Dynamically controlling remote access to HA with reverse proxy

I’m thinking through how to securely controll access to Home Assistent remotely, not using the Nabu Casa service (not because I don’t want to support, but more because I like to have control).

I already have a reverse proxy (nginx) running on a home server and my thought is:

  1. An app running on my phone that periodically updates a cloud based trusted IP addresses list with the public IP of my phone (could be as simple as a JSON/YAML file in S3)
  2. A script/automation that updates the nginx ACL for the reverse proxy instance based on the above file/resource.

Two things missing from my knowledge:

  1. Does anyone know of an iPhone app that can do the updating of the AWS service?
  2. Is it possible to update the ACL of an nginx instance without reloading the server? Reloading the server would interrupt any active sessions and probably cause other issues.

If anyone knows the answer to the above or another method to acheive this, please let me know!


The answer to question 2 appears to be solved here:

An API that could be called from an automation in HA.

Ah, this would appear to require nginx plus

This could work, though it requires an nginx reload (not restart) which from what I’ve read is session-safe.

If you have set number of devices meant to access you HA instance from the internet (i.e. your phone, if I get it right) and you’re anxious about HA being hacked, the simplest and safest way is likely to remove all public access (i.e. the nginx config) and to use the Tailscale addon to create a VPN.

Thanks, I have a VPN server running already which I use for remote admin of my home network, but setting up and tearing down the VPN each time I interact with Home Assistant is overkill, especally when I want to be able to instantly trigger actions from iOS notifications.

Really I just want to reduce the attack surface of Home Assistant as much as possible without going full VPN. Anything to stop a brute-force or exploit against the HA interface.

The other thought I had is if the HA app could support Mutual TLS but based on various posts this is not going to happen soon due to bugs/problems with websockets in iOS/Webkit and MTLS.

Maybe 2FA? That’d mitigate brute-force.

And if you’re concerned about security, I’d suggest to not use duckdns.org in the first place (anyone can see the registered hostnames), but a domain of your own (that your nginx will only respond to) and a semi random port number / hostname.

And you might be interested in the below to avoid punching holes in your LAN.
As you mentioned AWS, it can likely be reused there.

Your solution is interesting but not quite what I’m looking for. To clarify, I don’t use DuckDNS etc, and don’t plan to use DNS as the mechanism to control access (hence the suggestion around a file stored in S3 to which access could be controlled with IAM roles). It was just another solution I found out there with similarities.

2FA is a good option. Can 2FA be configured with a trusted devices list so 2FA is not required if logging in from a known device (i.e. with a previously stored token). Similar to what you get with logging into Office.com and clicking the “Don’t required a One Time Password from this device in future” checkbox.

Well, you seem to have make up your mind on what you’re looking for. Good luck.

1 Like

If the device you are accessing it from, has a valid token, having already logged in AND passed 2FA - then the device will immediately be able to access the interface, without having to login again, unless you specifically log the device out.

Good to know! Thanks.

The problem I am seeing with your overall concept though -
mobile devices change their IP address continuously, especially as you go between cell towers. CGNAT is an absolute pain. I’m concerned that you might not be updating the S3 file quick enough and will run in to situations where NGinx does not yet know about your current public IP address so denies you access - a lot more frequently than you might have imagined.

You’re probably right.

I think with the combination of a reverse proxy, non-standard port, TLS and 2FA I can be comfortable enough for now.

The frequency of updating isn’t a major concern, the service calls are very small and could be done as often as every few seconds if needed. The main sticking point is the iOS app, I cannot find anything that can do this in the market today. It would need to be allowed to run in the background and make these updates also, which I’m not sure is even supported, I think apps are forced to sleep after a certain amount of time.

1 Like