Confirming setup of Home Assistant using unauthenticated paths

[Swiftnesses]

Hello,

I initially had issues with the iOS application (too many redirects error when not connected via LAN).

I now have this in my unauthenticated paths:

^/api.*
^/auth/token.*
^/.external_auth=.
^/service_worker.js
^/static.*
^/local.*
^/hacsfiles.*
^/frontend_latest.*

Things appear to be working (finally!). I just wanted a sanity check if this is the suggested setup?

Many thanks in advance.

[Swiftnesses]

Thought I had it, but adding a new device, I see the server (the local address), and I'm presented with the HA login, clicking login just says "login aborted" and I can't login using SSO (desktop works). This is a maze!

Update: I reinstalled the app and used my https://domain address for the initial config screen rather than the found http://local:8123 address and it seems to work... perhaps 😄

[jasjeetsuri]

I added this in traefik, and managed to get iOS app to auth, based on your URL list.

# Home Assistant Ingress Configuration
# High priority ingress for mobile app and static content - bypasses authentication
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  annotations:
    cert-manager.io/cluster-issuer: letsencrypt-production
    traefik.ingress.kubernetes.io/router.priority: "200"  # Higher priority than auth ingress
    traefik.ingress.kubernetes.io/router.entrypoints: web,websecure
  labels:
    app: homeassistant-direct
  name: homeassistant-direct-ingress
  namespace: home-assistant
spec:
  ingressClassName: traefik
  rules:
  - host: ha.contoso.com
    http:
      paths:
      # Mobile app API endpoints - bypass authentication
      - path: /api
        pathType: Prefix
        backend:
          service:
            name: homeassistant-service
            port:
              number: 8123
      # Auth tokens - bypass authentication
      - path: /auth/token
        pathType: Prefix
        backend:
          service:
            name: homeassistant-service
            port:
              number: 8123
      # External auth endpoint - bypass authentication
      - path: /.external_auth
        pathType: Prefix
        backend:
          service:
            name: homeassistant-service
            port:
              number: 8123
      # Service worker - bypass authentication
      - path: /service_worker.js
        pathType: Exact
        backend:
          service:
            name: homeassistant-service
            port:
              number: 8123
      # Static content - bypass authentication
      - path: /static
        pathType: Prefix
        backend:
          service:
            name: homeassistant-service
            port:
              number: 8123
      # Local content - bypass authentication
      - path: /local
        pathType: Prefix
        backend:
          service:
            name: homeassistant-service
            port:
              number: 8123
      # HACS files - bypass authentication
      - path: /hacsfiles
        pathType: Prefix
        backend:
          service:
            name: homeassistant-service
            port:
              number: 8123
      # Frontend latest - bypass authentication
      - path: /frontend_latest
        pathType: Prefix
        backend:
          service:
            name: homeassistant-service
            port:
              number: 8123
  tls:
  - hosts:
    - ha.contoso.com
    secretName: ha-contoso-com-tls

---
# Auth ingress for web interface - goes through Authentik proxy
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  annotations:
    cert-manager.io/cluster-issuer: letsencrypt-production
    # Lower priority so bypass ingress takes precedence
    traefik.ingress.kubernetes.io/router.priority: "100"
    # Remove HTTPS redirect middleware to prevent redirect loops with Cloudflare Tunnel
    # traefik.ingress.kubernetes.io/router.middlewares: default-redirect-to-https@kubernetescrd
    # Home Assistant optimizations for WebSocket and long-lived connections
    traefik.ingress.kubernetes.io/service.sticky.cookie: "true"
    traefik.ingress.kubernetes.io/service.sticky.cookie.name: "ha-sticky"
    # Ensure we listen on both HTTP and HTTPS entrypoints
    traefik.ingress.kubernetes.io/router.entrypoints: web,websecure
  labels:
    app: homeassistant-auth
  name: homeassistant-auth-ingress
  namespace: authentik
spec:
  ingressClassName: traefik
  rules:
  - host: ha.contoso.com
    http:
      paths:
      - backend:
          service:
            # Direct reference to outpost service in same namespace
            name: ak-outpost-home-assistant
            port:
              number: 9000
        path: /
        pathType: Prefix
  tls:
  - hosts:
    - ha.contoso.com
    secretName: ha-contoso-com-tls