Calling Home Assistant from NSPanel Manager - resolved

I’m trying to install and configure NSPanel Manager (https://nspanelmanager.com) so that it works with Core, MQTT and the recently enabled and configured HA setup. Code now available via GitHub - NSPManager/NSPanelManager: Sonoff NSPanel custom firmware for responsive and intuitive use

Due to HA not being configured to allow ADD-ONs, I’ve resorted to installing the NSPanel Manager software as a Docker container on my Mac (fine for now).

NSPanel Manager runs fine - is configured to connect to MQTT (on the Core) and that works great. The reflashed NSPanel also works and can be seen by the manager.

What I can’t get to work is the NSPanel Manager connecting to HA.

I’ve been working with the developer to understand why. Initially, he had no support for self-signed certs. He has asked for me to try the following with the expectation that JSON is returned - but it isn’t.

curl https://192.168.3.106:18443/api/states -H "Authorization: Bearer HA-TOKEN" -H "content-type: application/json"

What is returned is:

<html>
<head><title>302 Found</title></head>
<body>
<center><h1>302 Found</h1></center>
<hr><center>nginx/1.18.0</center>
</body>

So what could be causing this? HA config missing? (I have added api: to the configuration.yaml file - didn’t make a difference). A proxy thing?

Any assistance gratefully received. @markus @RRodman @april.brandt


Was hoping to hear from the “Core” team?

Anyone able to provide some assistance with this one? I think once that call to HA is configured to work and return JSON, I think I should be sorted.

Thanks!

If I issue the curl command with the flag -L, it allows curl to follow the 302 redirect. It appears that I’m being taken to the SSO login screen (that’s the HTML that is being returned) - so it looks like HA API calls being made outside of Core are hitting the SSO login page as opposed to being ignored.

How do I fix that? @markus ?

HELLO @markus @april.brandt @RRodman ??

Would appreciate an acknowledgement and some feedback on my query please. SSO appears to be interfering with calling HA via the API. See above.

Thank you!

@nutcracker sorry, missed this, checking the config (/etc/nginx/sites-available/homeassistant) for port 18443, the SSO isn’t in the way:

server {
    ## Localhost configuration
    ##
    listen 127.0.0.2:18443;

    ## Include shared defaults for all top-level sites on CORE
    include snippets/shared.conf;

    location / {
        ## Set environment variables for use with SSO
        set $service_unit "podman-homeassistant";
        set $service_name_pretty "Home Assistant";

        proxy_pass http://127.0.0.1:8123/;
    }
}

What does your section in that config file look like?

Thanks @markus for coming back to me!

Here’s my configuration:

server {
    ## These shouldn't need to be changed
    listen 18080;
    return 302 https://$host$request_uri;
}

server {
    ## SSL configuration
    ##
    listen 18443 ssl;
    
    ## certificate.conf is a symlink pointing to the actual cert-config
    ## The default certificate is a self-signed one
    include snippets/certificate.conf;
    include snippets/ssl-params.conf;
    
    ## Include shared defaults for all top-level sites on CORE
    include snippets/shared.conf;

    include sso/portal.conf;

    location / {
        ## Set environment variables for use with SSO
        set $service_unit "podman-homeassistant";
        set $service_name_pretty "Home Assistant";

        proxy_pass http://127.0.0.1:8123/;

        include sso/auth.conf; # Activates SSO for specified route/location
        include sso/proxy.conf; # Reverse proxy configuration
    }
}

server {
    ## Localhost configuration
    ##
    listen 127.0.0.2:18443;
    
    ## Include shared defaults for all top-level sites on CORE
    include snippets/shared.conf;

    location / {
        ## Set environment variables for use with SSO
        set $service_unit "podman-homeassistant";
        set $service_name_pretty "Home Assistant";

        proxy_pass http://127.0.0.1:8123/;
    }   
}
# code: language=nginx insertSpaces=true tabSize=4

See post 1 above that shows the output from the CURL command which when I add the -L switch (post 3) I’m seeing HTML being returned that looks like the login screen.

<!DOCTYPE html>
<html lang="en">
<head>
  <base href="https://192.168.3.106/sso/" />
  <meta property="csp-nonce" content="xxxxxxxxxxxxxxxxxxx" />
  <meta charset="utf-8" />
  <meta name="viewport" content="width=device-width, initial-scale=1" />
  <meta name="theme-color" content="#000000" />
  <meta name="description" content="Collective CORE SSO Portal" />
  <link rel="manifest" href="./manifest.json" />
  <link rel="icon" href="./favicon.ico" />
  <title>Login - CORE SSO</title><link rel="stylesheet" href="/public/authelia/css/override.css"><script type="module" crossorigin src="/public/authelia/js/index.js"></script>
  <script type="module" crossorigin src="./static/js/index.a0a1478a.js"></script>
  <link rel="stylesheet" href="./static/css/index.61dd7128.css">
</head>

<body
    data-basepath="/sso"
    data-duoselfenrollment="false"
    data-logooverride="false"
    data-rememberme="true"
    data-resetpassword="false"
    data-resetpasswordcustomurl=""
    data-theme="dark"
>
  <noscript>You need to enable JavaScript to run this app.</noscript>
  <div id="root"></div>
  
</body>
</html>

To disable SSO in your config, comment out the above and run:

sudo systemctl reload nginx

Ok… of course would like to have SSO… so is it not possible to reconfigure either SSO and/or HA API calls to allow them to work side by side? The HA API calls are already passing a token.

You can; you could just exclude the API part:

location /api {
    proxy_pass http://127.0.0.1:8123/api;
}

Just need to add that config into the same /etc/nginx/sites-available/homeassistant file?

I will take a look.

Many thanks!

Yes, in this section:

server {
    ## SSL configuration
    ##
    listen 18443 ssl;
    
    ## certificate.conf is a symlink pointing to the actual cert-config
    ## The default certificate is a self-signed one
    include snippets/certificate.conf;
    include snippets/ssl-params.conf;
    
    ## Include shared defaults for all top-level sites on CORE
    include snippets/shared.conf;

    include sso/portal.conf;

    location /api {
        proxy_pass http://127.0.0.1:8123/api;
    }

    location / {
        ## Set environment variables for use with SSO
        set $service_unit "podman-homeassistant";
        set $service_name_pretty "Home Assistant";

        proxy_pass http://127.0.0.1:8123/;

        include sso/auth.conf; # Activates SSO for specified route/location
        include sso/proxy.conf; # Reverse proxy configuration
    }
}

Thank you @markus, will have a play.


Have restarted… but now unable to launch Home Assistant. Using: https://192.168.3.106:18443/lovelace

(the CURL command now works and returns JSON)

@markus

Hmm… might be that it needs to be able to use the API with the login.

You could create an additional section on another port, like 19443, and keep 18443 as it was.

If that doesn’t work I can check tomorrow, have left my computer for the day.

I’m now walking into unfamiliar territory and don’t want to change anything unless I break it further.

I’ll wait for you to come back to this @markus for further guidance/detailed instructions as to what I would need to change here.

Thanks again.

I commented out the /api config changes you suggested and went ahead with disabling SSO. That broke things too.

I’ve now undone the changes and back to where I was before you responded today - so at least I have a working system. @markus

Try putting the API on a separate port, like 19443:

server {
    ## SSL configuration
    ##
    listen 19443 ssl;
    
    ## certificate.conf is a symlink pointing to the actual cert-config
    ## The default certificate is a self-signed one
    include snippets/certificate.conf;
    include snippets/ssl-params.conf;
    
    ## Include shared defaults for all top-level sites on CORE
    include snippets/shared.conf;

    include sso/portal.conf;

    location /api {
      proxy_pass http://127.0.0.1:8123/api;
    }
}

This may not be the ideal way of doing it, but it should work. There may exist a standard way to do this with HomeAssistant together with SSO, but I’m not a HA user so not sure where I’d find that information.

Thanks, will take a look at this.

Am I adding this config to what is already there?

Is there anything else I need to change to then start using this new configuration?

@markus so I’ve added the above as a new section and restarted nginx and I think it’s working. I can connect to HA via SSO with no issues and I can issue the CURL command (without -L) against the new 19443 port and I’m seeing JSON being returned.

I’m still having issues with NSPanel Manager being able to connect to HA using the new port. I presume this config would also allow wss web sockets against this setup?

Connecting to Home Assistant at wss://192.168.3.106:19443/api/websocket

I’ll feedback to the author of NSPanel Manager to see what they have to say.

The websocket forwarding probably requires a bit of additional entries to the nginx config, since that is an upgraded connection. From memory I think this is what would need to be added on port 19443 for the api section:

proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection $connection_upgrade;
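
The pieces from this thread assembled into one port-19443 block with WebSocket forwarding, as an added example that is not part of the original posts or the CORE project's own configuration. It assumes the file is included from nginx's http context and that `$connection_upgrade` is not already defined in one of the included snippets; the `map`, `proxy_http_version` and the trailing slash on `/api/` are additions to what was posted.

```nginx
## Added example. Assumption: $connection_upgrade is not defined elsewhere
## (for instance in snippets/shared.conf); if it is, leave this map out.
map $http_upgrade $connection_upgrade {
    default upgrade;   # client sent an Upgrade header: forward the upgrade
    ''      close;     # ordinary HTTP request: no upgrade
}

server {
    ## API-only listener. sso/auth.conf is not included in any location
    ## here, so Home Assistant's own bearer-token check is the only
    ## authentication on this port.
    listen 19443 ssl;

    ## Same includes as the 19443 block posted in the thread
    include snippets/certificate.conf;
    include snippets/ssl-params.conf;
    include snippets/shared.conf;
    include sso/portal.conf;

    ## Trailing slash limits the match to the /api/ tree
    ## (/api/states, /api/websocket) instead of any path starting with /api
    location /api/ {
        proxy_pass http://127.0.0.1:8123/api/;

        ## WebSocket upgrade, needed for wss://.../api/websocket
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection $connection_upgrade;
    }
}
```

Check the result with `sudo nginx -t` before running `sudo systemctl reload nginx`. Port 18443 stays behind SSO as before; anything that can reach 19443 gets to the Home Assistant API with only the token in the way, so restrict access to that port to the hosts that need it.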