Certificate files for Add-ons when running a reverse proxy in front of Home Assistant

Configuration
1

Hi. I am a bit confused about something, so thought I’d ask the forum. Recently I deployed Caddy Web Server as a reverse proxy in front of my proxied installation of Home Assistant. Obviously my separate server running Caddy is handling certificate maintenance. What confuses me is the configurations for a lot of my Supervisor add-ons. Many have config lines that provide an option for SSL and certificates being stored in the default location…
eg from TasmoAdmin…

ssl: true
certfile: fullchain.pem
keyfile: privkey.pem

TasmoAdmin does NOT use Ingress. Other add-ons do use Ingress so maybe that affects my final configuration.

Basically, do I need certificates also stored in Home Assistant’s ecosystem. And if I don’t need them stored on my installation, how do I handle add-on configs? Ignore SSL? Or do I reference them on the server that runs Caddy?

Please advise. Thank you!

2

I set ssl false in those addons. I also have a sub-domain for some addons like TasmoAdmin so it does get a certificate.

3

Thanks @DavidFW1960 . Can you explain a bit more. Not sure how you would apply a sub-domain to an addon like TasmoAdmin.

4

Here is part of my caddyfile:

domain:xxxxx {
    tls {
	    dns namecheap
	}
    header / {
    Strict-Transport-Security "max-age=31536000; includeSubdomains"
    X-XSS-Protection "1; mode=block"
    X-Content-Type-Options "nosniff"
    X-Frame-Options "SAMEORIGIN"
    Referrer-Policy "same-origin"
    -Server
}
    proxy / localhost:8123 {
        websocket
        transparent
        header_upstream Authorization {>Authorization}
    }
}

tasmoadmin.domain:xxxx {
    tls {
	    dns namecheap
    }
    header / {
    Strict-Transport-Security "max-age=31536000; includeSubdomains"
    X-XSS-Protection "1; mode=block"
    X-Content-Type-Options "nosniff"
    Referrer-Policy "same-origin"
    -Server
}
    proxy / localhost:9541 {
        websocket
        transparent
    }
}

I don’t use port 443 BTW… I use a high numbered port.

I can then go to https://tasmoadmin.domain:xxxxx and tasmoadmin opens. I can also use that in an iFrame so I can view it in the sidepanel of Home Assistant.

5

That’s very interesting. If you are not using standard ports how do you achieve the certificate test? With a DNS challenge?

6

Yep. I have DNS challenge setup in the addon for the certificates. There is a DNS challenge for DuckDNS and also Namecheap (which I use) and lots of others. But you need to download a custom version of Caddy (which sounds complicated but is actually only a few mouse clicks)

1 Like
7

Excellent. I’ll give it a whirl.

8

I have this working a treat with 443. BTW, why the high numbered ports? Just to lesson the chances of hackers finding an open port on your network? Thanks!!!

9

Yes. As @Tinkerer says, when you walk down the street and everyone has their door (port 443) in the same place but your door is say port 10456, you will get far less strays just knocking on your door if they can’t find it. A lot of port scanners will only look at the first thousand ports so it’s just extra obscurity. I actually only have an IPv6 record (AAAA) for my HA domain so really, good luck finding that and on a non-obvious port…

10

Good advice. Thanks David