Cloudflare + SSL = HA dead

I was able to access it fine before from my local IP with http://192.168.1.229:8123/ and via Cloudflare tunnel with my domain xxxxxx.com. Originally the page did not have SSL at all.
After adding 3 lines into the config file and 2 pem files in the ssl folder, I cannot access it locally nor from the domain I set up with Cloudflare. Any idea?

http:
  server_port: 2096
  ssl_certificate: /ssl/origin.pem
  ssl_key: /ssl/privkey.pem
  use_x_forwarded_for: true
  trusted_proxies:
    - 172.30.33.0/24

Luckily I can still access HA files via Samba on my local network. BUT of course the HA server is not working and no automations are working either.
Please advise.

HA works again once I remove these 3 lines, but it would be nice to have SSL:

  server_port: 2096
  ssl_certificate: /ssl/origin.pem
  ssl_key: /ssl/privkey.pem

Use https://192.168.1.229:8123/

Still no luck locally.
Since I can't post screenshots on this new forum, I posted some on imgur.com.


Is this the correct place to put my ssl files?

And inside the folder are these 2 files.

Do you need to add all Cloudflare IPs to your trusted list?

Also add your local range as well?

I’m confused - you’re telling HA to serve the UI on port 2096, but still trying to connect via 8123 by the looks of it. Try to connect via 2096 instead (i.e. http://192.168.1.229:2096/ (or https depending on what’s going on with the SSL)).

Which leads to the question - why are you changing the port that HA UI is served on? That’s normally not necessary or desirable.

Also, re the SSL configuration, what are you trying to achieve – SSL locally, or just when connecting externally via Cloudflare tunnel?

If via CF, & you’re using a standard cloudflared setup, then you don’t need an SSL certificate on your local server. CF automatically creates and manages the cert, terminates incoming SSL connections, and hits up your local server (via the daemon running locally) via HTTP.

If trying to run SSL locally to 192.168.1.229 (why?) - then that’s going to be quite difficult to do well and securely. CAs only certify public hostnames, not private IP addresses, so you’re going to have to jump through quite a few hoops to try to get that to work (i.e. self-signed cert, manually trusting that (private) CA, cert, etc etc - and this all compromises the cryptographic integrity of your connection anyway).

‘Normal’ config is to connect via http locally, and https to CF externally or if using your public hostname.


Thanks for helping me out. I am now able to access locally at
https://192.168.1.229:2096

Had to add my own IP range as you said.

http:
  server_port: 2096
  ssl_certificate: /ssl/origin.pem
  ssl_key: /ssl/privkey.pem
  use_x_forwarded_for: true
  trusted_proxies:
    - 172.30.33.0/24
    - 103.21.244.0/22
    - 103.22.200.0/22
    - 103.31.4.0/22
    - 104.16.0.0/13
    - 104.24.0.0/14
    - 108.162.192.0/18
    - 131.0.72.0/22
    - 141.101.64.0/18
    - 162.158.0.0/15
    - 172.64.0.0/13
    - 173.245.48.0/20
    - 188.114.96.0/20
    - 190.93.240.0/20
    - 197.234.240.0/22
    - 198.41.128.0/17
    - 192.168.1.0/24

Access through my own domain is still dead:

I honestly don't understand all of these networking rules, especially the CF tunnel.
I followed this guide and he said I should use port 2096 or port forwarding, which I don't want to do.

What I am trying to achieve is to have HTTPS. I understand that is crucial for voice since the mic on phones/tablets only works with https.
https://192.168.1.229:2096 does work now from my desktop machine. Firefox gives a warning; I accepted the risk and got in.
https://i.imgur.com/k27SDVv.png

On my desktop, when I try to get to http://mydomain.com, I get an error. I also tried other combos:
http://mydomain.com:2096
https://mydomain.com
https://mydomain.com:2096


Even tried adding a subdomain.

But do I use ha.mydomain.com or mydomain.com here?
https://i.imgur.com/XG5xhzk.png

Regardless, I tried different variations and none worked. Really appreciate your help here.

So, a few points to help navigate here:

  1. If you are using CF Tunnel and add-ons such as Cloudflared directly on HA, the preferred method is to use a server-side managed tunnel. So in the add-on configuration on the HA side, all you need to put in is the tunnel token.
  2. Everything else, such as which public domains are routed via the tunnel, is defined by the configuration on dash.cloudflare.com.
  3. By configuring the http section, you defined which port your SSL is listening on, and trusted proxies define the IPs that can connect via http.

An example would be:
- let’s say that you create a Tunnel on the CF side and get a token XYZQ123
- you would insert only that as the tunnel token into your cloudflared add-on; the add-on will establish a tunnel to CF
- on CF, you would define a public hostname ha.example.com that routes to HTTP 192.168.1.100:8123

- configuration.yaml would have the following defined:

http:
  ip_ban_enabled: true
  use_x_forwarded_for: true
  trusted_proxies:
    - 172.0.0.0/8
    - 192.168.0.0/16
    - 10.0.0.0/8

You do not need to provide an SSL certificate here because your connection is encrypted between CF and the “add-on”. If you want full end-to-end encryption, you would need to grab an SSL certificate from CF, upload it to HA and point HA to it.

This configuration should make sure that, coming from private addresses, your HA instance would still listen on http://192.168.1.100:8123, but when navigating to https://ha.example.com you should get an SSL-encrypted connection. You should be able to point whatever you need to point to https to that SSL-encrypted URL.
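As an added example, not code from this thread or from Home Assistant itself: a small Python illustration of what the use_x_forwarded_for and trusted_proxies settings in the http: section decide. The trusted list below is constructed from the add-on's 172.30.33.0/24 range plus a LAN range, and the header-handling logic is a simplified stand-in for HA's own forwarded-header middleware, not a copy of it.

```python
import ipaddress
from typing import Dict, Optional

# Constructed http: section, shaped like the configuration.yaml snippets in this thread.
HTTP_CONFIG: Dict[str, object] = {
    "use_x_forwarded_for": True,
    "trusted_proxies": ["172.30.33.0/24", "192.168.1.0/24"],
}


def is_trusted_proxy(peer_ip: str, trusted_proxies) -> bool:
    """True if the TCP peer that connected to HA lies inside a trusted_proxies range."""
    peer = ipaddress.ip_address(peer_ip)
    return any(peer in ipaddress.ip_network(net, strict=False) for net in trusted_proxies)


def effective_client_ip(http_config: Dict[str, object], peer_ip: str,
                        x_forwarded_for: Optional[str]) -> str:
    """Simplified stand-in for HA's forwarded-header handling (assumption, not HA's code).

    Returns the address that IP-based controls such as ip_ban should act on.
    X-Forwarded-For is honored only when use_x_forwarded_for is on AND the peer is a
    trusted proxy; otherwise any client could set the header to evade a ban or to
    pose as a LAN address.
    """
    if not http_config.get("use_x_forwarded_for") or not x_forwarded_for:
        return peer_ip
    if not is_trusted_proxy(peer_ip, http_config.get("trusted_proxies", [])):
        return peer_ip  # untrusted peer: the header is ignored
    # Left-most entry is the original client; each proxy appends itself on the right.
    first_hop = x_forwarded_for.split(",")[0].strip()
    try:
        return str(ipaddress.ip_address(first_hop))
    except ValueError:
        return peer_ip  # malformed header: fall back to the real peer


if __name__ == "__main__":
    # Via the tunnel: the cloudflared add-on connects from 172.30.33.x and carries the
    # visitor's public address in the header (constructed sample values).
    print(effective_client_ip(HTTP_CONFIG, "172.30.33.5", "203.0.113.7"))
    # Direct LAN browser: no header, so the peer itself is the client.
    print(effective_client_ip(HTTP_CONFIG, "192.168.1.50", None))
    # Untrusted peer presenting a LAN address in the header: the header is ignored.
    print(effective_client_ip(HTTP_CONFIG, "198.51.100.9", "192.168.1.10"))
```

The second case is why only the add-on's range and the LAN need to be trusted: HA never sees Cloudflare's public edge addresses as the peer, only the local cloudflared connection.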

Hi, I'm sorry but I can't find this section anywhere on CF.
This is all I see.

Happy to say I got HTTPS now. Seems it takes time and is not immediate. OR maybe it was because I added this line as advised: ip_ban_enabled: true

This is my final config.yaml:

http:
  ip_ban_enabled: true
  use_x_forwarded_for: true
  trusted_proxies:
    - 172.30.33.0/24
    - 103.21.244.0/22
    - 103.22.200.0/22
........

And of course I get http://192.168.1.229:8123/lovelace/0 locally.

Any idea if the microphone will work with the Cloudflare domain URL?

These are just DNS records (that get created when you route a public URL via CF tunnel). Go here: https://dash.cloudflare.com/ and, before you click on your domain, select “Zero Trust” on the left. If you have never used CF managed tunnels, it may take you through some sort of “sign up” wizard the first time. Don’t worry, it is free. Then under Access - Tunnels, you should see your tunnel. If it is server-side managed, you are able to modify it. Select the 3 vertical dots next to your tunnel - configure. Then under “Public hostname” you define which public domain gets routed through this tunnel, and what the protocol, destination and port are. If you create something there, a DNS record is automatically created with the entry of your tunnel.

And BTW, in that DNS names screenshot, whichever name you use for your tunnel should not be an A record, but a CNAME for the tunnel (it is autocreated). Your A record would be for when you point to the public IP assigned to you, but then you (usually) need to do a port forward on your router. If you are not using that, then you do not need that record.