- home-assistant/: HA Core + matter-server, host networking (home box, not Dokploy)
- ha-proxy/: nginx reverse-proxy, ha.manohargupta.com -> home HA over Tailscale
- dual-homed (dokploy-network ingress + bridge egress), mirrors n8n pattern
18 lines
890 B
YAML
# configuration.yaml SNIPPET -- paste into ./config/configuration.yaml on the HOME box
# ----------------------------------------------------------------------------
# WHY this is required:
# HA refuses proxied requests by default (anti-spoofing). When ha-proxy forwards
# from Hetzner over the tailnet, the request reaches HA with a SOURCE IP equal to
# the Hetzner node's tailnet IP (after the host masquerades it out tailscale0).
# You must whitelist that IP, or every page load fails with HTTP 400
# "received from untrusted proxy / IP address not allowed".
#
# If you hit a 400, check the HA log -- it prints the exact rejected IP. Put THAT
# IP in trusted_proxies (it should be 100.75.128.45, your Hetzner tailnet IP).

http:
  use_x_forwarded_for: true
  trusted_proxies:
    - 100.75.128.45  # Hetzner (manohar-ubuntu) tailnet IP = the proxy's source
    - 127.0.0.1
    - ::1
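Added example (not part of this repository and not Home Assistant's own code): a simplified Python model of the trusted-proxy decision the comments above describe, using the trusted_proxies values from the snippet. The function names and the sample addresses 203.0.113.7 and 172.18.0.5 are constructed for illustration; the second function flags entries that trust more than one host, such as the whole Tailscale range 100.64.0.0/10.

```python
import ipaddress

# Values taken from the configuration.yaml snippet above.
TRUSTED_PROXIES = ["100.75.128.45", "127.0.0.1", "::1"]


def resolve_client(peer_ip, xff, trusted=TRUSTED_PROXIES, use_xff=True):
    """Return (http_status, client_ip) for one request.

    peer_ip is the TCP source address the server sees; xff is the
    X-Forwarded-For header value, or None when the header is absent.
    """
    nets = [ipaddress.ip_network(t) for t in trusted]

    def is_trusted(ip):
        return any(ip in net for net in nets)

    peer = ipaddress.ip_address(peer_ip)
    if xff is None:
        return 200, str(peer)   # direct request, nothing to validate
    if not use_xff or not is_trusted(peer):
        return 400, None        # proxy header from a source that is not listed
    try:
        hops = [ipaddress.ip_address(h.strip()) for h in xff.split(",")]
    except ValueError:
        return 400, None        # malformed header
    # Walk right to left: the first hop that is not one of our own
    # proxies is the client. Entries further left are client-supplied.
    for hop in reversed(hops):
        if not is_trusted(hop):
            return 200, str(hop)
    return 200, str(hops[0])


def overbroad(trusted):
    """List trusted_proxies entries that cover more than a single host."""
    return [t for t in trusted if ipaddress.ip_network(t).num_addresses > 1]


if __name__ == "__main__":
    # Constructed requests: listed proxy, then an unlisted source address.
    print(resolve_client("100.75.128.45", "203.0.113.7"))
    print(resolve_client("172.18.0.5", "203.0.113.7"))
    print(overbroad(["100.64.0.0/10", "127.0.0.1"]))
```

The second call is the HTTP 400 case from the comments: the source address the server sees is not in the list, so the forwarded header is refused.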