rem.co

Homeassistant Apache Httpd Proxy Configuration

 |  400 words — 2 minutes  |  homeassistant apache httpd

I spent some time getting the Apache httpd (Apache/2.4.57 (Red Hat Enterprise Linux)) reverse proxy config for HomeAssistant (2024.3.0) just right, so I thought I’d document it for future use.

httpd.conf
<VirtualHost *:80>
    ServerName homeassistant.your.domain
    CustomLog /var/log/httpd/homeassistant_80_access.log combined
    ErrorLog /var/log/httpd/homeassistant_80_error.log
    # The trailing slash matters: without it, /foo redirects to https://homeassistant.your.domainfoo
    Redirect permanent / https://homeassistant.your.domain/
</VirtualHost>

<VirtualHost *:443>
    ServerName homeassistant.your.domain
    SSLEngine on
    SSLCertificateFile "/etc/letsencrypt/live.your.domain/fullchain.pem"
    SSLCertificateKeyFile "/etc/letsencrypt/live.your.domain/privkey.pem"
    SSLCipherSuite HIGH:!aNULL:!MD5
    CustomLog /var/log/httpd/homeassistant_443_access.log combined
    ErrorLog /var/log/httpd/homeassistant_443_error.log

    <Location /api/webhook>
    </Location>

    <Location />
        # Requests that carry the shared-secret header skip everything inside this block
        <If "%{HTTP:X-Auth-Token} != 'some_arbitrary_password'">
            #Allow specific User Agents to skip authentication
            # User-Agent is supplied by the client, so these matches are a convenience, not an access control
            BrowserMatchNoCase HomeAssistant noauth=1
            # Quoted so the whole phrase is the pattern (unquoted, only "Home" would be matched)
            BrowserMatchNoCase "Home Assistant" noauth=1
            BrowserMatchNoCase Home%20Assistant noauth=1
            BrowserMatchNoCase AppleWebKit noauth=1
            #Allow Google PubSubHubbub to access /feed/webhook/v1 to push notifications  (https://github.com/iv-org/homeassistant/blob/master/config/config.example.yml#L424)
            SetEnvIf Request_URI "/api/webhook" noauth=1
            # Order/Allow/Satisfy are 2.2-style directives; on httpd 2.4 they need mod_access_compat
            Order Allow,Deny
            Allow from env=noauth

            # openid-connect is provided by mod_auth_openidc (its OIDC* provider settings are not shown here)
            AuthType openid-connect
            Require claim "email:allowed@email.address"
            Require claim "email:another@allowed.email.address"

            Satisfy any
        </If>
    </Location>
    ProxyPass /api/websocket ws://127.0.0.1:8123/api/websocket
    ProxyPassReverse /api/websocket ws://127.0.0.1:8123/api/websocket
    ProxyPass / http://127.0.0.1:8123/
    ProxyPassReverse / http://127.0.0.1:8123/

    RewriteEngine on
    RewriteCond %{HTTP:Upgrade} =websocket [NC]
    RewriteRule /(.*)  ws://127.0.0.1:8123/$1 [P,L]
    RewriteCond %{HTTP:Upgrade} !=websocket [NC]
    RewriteRule /(.*)  http://127.0.0.1:8123/$1 [P,L]

    ProxyPreserveHost on
    ProxyRequests off
</VirtualHost>
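
An added example, not part of the original post: a small audit script for the homeassistant_443_access.log written by the vhost above, listing successful requests that were served without an authenticated user and which noauth rule most likely let them through. It assumes that OIDC-authenticated requests log a remote user in the combined format's %u field while bypassed ones log "-"; the log lines are constructed.

```python
import re
from collections import Counter

# Combined log format: host ident user [time] "request" status bytes "referer" "user-agent"
LINE_RE = re.compile(
    r'(?P<host>\S+) \S+ (?P<user>\S+) \[[^\]]+\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+ '
    r'"[^"]*" "(?P<agent>[^"]*)"'
)
# The User-Agent patterns the vhost exempts with BrowserMatchNoCase
BYPASS_UA = re.compile(r"HomeAssistant|Home Assistant|Home%20Assistant|AppleWebKit", re.I)

# Constructed sample lines (documentation-range addresses, made-up user name)
SAMPLE_LOG = """\
192.0.2.10 - - [10/Mar/2024:10:00:01 +0100] "GET /lovelace HTTP/1.1" 200 5120 "-" "Home Assistant/2024.3 (Android)"
198.51.100.7 - - [10/Mar/2024:10:00:05 +0100] "GET /api/states HTTP/1.1" 200 9000 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36"
203.0.113.5 - - [10/Mar/2024:10:00:09 +0100] "POST /api/webhook/abc123 HTTP/1.1" 200 0 "-" "curl/8.0"
192.0.2.44 - - [10/Mar/2024:10:00:11 +0100] "GET / HTTP/1.1" 302 0 "-" "Mozilla/5.0 Gecko/20100101 Firefox/123.0"
192.0.2.44 - oidc-user [10/Mar/2024:10:00:12 +0100] "GET / HTTP/1.1" 200 300 "-" "Mozilla/5.0 Gecko/20100101 Firefox/123.0"
"""

def classify(line):
    """Return (host, reason) for a request served without a logged user, else None."""
    m = LINE_RE.match(line)
    # Skip unparsable lines, authenticated requests, and redirects/errors (e.g. the OIDC challenge)
    if not m or m["user"] != "-" or int(m["status"]) >= 300:
        return None
    path = m["path"].split("?", 1)[0]  # Request_URI does not include the query string
    if re.search(r"/api/webhook", path):  # same pattern as the SetEnvIf rule
        return m["host"], "webhook"
    if BYPASS_UA.search(m["agent"]):
        return m["host"], "user-agent"
    return m["host"], "other"  # e.g. the X-Auth-Token header, which is not logged

def summarize(log_text):
    """Count unauthenticated successful requests per (host, reason)."""
    hits = (classify(line) for line in log_text.splitlines())
    return Counter(hit for hit in hits if hit)

if __name__ == "__main__":
    for (host, reason), count in summarize(SAMPLE_LOG).most_common():
        print(f"{host:15} {reason:10} {count}")
```
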

Git: Automatically moving a tag using a custom command

 |  200 words — 1 minute  |  git bash script

Ever find yourself moving a git tag to a new commit? You’ll probably know this procedure consists of three steps:

  • Removing the existing tag from your origin

  • Manually moving the tag (using -f to allow moving)

  • Pushing the tag back to your origin

Since this procedure is more cumbersome than it could be, behold, a quick and easy life hack to automate this process into a single custom command.

Puppet: Calculating average catalog compilation times

 |  300 words — 2 minutes  |  puppet bash linux oneliner

Just a quick post with the oneliner of the day.

When you are debugging catalog compilation issues or other puppet performance issues in general, it is good to know exactly which catalogs are slow to compile. Knowing which catalogs are substantially slower than others allows you to focus on those catalogs and the modules they contain.

Git: The difference between lightweight and annotated tags

 |  1400 words — 7 minutes  |  git

I was reviewing some pull requests at work today. One of the PRs had an updated composer.lock file. We usually check if the reference matches the version for this update, to see if that commit is actually released on the module’s master branch:

Example of an updated composer.lock
"name": "company/module_name",
- "version": "0.11.0",
+ "version": "0.12.0",
"source": {
	"type": "git",
	"url": "ssh://git@stash.company.net/packages/module_name.git",
-	"reference": "19ecfcb286052457697caad3359d7817e2dfa2f5"
+	"reference": "2c539864d72baede7f169f15eec8c3317e26c1bc"
 },
- "time": "2014-10-08 11:12:23"
+ "time": "2014-11-18 16:47:02"
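
Review bot: The new value on the `+	"reference"` line is an opaque 40-character hash, and nothing in this hunk ties it to the 0.12.0 release named on the `+ "version"` line. Before approving, resolve that hash in the module repository at the `url` shown and confirm it corresponds to what was tagged as 0.12.0 on master, since a lock file pins the reference rather than the version string.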

Usually, this reference matches the hash of the commit we’ve tagged as this version. In this particular case however, the hash mentioned in reference was nowhere to be found in the commit log. So what’s going on here?

Bacula: Cancelling all jobs that are currently writing

 |  200 words — 1 minute  |  backup bacula linux oneliner

Just a quick post with the oneliner of the day.

Scenario: after a bacula director restart a couple of jobs were stuck on the FD with message:

Bacula File Director Error
Running Jobs:
Writing: Incremental Backup job node.cluster.company.com JobId=8702 Volume=""
    pool="bacula.director.company.com:pool:default.incremental" device="DefaultFileStorage" (/mnt/bacula/default)
    spooling=0 despooling=0 despool_wait=0
    Files=0 Bytes=0 AveBytes/sec=0 LastBytes/sec=0
FDSocket closed

There were a couple of these jobs that were stuck, preventing all other jobs from running, because those were waiting for a free slot on the FD.

Bacula: Purging and deleting old volumes

 |  600 words — 3 minutes  |  bacula backup linux

I’ve been using bacula for a couple of months now in conjunction with puppet to make automated backups of all servers that are managed by puppet. My bacula setup labels a volume for every job it runs with a unique name:

Bacula Label Format
Label Format = "${Job}.${Year}${Month:p/2/0/r}${Day:p/2/0/r}.${Hour:p/2/0/r}${Minute:p/2/0/r}"

These volumes are automatically purged once the retention of all files contained on the volume expires (which is configured per-pool). Due to the unique names however, the volumes cannot be recycled. The result of this is that the volumes that have been marked as purged in the catalog remain as-is on the disk. After some time this ultimately resulted in a full disk, thus halting all backups performed on that pool. Not good. Not good at all.

Gentoo: Running a Minecraft 1.8 server

 |  2100 words — 10 minutes  |  gentoo linux minecraft

Running a dedicated Minecraft server can be a challenging job. You have to find a balance between performance and usability using “server software” that doesn’t seem to be designed to provide for long running, resilient services.

Being a first-time Minecraft server operator I had to tackle various challenges in order to come up with a way to provide a stable and reliable service to my players. The following article is a recollection of the things I implemented and scripts I wrote in order to run a Minecraft 1.8 server. The scripts mentioned are specific to Gentoo Linux, but could also be used on most other Linux flavours, albeit with some modifications to match that platform’s init.d scripts.