Here’s a question from someone who doesn’t really know much about the topic.
I’m just someone who wants to access Home Assistant externally (with a https://[…].duckdns.org:8123 subdomain).
This works fine so far, even from home.
But if my internet at home goes down, I no longer have any way of accessing my Home Assistant with the app (when I’m at home).
Why can’t you just make it so that if you are not in the local network, you can access Home Assistant via the duckdns subdomain, for example, and as soon as you are at home, the IP is also sufficient (http://[Local-IP]:8123), even if only as a fallback?
In my case at least, when I set up duckdns (with encryption), I was no longer able to reach my Home Assistant via http://, but only via https://.
Is it not possible for both to be accessible at the same time?
I have been struggling with reverse proxy (NGINX Home Assistant SSL proxy) for over a week now. Since I have no idea about the topic, I can’t get it to work. There are only outdated instructions/videos on the Internet that simply don’t work for me.
Often the instructions don’t even explain what is being done or why - I suspect that this is where most of the problems arise for people who are not so familiar with it.
Either the interface has changed fundamentally (compared to the tutorials shown), or points are mentioned that cannot be found (e.g. the Nginx Proxy Manager Web UI … where is it? I can’t find it anywhere?).
Of course, it doesn’t make it any easier for me that English is not my native language and that I have to deal with a lot of technical terms.
There is no perfect security; every problem is preventable, but there is always an effort to prevent it. When the effort is too much for people, they don’t do it, and such is the case here. Security is a balance between cost and benefit, it is about reaching a good-enough compromise for everyone, and getting better with time. I’m sorry to be harsh like this, but sentences like “we will never X” in security discussions should be banned, and it begs the question of your capacity to be in charge of this.
Again, we’re not discussing what the best security is, but what the best set of defaults for regular users (who may not even know what’s a certificate) is. Regular users click and click, they will not be installing a CA and client certs on their mobile phones, sorry… that’s what you are asking them to do, but most of them won’t do it. And if you insist that’s what they should be doing, you are not dealing well with security, plain and simple, because the default (that the average user will be doing) is a “bad” default, it’s bad for security in HA, just because you can’t compromise and achieve the “good-enough” default.
Having SSL with not-verifiable certificates is better than not having SSL at all, that’s unquestionable. Providing valid SSL certificates in an environment for access over the LAN is difficult. If it was easy, HA would be doing it already. Every commercial application would have done it already, and they don’t, because it’s difficult. What they are doing is to use SSL by default and allow exceptions when the certificate is not trusted. They show you a warning every now and then, and from this “good-enough” default they tell you how to get better. This is how OpenVPN, OwnCloud, Synology Drive and many others do it. It’s not great, but at least they’re not sending application credentials in cleartext (!!). That’s from the 20th century, sorry.
I know already you won’t admit you’re wrong, I spent an hour writing this with the hope someone else will see it.
Amazing job with that hour of your life! I have honestly never seen someone write something so wrong on so many levels.
I seriously hope there’s some kind of hidden “nope” badge which you managed to unlock at least.