HomeAssistant - Failed to connect via external connection

schattenmann · April 18, 2021, 2:59pm

Hey.

I just realised today - thank you covid! - that I can’t connect to my HA instance externally via HomeRemote.

I have external access controlled via NGINX and can access just fine via browser or the official HA app (both need http and websocket access)

Via HomeRemote I get a Failed to connect to XXXX, Cannost access a disposed object. Object name: System.Net.Websockets.ClientWebSocket

It seems to be that a websocket connection can’t be established.

If it helps, this is my redacted nginx config:

server {
  set $forward_scheme http;
  set $server         "192.168.1.3";
  set $port           8123;

  listen 80;
listen [::]:80;

  server_name xxxxxxxxxxxxxx;

  # Block Exploits
  include conf.d/include/block-exploits.conf;
  access_log /data/logs/proxy_host-10.log proxy;

  location / {
    proxy_set_header Host $host;
    proxy_set_header X-Forwarded-Scheme $scheme;
    proxy_set_header X-Forwarded-Proto  $scheme;
    proxy_set_header X-Forwarded-For    $remote_addr;
    proxy_pass       http://192.168.1.3:8123;
    # Authorization
	#auth_basic            "Authorization required";
	#auth_basic_user_file  /data/access/2;
	#proxy_set_header Authorization "";
	#
	proxy_http_version 1.1;
	proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
	proxy_set_header Upgrade $http_upgrade;
	proxy_set_header Connection "upgrade";

  }

  location /api/websocket {
    proxy_set_header Host $host;
    proxy_set_header X-Forwarded-Scheme $scheme;
    proxy_set_header X-Forwarded-Proto  $scheme;
    proxy_set_header X-Forwarded-For    $remote_addr;
    proxy_pass       http://192.168.1.3:8123/api/websocket;
    # Authorization
	#auth_basic            "Authorization required";
	#auth_basic_user_file  /data/access/2;
	#proxy_set_header Authorization "";
	#
	proxy_http_version 1.1;
	proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
	proxy_set_header Upgrade $http_upgrade;
	proxy_set_header Connection "upgrade";

  }
  
  # Custom
  include /data/nginx/custom/server_proxy[.]conf;
}

A simple ws = new WebSocket(‘ws://xxxxxx/api/websocket’) seems to work fine from anywhere too

bill · April 18, 2021, 5:36pm

Would you mind adding a temporary account for me so I can attempt to access it? I can troubleshoot it later today to find out if there is a bug or why it’s failing.

You can private message me or email support@thehomeremote.com. I’m going to be out much of the afternoon but can test this evening sometime.

schattenmann · April 18, 2021, 7:25pm

Email sent.
Funny thing, garage remote run out of battery, HomeRemote wasn’t working, thank **** the old imperihome was still up lol

bill · April 18, 2021, 10:39pm

I’m found the issue. I’ve fixed it on my PC. It’ll be included in the next release 4.1.5. Should be out late this week or maybe early next week. You can go ahead & remove my access. Thanks for allowing me to connect & troubleshoot.

schattenmann · April 19, 2021, 7:04am

Great news @bill thanks for letting me know

Let me know once it’s published

schattenmann · April 29, 2021, 8:09am

hey @bill any update when this version will be published?

bill · April 29, 2021, 4:38pm

Sorry, it’s taking a little longer than I expected to wrap up some of the other parts of this release. Sometime next week. If I haven’t finished these other updates I can probably do a service update with only the HA fix.

schattenmann · April 29, 2021, 5:33pm

That would be great given I still need to use Imperihome when I’m outside

bill · April 29, 2021, 5:36pm

For the time being, just set your Internal URL to your external one. That way it will work so long as you have internet. External URL is just a fallback URL to to use. There’s nothing preventing you from using that as your internal one.

schattenmann · April 29, 2021, 8:19pm

Thank you @bill, that does work so at least I have a workaround in place.

One thing I’ve noticed though is that it doesn’t seem to support basic authentication. I normally add basic authentication on every individual address behind Nginx as an extra layer of protection.

It seems THR does not pass basic auth data in ws headers?

bill · April 30, 2021, 6:31pm

The Home Remote does not support Basic Authentication for HA. It only uses HA’s OAuth authentication.

schattenmann · May 10, 2021, 5:59pm

Hey Bill.

Wondering if you have any further news when we can expect 4.1.5 release?

bill · May 10, 2021, 6:00pm

Should be later this week.

schattenmann · May 10, 2021, 6:24pm

Thanks, fingers crossed then

schattenmann · May 22, 2021, 11:19am

Hey @bill

Thank for the update! Any chance you’d reconsider adding basic authentication support?

I hate having to have HA open to the world. Sure HA has their builtin authentication but I reckon that basic authentication would be yet another security layer, at least would stop people to even see what was behind that URL

bill · May 23, 2021, 3:16am

I don’t know. I’m really not sure that you are getting any benefit from this. Home Assistant’s built-in OAuth authentication is far superior to Basic Auth. Adding that on top just seems to me a bit unnecessary:)

Also, not sure I like the idea of not having to store your credentials. With OAuth everything is access token & refresh token based so the Home Remote only needs to store & track those tokens. You never actually give your credentials to HR. You only give them to the web browser when you initially link it to HR & from that those tokens are generated. I’ve got a pretty clean HA integration. I’m just not too wild about editing that code to include this. It is something that would really only be for you.

bill · May 23, 2021, 5:34am

I was thinking a little bit more about this. What I could probably do is allow you to do is specify those credentials in the existing InternalUrl & ExternalUrl properties so you could do something like:

http://username:password@192.168.1.100:8123

That way I wouldn’t need to have any new properties. If credentials are in the URLs, it’ll then add the appropriate Basic Authentication header. This should be a pretty easy thing that I can squeeze into the next release.

schattenmann · May 23, 2021, 10:02am

Hey @bill

Thanks for the answer. I understand basic authentication would be redundant. It wouldn’t bring anything new to HR and it’s “security” is far from ideal.
The only benefit I see in using it is that if someone finds my HA instance URL (which is now public and it has to be unless I start using a VPN) it would just get annoyng login popup and wouldn’t even know what’s behind it if that makes sense.

As to how that would be implemented yeah my idea would be just adding plain text username:password to the URL

On a similar note I did some testing yesterday. I’ve removed basic authentication from the websockets URL but left it on Http. I could then HR to connect to HA, refresh devices and get status updates but was unable to control any device.

Am I right to asume then that status updates are done via websockets where as actions are via http post?

bill · May 23, 2021, 3:27pm

No. It uses WebSocket for both status updates & actions. It’s strange that one would work & not the other.