label needs-more-information` Add a label (needs-more-information, problem in dependency, problem in custom component) to the issue. - `@home-assistant remove-label needs-more-information` Remove a label (needs-more-information, problem in dependency, problem in custom component) on the issue.

(message by CodeOwnersMention)

http documentation http source (message by IssueLinks)

edenhaus commented 1 week ago

Please enable debug logs for the http integration and add the logs here. It should also work without a reverse proxy. For testing please use guard_page as you will get feedback. Do you see the guard_page, when you try to access the ha instance from a device, which is already logged in?

hoferbeck commented 6 days ago

I have a similar issue but i'm using the NGINX Home Assistant SSL proxy addon (for internal HTTPS access/Lets Encrypt) and cloudflare tunnel(for external access).

I was trying to access my Home Assistant via Firefox and App from my Android, both failed, but were logged in few minutes before(internal everything works).

I enabled the debug logs for the http integration, and got this message:

2024-04-29 10:32:50.655 DEBUG (MainThread) [homeassistant.components.http.auth] Perform strict connection action for 41.66.xxx.xxx (public IP of my Phone)

When i created a temporary link and i entered it into Firefox i was able to access it but i'm still unable to access it via the Android APP

mtielen commented 6 days ago

I have the similar issue but with NGINX addon in front. Internal it works (which goes direct). External it doesn't. Using the mobile app to test it gives the Guard page when I connect over the cellular network but on internal wifi it works . Externally I use HTTPS (SSL) via NGINX, internally I use HTTP.