I am failing at correctly configuring external access for my Home Assistant on a recently acquired Green. I’ve followed the instructions in the video by Lawrence Systems but still cannot manage to connect, so any and all help is appreciated.
I have bought my own domain and configured an A record (subdomain) to point to my IP. I think this is working because when I use dig (local, Google and Quad9) I get a response pointing to my IP.
$ dig @9.9.9.9 ha.mydomain.tld
; <<>> DiG 9.18.20 <<>> @9.9.9.9 ha.mydomain.tld
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 8523
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;ha.mydomain.tld. IN A
;; ANSWER SECTION:
ha.mydomain.tld. 1007 IN A 200.x.y.z [yes, it matches my WAN IP on pfSense]
;; Query time: 3 msec
;; SERVER: 9.9.9.9#53(9.9.9.9) (UDP)
;; WHEN: Fri Dec 29 17:22:45 CST 2023
;; MSG SIZE rcvd: 64
I can also ping my subdomain and get a response, from my computer or from the terminal in Home Assistant.
The domain was bought via Namecheap and the ACME certificates configuration was done using their API and the cron entry has been enabled.
I have tried both to listen on the WAN address and create a Virtual IP for HAProxy with the same results. In any case, firewall rules and NAT have been created for each situation.
HAProxy has a frontend and a backend, but the server is always down and this message appears after each reload attempt:
[NOTICE] : haproxy version is 2.8.2-61a0f57
[NOTICE] : path to executable is /usr/local/sbin/haproxy
[WARNING] : config : Server HomeAssistant_ipvANY/HomeAssistant is DOWN, changed from server-state after a reload. 0 active and 0 backup servers left. 0 sessions active, 0 requeued, 0 remaining in queue.
Why not just install Wireguard on pfSense and have your own private VPN? It’s easy and it’s free and no third party providers are required, except for maybe dyndns if you don’t already have a static IP.
EDIT: Since you already have your own domain, dyndns would not be unnecessary. You have that already covered. Now just install Wireguard. Problem solved.
I know this would probably be more secure, but I do not know how to set up a VPN. Also, I do not think this resolves the reverse proxy situation where I could set up subdomains to specific services within my local network like Nextcloud or TrueNAS.
After a couple of walkthroughs across the setup I realized the Home Assistant server was not available on port 443, so a tiny filament in my head lit up. I installed the Let’s Encrypt add-on within Home Assistant and filled it with the Namecheap API details and it seems to work now:
No error, just a regular browser timeout. External ping is failing too. I can only access the URL if I am within the LAN/VLAN.
This is frustrating and not having the system accessible from the outside and mobile devices is pretty limiting. I am gonna go back to researching for a while.
Home Assistant should NOT have SSL enabled, and should remain on port 8123. The entire point of a reverse proxy is that it proxies the connection to the upstream server. HAProxy has SSL enabled already and you have a Let’s Encrypt certificate. HAProxy is in charge of the SSL termination.
That is not the issue. Check the logs for Home Assistant, and see if there are many messages about not accepting the connection because it is not a trusted proxy.
I mean if it is in a production environment sure. But for home use I definitely would not recommend it. This forum is LITTERED with people who have set up SSL and for whatever reason something has gone wrong at some point after it was set up and now they are struggling to access their system. It’s always massively easier if port 8123 is still available internally, and served over plain http.
(The reason a lot of us went down this route, incidentally, was because various bits of hardware didn’t support speaking to Home Assistant over SSL - konnected.io being one of the main ones that was a problem)
Well, if someone already jumped into SSL offloading with a proxy, completing the secure link all the way to HA should be a minor step. But, yeah, for troubleshooting or initial testing better go step by step; always ensuring that at the end you have HTTPS all over. Even inside the LAN it is a bad idea to be transmitting in plain text.
Ironically, I set up a Home Assistant Blue at my parents’ with a DuckDNS address and a Konnected alarm that is fully functional. I got a Green and a domain for my place and can’t even finish the setup.
The only error in Home Assistant reads as follows:
Dec 30 22:59:58 homeassistant dockerd[590]: time="2023-12-30T22:59:58.250891146Z" level=error msg="[resolver] failed to query DNS server: 10.100.50.1:53, query: ;o427061.ingest.sentry.io.\tIN\t A" error="read udp 172.30.232.2:56985->10.100.50.1:53: read: connection refused"
The HAProxy logs may tell you what’s wrong with the upstream connection. Following the cue from andrew, you may also try to disable SSL on HA and see what HAProxy does.
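Added example, not part of any post in this thread: a small Python check, run from a machine on the LAN, that classifies what Home Assistant actually answers with on ports 8123 and 443, since a backend configured for the wrong protocol or port is one way a server ends up reported as DOWN. The host name `homeassistant.local` and the helper names are assumptions; substitute the address your HAProxy backend points at.

```python
import socket
import ssl

def probe_backend(host, port, timeout=3.0):
    """Return 'closed', 'tls', 'http' or 'unknown' for the listener at host:port."""
    # Step 1: plain TCP connect. If this fails, any health check against the
    # port fails too and the proxy will report the server as DOWN.
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except OSError:
        return "closed"
    # Step 2: try a TLS handshake. Verification is disabled because the goal
    # is only to classify the listener, not to trust it.
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    try:
        with ctx.wrap_socket(sock, server_hostname=host):
            return "tls"
    except OSError:  # ssl.SSLError and timeouts are both OSError subclasses
        sock.close()
    # Step 3: reconnect and send a minimal plain-HTTP request.
    try:
        with socket.create_connection((host, port), timeout=timeout) as plain:
            plain.settimeout(timeout)
            plain.sendall(b"HEAD / HTTP/1.0\r\nHost: " + host.encode() + b"\r\n\r\n")
            reply = plain.recv(16)
    except OSError:
        return "unknown"
    return "http" if reply.startswith(b"HTTP/") else "unknown"

def advise(results):
    """Turn {port: probe result} into the backend setting worth checking first."""
    if results.get(8123) == "http":
        return "plain HTTP on 8123: backend should target 8123 without SSL"
    if results.get(8123) == "tls":
        return "SSL is enabled on 8123: backend must use SSL, or remove SSL from HA"
    if results.get(443) in ("tls", "http"):
        return "HA answers on 443, not 8123: backend port must match"
    return "no listener found: check HA address, port and firewall rules"

if __name__ == "__main__":
    host = "homeassistant.local"  # assumption: replace with your HA address
    results = {port: probe_backend(host, port) for port in (8123, 443)}
    print(results)
    print(advise(results))
```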