Access Addons in Home Assistant Container Setup with Cloudflare

Hello all,

Let me explain my setup to you:
I have Home Assistant running as a container on an Intel NUC, together with all the other addons, e.g. Cloudflare, Zigbee2MQTT or Portainer, managed via docker-compose.
My Home Assistant Container is reachable via a Cloudflare Tunnel.

docker-compose.yml:

[...]
  cloudflare:
    container_name: cloudflare
    image: cloudflare/cloudflared
    restart: unless-stopped
    command: tunnel run
    environment:
      - TUNNEL_TOKEN=${CLOUDFLARE_TUNNEL_TOKEN}
  homeassistant:
    container_name: homeassistant
    image: "ghcr.io/home-assistant/home-assistant:stable"
    restart: unless-stopped
    environment:
      - TZ=Europe/Brussels
    volumes:
      - /home/sebastian/docker/homeassistant/config:/config
      - /etc/localtime:/etc/localtime:ro
      - /run/dbus:/run/dbus:ro # Bluetooth adapter
    privileged: true
    network_mode: host
    depends_on:
      - mariadb
      - influxdb
      - mosquitto
[...]

My goal is to access home assistant itself and all the other addons on the sidebar via my DNS name and the Cloudflare tunnel.
The Cloudflare tunnel is forwarding to http://<my_local_IP>:8123.
As a result, I can access my home assistant via https://<my_DNS_name>.

My issue:
When accessing the other addons, e.g. zigbee2mqtt, on the sidebar of Home Assistant via their local IP (http://<container_ip>:<port>), I’m getting the following error:

Workaround: Subdomain in Cloudflare for every add-on and pointing to the Subdomain DNS name in the sidebar of home assistant (https).
But the issue with this approach is that the addons themselves are accessible unprotected via the public internet.
=> Do you have an idea how I could protect these subdomains without limiting the access for myself or how to get it working using the http addresses for the addons?
If I add an Application Authentication via Cloudflare for the subdomains, iOS will not be able to handle that and I cannot limit it via IP address as I also want to access it via mobile network without VPN.

Those aren’t add-ons, add-ons only exist for Home Assistant OS. Those are just software you’re running in containers.

Use one domain, without Cloudflare auth, for HA. Use other domains (or one and paths) for the others, and use Cloudflare auth there.


Thanks for your reply.
That’s definitely a possible solution but the issue here is that it is not supported by iOS.
This means that if you are on your mobile phone and want to access an add-on/software in the Home Assistant sidebar, you will only get a blank page.

The cleanest solution would be to have something like the Hass.io Ingress feature, which integrates add-ons seamlessly: Introducing Hass.io Ingress - Home Assistant

Does anyone have an idea how this could be manually imitated / set up in your own instance?

What isn’t supported by iOS?

iOS does not allow this proxying in the Home Assistant app as well as in the browser.
As a result you only get a blank page instead of the Cloudflare authentication page.

iframes aren’t proxies, they’re just pointers to the browser to tell them where the content really is.

Unfortunately there’s no way to easily replicate the ingress feature.

Yeah, but in this case the iframes are pointing to e.g. zigbee2mqtt.<custom_domain_name>.com, which is using the Cloudflare tunnel to get back to the container on the NUC.
When you now enable the Cloudflare authentication, this intercepts the call and forwards it to the authentication page. When you enter correct credentials, you are then forwarded again to the container.

This works quite well on any device or browser except iOS.
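
Added example, not part of any post in this thread: a way to check that each per-service subdomain discussed above is actually gated by Cloudflare authentication, relying on the redirect to a `*.cloudflareaccess.com` login page that Cloudflare Access returns for unauthenticated requests. The hostnames, the team name `myteam` and the sample responses are constructed placeholders.

```python
import http.client
from urllib.parse import urlsplit

ACCESS_SUFFIX = ".cloudflareaccess.com"   # Access login pages live under a team subdomain
REDIRECTS = (301, 302, 303, 307, 308)

def classify(status, location):
    """Classify the response to an unauthenticated GET on a tunnelled hostname."""
    if status in REDIRECTS:
        host = (urlsplit(location or "").hostname or "").lower()
        # The leading dot in the suffix rejects look-alike hosts.
        return "protected" if host.endswith(ACCESS_SUFFIX) else "exposed"
    if 200 <= status < 300:
        return "exposed"      # the origin answered without any Access challenge
    return "unknown"          # 4xx/5xx: tunnel down, blocked, etc. Check by hand.

def probe(hostname, timeout=10):
    """Live check: one GET without cookies; http.client never follows redirects."""
    conn = http.client.HTTPSConnection(hostname, timeout=timeout)
    try:
        conn.request("GET", "/")
        resp = conn.getresponse()
        return classify(resp.status, resp.getheader("Location"))
    finally:
        conn.close()

def audit(responses):
    """Map hostname -> verdict for already-captured (status, Location) pairs."""
    return {host: classify(status, loc) for host, (status, loc) in responses.items()}

# Constructed sample responses (status code, Location header), not real captures.
SAMPLE = {
    "zigbee2mqtt.example.com": (
        302, "https://myteam.cloudflareaccess.com/cdn-cgi/access/login/zigbee2mqtt.example.com"),
    "portainer.example.com": (200, None),           # served straight from the container
    "influxdb.example.com": (302, "/signin"),       # the app's own redirect, not Access
    "mosquitto.example.com": (302, "https://cloudflareaccess.com.other.example/login"),
    "mariadb.example.com": (502, None),
}

if __name__ == "__main__":
    for host, verdict in audit(SAMPLE).items():
        print(f"{host:26} {verdict}")
```

To run it against a real setup, call `probe()` with each of your own subdomains from a network outside the home LAN.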