I was able to access from local IP fine before with http://192.168.1.229:8123/ and via Cloudflare tunnel with my domain xxxxxx.com. Originally the page does not have SSL at all.
After adding 3 lines into the config file and 2 pem files in the ssl folder, I cannot access it locally nor from the domain I set up with Cloudflare. Any idea?
Luckily I can still access HA files via Samba on my local network. BUT of course the HA server is not working and no automations are working as well.
Please advise.
HA works again once I remove these 3 lines, but it would be nice to have SSL:
I'm confused - you're telling HA to serve UI on port 2096, but still trying to connect via 8123 by the looks of it. Try to connect via 2096 instead (ie: http://192.168.1.229:2096/ (or https depending on what's going on with the SSL)).
Which leads to the question - why are you changing the port that HA UI is served on? That's normally not necessary or desirable.
Also, re the SSL configuration, what are you trying to achieve - SSL locally, or just when connecting externally via Cloudflare tunnel?
If via CF, & you're using a standard cloudflared setup, then you don't need an SSL certificate on your local server. CF automatically creates and manages the cert, terminates incoming SSL connections, and hits up your local server (via the daemon running locally) via HTTP.
If trying to run SSL locally to 192.168.1.229 (why?) - then that's going to be quite difficult to do well and securely. CAs only certify public hostnames, not private IP addresses, so you're going to have to jump through quite a few hoops to try to get that to work (ie self-signed cert, manually trusting that (private) CA, cert, etc etc - and this all compromises the cryptographic integrity of your connection anyway).
'Normal' config is to connect via http locally, and https to CF externally or if using your public hostname.
I honestly don't understand all of these networking rules, especially the CF tunnel.
I followed this guide and he said I should use port 2096 or port forwarding, which I don't want to do.
What I am trying to achieve is to have HTTPS. I understand that is crucial for voice since the mic on phones/tablets only works with https. https://192.168.1.229:2096 does work now with the desktop machine. Firefox gives a warning and I accepted the risk and got in https://i.imgur.com/k27SDVv.png
If you are using CF Tunnel and add-ons such as Cloudflared directly on HA, the preferred method is to use a server-side managed tunnel. So in the add-on configuration on the HA side, all you need to put in the configuration is the tunnel token.
Everything else, such as which public domains are routed via the tunnel, is defined by the configuration on dash.cloudflare.com.
By configuring the http section, you define on which port your SSL is listening, and trusted proxies define IPs that can connect via http.
Example would be:
- let's say that you create a Tunnel on the CF side and get a token XYZQ123
- you would insert only that as a tunnel token into your cloudflared add-on; the add-on will establish a tunnel to CF
- on CF, you would define a public hostname ha.example.com that routes to HTTP 192.168.1.100:8123
You do not need to provide an SSL certificate here because your connection is encrypted between CF and the 'addon'. If you want full end-to-end encryption, you would need to grab an SSL certificate from CF, upload it to HA and point HA to it.
This configuration should make sure that, coming from private addresses, your HA instance would still listen on http://192.168.1.100:8123, but when navigating to https://ha.example.com, you should get an SSL-encrypted connection. You should be able to point whatever you need to point to https to that ssl-encrypted URL.
These are just DNS records (that get created when you route a public URL via CF tunnel). Go here: https://dash.cloudflare.com/ and before you click on your domain, select 'Zero Trust' on the left. If you never used CF managed tunnels, it may take you for the first time through some sort of 'sign up' wizard. Don't worry, it is free. Then under Access - Tunnels, you should see your tunnel. If it is server-side managed, you are able to modify it. Select the 3 vertical dots next to your tunnel - configure. Then above 'Public hostname' you define which public domain gets routed through this tunnel, and what the protocol, destination and port are. If you create something there, a DNS record is automatically created with the entry of your tunnel.
And BTW, in that DNS names screenshot, whichever you use for your tunnel, it should not be an A record, but a CNAME for the tunnel (it is autocreated). Your A record would be when you point to the public IP assigned to you, but then you (usually) need to do port forwarding on your router. If you are not using it, then you do not need that record.
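To make the advice in this reply and the earlier one concrete, here is an added configuration example; it is not from any of the posters or from the Home Assistant or Cloudflare projects. It shows the listener setup that locks local clients out (SSL forced on the HA port with a cert a private IP cannot legitimately hold) next to the setup the replies recommend (plain HTTP on 8123 on the LAN, TLS terminated at Cloudflare, the cloudflared add-on forwarding over HTTP). The `172.30.33.0/24` range is an assumption for the network the Supervisor gives add-ons; `ha.example.com`, `192.168.1.100` and the token placeholder are illustrative values.

```yaml
# --- configuration.yaml (Home Assistant) -------------------------------
# Setup A: what the original poster tried. With ssl_certificate/ssl_key set,
# HA itself speaks only HTTPS on server_port, so http://<LAN-IP>:8123 stops
# answering and browsers warn on the self-signed cert for a private IP.
# Kept commented out here so this file stays valid YAML (one http: key).
#http:
#  server_port: 2096
#  ssl_certificate: /ssl/fullchain.pem
#  ssl_key: /ssl/privkey.pem

# Setup B: recommended with a Cloudflare tunnel. No cert on HA; Cloudflare
# terminates TLS at its edge and cloudflared forwards to HA over plain HTTP.
http:
  server_port: 8123            # default port; local clients keep using http://
  use_x_forwarded_for: true    # so HA logs/ip_ban see the real client IP ...
  trusted_proxies:
    - 172.30.33.0/24           # ... but only trusts X-Forwarded-For from the
                               # add-on network (assumption: Supervisor's
                               # default add-on range; check your install).
                               # Never widen this to 0.0.0.0/0: any LAN host
                               # could then spoof its source address to HA.

---
# --- Cloudflared add-on options (Settings > Add-ons > Cloudflared) -------
# Server-side managed tunnel: only the token goes here. Hostnames, protocol
# and destination live on dash.cloudflare.com (Zero Trust > Access > Tunnels),
# e.g. Public hostname ha.example.com -> Type HTTP, URL 192.168.1.100:8123.
tunnel_token: "<TUNNEL_TOKEN_FROM_DASH_CLOUDFLARE_COM>"   # placeholder
```

With Setup B, http://192.168.1.100:8123 keeps working on the LAN and https://ha.example.com is the HTTPS origin to give voice assistants or anything else that insists on a secure context. Keep `trusted_proxies` limited to the proxy's own range: a client that HA trusts to set `X-Forwarded-For` can otherwise pretend to be any address, including a whitelisted one.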