```yaml
version: '2.1'
services:
  homeassistant:
    restart: always
    image: homeassistant/raspberrypi3-homeassistant
    expose:
      - 8123
    ports:
      - "8123:8123"
    devices:
      - /dev/ttyACM0
    volumes:
      - ./config:/config
    network_mode: host
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.hahttp.rule=Host(`MY_DOMAIN`)"
      - "traefik.http.routers.ha.rule=Host(`MY_DOMAIN`)"
      - "traefik.http.routers.ha.tls=true"
      - "traefik.http.routers.ha.tls.certresolver=le"
      - "traefik.http.routers.ha.tls.domains[0].main=MY_DOMAIN"
      - "traefik.http.services.homeassistant.loadbalancer.server.port=8123"
  traefik:
    restart: always
    image: traefik:v2.2
    command:
      - "--api.dashboard=true"
      # api.insecure=true serves the dashboard/API on port 8080 without authentication
      - "--api.insecure=true"
      - "--accesslog=true"
      - "--providers.docker"
      - "--providers.docker.exposedbydefault=false"
      - "--entryPoints.web.address=:80"
      - "--entrypoints.websecure.address=:443"
      - "--certificatesresolvers.le.acme.tlschallenge=true"
      - "--certificatesresolvers.le.acme.email=MY_EMAIL"
      - "--certificatesresolvers.le.acme.storage=/letsencrypt/acme.json"
    ports:
      - 80:80
      - 8080:8080
      - 443:443
    volumes:
      # read-only docker socket so Traefik can discover containers
      - "/var/run/docker.sock:/var/run/docker.sock:ro"
      - "./letsencrypt:/letsencrypt"
    extra_hosts:
      # host.docker.internal is pointed at the docker bridge IP (see the comments below)
      - host.docker.internal:172.17.0.1
```
It’ll be the IP of your default docker bridge network. Usually that's 172.17.0.1/24 but I’ve also seen 172.18.0.1/24. It’s possible to set the default range as a docker startup default but that depends on your platform.

The extra host stanza basically says if you need to talk to `host.docker.internal`, go to that specified IP instead. We're basically hardcoding the target for all of the requests going into traefik to go to the docker bridge IP.
Ah... traefik tries to resolve localhost with a DNS lookup to host.docker.internal. This is probably to support docker-for-windows, which uses this trick to reach the host. Now it makes sense, thanks!
I had to add these to labels to avoid getting 400 bad request:

```yaml
traefik.http.routers.ha.middlewares: haHeaders
traefik.http.middlewares.haHeaders.headers.customrequestheaders.Connection: Upgrade
```
Thank you for this. I've spent a few hours before stumbling upon this little gem.
Thanks for this gist, helped me get my HA working.
3 years later and "extra_hosts" still does the job, thank you!
This took me hours to find - thanks for the help my man! :D
If you want to avoid adding a "magic" IP address you can use

```yaml
extra_hosts:
  - "host.docker.internal:host-gateway"
```

Make sure you are using Linux and Docker > v20.10.
If you receive a "400 Bad Request" error, you need to whitelist the IP of the docker proxy in home assistant.

Check the Home Assistant logs. You should see something like:

```
2024-03-30 22:28:57.467 ERROR (MainThread) [homeassistant.components.http.forwarded] Received X-Forwarded-For header from an untrusted proxy XXX.XXX.XXX.XXX
```

Add the XXX.XXX.XXX.XXX IP in your home assistant configuration.yml file.

```yaml
http:
  use_x_forwarded_for: true
  trusted_proxies:
    - ::1
    - 127.0.0.1
    - XXX.XXX.XXX.XXX
```

This IP changes if you destroy your traefik container / network. You can allow the CIDR 172.16.0.0/12 so it will be always allowed whatever IP it takes... But it's less secure of course.
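An added example, not Home Assistant's or Traefik's own code, of the trusted-proxy decision behind that 400 and of why the 172.16.0.0/12 shortcut is broader than it looks: `trusted_client_ip`, `is_trusted_proxy` and `UntrustedProxy` are assumed names, the addresses are constructed, and the right-to-left walk over the header chain is this example's policy rather than a claim about Home Assistant's exact algorithm.

```python
import ipaddress
from typing import Iterable, List, Optional


class UntrustedProxy(Exception):
    """The peer sent X-Forwarded-For but is not in trusted_proxies (the app answers 400)."""


def _networks(trusted_proxies: Iterable[str]) -> List[ipaddress._BaseNetwork]:
    # "::1", "127.0.0.1" and "172.16.0.0/12" all parse to networks;
    # strict=False accepts host addresses as /32 or /128.
    return [ipaddress.ip_network(p, strict=False) for p in trusted_proxies]


def is_trusted_proxy(peer_ip: str, trusted_proxies: Iterable[str]) -> bool:
    """True if the TCP peer (the container that connected to us) is an allowed proxy."""
    peer = ipaddress.ip_address(peer_ip)
    # 'in' is False across address families, so ::1 never matches an IPv4 peer.
    return any(peer in net for net in _networks(trusted_proxies))


def trusted_client_ip(peer_ip: str, xff_header: Optional[str],
                      trusted_proxies: Iterable[str]) -> str:
    """Return the address to treat as the real client for this request.

    Without a header the peer itself is the client. With a header, the peer must be a
    trusted proxy; otherwise anyone able to reach the app could forge the client IP.
    """
    if xff_header is None:
        return peer_ip
    if not is_trusted_proxy(peer_ip, trusted_proxies):
        raise UntrustedProxy(
            f"Received X-Forwarded-For header from an untrusted proxy {peer_ip}")
    nets = _networks(trusted_proxies)
    hops = [h.strip() for h in xff_header.split(",") if h.strip()]
    # Walk from the right (the hop nearest to us): skip every trusted proxy and take the
    # first address we do not trust, which is the one nobody we trust could have forged.
    for hop in reversed(hops):
        addr = ipaddress.ip_address(hop)  # ValueError on garbage -> reject upstream
        if not any(addr in net for net in nets):
            return hop
    return hops[0]  # every hop was a trusted proxy; fall back to the left-most


# Constructed addresses: Traefik at 172.17.0.2 on the bridge, a client at 203.0.113.7.
SINGLE_IP_POLICY = ["::1", "127.0.0.1", "172.17.0.2"]
WIDE_CIDR_POLICY = ["::1", "127.0.0.1", "172.16.0.0/12"]
```

Under `SINGLE_IP_POLICY` only the one container can set the client address; under `WIDE_CIDR_POLICY` any workload on any 172.16/12 Docker network gets the same power, which is the trade-off the comment above points at.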
Is the 172.17.0.1 IP universal or do I have to specify that elsewhere?

Edit: seems like it's the default for the IP address of the bridge interface (docker0 by default). Found here: https://doc.traefik.io/traefik/providers/docker/#host-networking