This morning I woke up to find I was missing my normal notifications and couldn’t pull up my HA instance.
I restarted the container from my phone but that didn’t solve the issue. I then checked it via the LAN IP and it was working fine. So this made me poke around nginx logs to see if I could find the issue. I couldn’t.
After 15 minutes I opened up my config directory in Finder and noticed that one of the files there was modified today at 12:26 AM. The file was called ip_bans.yaml and contained the IP 172.19.0.3. Deleting this file and restarting the docker solved my access issue.
I then tried logging in with incorrect credentials and got this message. It turns out my NGINX was not forwarding the external IP to my HA instance, so when HA decided to block the IP, it had blocked the LetsEncrypt docker IP, and I could no longer access HA through the reverse proxy.
I then went into my NGINX config and confirmed that the X-Forwarded-For header was included. It turns out my issue was that I had not declared the use_x_forwarded_for and trusted_proxies properties in the http block. To add these, I first moved my container to a new network that I created only for this container. This is done via docker network create nginx and then using docker network inspect nginx to view the network details. Finally, I added these properties as follows:
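An http block of this shape, as an added example rather than the author's own file: the subnet is a constructed placeholder, to be replaced with the Subnet value that docker network inspect nginx reports.

```yaml
# configuration.yaml (Home Assistant): added illustration, not the author's file.
http:
  # Take the client address from X-Forwarded-For instead of the TCP peer,
  # so failed logins are counted against the real client and not the
  # reverse-proxy container.
  use_x_forwarded_for: true
  # Only requests arriving from these addresses or networks are allowed
  # to set X-Forwarded-For.
  trusted_proxies:
    # CONSTRUCTED placeholder: substitute the "Subnet" value shown by
    # `docker network inspect nginx`.
    - 172.18.0.0/16
```

Listing the dedicated network's subnet rather than a single container address keeps the setting valid if Docker hands the proxy a different address after a restart. Every container attached to that network is then trusted to set the header, which is the reason to keep the network limited to this purpose.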
Testing the system again reveals the true IP of the client:
I need to look into whether this IP for the LetsEncrypt/NGINX container will change upon reboot.