Secure Remote Access to Home Assistant with Cloudflare Proxy

mostlychris

Access your Home Assistant server securely using Cloudflare proxy. Step-by-step guide and thoughts on what remote access method I use.
00:00 Intro
00:38 Requirements
01:12 Cloudflare HTTPS Proxy Ports
03:02 Set Up Subdomain
04:00 Set up Origin SSL Certificate
06:14 Put Certificate on Home Assistant
09:10 Allow Home Assistant to use Proxy
10:30 Mid Video Recap!
11:52 Enforce Strict SSL Mode
12:53 Restrict Access at Your Firewall
15:20 Restrict Proxy Access by Geography
17:06 Thoughts on Access Methods
20:26 WRAP!

Comments: 73
@raveen69 2 years ago
Perfect timing, I started to set this up but didn't know about the CF items. Thanks!
@mostlychris 2 years ago
You're welcome!
@BeardedTinker 2 years ago
Nice video Chris!!! Enjoyed it very much!
@mostlychris 2 years ago
Thanks!
@bcookdc2 2 years ago
Great video Chris!
@mostlychris 2 years ago
Thanks!
@stephanhackett5012 2 years ago
Great video Chris. Appreciate your work as usual. FYI... if you want to avoid opening ports you can use the Cloudflare Argo Tunnel. It's a bit more complicated to set up than what you show here but it's a great way to avoid opening ports and keep the same functionality.
@mostlychris 2 years ago
Thanks for the tip. I'll look into that.
@ItsiPaddie 2 years ago
@mostlychris Check out the "Cloudflared" addon by brenner-tobias, this makes it super easy
@mostlychris 2 years ago
Will do!
@ZackBarett 2 years ago
First. Damn good Thumbnail. Second. Damn Good explanation. Great Job!
@mostlychris 2 years ago
Lol. Thanks Mr. Barett!
@jorghenkel7596 1 year ago
Thanks a bunch. Just set that all up :) Love it.
@mostlychris 1 year ago
Thanks for watching!
@jamesking890 2 years ago
Great video and explanation on things.
@mostlychris 2 years ago
Thank you!
@moonter45 1 year ago
That is what I need : D Thank You!
@mostlychris 1 year ago
You're welcome!
@ericesev 2 years ago
Great video. 4:44 - Just one thing to note is that the connection is not encrypted "through Cloudflare". It is decrypted through Cloudflare and then re-encrypted when it is sent to the origin server. It is hop-to-hop encrypted between the browser and Cloudflare and from Cloudflare to the origin server. This is one difference from Nabu Casa; where the browser establishes a secure connection directly with the local Home Assistant instance.
@mostlychris 2 years ago
Thanks for the clarification Eric. VPN is the only real way for end-to-end encryption. How is Nabu doing it?
@aaaaaa-bx8hh 1 year ago
@mostlychris thanks
@rytsydup 2 years ago
You can also use the Cloudflared add-in for Home Assistant, which tunnels your traffic to Cloudflare using your origin cert. This setup won't require you to open ports on your router.
@mostlychris 2 years ago
Interesting. I hadn't seen that. Thanks for the tip!
@MartinHiggs84 2 years ago
I've started to use the tunnel. Be good if could use automation to turn off tunnel if phone presence at home.
@boopeshkumarprabhakaran 1 year ago
@MartinHiggs84 Hi, but by using the tunnel, your Home Assistant local runs on http, not https... any fix for that?
@Capozzi3 24 days ago
Hello, I did the Cloudflare process. Does that mean that my connection is already secured? I'm a newbie.
@dls691 2 years ago
Great video, thank you. Any chance you do a video explaining how to configure HA opening just enough to allow passing through snapshots in motion notifications from Unifi Protect cameras? Thank you.
@mostlychris 2 years ago
Thanks! I'll add your suggestion to my list of video ideas.
@claytongreer7532 2 years ago
Thank you, Chris. This video arrived at a good time. I'm starting to set up a number of servers under Proxmox beyond just Home Assistant. What approach would you suggest if one needed remote access to an arbitrary number of hosts? VPN? nginx reverse proxy? A Kemp LoadMaster L7 route? Or...?
@ericesev 2 years ago
FWIW, I have a Let's Encrypt wildcard certificate for my domain and a wildcard DNS entry. I point this to a single port on my reverse proxy (which runs on my router). The reverse proxy then forwards to each backend server based on hostname. In addition, I also require authentication inside the reverse proxy by default. That way no traffic (random internet scans) can reach the backend server without first being 2FA authenticated. I prefer going this route because everything I need to access on my home network can be reached over http/https. This requires a one-time setup of the reverse proxy and no setup on each end device. Had I needed to use something other than http/https, I'd have considered a VPN. I'm not a fan of cloud-based solutions, so Cloudflare/NabuCasa/Tailscale/ZeroTier are all no-go for me. I have zero concerns about being port scanned. I just keep my reverse proxy up-to-date.
@mostlychris 2 years ago
This really depends on you. As Eric mentioned in his comment, I think that nginx reverse proxy is a good solution if you don't want to use a VPN. This allows connections over SSL to your hosts inside your network and can also add an additional layer of security with specific proxy auth.
@justinsmall9149 8 months ago
What files to amend on Home Assistant when using Docker, as configuration.yaml does not contain any of this SSL stuff?
@kapil550 1 year ago
Sir, thank you so much for the detailed video shared with us... I am happy to learn more from your shared videos... May I get some example to access HA on remote and HA API access (which steps I need to follow to access HA API) using third party automation sys?
@mostlychris 1 year ago
Thank you Kapil for watching and joining the channel! There is a developer section for accessing HA API over at developers.home-assistant.io/.
@krayzieegg7294 1 year ago
I hope you reply. Anyway, I'm getting an error logging in to Home Assistant that stated "login blocked: user cannot authenticate remotely". I've got to be honest here: I followed another tutorial and did everything right, and the only thing I didn't do is setting up the SSL because I wasn't sure if that was already included on the Namecheap domain that I bought. I'm using Namecheap, Cloudflare, HA on a VM without any ports open. Your help would be highly appreciated. I finally figured it out: People -> your account -> unticked "can only log in from local network". Thank you.
@ThomasWetterer 2 years ago
I did try it and now have the problem that the Cloudflare Origin Certificate is not valid when I access my homeassistant instance directly. Which means I want to access homeassistant inside my home network without going outside to the cloudflare proxy first. The origin certificate is only valid for the cloudflare proxy and not in a browser. Any ideas/solutions for that?
@mostlychris 2 years ago
I know that pain. I have been just accepting the SSL to IP mismatch for now. I am still experimenting with a way to access SSL both internal and external. Since I have two instances of HA running, this demo was on my secondary and not my primary. On my primary, I use the same URL both external and internal and when internal, AdGuard rewrites my DNS query to the internal IP. This one is not going through Cloudflare though, so I don't have the origin cert installed there.
@bearhntr928 2 years ago
When creating your DNS record - you called it 'remote' -- but you did not put in an IP. I have been fighting with this for days (a dozen videos) and nothing ever works. I am using pfSense (and it is my DNS, and DHCP and Router for my home). Should I be putting my "public IP" that I see as WAN address in pfSense or should it be the IP address of my HomeAssistant server which has a Static DHCP mapping in pfSense???
@mostlychris 2 years ago
You've got to get to the public facing IP of your local network.
@xisop 2 years ago
Great video. I just started HA and want to access it outside of home. Running a VM on Unraid. Domain is managed by CF and I have a bunch of subdomains running through CF and nginx proxy manager (NPM). NPM also directs my certificates. Can I run HA through NPM instead of the way shown in the video? Is it just by creating a subdomain and editing the config with an entry of that subdomain for remote access?
@mostlychris 2 years ago
I think you probably can. NPM is just a service running on your network. As long as you can get to it, you can forward to any IP/port inside your network.
@xisop 2 years ago
@mostlychris It works. Only had to add a couple of lines of code to configuration.yaml specifying a couple of local addresses and the proxy server.
@mostlychris 2 years ago
Oh! Yeah, I forgot about that. You have to allow proxies like you did. It was a security feature added quite a while ago.
@xisop 2 years ago
Had to do some digging around but found it. Thanks 🙏 I'm getting more and more excited about HA every day. Keep figuring out more features and tricks to make things better every time. Really appreciate everyone in the community, everyone seems to be more than willing to help others. Lots of love to you all from The Netherlands and keep up the good work ⚒
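
The proxy allow-list discussed in the exchange above, modelled as an added Python example (not part of the thread, not from the video, and not Home Assistant's own code): a backend should honor `X-Forwarded-For` only when the TCP peer is a listed proxy. The function names, the proxy address 192.168.1.10, the client addresses and the choice of a 400 response are assumptions made for illustration.

```python
from ipaddress import ip_address, ip_network

# Constructed allow-list: one reverse proxy on the LAN (hypothetical address).
TRUSTED_PROXIES = [ip_network("192.168.1.10/32")]


def _is_trusted(addr, trusted):
    """True if addr falls inside any allow-listed proxy network."""
    return any(addr in net for net in trusted)


def resolve_client(peer_ip, forwarded_for, trusted=TRUSTED_PROXIES):
    """Return (status, client_ip) for one request.

    peer_ip       -- address of the TCP peer that connected to the backend
    forwarded_for -- raw X-Forwarded-For header value, or None if absent
    """
    peer = ip_address(peer_ip)
    if forwarded_for is None:
        # Direct connection: the TCP peer is the client.
        return 200, str(peer)
    if not _is_trusted(peer, trusted):
        # The header came from an unlisted peer, so it may be forged: refuse.
        return 400, None
    try:
        hops = [ip_address(h.strip()) for h in forwarded_for.split(",")]
    except ValueError:
        return 400, None  # malformed header
    # Walk from the hop nearest the backend and skip trusted proxies; the
    # first untrusted hop is the client. Entries further left were supplied
    # by the client itself and are ignored.
    for hop in reversed(hops):
        if not _is_trusted(hop, trusted):
            return 200, str(hop)
    # Every hop is a trusted proxy: fall back to the left-most entry.
    return 200, str(hops[0])


if __name__ == "__main__":
    # Constructed sample requests: (TCP peer, X-Forwarded-For header).
    samples = [
        ("192.168.1.10", "203.0.113.7"),            # via the listed proxy
        ("198.51.100.9", "192.168.1.20"),           # unlisted peer sends header
        ("192.168.1.50", None),                     # direct LAN access
        ("192.168.1.10", "10.9.9.9, 203.0.113.7"),  # client-prepended entry
    ]
    for peer, xff in samples:
        print(peer, repr(xff), "->", resolve_client(peer, xff))
```

Keeping the allow-list to the exact proxy address matters: every host inside a broad range can set the client address that the backend logs and applies login limits to.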
@dah1214 1 year ago
I am new to Home Assistant, and many thanks for your video. I get "400 bad request" accessing HA on my browser after following every step on your video. Could you help me to fix this issue? Thanks
@mostlychris 1 year ago
Welcome to HA. I would need more details on how this is failing and how you set things up. Discord is the best place to have a discussion such as this.
@jeffer8762 2 years ago
I cannot access my Home Assistant portal locally after setting the http: configuration, only able to get it working after removing the http configuration. What is wrong?
@mostlychris 2 years ago
You are going to have to access at the local IP address with https. Alternatively, you can use nginx proxy manager local DNS such as pi-hole or AdGuard to have a rewrite point you to your domain.
@oakfig 2 years ago
Can we use cloudflare zero trust tunnel for this?
@mostlychris 2 years ago
Probably. I haven't played with that but I have been asked to make a video on some other Cloudflare access methods. If anything, you can set up a zero trust connection to something in your local network and then access HA at the local network IP address assuming it is on the same subnet.
@sneffetsd 1 year ago
I did everything but still get the 400 bad request.
@ImTaran 2 years ago
Great video! One thing that I believe you skimmed over is that unless you know how to use Cloudflare's API to update your endpoint domain with the appropriate IPv4 WAN address from your ISP (assuming it's dynamic), then this whole video is pretty much pointless.
@mostlychris 2 years ago
Thanks for pointing that out. There are a number of ways to tell various DNS providers what your IP is and those update automatically. Too many to mention in the video but I've used quite a few over the years.
@HATipsByLarry 2 years ago
This works but it breaks TTS for Google Assistant, even if I don't put in the firewall IPs. Says that the Google Assistants can't reach Home Assistant locally because of the SSL certs. Local communication unavailable Google devices will not be able to talk locally with Home Assistant because you have configured an SSL certificate for your HTTP integration
@mostlychris 2 years ago
For this type of situation, you might be better using something like Nabu Casa (Home Assistant's Cloud). This gives you access to those devices. Keep in mind that there are a number of different access solutions for Home Assistant and not all of them will fit every setup. You'll have to choose which one is best for your setup. FWIW, I run both Alexa and Google smart speakers but the local TTS and other stuff is still working. I am connected to Nabu Casa on my production box as well as having the ability to tunnel and use other access methods.
@argentinomacrifuevidaltamb3772 2 years ago
Cloudflare Proxy is not secure.
@mostlychris 2 years ago
Why is that?
@hkitservices 2 years ago
Not all of us have a fixed IP to enter at the beginning into the cloudflare setup. You should have shown the setup when people do not have a fixed IP at home. :(
@jmr 2 years ago
It's pretty easy. You could set up something like duckdns to keep your IP address up to date. Then on cloudflare you would use a cname record instead of an A record that points to your duckdns hostname instead of the IP.
@hkitservices 2 years ago
@jmr I understand it is possible, but I come to the Internet to find a full solution, not half of one that requires knowledge I may not have. And I believe that people with a dynamic IP outnumber by far the number of people with a fixed IP, so why target the minority only? I would have added maybe an extra 2-3 minutes to the video. That is not too much!
@zyghom 2 years ago
@jmr Why anything on top of DuckDNS? What is the benefit? If you want real security you use your own VPN on your LAN and go to your HA (not only) through this.
@jmr 2 years ago
@hkitservices I can't argue with that reasoning. Just an oversight probably. Dynamic IP definitely outnumber fixed in his audience.
@jmr 2 years ago
@zyghom The primary but not only advantage of this setup is that it can stop DDoS attacks. Not everyone wants to run a VPN constantly on all their devices to talk to their system. VPNs are also difficult when running outside services that must talk to Home Assistant. I really think this is primarily in there for completeness which I believe he mentioned. I have been considering this setup for months and might eventually try it.
@abdoahmed1231 2 years ago
I have a question please When I use a proxy server and I follow people on Instagram, the follow-up is not done, for example, I have 5 followers on Instagram and I request to follow 100 people, that account is not done, they are still following 5 people, I just want to know how this happens, can the effect of the reverse proxy or forward proxy or requests sent can be redirected please help me
@mostlychris 2 years ago
I'm not sure I understand this question.
@jmr 2 years ago
I dropped GoDaddy and moved to Google Domains because although GoDaddy offers support I found it useless 90% of the time. With Google Domains don't expect personal support but they include private registration free. My experience with domains and DNS is over 20 years so the support GoDaddy provides might be useful to a less experienced user.
@mostlychris 2 years ago
I was using Google Domains and then moved to Google DNS that allowed me to renew SSL certs via automation. Then I decided to go to Cloudflare to keep it all under one roof. I can also do SSL renewal via Letsencrypt and automation using Cloudflare so that's a plus. I also use Cloudflare as my registrar. How did you get free at Google? I was paying for each domain.
@jmr 2 years ago
@mostlychris I'm paying for domain registration and I'm getting "domain privacy" free. It doesn't show my contact information. I referred to it as "private registration". That was poor phrasing. That feature will probably be offered free by more companies given EU legislation that I believe basically requires it for customers in the EU anyway.
@mostlychris 2 years ago
I use that feature as well. All domains belong to "jaifjieawefaw" or something like that, lol.