Not many people tend to use the IIS reverse proxy, maybe due to Windows licensing, or maybe just because NGINX, HAProxy or any of the Linux-based ones are way more popular.
Nonetheless, I'm using HA with an IIS proxy in front of it, and after some investigating and reading other configurations, I found out soon enough that HA uses WebSockets.
Without configuring this, you might not get any further than the login screen telling you the credentials are wrong, even though you are 1000% sure they are correct.
I'm assuming you already did the prerequisites to allow proxies to access HA by editing the configuration.yaml file. If not, add the following to your file and restart HA:
http:
  cors_allowed_origins:
    - <your url>
  use_x_forwarded_for: true
  trusted_proxies:
    - <IP of your proxy server, or the entire IP range, for example 10.0.0.0/24>
Another requirement is the installation of WebSockets on the IIS server. I assume you have enough server knowledge to know where to find the Windows Server Roles & Features section. If you go to the IIS section and expand Application Development, you'll find WebSocket, which you can install.
I also assume you've already installed IIS ARR for the URL Rewrite functionality.
Once installed, do the following:
- Start IIS
- On the left side in the Connection View, select your server name
- Open URL Rewrite
- On the right side in the Action section, click View Server Variables
- On the right side in the Action section, click Add
- Type in the following value: HTTP_SEC_WEBSOCKET_EXTENSIONS
- On the right side in the Action section, click Back to rules
- Go to C:\Windows\System32\inetsrv\config\applicationHost.config
- Scroll all the way down to <globalRules> and below <clear /> add the following:
<rule name="ARR_HA_SSL" enabled="true" patternSyntax="ECMAScript" stopProcessing="true">
    <match url="(.*)" />
    <action type="Rewrite" url="http://HomeAssistant/{R:0}" />
    <conditions>
        <add input="{HTTPS}" pattern="^ON$" />
        <add input="{HTTP_HOST}" pattern="YOUR SITE HERE" />
    </conditions>
    <serverVariables>
        <set name="HTTP_SEC_WEBSOCKET_EXTENSIONS" value="" />
    </serverVariables>
</rule>
Together with the rule below, this creates 2 rules in IIS: one accepts SSL connections and the other converts HTTP to HTTPS. This assumes you have your certs configured on IIS.
<rule name="ARR_AHA_HTTPtoHTTPS" enabled="true" stopProcessing="false">
    <match url="(.*)" />
    <conditions>
        <!-- Match plain-HTTP requests only; HTTPS requests are handled by the SSL rule -->
        <add input="{HTTPS}" pattern="^OFF$" />
        <add input="{HTTP_HOST}" pattern="YOUR SITE HERE" />
    </conditions>
    <!-- Redirect to the same host and path over HTTPS instead of proxying in clear text -->
    <action type="Redirect" url="https://{HTTP_HOST}/{R:0}" redirectType="Permanent" />
</rule>
It is possible to leave it all HTTP. If you want to do that for "testing" reasons, then just add this rule in place of the HTTP-to-HTTPS rule:
<rule name="ARR_AHA" enabled="true" patternSyntax="ECMAScript" stopProcessing="true">
    <match url="(.*)" />
    <action type="Rewrite" url="http://HomeAssistant/{R:0}" />
    <conditions>
        <add input="{HTTPS}" pattern="^OFF$" />
        <add input="{HTTP_HOST}" pattern="YOUR SITE HERE" />
    </conditions>
    <serverVariables>
        <set name="HTTP_SEC_WEBSOCKET_EXTENSIONS" value="" />
    </serverVariables>
</rule>
- Save the file
- Test the connection! Easiest would be with an external connection, but you can also route internal traffic to your proxy.
Normally you can edit rules in the IIS GUI perfectly fine, but not in this case. This is due to the ServerVariable settings: when you edit this in the GUI you are forced to enter a value, and we want this to be empty for it to work.
You can try this for fun if you want. If you edit it in the GUI and check the file, it will show this instead:
<set name="HTTP_SEC_WEBSOCKET_EXTENSIONS" value=" " enabled=TRUE />
IIS will never pass the traffic onto Guacamole because of this.
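A quick way to catch the GUI pitfall described above, as an added example that is not part of the original post: the hypothetical function Test-ArrWebSocketRule reads the global rules and reports every proxying rule where HTTP_SEC_WEBSOCKET_EXTENSIONS is missing or no longer empty, and also flags rules that accept plain HTTP. The XML it runs on here is a constructed sample.

```powershell
# Added example (not from the original post): audit URL Rewrite global rules.
function Test-ArrWebSocketRule {
    param([Parameter(Mandatory)][xml]$Config)

    foreach ($rule in $Config.SelectNodes('//globalRules/rule')) {
        $action = $rule.SelectSingleNode('action')
        # Only rules that proxy (Rewrite) need the cleared server variable.
        if ($null -eq $action -or $action.GetAttribute('type') -ne 'Rewrite') { continue }

        $findings = @()
        $set = $rule.SelectNodes('serverVariables/set') |
            Where-Object { $_.GetAttribute('name') -eq 'HTTP_SEC_WEBSOCKET_EXTENSIONS' } |
            Select-Object -First 1
        if ($null -eq $set) {
            $findings += 'HTTP_SEC_WEBSOCKET_EXTENSIONS is not set in this rule'
        } elseif ($set.GetAttribute('value') -ne '') {
            $findings += 'value is not empty (rule was probably saved from the GUI)'
        }

        # A condition of {HTTPS} = OFF means logins are accepted over plain HTTP.
        $plain = $rule.SelectNodes('conditions/add') | Where-Object {
            $_.GetAttribute('input') -eq '{HTTPS}' -and $_.GetAttribute('pattern') -eq '^OFF$' }
        if ($plain) { $findings += 'proxies plain HTTP (testing only)' }

        [pscustomobject]@{
            Rule     = $rule.GetAttribute('name')
            Findings = if ($findings) { $findings -join '; ' } else { 'OK' }
        }
    }
}

# Constructed sample. On a real server, pass the live file instead:
#   [xml](Get-Content C:\Windows\System32\inetsrv\config\applicationHost.config -Raw)
$sample = @'
<configuration><system.webServer><rewrite><globalRules>
  <rule name="ARR_HA_SSL" enabled="true" stopProcessing="true">
    <match url="(.*)" />
    <action type="Rewrite" url="http://HomeAssistant/{R:0}" />
    <conditions><add input="{HTTPS}" pattern="^ON$" /></conditions>
    <serverVariables><set name="HTTP_SEC_WEBSOCKET_EXTENSIONS" value=" " /></serverVariables>
  </rule>
  <rule name="ARR_AHA" enabled="true" stopProcessing="true">
    <match url="(.*)" />
    <action type="Rewrite" url="http://HomeAssistant/{R:0}" />
    <conditions><add input="{HTTPS}" pattern="^OFF$" /></conditions>
    <serverVariables><set name="HTTP_SEC_WEBSOCKET_EXTENSIONS" value="" /></serverVariables>
  </rule>
</globalRules></rewrite></system.webServer></configuration>
'@
Test-ArrWebSocketRule -Config $sample | Format-List
```

Run it again after any change made through the IIS GUI, since that is when the empty value gets overwritten.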