```yaml
version: '2.1'
services:
  homeassistant:
    restart: always
    image: homeassistant/raspberrypi3-homeassistant
    # With network_mode: host Docker ignores expose/ports; HA listens on the
    # host's own 8123, which is why Traefik needs host.docker.internal below.
    expose:
      - 8123
    ports:
      - "8123:8123"
    devices:
      - /dev/ttyACM0
    volumes:
      - ./config:/config
    network_mode: host
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.hahttp.rule=Host(`MY_DOMAIN`)"
      - "traefik.http.routers.ha.rule=Host(`MY_DOMAIN`)"
      - "traefik.http.routers.ha.tls=true"
      - "traefik.http.routers.ha.tls.certresolver=le"
      - "traefik.http.routers.ha.tls.domains[0].main=MY_DOMAIN"
      - "traefik.http.services.homeassistant.loadbalancer.server.port=8123"
  traefik:
    restart: always
    image: traefik:v2.2
    command:
      - "--api.dashboard=true"
      # api.insecure serves the dashboard and API without authentication on
      # :8080, which is published below; keep that port off untrusted networks.
      - "--api.insecure=true"
      - "--accesslog=true"
      - "--providers.docker"
      - "--providers.docker.exposedbydefault=false"
      - "--entryPoints.web.address=:80"
      - "--entrypoints.websecure.address=:443"
      - "--certificatesresolvers.le.acme.tlschallenge=true"
      - "--certificatesresolvers.le.acme.email=MY_EMAIL"
      - "--certificatesresolvers.le.acme.storage=/letsencrypt/acme.json"
    ports:
      - 80:80
      - 8080:8080
      - 443:443
    volumes:
      - "/var/run/docker.sock:/var/run/docker.sock:ro"
      - "./letsencrypt:/letsencrypt"
    extra_hosts:
      # Traefik resolves host.docker.internal to reach host-networked
      # containers; 172.17.0.1 is the default docker0 bridge gateway.
      - host.docker.internal:172.17.0.1
```
If you want to avoid adding a "magic" IP address you can use

```yaml
extra_hosts:
  - "host.docker.internal:host-gateway"
```

Make sure you are using Linux and Docker > v20.10.
If you receive a "400 Bad Request" error, you need to whitelist the IP of the Docker proxy in Home Assistant.
Check the Home Assistant logs. You should see something like:

```
2024-03-30 22:28:57.467 ERROR (MainThread) [homeassistant.components.http.forwarded] Received X-Forwarded-For header from an untrusted proxy XXX.XXX.XXX.XXX
```

Add the XXX.XXX.XXX.XXX IP in your Home Assistant configuration.yml file:

```yaml
http:
  use_x_forwarded_for: true
  trusted_proxies:
    - ::1
    - 127.0.0.1
    - XXX.XXX.XXX.XXX
```

This IP changes if you destroy your traefik container / network.
You can allow the CIDR 172.16.0.0/12 so it will always be allowed whatever IP it takes... But it's less secure, of course.
@matitalatina That solved it for me. I was configuring Syncthing behind Traefik, while keeping it in host mode for broadcasting to work. Thank you.
> This IP changes if you destroy your traefik container / network. You can allow the CIDR 172.16.0.0/12 so it will always be allowed whatever IP it takes... But it's less secure, of course.
I got around the insecurity by creating the traefik Docker network such that it has an IP range for containers (10.0.0.0/22) that excludes the IP range I assigned traefik, but it is still within the same subnet (10.0.0.0/21):

Create docker network

```sh
docker network create \
  --driver=bridge \
  --gateway=10.0.0.1 \
  --subnet=10.0.0.0/21 \
  --ip-range=10.0.0.0/22 \
  traefik
```

Traefik compose.yaml

```yaml
services:
  traefik:
    ...
    networks:
      traefik:
        ipv4_address: 10.0.4.2
```
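The following is an added example, not code from the gist or from any commenter, that models the two points made in the comments above with Python's standard `ipaddress` module: why a broad `trusted_proxies` entry such as `172.16.0.0/12` lets any container on any Docker bridge forge `X-Forwarded-For`, while pinning the proxy's address does not, and the `/21` subnet plus `/22` `ip-range` trick that keeps the pinned Traefik address out of Docker's dynamic pool. The right-to-left walk over `X-Forwarded-For` is the example's own simplified trust model, not Home Assistant's implementation, and every IP, header and log line in it is constructed for the demo.

```python
"""Added example (not from the gist or its comments): trusted-proxy reasoning
and Docker ip-range planning with the ipaddress module.

Assumptions: the X-Forwarded-For walk below is a simplified model, not Home
Assistant's own code; all IPs, headers and the log line are made up.
"""
import ipaddress
import re

# Shape of the HA log line quoted in the thread; the proxy IP is constructed.
SAMPLE_HA_LOG = (
    "2024-03-30 22:28:57.467 ERROR (MainThread) "
    "[homeassistant.components.http.forwarded] "
    "Received X-Forwarded-For header from an untrusted proxy 172.18.0.3"
)
UNTRUSTED_PROXY_RE = re.compile(
    r"Received X-Forwarded-For header from an untrusted proxy (\S+)"
)


def untrusted_proxy_from_log(line):
    """Pull the proxy IP HA complained about out of a log line (or None)."""
    match = UNTRUSTED_PROXY_RE.search(line)
    return str(ipaddress.ip_address(match.group(1))) if match else None


def parse_trusted_proxies(entries):
    """Accept the same mix of single hosts and CIDRs as HA's trusted_proxies."""
    return [ipaddress.ip_network(entry, strict=False) for entry in entries]


def is_trusted(ip, trusted):
    """True if ip falls in any trusted network (a v4/v6 mismatch is False)."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in trusted)


def client_ip(peer_ip, xff_header, trusted):
    """Decide the real client address for one request.

    The TCP peer must itself be a trusted proxy, otherwise the header is
    rejected (the situation behind HA's 400 and the log line above).  Then
    walk X-Forwarded-For right to left, skipping trusted hops; the first
    address that is not one of our proxies is the client.
    """
    if not is_trusted(peer_ip, trusted):
        raise ValueError(f"X-Forwarded-For from untrusted proxy {peer_ip}")
    hops = [ipaddress.ip_address(h.strip()) for h in xff_header.split(",")]
    for hop in reversed(hops):
        if not is_trusted(hop, trusted):
            return str(hop)
    return str(hops[0])  # every hop was a proxy; fall back to the leftmost


def static_ip_outside_pool(container_ip, subnet, ip_range):
    """True if a static address is inside the bridge's subnet but outside the
    range Docker allocates dynamically, so no other container can receive it."""
    addr = ipaddress.ip_address(container_ip)
    return (addr in ipaddress.ip_network(subnet)
            and addr not in ipaddress.ip_network(ip_range))


if __name__ == "__main__":
    broad = parse_trusted_proxies(["::1", "127.0.0.1", "172.16.0.0/12"])
    pinned = parse_trusted_proxies(["::1", "127.0.0.1", "10.0.4.2"])
    print("HA complained about:", untrusted_proxy_from_log(SAMPLE_HA_LOG))
    # A rogue container on some other bridge (172.18.0.50) talks straight to
    # host:8123 with a forged header.  The broad CIDR believes it ...
    print("broad :", client_ip("172.18.0.50", "198.51.100.9", broad))
    # ... while the pinned proxy list rejects it.
    try:
        client_ip("172.18.0.50", "198.51.100.9", pinned)
    except ValueError as err:
        print("pinned:", err)
    # The legitimate path through Traefik at 10.0.4.2 still works.
    print("via traefik:", client_ip("10.0.4.2", "203.0.113.7", pinned))
    print("10.0.4.2 outside pool:",
          static_ip_outside_pool("10.0.4.2", "10.0.0.0/21", "10.0.0.0/22"))
```

Run it directly to see the broad and pinned lists disagree on the forged request; `static_ip_outside_pool` is the check to run before committing to a static `ipv4_address`, since an address inside the `ip-range` could be handed to another container after a restart.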
Hey folks

I'm also having issues.

I added:

```yaml
extra_hosts:
  - "host.docker.internal:host-gateway"
```

to the traefik compose file to avoid magic IPs, even though it returns the 172.17.0.1.

I have the

```yaml
expose:
  - 8123
```

in the HA compose file.

Also have the trusted_proxies pointing to the subnet of my custom traefik proxy network, with a traefik log `504 Gateway Timeout error="dial tcp 172.17.0.1:8123: i/o timeout"`.

Any tips anyone?

Everything is here: https://github.com/lukanvanderlinde/ubuntu-home-server
> Hey folks
>
> I'm also having issues.
>
> I added:
>
> ```yaml
> extra_hosts:
>   - "host.docker.internal:host-gateway"
> ```
>
> to the traefik compose file to avoid magic IPs, even though it returns the 172.17.0.1.
>
> I have the `expose: - 8123` in the HA compose file.
>
> Also have the trusted_proxies pointing to the subnet of my custom traefik proxy network, with a traefik log `504 Gateway Timeout error="dial tcp 172.17.0.1:8123: i/o timeout"`.
>
> Any tips anyone?
>
> Everything is here: https://github.com/lukanvanderlinde/ubuntu-home-server
504 Gateway Time Out usually means that Traefik cannot reach the backend. Are you sure Traefik and HA are on the same network?
Hey @xZero707 thanks for helping out. Nope, traefik is on its own network.

Traefik container file is using:

```yaml
networks:
  traefik-proxy:
    name: traefik-proxy
    driver: bridge
    ipam:
      config:
        - subnet: 172.18.0.0/16
```

With the

```yaml
extra_hosts:
  - host.docker.internal:host-gateway
```

HA is `network_mode: host`.

What I found weird is that traefik is recognizing the labels in HA, it's pointing to the right URL, it's displaying that HA can't connect, but I receive different errors.

On the console log I get the one above (`504 Gateway Timeout error="dial tcp 172.17.0.1:8123: i/o timeout"`), on the browser I get:
> HA is `network_mode: host`.
>
> What I found weird is that traefik is recognizing the labels in HA, it's pointing to the right URL, it's displaying that HA can't connect, but I receive different errors.
I also ran into this issue when I set up HA, although I don't quite remember what I did to resolve it. What does your HA config look like? Here's mine:

configuration.yaml

```yaml
# Loads default set of integrations. Do not remove.
default_config:

# Load frontend themes from the themes folder
frontend:
  themes: !include_dir_merge_named themes

automation: !include automations.yaml
script: !include scripts.yaml
scene: !include scenes.yaml

homeassistant:
  external_url: "https://ha.domain.com"
  internal_url: "http://serverip:8123"

http:
  use_x_forwarded_for: true
  trusted_proxies:
    - 10.0.4.2
```
The important parts being `external_url` and `internal_url` as well as the `http` section. I think what I did to get it to work was hardcode the traefik container's IP under `trusted_proxies`. This was an issue, as described above, which I found a workaround for.

I also remember having an issue with getting traefik pointed to the right IP address using labels, but I think this was an unrelated issue; I'll include it below in case it's related:

For HA, which I have running in host mode, I have it configured via a config file, `config.yaml`, which is in the same directory as `traefik.yaml`. Note that you would need to include this file as a provider in your `traefik.yaml`. All of my other containers are configured via labels, and I remember this being significant at the time, but I don't remember if it was the fix to this specific issue or not. Here is how mine is configured:
traefik.yaml

```yaml
providers:
  file:
    directory: /etc/traefik
    watch: true
```

config.yaml

```yaml
http:
  routers:
    homeassistant:
      entryPoints:
        - web
        - websecure
      rule: "Host(`ha.domain.com`)"
      service: homeassistant
      tls: {}
  services:
    homeassistant:
      loadBalancer:
        servers:
          - url: "http://serverip:8123"
```
This took me hours to find - thanks for the help my man! :D