Ingress and webrtc connections not working on non-standard port.

[calisro]

I am running the latest beta: 0.1-beta.1

I've tried a few ways to connect from within home assistant through ingress. Each time it fails with similar messages in the supervisor logs:

ERROR (MainThread) [supervisor.api.ingress] Ingress error: 403, message='Invalid response status', url=URL('http://172.30.32.1:1984/api/ws?src=xxxx

and my go2rtc logs:

16:45:57.049 ERR [api.ws] upgrade error="websocket: request origin not allowed by Upgrader.CheckOrigin"
16:46:30.592 ERR [api.ws] upgrade error="websocket: request origin not allowed by Upgrader.CheckOrigin"

From within the UI it tells me 'bad gateway' not matter what (via ingress)

If I hit the URL directly, it works fine: http://ha.local:1984/

[AlexxIT]

How do you open web UI? This link should works fine (but change to your Hass IP):
http://192.168.1.123:8123/hassio/ingress/a889bffc_go2rtc

"Open Web UI" or/and "Show on Sidebar"

[calisro]

Hi. I can now get to the UI page. Once I am there, however, none of the webrtc/mse/frame/ commands work. So this is progress as the info dialogs now work.

Should the stream links work within the ingress proxy? Any idea why I am seeing these though?

ERROR (MainThread) [supervisor.api.ingress] Ingress error: 403, message='Invalid response status', url=URL('http://172.30.32.1:1984/api/ws?src=xxxx

16:45:57.049 ERR [api.ws] upgrade error="websocket: request origin not allowed by Upgrader.CheckOrigin"
16:46:30.592 ERR [api.ws] upgrade error="websocket: request origin not allowed by Upgrader.CheckOrigin"

All of my go2rtc webrtc streams are working correctly externally and internally on my network. Its all working pretty well. I'd like to be able to proxy through HA through ingress though for a few reasons if possible.

EDIT: I just discovered those links work when I access via a http://ha.local:8123/hassio/ingress/a889bffc_go2rtc but not through a nginx proxied https://ha.local:18123/hassio/ingress/a889bffc_go2rtc

I wonder what I am missing. This sounds like a config problem on my side but I am at a loss.

[calisro]

I don't believe this is my setup that's the issue. Is this supposed to work from within a https home assistant through ingress to access the actual streams via the links in the UI?

essentially this through a nginx proxy:

https://hass.xxxxxx.org/api/hassio_ingress/xxxxxxxxxxxxxxxxxxxxxxxxxxx/webrtc.html?src=backyard_main

Looking at the code its only allowed the same origin. so I don't think it can work in its current state but maybe I am reading it wrong :) ) I think we need the ability to allow origins besides the same one.

websocketServer := websocket.New(
	gorilla.Upgrader(gorillaWs.Upgrader{CheckOrigin: func(*http.Request) bool{return true}}),
	serverEvents)

(esphome/issues#372)

[AlexxIT]

How your nginx config looks like? Do you have nginx on same server with Hass?

[calisro]

Yes. I use nginx proxy manager (NPM) addon with a letsencrypt cert and a dynamic public ip.

internet <> (router port forward :2200) <> (nginx :2200 https <> HASSOS :8123 http)

The router is configured with NAT LOOPBACK but I've also for testing purposes injected a static DNS for the hass server on the local IP just to see.

Currently I can fully access the local:1984 and stream all the feeds via ingress or via HASS UI external/internal.
I can't use ingress for a secure (:2200) port https with my domain name though. That is when I get those errors above about the origin server.

[calisro]

For an additional test, I moved the api to a subdirectory and hosted it in a new location so I can now access the go webui outside of HA ingress. I wanted to take HA out of the picture. I can now see the webui on a https port but I still cannot view the feeds and still get the same exact origin messages. I believe we need a way to whitelist origins.especially coming from docker.

[AlexxIT]

You have some problems with your config. Ingress works fine, also with audio.

[calisro]

Hm. That's interesting. Did you do that on hassos? The thing about Nginx Proxy Manager is its very light on configuration. IT's pretty much set out of the box. I am not sure what 'config' it could possibly be. The only config related to this is the http section in HASS which is pretty basic, and nginx.

Very confused. That tells me its likely OUTSIDE Of nginx. But that confuses my even more since there's not much outside of nginx besides my router and 'http' section in HASSOS.

[calisro]

I figured it out!!! But I don't understand why. Is there a requirement that the port is 443 for https? I just changed my inbound port to nginx to 443 rather than a non-default port and it immediately worked. I can't really keep this port config easily without changing quite a bit. I need to understand why it won't work on non-443.

Why would I receive " ERR [api.ws] upgrade error="websocket: request origin not allowed by Upgrader.CheckOrigin" when on a non-default port? Is tehre something in the code not allowing this?

The 443 works. 2200 does not.

[calisro]

WOW though. On another note though. the 2-way works beautifully with the AD410. :)

Let me know about if something can be done to address the non-standard port issue. If not, i'll likely need to change this to 443. That's no fun. :(

[AlexxIT]

Should be fixed in beta.4