and the topic title
Duplicati login failed from HTTP hostname xxx.duckdns.org
One might think this tries to validate its client by name. Actually it looks at the client URL to server.
DNS rebinding attack is what it’s trying to protect against by checking sent Host header for validity.
Does not accept hostname other than * was your me-too at a topic about a different error scenario:
The host header sent by the client is not allowed
I’m unsure what error you’re seeing under what situations. Are you ever getting host header error?
If not, then trying to change the Hostnames field is probably not going to solve the Password error.
If you allow remote access, and the Host header comes in wrong (is there a reverse proxy as well, potentially dropping or mangling it?) then you get a host header complaint on a very empty screen.
That’s where allowing * might help. Your posted error looks like you just typed the wrong password.
That’s the first set of options on the Settings screen shown above. Did you set up your own in this?
Some third-party Duplicati packages supply a hardcoded password. What exactly are you running?
Is Duplicati installed directly on the host, or is there a Docker? If Docker, whose Docker is running?
Or Is Duplicati not running on Home Assistant system, but simply providing its user interface there?
If you’re on a relatively safe network, would Duplicati let you in without a password if you turn it off?
Regarding Home Assistant, the DuckDNS integration looks like it uses dynamic DNS to update the primary Home Assistent DNS entry. There might be other IPs involved, e.g. if Duplicati is in Docker.
Those might be dynamically assigned (I’m no Docker expert). Not sure how you’d DNS-name them.
iframe Panel takes a URL, but I don’t know if sends a Host header the way a regular browser does.
One reason I wonder about reverse proxy is the URL in the bar at top of screenshot reminds me of reverse proxy being used to get to Duplicati using a URL on the main site, not directly by port 8200.