Access for Local-Only Users via SSL?

I have my own domain and use a Cloudflare tunnel (via CloudFlared) to access my instance via https://ha.mydomain.com/. I’m in the process of setting up a tablet with Fully Kiosk Browser to mount on the wall. I created a tablet user with local access only. For obvious reasons, if I try to login with that user via the domain above it errors out because that user doesn’t have remote access. I can access locally via https://ha-ip-address.lan:8123 but Fully Kiosk doesn’t seem to do well with insecure connections. I also seem to not be able to access it via http only (I thought I used to be able to do that but haven’t tried in a few years).

What is the proper procedure to set this up so I can access via SSL (or http) locally with a local only user? I also ideally do not want the tablet to have internet access. I thought I could just create a DNS rule in Pi-Hole to redirect my domain to the local IP but it seems I can’t specify port numbers in Pi-Hole.

Any thoughts?

EDIT - It seems that in order for Frigate WebRTC feeds to work I need to connect via SSL, so it seems that http is not an option.

You are onto the right solution.
Pi-hole or any DNS running internally for your domain with local IPs is the way.
It is called a split DNS setup.

You can use the NGINX Proxy Manager addon to handle SSL and port mapping for you. Pi-hole DNS would send the request to NPM, and that would proxy the request to your http://ha-ip-address.lan:8123/.

It would be easier to set up a different subdomain to access internally (e.g. ha-int.mydomain.com). If you use the same domain internally and externally, for the last month or so, people (including me) have been having intermittent problems (e.g. here). However I have recently tried this possible solution and it seems to have worked for me.


Probably to http instead of https.
No idea of using a proxy to forward from https to https, and https does not work with IP addresses on most certificates.

Ah yes thanks - a copy/paste without paying attention. I will edit it.
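
A way to verify the split DNS setup discussed in this thread from a machine on the LAN, as an added example that is not part of any post above: it checks that the internal name resolves only to LAN addresses and that the proxy's certificate validates for that name. The LAN ranges (RFC 1918 and IPv6 ULA) and the function names are assumptions; `ha-int.mydomain.com` is the subdomain suggested in the thread.

```python
import ipaddress
import socket
import ssl

# Assumption: "local" means RFC 1918 IPv4 or IPv6 unique-local space.
LAN_NETS = [ipaddress.ip_network(n) for n in
            ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "fc00::/7")]

def split_dns_verdict(addresses):
    """Classify resolver answers: internal, external, mixed or unresolved."""
    if not addresses:
        return "unresolved"
    local = [any(ipaddress.ip_address(a) in net for net in LAN_NETS)
             for a in addresses]
    if all(local):
        return "internal"
    # "mixed" means one address family still points outside the LAN,
    # so a client may bypass the local proxy depending on which it picks.
    return "mixed" if any(local) else "external"

def resolve(hostname, port=443):
    """Return every address the system resolver gives for hostname."""
    infos = socket.getaddrinfo(hostname, port, proto=socket.IPPROTO_TCP)
    return sorted({info[4][0].split("%")[0] for info in infos})

def tls_validates(hostname, port=443, timeout=5):
    """True if the certificate chains to a trusted CA and matches hostname."""
    ctx = ssl.create_default_context()  # verifies chain and hostname
    try:
        with socket.create_connection((hostname, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=hostname):
                return True
    except OSError:  # ssl.SSLError and connection errors are OSError subclasses
        return False

def check_host(hostname, port=443):
    """Resolve hostname, classify the answers, then test TLS if all are local."""
    try:
        addresses = resolve(hostname, port)
    except socket.gaierror:
        addresses = []
    verdict = split_dns_verdict(addresses)
    tls_ok = verdict == "internal" and tls_validates(hostname, port)
    return {"addresses": addresses, "dns": verdict, "tls_ok": tls_ok}

if __name__ == "__main__":
    import sys
    print(check_host(sys.argv[1] if len(sys.argv) > 1 else "ha-int.mydomain.com"))
```

Run it on a device that uses the Pi-hole as its resolver; a result other than `internal` with `tls_ok: True` means the tablet would either leave the LAN or hit a certificate error.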