Home Assistant, Websockets 404

Hi All,

Just fumbling my way through migrating from v1.7.6 to 2.0 and I cannot get the connection to home assistant to work. Any help would be amazing!

1.7.6 Config (working)
----> traefik.toml

debug = true
logLevel = "DEBUG" #DEBUG, INFO, WARN, ERROR, FATAL, PANIC
InsecureSkipVerify = false
sendAnonymousUsage = true
passHostHeader = true
#defaultEntryPoints = ["http", "https"]
defaultEntryPoints = ["http", "https","ws", "wss"]

[entryPoints]
  [entryPoints.http]
  address = ":80"
    [entryPoints.http.redirect]
    entryPoint = "https"
  [entryPoints.https]
  address = ":443"
  [entryPoints.https.tls]

----> HomeAssistant.toml

[frontends]
  [frontends.home-assistant]
  backend = "home-assistant"
  [frontends.home-assistant.headers]
  SSLRedirect = true
  STSSeconds = 315360000
  browserXSSFilter = true
  contentTypeNosniff = true
  forceSTSHeader = true
  SSLHost = "mydomain.com"
  STSIncludeSubdomains = true
  STSPreload = true
  frameDeny = false
  passHostHeader = true
  customFrameOptionsValue = "sameorigin"

[backends]
  [backends.home-assistant]
    [backends.home-assistant.servers]
      [backends.home-assistant.servers.server1]
      url = "http://192.168.13.88:8123"
      weight = 1

traefik 2.0
----> traefik.yml

log:
  level: DEBUG
  filePath: "/logs/traefik.log"

accessLog:
  filePath: "/logs/access.log"
  bufferingSize: 100

api: {}

providers:
  docker:
    endpoint: "unix:///var/run/docker.sock"
    exposedByDefault: false
    watch: true
  file:
    directory: /etc/traefik/dynamic/

entryPoints:
  web:
    address: ":80"
  web-secure:
    address: ":443"

----> home-assistant.yaml

http:
  middlewares:
    sslheader:
      headers:
        sslRedirect: true
        stsSeconds: 315360000
        browserXssFilter: true
        contentTypeNosniff: true
        forceSTSHeader: true
        sslHost: "mydomain.com"
        stsIncludeSubdomains: true
        stsPreload: true
        frameDeny: false
        customFrameOptionsValue: "sameorigin"
        customRequestHeaders:
          X-Forwarded-Proto: "https"
  routers:
    # Home Assistant
    ha-router:
      rule: "Host(`home.mydomain.com`)"
      entryPoints:
     - web-secure
      middlewares:
      - sslheader
      service: ha-service
  services:
    ha-service:
      loadBalancer:
        passHostHeader: true
        servers:
        - url: "http://localipaddress:8123"

Oh, the error I get is this:

VM63:1 POST https://home.mydomain.com/auth/token 404
core.6e4a9dd6.js:1 WebSocket connection to 'wss://home.mydomain.com/api/websocket' failed: Error during WebSocket handshake: Unexpected response code: 404
lovelace:1 Uncaught (in promise) 1
manifest.json:1 GET https://home.mydomain.com/manifest.json 404
manifest.json:1 Manifest: Line: 1, column: 5, Unexpected data after root element.
A bad HTTP response code (404) was received when fetching the script.

Hi @Unthred,

Could you please provide us the full docker-compose file you are using and the full log of your traefik instance?

Hi @michael thanks for responding

I realise I should have explained more about my setup if I have any chance of getting help :yum:
Hopefully this will make sense!

Home Assistant is running on a separate machine behind the server traefik is running on; the config for it is loaded from the home-assistant.yaml file and its IP address is 192.168.13.88.
I get the initial title bar of the home assistant screen afore it fails

My traefik docker has successfully proxied the traefik gui working and a whoami test docker.

I am using an unraid server so I don't use docker-compose files.
Here is the command unraid uses to create the traefik docker:

/usr/local/emhttp/plugins/dynamix.docker.manager/scripts/docker create --name='traefik' \
--net='bridge' \
--log-opt max-size='10m' --log-opt max-file='2' \
-e TZ="Europe/London" -e HOST_OS="Unraid" \
-e 'CF_API_EMAIL'='redacted' -e 'CF_API_KEY'='redacted' \
-l 'traefik.enable'='true' \
-l 'traefik.docker.network'='frontend' \
-l 'traefik.http.routers.dashboard.rule'='Host(`traefik.yeradonkey.com`)' \
-l 'traefik.http.routers.dashboard.entrypoints'='web-secure' \
-l 'traefik.http.routers.dashboard.tls.certresolver'='default' \
-l 'traefik.http.routers.dashboard.tls.domains[0].main'='yeradonkey.com' \
-l 'traefik.http.routers.dashboard.tls.domains[0].sans'='*.yeradonkey.com' \
-l 'traefik.http.routers.dashboard.service'='api@internal' \
-l 'traefik.http.routers.dashboard.middlewares'='auth@file' \
-p '80:80/tcp' -p '443:443/tcp' -p '8080:8080/tcp' \
-v '/mnt/user/appdata/traefik/':'/etc/traefik':'rw' \
-v '/mnt/user/appdata/traefik/logs/':'/logs':'rw' \
-v '/mnt/user/appdata/traefik/data/':'/data':'rw' \
-v '/var/run/docker.sock':'/var/run/docker.sock':'rw' \
'traefik' 

traefik.log
access.log

I am running into issues with migrating my hass.io install (https://github.com/home-assistant/hassio-installer) to 2.0 as well.

My setup for 1.7 was fairly simple:

  • Traefik 1.7 and other containers via docker-compose
    • containers proxied with labels on the docker compose yaml w/ cloudflare and sub-domain wildcards per container
    • traefik configured via toml file
  • hassio installed in docker
    • install command curl -sL https://raw.githubusercontent.com/home-assistant/hassio-installer/master/hassio_install.sh | bash -s -- -m qemux86-64 -d /home/USERNAME/docker/hassio
    • used a rules.toml to proxy traefik:
[backends]
  [backends.backend-homeassistant]
    [backends.backend-homeassistant.servers]
      [backends.backend-homeassistant.servers.server-homeassistant-ext]
        url = "http://192.168.1.111:8123"
        weight = 0
[frontends]
  [frontends.frontend-homeassistant]
    backend = "backend-homeassistant"
    passHostHeader = true
    [frontends.frontend-homeassistant.routes]
      [frontends.frontend-homeassistant.routes.route-homeassistant-ext]
      rule = "Host:SUD.DOMAIN.COM"

Now on 2.0 I have the docker-compose.yml containers working.

Traefik + exp container portion of docker-compose.yaml:

  traefik:
    hostname: traefik
    image: traefik:latest
    container_name: traefik
    restart: always
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock:ro
      - ${USERDIR}/docker/traefik:/etc/traefik
      - ${USERDIR}/docker/shared:/shared
    ports:
      - "80:80"
      - "443:443"
    networks:
      default:
      traefik_proxy:
        ipv4_address: 172.19.0.99
    environment:
      - PUID=${PUID}
      - PGID=${PGID}
      - TZ=${TZ}
      - CF_API_EMAIL=${CF_API_EMAIL}
      - CF_API_KEY=${CF_API_KEY}
      - TRAEFIK_ACCESSLOG=true

    command:
      - "--api=true"
      - "--api.dashboard=true"
      - "--global.sendanonymoususage=false"
      - "--log.level=WARN"
      - "--serverstransport.insecureskipverify"
      - "--providers.docker=true"
      - "--providers.docker.network=traefik_proxy"
      - "--providers.docker.exposedbydefault=false"
      - "--providers.file.filename=/etc/traefik/dynamic_conf.toml"
      - "--providers.file.watch=true"
      - "--providers.rest=true"
      - "--entrypoints.http.address=:80"
      - "--entrypoints.https.address=:443"
      - "--certificatesresolvers.cloudflare.acme.dnsChallenge=true"
      - "--certificatesresolvers.cloudflare.acme.dnsChallenge.provider=cloudflare"
      - "--certificatesresolvers.cloudflare.acme.email=${CF_API_EMAIL}"
      - "--certificatesresolvers.cloudflare.acme.storage=/etc/traefik/acme.json"

    labels:
      traefik.enable: true
      traefik.docker.network: traefik_proxy
      traefik.http.routers.traefik.entrypoints: https
      traefik.http.routers.traefik.tls.certresolver: cloudflare
      traefik.http.routers.traefik.rule: Host(`traefik.${DOMAINNAME}`)
      traefik.http.routers.traefik.middlewares: secureheaders, basicauth
      traefik.http.routers.traefik.service: api@internal
      traefik.http.routers.http.entrypoints: http
      traefik.http.routers.http.rule: HostRegexp(`${DOMAINNAME}`, `{subdomain:[a-z]+}.${DOMAINNAME}`)
      traefik.http.routers.http.middlewares: redirectscheme
      traefik.http.middlewares.redirectscheme.redirectscheme.scheme: https
      traefik.http.middlewares.basicauth.basicauth.users: user:passwd
      traefik.http.middlewares.secureheaders.headers.stsSeconds: 15552000
      traefik.http.middlewares.secureheaders.headers.framedeny: true
      traefik.http.middlewares.secureheaders.headers.sslForceHost: true
      traefik.http.middlewares.secureheaders.headers.sslRedirect: true
      traefik.http.middlewares.secureheaders.headers.stsIncludeSubdomains: true
      traefik.http.middlewares.secureheaders.headers.browserXssFilter: true
      traefik.http.middlewares.secureheaders.headers.contentTypeNosniff: true
      traefik.http.middlewares.secureheaders.headers.forceSTSHeader: true
      traefik.http.middlewares.secureheaders.headers.stsPreload: true
      traefik.http.middlewares.secureheaders.headers.customResponseHeaders.X-Robots-Tag: none
      traefik.http.middlewares.secureheaders.headers.customFrameOptionsValue: SAMEORIGIN


  portainer:
    image: portainer/portainer
    container_name: portainer
    restart: always
    command: -H unix:///var/run/docker.sock
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock
      - ${USERDIR}/docker/portainer/data:/data
      - ${USERDIR}/docker/shared:/shared
    environment:
      - TZ=${TZ}
      - PUID=${PUID}
      - PGID=${PGID}
    networks:
      - traefik_proxy
    ports:
      - "9000:9000"
    labels:
      traefik.enable: true
      traefik.docker.network: traefik_proxy
      traefik.http.routers.portainer.entrypoints: https
      traefik.http.routers.portainer.tls.certresolver: cloudflare
      traefik.http.routers.portainer.rule: Host(`portainer.${DOMAINNAME}`)

I cannot figure out how to replicate what I had in my rules.toml for 2.0 yet though. I have read most all the documentation and I think I need a dynamic_conf.toml. So far I have:

[http.routers]
  [http.routers.hassio]
  entrypoints = ["http"]
  rule = "Host(`SUB.DOMAIN.COM`)"
  service = "hassio-docker"
  [http.routers.hassio.tls]
    certResolver = "cloudflare"

[http.services]
  [http.services.hassio-docker.LoadBalancer]
     [[http.services.hassio-docker.LoadBalancer.servers]]
        url = "http://192.168.1.111:8123"

Does using a file config not pick up on the CLI commands I passed in docker-compose? Is it possible to not use the toml at all for this?

Also, with how hassio is set up, it contains addons that are docker containers. They do some ingress stuff (not familiar w/ ingress), and it is mainly managed by the hassio supervisor container. Is it possible to set up traefik to proxy those containers?

EDIT: Solved the frontend / backend issue.
Edited docker-compose to have a command for "--providers.file.filename=/etc/traefik/dynamic_conf.toml" instead of dynamic_conf.toml.

Added a rules.yaml with:
rules.yml:

http:
  routers:
    hass:
      entryPoints:
        - http
        - https
      rule: "Host(`hass.DOMAIN.XYZ`)"
      service: hass
      tls:
        certResolver: "cloudflare"
        domains:
          - main: "DOMAIN.XYZ"
            sans:
              - "*.DOMAIN.XYZ"
  services:
    hass:
      loadBalancer:
        servers:
          - url: "http://192.168.1.111:8123"
        passHostHeader: true
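
Added example, not part of any post and not Traefik project code: one difference between the rules.yml above and the home-assistant.yaml in the first post is that the first router has no `tls` section. In Traefik v2 a router without `tls` only matches plain-HTTP requests, so HTTPS requests arriving on a :443 entry point find no router and get a 404. The check below runs over dicts constructed from the thread's YAML and CLI flags; the function names are hypothetical.

```python
# Added example (not from the thread): find Traefik v2 routers attached to a
# TLS entry point that have no `tls` section. Function names are hypothetical.
# The dicts are constructed from the YAML and CLI flags quoted in the thread.

FIRST_POST_ENTRYPOINTS = {"web": {"address": ":80"}, "web-secure": {"address": ":443"}}
FIRST_POST_DYNAMIC = {  # router from home-assistant.yaml
    "http": {"routers": {"ha-router": {
        "rule": "Host(`home.mydomain.com`)",
        "entryPoints": ["web-secure"],
        "middlewares": ["sslheader"],
        "service": "ha-service",
    }}}
}

SOLVED_ENTRYPOINTS = {"http": {"address": ":80"}, "https": {"address": ":443"}}
SOLVED_DYNAMIC = {  # router from rules.yml
    "http": {"routers": {"hass": {
        "rule": "Host(`hass.DOMAIN.XYZ`)",
        "entryPoints": ["http", "https"],
        "service": "hass",
        "tls": {"certResolver": "cloudflare"},
    }}}
}


def port_of(address):
    """Port from an entry point address such as ':443' or '0.0.0.0:443/tcp'."""
    return int(address.rsplit(":", 1)[1].split("/", 1)[0])


def routers_missing_tls(entrypoints, dynamic, tls_ports=(443,)):
    """Return sorted (router, entry point) pairs lacking `tls` on a TLS port."""
    tls_eps = {name for name, ep in entrypoints.items()
               if port_of(ep["address"]) in tls_ports}
    findings = []
    routers = dynamic.get("http", {}).get("routers", {})
    for name, router in sorted(routers.items()):
        if "tls" in router:
            continue  # router is dedicated to HTTPS requests
        # A router that lists no entry points is attached to all of them.
        attached = set(router.get("entryPoints") or entrypoints)
        findings += [(name, ep) for ep in sorted(attached & tls_eps)]
    return findings


if __name__ == "__main__":
    print(routers_missing_tls(FIRST_POST_ENTRYPOINTS, FIRST_POST_DYNAMIC))
    print(routers_missing_tls(SOLVED_ENTRYPOINTS, SOLVED_DYNAMIC))
```
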

Hi @Unthred,

Thanks for the configuration, log files and the explanation.

Unfortunately I am not able to reproduce your issue on my side.

Have you fixed your issue?