I don’t use Windows, so I’m not quite sure of how or where to import store custom certificates and trust them.
However, the browser should be requesting a certificate on page load. (At least, that’s how it worked for me on MacOS for either Chrome or Safari.)
And come to think of it, this is only when loading the HA webUI through the Cloudflare tunnel. It’s actually Cloudflare that wants the certificate, to validate according to the WAF rule.
But I would suggest, it’s all somewhat irrelevant if accessing HA locally. I mean, if you trust yourself, there isn’t much need to get too secure?
For my setup, I do use internal and external FQDNs ( + subdomain for external, domain.tld for internal).
Through DNS rewrites, I manage local device connections to route to the local LAN IP, regardless of the domain in the request.
Doing this bypasses the CF Tunnel, which is ok, because I trust myself.
I tried your rule 5 using my Android phone, but since the IP address that appears in the Request Details is IPv6, your “Lock Down rule” did not block it.
Instead, what I needed to do was capture any requests with IPv4 and IPv6, like this:
Created a block IP source of 0.0.0.0/1 theoretically blocking the entire internet
Created a skip all following rules for the hostname of my website & client certificate verified and put it above the former rule
Generated a client certificate which gave me a certificate and private key
Saved both individually as client.crt and client.key
Downloaded OpenSSL and used the following command to turn it into a p12 file: openssl pkcs12 -export -in correct-client.crt -inkey correct-client.key -out client.p12 -name "Hostname"
Uploaded the P12 file to Chrome. Checked if I could access it; I got a blocked error
Checked the certificate and it was one provided from my antivirus, disabled the antivirus and cleared the browser cache. Tried accessing it again; still blocked from Google Trust Services.
Is your Block rule AFTER your Skip rule in the Cloudflare WAF rules list? The CF WAF rules are processed in order, so if the block is first, or before the skip, your skip rule won’t be applied because the Block rule was true.
Check the Events in the Security of Cloudflare (same sub menu as the WAF).
Filter the view so that it only displays your certificate rule.
There will be detailed information about the pass/fail outcome.
I’ve used the Events extensively to troubleshoot blocks and skips. And to fine tune my rules to ensure only I can get through.
The process can become quite nuanced. I am still prevented from Saving passwords in VaultWarden when using the CF Tunnel for ingress because my rules are too tight, and the Save process must be using a URL scheme which I have yet to determine and define. But that’s a low priority for me.
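The two posts above hinge on two things: WAF rules are evaluated top to bottom, so a Skip must sit above the Block it is meant to punch a hole in, and an IPv4 source range never matches an IPv6 client. The following is an added example, not code from anyone in this thread and not Cloudflare's engine: a small ordered-rule evaluator in Python that models only the "skip" and "block" actions with IP-source, hostname and client-certificate conditions (the rule names, hostname and addresses are constructed for the demo).

```python
import ipaddress
from dataclasses import dataclass, field


@dataclass
class Request:
    """One inbound request as the WAF would see it (constructed sample data)."""
    src_ip: str
    host: str
    client_cert_verified: bool = False


@dataclass
class Rule:
    """A simplified WAF rule: all non-empty conditions must hold for a match."""
    name: str
    action: str                                   # "skip" or "block"
    ip_sources: list = field(default_factory=list)  # CIDRs; empty = any source
    hostnames: list = field(default_factory=list)   # empty = any hostname
    require_cert: bool = False                      # require a verified mTLS cert

    def matches(self, req: Request) -> bool:
        ip = ipaddress.ip_address(req.src_ip)
        if self.ip_sources:
            nets = [ipaddress.ip_network(c) for c in self.ip_sources]
            # An IPv4 network never contains an IPv6 address (and vice versa),
            # so a block list made only of IPv4 ranges lets every IPv6 client through.
            if not any(ip.version == n.version and ip in n for n in nets):
                return False
        if self.hostnames and req.host not in self.hostnames:
            return False
        if self.require_cert and not req.client_cert_verified:
            return False
        return True


def evaluate(rules: list, req: Request) -> tuple:
    """Walk the rules in order; the first matching skip/block decides.
    Returns (decision, rule_name); rule_name is None if nothing matched."""
    for rule in rules:
        if rule.matches(req):
            return ("allow", rule.name) if rule.action == "skip" else ("block", rule.name)
    return ("allow", None)


def unmatched(cidrs: list, ips: list) -> list:
    """Which of the sample addresses fall outside every listed range."""
    nets = [ipaddress.ip_network(c) for c in cidrs]
    return [s for s in ips
            if not any(ipaddress.ip_address(s).version == n.version
                       and ipaddress.ip_address(s) in n for n in nets)]


# Skip verified-mTLS clients for one hostname, then block everyone else (v4 and v6).
SKIP = Rule("skip-verified-client", "skip", hostnames=["ha.example.com"], require_cert=True)
BLOCK = Rule("block-everyone", "block", ip_sources=["0.0.0.0/0", "::/0"])
RULES_SKIP_FIRST = [SKIP, BLOCK]   # correct order
RULES_BLOCK_FIRST = [BLOCK, SKIP]  # skip never reached

if __name__ == "__main__":
    for req in (Request("198.51.100.7", "ha.example.com", True),
                Request("2001:db8::1", "ha.example.com", True),
                Request("2001:db8::1", "ha.example.com", False)):
        print(req.src_ip, "cert" if req.client_cert_verified else "no cert",
              "-> skip first:", evaluate(RULES_SKIP_FIRST, req),
              "| block first:", evaluate(RULES_BLOCK_FIRST, req))
    print("not covered by 0.0.0.0/1:",
          unmatched(["0.0.0.0/1"], ["10.0.0.1", "198.51.100.7", "2001:db8::1"]))
```

Running it shows the Block-first ordering rejecting even a request with a verified certificate, and `unmatched` shows which sample addresses a single IPv4 range leaves outside its match; the Cloudflare Security Events view mentioned above is where the real decision for each request can be read.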
Thanks @Lewis for the tutorial and post. I am just trying to work out how I am going to tackle this, as I have previously been using the initial authentication, but that is a pain for certain apps (Bitwarden, etc), as well as the annoyed wife factor for having to do anything extra… So I do need a method to get it all going when away from the house. However, it will need to be on multiple devices and applications.
@kzaoaai, I do like the idea of your method as well, which I did try to get going with adding my mobile phone IP dynamic address, then I ran into the complications of multiple phones / IPs etc. Are you able to share your redacted iOS shortcut & IP update script?
I do have Tailscale setup but as you noticed, it sometimes causes problems with my connection, so would prefer not to have that on all the time…
So many times when I am trying to make something work, using parts of others’ tuts and posts, I wonder if my contributions ever get noticed.
I have likely modified my security flow since I wrote this.
A major discovery I made recently is that iOS http POST can be sent to a NodeRed HTTP-in node, and then that flow can handle more authentication, like insisting on a token in the header to validate.
I have found this useful in trying to make automations more… automated.
I try to have iOS do as little as possible, and process triggers and actions and data and responses within HA.
My most recent is an elaborate alarm system which integrates / syncs iPhone alarms to HA, and HA uses the alarms to trigger things like turning on light and opening covers and playing wake-up music.
Sure. All of that could be accomplished with Shortcuts and Automations on iPhone. But the iPhone lives to give up in a kernel panic when something isn’t exactly correct.
Anyway, I’ve digressed.
If you are at some point and you’ve hit a block, send me a DM, I would be glad to provide whatever assistance I can muster.
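The post above describes having a NodeRed HTTP-in flow insist on a token in the request header before acting on an iOS POST. As an added example that is not part of the post and not NodeRed code, here is the same check written as a plain Python handler: it reads the `Authorization` header case-insensitively, accepts only a `Bearer` token, compares it in constant time with `hmac.compare_digest`, and refuses the request before looking at the body. The header name, token value and request bodies are constructed for the demo.

```python
import hmac
import json

# Expected token; in a real flow this lives in the flow's credentials, not in source.
EXPECTED_TOKEN = "constructed-demo-token-0123456789"


def token_ok(headers: dict, expected: str) -> bool:
    """True only for a well-formed 'Authorization: Bearer <token>' that matches."""
    lowered = {k.lower(): v for k, v in headers.items()}
    value = lowered.get("authorization", "")
    scheme, _, token = value.partition(" ")
    if scheme.lower() != "bearer" or not token:
        return False
    # Constant-time comparison so a wrong token cannot be narrowed down by timing.
    return hmac.compare_digest(token.strip().encode(), expected.encode())


def handle_post(headers: dict, body: str, expected: str = EXPECTED_TOKEN) -> tuple:
    """Return (status, payload). Unauthenticated requests never reach the body parser."""
    if not token_ok(headers, expected):
        return (401, {"error": "unauthorized"})
    try:
        data = json.loads(body)
        action = data["action"]
    except (ValueError, KeyError, TypeError):
        return (400, {"error": "bad request"})
    # Downstream, the flow would hand `action` to Home Assistant; here we just echo it.
    return (200, {"accepted": action})


if __name__ == "__main__":
    print(handle_post({"Authorization": f"Bearer {EXPECTED_TOKEN}"}, '{"action": "wake_up"}'))
    print(handle_post({"authorization": "Bearer wrong"}, '{"action": "wake_up"}'))
    print(handle_post({}, '{"action": "wake_up"}'))
```

The lowercase header key is deliberate: HTTP header names are case-insensitive and different clients send them differently, so a check that only looks up `Authorization` exactly will reject valid requests from some apps.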