Geekzone: technology news, blogs, forums
jonathan18
#3068225 26-Apr-2023 18:46
spmiller:

Cloudflare does the HTTPS for my instance. When I'm at home I can access the box directly via HTTP if I want to.

I think this is safe because cloudflared sets up a Wireguard tunnel between my server and their endpoint, so the HTTP traffic is carried encrypted over that link before it is exposed to the Internet over TLS.

That's good to know Cloudflare will manage that - so there's general consensus this is a safe approach?

Jase2985:

Does this help?

https://mariushosting.com/synology-how-to-enable-https-on-dsm-7/

Thanks - that's the exact guide I had followed, and rinsed and repeated to make sure I'd not stuffed something up. Don't know what's going on (and, yep, I tried on different browsers and devices, cleared the cache etc.) but I've left it a couple of hours, come back and HTTPS is working on one browser/device (Chrome on computer) but not on another browser or my phone. What gives?!




#3068230 26-Apr-2023 19:54

Working internal to your network, or external?


jonathan18
#3068298 27-Apr-2023 08:38

HTTPS works on Chrome on multiple devices, including when connecting via network or external (mobile data); no luck with it working on other browsers though (tried Opera, Brave and Edge), either internally or externally.

Here's the weird thing: on those other browsers the security certificate it's accessing is for Synology's QuickConnect service.

[Edit: Found the problem - I had to request a synology.me certificate again in the DDNS window. All working on other devices and browsers now, so all good! Now onto getting HA working.]




michaelmurfy
#3068307 27-Apr-2023 09:18

jonathan18:

That's good to know Cloudflare will manage that - so there's general consensus this is a safe approach?

Far safer than just port forwarding, as you're then going through a WAF (Web Application Firewall) platform adding a little additional security. For most people I'd never recommend port forwarding applications, as one exploit in that application can have your whole network compromised - this includes opening up QuickConnect (I have this only accessible over Tailscale personally).

For additional security, enforce TLS in Cloudflare. Go to SSL/TLS on the side and set it to Full (strict).

Under "Edge Certificates" set "Always Use HTTPS", set Minimum TLS Version to TLS 1.2, turn off Opportunistic Encryption, turn on TLS 1.3 and Automatic HTTPS Rewrites, and lastly I would recommend setting HSTS across your domain so everything going forward has to use a valid TLS certificate.

Then under Security --> WAF configure as you see fit. There are a whole lot of controls, including the ability to add your own firewall and rate limiting controls in here too. I'd recommend taking a look at some tutorials on YouTube, for example, on this.

Those are the reasons I'd recommend using Cloudflare to secure your web applications over port forwarding. You get a whole lot more control, logging etc. and IMHO it is a more elegant solution. Plus, you don't need a static IP. The great thing also is that all this is free, as you'd never go over the free usage caps.

Michael Murphy | https://murfy.nz
Referral Links: Quic Broadband (use R122101E7CV7Q for free setup)

Are you happy with what you get from Geekzone? Please consider supporting us by subscribing.
Opinions are my own and not the views of my employer.
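
A way to verify that checklist without clicking through the dashboard, as an added example (my own Python, not the thread's or Cloudflare's code): it takes the JSON returned by the zone settings API endpoint GET /zones/{zone_id}/settings and reports every value weaker than what the post above recommends, with the reason each one matters. The setting ids and the nested HSTS structure are those of the Cloudflare API as I know it (an assumption worth checking against the current docs); the two payloads at the bottom are constructed so the block runs offline.

```python
"""Audit a Cloudflare zone's TLS settings against the checklist in the post above.

Added example, not code from the thread or from Cloudflare. It never calls the
API itself: feed it the JSON that GET /zones/{zone_id}/settings returns
(for instance `curl ... | python3 cf_tls_audit.py`) and it lists every setting
weaker than the recommended value. Setting ids and the nested HSTS shape follow
the zone settings API as documented (assumption: unchanged since 2023); the two
sample payloads at the bottom are constructed, not captured from a real zone.
"""
import json
import sys
from typing import Any

# The post's recommendations, keyed by Cloudflare setting id. "zrt" is TLS 1.3
# with 0-RTT enabled, which still counts as TLS 1.3 being on.
EXPECTED: dict[str, tuple[str, ...]] = {
    "ssl": ("strict",),            # Full (strict): the origin certificate must validate
    "always_use_https": ("on",),
    "opportunistic_encryption": ("off",),
    "tls_1_3": ("on", "zrt"),
    "automatic_https_rewrites": ("on",),
}
MIN_TLS_VERSION = (1, 2)
MIN_HSTS_MAX_AGE = 15_552_000  # 180 days: long enough to outlast a stray http:// bookmark

WHY = {
    "ssl": "'flexible' carries Cloudflare-to-origin traffic in plaintext; 'full' skips certificate validation on that hop",
    "always_use_https": "plain-HTTP requests are answered instead of redirected, so a visitor can stay on HTTP",
    "opportunistic_encryption": "advertises TLS via Alt-Svc rather than requiring it; pointless once HTTPS is enforced",
    "tls_1_3": "clients that support TLS 1.3 are held to a TLS 1.2 handshake",
    "automatic_https_rewrites": "http:// subresource links in pages stay as mixed content",
}


def version_tuple(text: str) -> tuple[int, ...]:
    """'1.2' -> (1, 2) so versions compare numerically rather than as strings."""
    return tuple(int(part) for part in text.split("."))


def audit_settings(payload: dict[str, Any]) -> list[str]:
    """Return one finding per setting weaker than recommended; an empty list means hardened."""
    settings = {item["id"]: item["value"] for item in payload["result"]}
    findings: list[str] = []

    for key, allowed in EXPECTED.items():
        got = settings.get(key)
        if got not in allowed:
            findings.append(f"{key}={got!r} (want {'/'.join(allowed)}): {WHY[key]}")

    min_tls = settings.get("min_tls_version", "1.0")  # Cloudflare's default minimum is 1.0
    if version_tuple(min_tls) < MIN_TLS_VERSION:
        findings.append(f"min_tls_version={min_tls} (want 1.2): TLS 1.0/1.1 handshakes are still accepted")

    hsts = settings.get("security_header", {}).get("strict_transport_security", {})
    if not hsts.get("enabled"):
        findings.append("HSTS disabled: browsers will follow an http:// link to the site without upgrading it")
    elif hsts.get("max_age", 0) < MIN_HSTS_MAX_AGE:
        findings.append(f"HSTS max_age={hsts.get('max_age')} (want >= {MIN_HSTS_MAX_AGE})")

    return findings


def hsts_value(enabled: bool, max_age: int) -> dict[str, Any]:
    """Build the security_header value in the shape the API uses."""
    return {"strict_transport_security": {"enabled": enabled, "max_age": max_age,
                                          "include_subdomains": enabled, "preload": False,
                                          "nosniff": enabled}}


# Constructed sample: a zone still on permissive values.
PERMISSIVE_ZONE: dict[str, Any] = {"result": [
    {"id": "ssl", "value": "flexible"},
    {"id": "always_use_https", "value": "off"},
    {"id": "min_tls_version", "value": "1.0"},
    {"id": "opportunistic_encryption", "value": "on"},
    {"id": "tls_1_3", "value": "on"},
    {"id": "automatic_https_rewrites", "value": "off"},
    {"id": "security_header", "value": hsts_value(False, 0)},
]}

# Constructed sample: the same zone after the settings in the post are applied.
HARDENED_ZONE: dict[str, Any] = {"result": [
    {"id": "ssl", "value": "strict"},
    {"id": "always_use_https", "value": "on"},
    {"id": "min_tls_version", "value": "1.2"},
    {"id": "opportunistic_encryption", "value": "off"},
    {"id": "tls_1_3", "value": "on"},
    {"id": "automatic_https_rewrites", "value": "on"},
    {"id": "security_header", "value": hsts_value(True, 31_536_000)},
]}

if __name__ == "__main__":
    # Audit piped-in API output, or the permissive sample when run interactively.
    payload = json.load(sys.stdin) if not sys.stdin.isatty() else PERMISSIVE_ZONE
    for finding in audit_settings(payload) or ["no findings: zone matches the recommended settings"]:
        print(finding)
```

The ssl check is the one to take most seriously: Full (strict) is the only mode in which the hop from Cloudflare to the NAS is both encrypted and authenticated, so a check like this belongs in whatever you run periodically against the zone, not just once after setup.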


jonathan18
#3068463 27-Apr-2023 16:43

Thanks, @michaelmurfy (et al) - thanks to these tips I think I'm almost there with sorting out Cloudflare!

I've got it working with the main NAS interface, so nas.[domain].xyz resolves to 192.168.1:5000 and I can log in (and it's HTTPS).

I'm not having the same success with the HA interface; with the following settings I get a '400: Bad Request' message:

That same URL above works fine if I enter it directly, so it's correct. Are there other specific settings I need to make in relation to HA, whether under the 'additional application settings' or elsewhere?

(You can see I'm just using HTTP; is there any particular advantage to using HTTPS internally, given Cloudflare ensures any external connection is secure?)

Thanks again for your help with this - it's really appreciated.


Jase2985
#3068481 27-Apr-2023 17:32

Step 15 and 16?
https://mariushosting.com/how-to-install-home-assistant-on-your-synology-nas/

jonathan18
#3068508 27-Apr-2023 19:01

Jase2985: Step 15 and 16?
https://mariushosting.com/how-to-install-home-assistant-on-your-synology-nas/

Thanks, it could well be one of these but, as I've gone with Cloudflare, I currently don't have a reverse proxy set up (I had assumed that Cloudflare was providing a similar function to resolve the addresses) and, if I need this websocket thing sorted, I'm not sure what should be pointing to what in relation to the reverse proxy settings!

I have also tried the '400: bad request' instructions but still no dice; if it also needs the above problem sorted, that may explain it.

 
 
 

michaelmurfy
#3068607 27-Apr-2023 23:53

@jonathan18 You'll need to specify trusted_proxies in your configuration file. I don't run my HA instance on my Synology (as this is remote for me) but my proxy is 192.168.2.21 (set this as your Synology IP), so I have my trusted proxies set as:

http:
  use_x_forwarded_for: true   # honour X-Forwarded-For, but only from the proxies listed below
  trusted_proxies:
    - 192.168.2.21            # the reverse proxy's address as Home Assistant sees it
    - 127.0.0.1               # loopback, for a proxy on the same host
    - ::1

in my configuration.yaml file. I am a little bit of a n00b with Home Assistant (I mainly use Homebridge / HomeKit) but it works for me.

For Cloudflare Tunnel I am pretty sure you'll need to trust their IP addresses (here), so it'll look like:

http:
  use_x_forwarded_for: true
  trusted_proxies:
    # Cloudflare IPv4 ranges
    - 173.245.48.0/20
    - 103.21.244.0/22
    - 103.22.200.0/22
    - 103.31.4.0/22
    - 141.101.64.0/18
    - 108.162.192.0/18
    - 190.93.240.0/20
    - 188.114.96.0/20
    - 197.234.240.0/22
    - 198.41.128.0/17
    - 162.158.0.0/15
    - 104.16.0.0/13
    - 104.24.0.0/14
    - 172.64.0.0/13
    - 131.0.72.0/22
    # Cloudflare IPv6 ranges
    - 2400:cb00::/32
    - 2606:4700::/32
    - 2803:f800::/32
    - 2405:b500::/32
    - 2405:8100::/32
    - 2a06:98c0::/29
    - 2c0f:f248::/32
    # the local proxy host and loopback
    - 192.168.2.21
    - 127.0.0.1
    - ::1





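As an added example (my own Python, not Home Assistant's code) of what that trusted_proxies list actually controls: a reimplementation of the usual X-Forwarded-For algorithm, walked right to left with trusted hops skipped, plus the refusal that Home Assistant sends back as 400 Bad Request when the header arrives from a peer outside the list, which is the '400: Bad Request' seen earlier in the thread. Two things to check against your own setup: the entry that matters is whatever address Home Assistant sees cloudflared connect from (the NAS or container address when cloudflared runs on the Synology), because the Cloudflare edge ranges only come into play for hops that appear inside the header; and widening the list to 0.0.0.0/0 to silence the error lets anyone who can reach the port choose the address Home Assistant records for them. All addresses and requests in the block are constructed.

```python
"""What trusted_proxies does with X-Forwarded-For, and why the list must name
the peer Home Assistant actually sees.

Added example, not Home Assistant's code: a reimplementation of the usual
right-to-left X-Forwarded-For walk (skip every trusted hop; the first untrusted
address is the client) plus the rejection that Home Assistant maps to
400 Bad Request when the header comes from a peer outside trusted_proxies.
All addresses and requests below are constructed for the demo.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Callable, Optional


@dataclass
class Request:
    peer: str                   # address of the TCP peer that connected to the app
    xff: Optional[str] = None   # X-Forwarded-For header as received, if any


class ProxyRejected(Exception):
    """Raised where Home Assistant would answer 400 Bad Request."""


def make_resolver(trusted_proxies: list[str]) -> Callable[[Request], str]:
    """Build a client-IP resolver for a trusted_proxies list (host addresses or CIDRs)."""
    networks = [ip_network(entry, strict=False) for entry in trusted_proxies]

    def trusted(addr) -> bool:
        return any(addr in net for net in networks)

    def client_ip(request: Request) -> str:
        peer = ip_address(request.peer)
        if request.xff is None:
            return str(peer)                  # no proxy header: the peer is the client
        if not trusted(peer):
            # An untrusted peer is trying to tell us who the client is. Believing it
            # would let anyone who can reach the port claim any source address.
            raise ProxyRejected(f"X-Forwarded-For from untrusted peer {peer}")
        try:
            hops = [ip_address(hop.strip()) for hop in request.xff.split(",")]
        except ValueError as exc:
            raise ProxyRejected(f"malformed X-Forwarded-For: {exc}") from exc
        for hop in reversed(hops):            # rightmost hop is the one nearest to us
            if not trusted(hop):
                return str(hop)               # first untrusted hop is the real client
        return str(hops[0])                   # every hop trusted: fall back to the leftmost

    return client_ip


# The post's first configuration: only the NAS and loopback are trusted.
NAS_ONLY = ["192.168.2.21", "127.0.0.1", "::1"]
# An over-broad list sometimes pasted in to "make the 400 go away".
TRUST_EVERYONE = ["0.0.0.0/0", "::/0"]


def demo() -> dict[str, str]:
    """Run the resolver over constructed requests; returns label -> resolved client or error."""
    results: dict[str, str] = {}
    via_nas = make_resolver(NAS_ONLY)
    # cloudflared on the NAS forwards a visitor: peer is the NAS, header names the visitor.
    results["through tunnel"] = via_nas(Request("192.168.2.21", "203.0.113.9"))
    # LAN client talking to Home Assistant directly with no header: peer address is used.
    results["direct, no header"] = via_nas(Request("192.168.2.50"))
    # Someone reaching the port directly and forging a header: rejected (the 400 case).
    try:
        via_nas(Request("198.51.100.7", "10.0.0.1"))
    except ProxyRejected as exc:
        results["direct, forged header"] = f"400: {exc}"
    # The same forged request against the over-broad list: the forgery is believed.
    results["forged header, trust everyone"] = make_resolver(TRUST_EVERYONE)(
        Request("198.51.100.7", "127.0.0.1"))
    return results


if __name__ == "__main__":
    for label, outcome in demo().items():
        print(f"{label:32} -> {outcome}")
```

Home Assistant uses the resolved address for login-attempt banning and for the trusted_networks auth provider, so a forged 127.0.0.1 or LAN address under the over-broad list is not cosmetic: it is exactly the kind of address those features treat as friendly.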


jonathan18
#3068682 28-Apr-2023 09:12

Brilliant, thanks Michael - I just needed to follow the first part to get external access to HA, so have achieved what my initial query sought! Now for the delights of trying to work out how to set up and use HA.

One flow-on impact, though... Prior to setting up Cloudflare I had turned off other forms of NAS access, i.e. deleted all the port forwarding and disabled QuickConnect. The result is that I've lost access via the DS apps, most importantly DS Cam (as our security cameras use Synology Surveillance).

To other Synology NAS users: how convoluted is it to provide these key DS apps access via Cloudflare as opposed to using QuickConnect (or should I just re-enable QuickConnect)?

Thanks for any further advice.


michaelmurfy
#3068709 28-Apr-2023 09:51

Ensure automatic updates are enabled on your NAS and just use QuickConnect for this - it is fine. It uses high random ports or tunnels and, as long as you only enable the QuickConnect services you need, you'll be fine. Just log in to your NAS every now and then to ensure it is updated.

Historically there have been some Synology hacks, but I have not seen exploits in recent years that have targeted QuickConnect. Synology seems pretty on top of it with security in recent times.


jonathan18
#3068795 28-Apr-2023 12:41

Thanks, Michael; I've re-enabled QuickConnect and that's all working again.

Back to HA, annoyingly I'm not able to log in via the Android app - no problems logging in locally, but if I try to do so via the Cloudflare-managed address I get an 'invalid login session. Please try going to the URL of your application'. (This is the passcode security layer provided by Cloudflare before I get to the HA password login; I assume I'd get in if I disabled the passcode requirement, but would rather keep it in place.)

Any thoughts on what's going wrong? (Just to be clear, I do always try to find a solution before asking here!)


michaelmurfy
#3068857 28-Apr-2023 14:46

Yep, will be caused by Zero Trust. The app will likely expect to get straight in. It is a little safer given it is going via Cloudflare, and you can also block high-risk countries in the Cloudflare Security side of things if you wanted to use the app.


jonathan18
#3068922 28-Apr-2023 15:27

Cheers!

So I've tried disabling OTP (I already have it limited to logins only from NZ) and so I no longer get the problem of it not accepting the Zero Trust-managed PIN, but now get a similar 400 error to that I've had previously:

Now, I'm assuming I'm supposed to enter the same URL I use to access HA via a browser (ha.mydomain.xyz), or have I got that bit wrong? I've ensured all of Cloudflare's IP addresses are also loaded in the configuration.yaml file, so not sure how to get around this latest problem... (And, yep, it's still accessible via a browser.)

michaelmurfy
#3068924 28-Apr-2023 15:32

It could be getting blocked by Cloudflare's bot management too - not sure. I don't even have an Android phone to test myself :)

Have a look at the security logs in Cloudflare and see if it is tripping up there. You may need to lower your security a little in Cloudflare if this is the case.

