Turning on DNS Proxy stops access to site

What is the name of the domain?

homeassistant.mydomain.org

What is the issue you’re encountering

Unable to connect to site when DNS Proxy is enabled.

What steps have you taken to resolve the issue?

I have two servers on my LAN – a Raspberry Pi, which I use for hosting a web app, and recently I have added a virtual machine (running on an Ubuntu host) which runs the Home Assistant Operating System.

I have set up my router to forward incoming requests on port 443 to the Raspberry Pi, and requests on port 2053 to the Home Assistant server.

The Raspberry Pi uses a Let's Encrypt script to obtain a certificate (my-pi.mydomain.org) and I have installed the Let's Encrypt add-on on the HA server (homeassistant.mydomain.org).

My DNS is hosted with Cloudflare. Both sub-domains point to the same external IP address using ‘A’ records.

With the DNS Proxy turned on for the Raspberry Pi, everything is working as it should (and has done for many years). And if I turn the DNS proxy off for the HA, I can also access the server fine, using https://homeassistant.mydomain.org:2053. However, when I turn the Cloudflare DNS Proxy on for the HA server, the connection stops working – the app simply says connection lost and a web browser says 400 Bad Request. (One frustrating thing I have found is that it takes up to 10 minutes before a Cloudflare change takes effect, which has caused quite a bit of confusion and makes things slow to test.)

So in my mind, there must be a problem with Cloudflare connecting to the HA server. The SSL/TLS setting is set to Full (strict).

As far as I can tell, port 2053 is supported by Cloudflare – (new user – so can’t add link)

I have cleared the cookies in the browser, and I have cleared the Cloudflare cache.

I’ve been using the Trace tool. If I run a trace to my my-pi site I get an HTTP status code of 200 OK. But if I run a trace to my homeassistant site, I get an HTTP 526 error. I have followed the suggestions on the page for this error (new user – so can’t add link). The curl command in idea 1 returned a 200 OK (and it has only just been created). I don’t really understand idea 3 (but I don’t have any CNAME records).

If I run the SSL checker at sslshopper (new user – can’t add link) it returns success. I have uninstalled the HA Letsencrypt addon and re-installed it with the same result.

How can I tell what the problem is (so that I can then take steps to fix it)?

What feature, service or problem is this related to?

DNS records

May I ask if you’ve added Cloudflare IPs to the Trusted Proxies in your HA setup?

On the below link, there is also a way to add Cloudflare Origin CA SSL certificate to the HomeAssistant.

I’ve used HA on a virtual machine for my work at school for a “smart classroom” which was connected to the HDL devices, sensors, etc…, but my setup was via the cloudflared tunnel.

Cloudflare IPs:

Thank you for the suggestion - I had not configured the http: section for reverse proxy, and I had not listed the Cloudflare IP addresses. All done now, and it is all working. I eventually realised that the error details were in the HA log, accessed by an SSH session, not by the UI.

I wonder what will happen if Cloudflare starts to use a different IP address? Is there any way to keep this list dynamically updated I wonder?


Actually, it does get updated; however, I’d say it’s not that frequent, so you’d get some issues or be blocked. On the link above, there is an Update History where those changes can be tracked.

Using the Cloudflare API could be a way to check those links for IPv4 and IPv6 and parse out the text file, e.g. once a month, via some kind of cron job and a script that re-adds them if needed to the application or to a config file we’re using.
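As an added example (not code from this thread or from Home Assistant), the script sketched above: it parses the one-CIDR-per-line lists, renders the `http:` section with `use_x_forwarded_for` and `trusted_proxies` for configuration.yaml, and shows the peer check behind the 400 Bad Request. The list URLs (https://www.cloudflare.com/ips-v4 and /ips-v6) and the sample ranges are assumptions; a cron job would fetch the live lists instead of the embedded sample.

```python
import ipaddress

# Constructed sample of the CIDR-per-line text lists; the real cron job would
# download https://www.cloudflare.com/ips-v4 and /ips-v6 (assumed URLs).
SAMPLE_V4 = "173.245.48.0/20\n103.21.244.0/22\n\n# blank and comment lines are tolerated\n"
SAMPLE_V6 = "2400:cb00::/32\n2606:4700::/32\n"


def parse_cidrs(text):
    """Parse a CIDR-per-line list into validated networks.

    Blank lines and '#' comments are skipped; any other malformed entry raises
    ValueError, so a garbled download never lands in trusted_proxies.
    """
    nets = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        nets.append(ipaddress.ip_network(line, strict=True))
    return nets


def proxy_is_trusted(peer_ip, nets):
    """The check HA applies to the TCP peer of a request carrying X-Forwarded-For.

    If the peer (here the Cloudflare edge) is outside trusted_proxies the request
    is refused with 400 Bad Request, the symptom described in the thread.
    """
    addr = ipaddress.ip_address(peer_ip)
    return any(addr in net for net in nets)


def render_http_section(nets, local=("127.0.0.1", "::1")):
    """Render the `http:` section for configuration.yaml.

    Entries are sorted so two runs produce identical text and the file only
    needs rewriting when the published ranges actually changed.
    """
    entries = sorted({str(n) for n in nets} | set(local))
    lines = ["http:", "  use_x_forwarded_for: true", "  trusted_proxies:"]
    lines += [f"    - {e}" for e in entries]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    cloudflare = parse_cidrs(SAMPLE_V4) + parse_cidrs(SAMPLE_V6)
    print(render_http_section(cloudflare))
```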
