I have got a Sainlogic WS3500 weather station (wind, rain, sunlight, …) which runs with the Ecowitt app.
The weather station is set up to deliver the data to the ecowitt.net portal and I can see the data there.
I have installed the HACS Ecowitt integration and changed line 21 in `__init__.py` as described here and in other places. I have added the integration and set up the device on port 4199 with the second field set to “ecowitt”. No idea what this is for, actually.
To reach my server, I have added a second host to my cloudflared tunnel pointing to the correct IP and port. When I open the URL the browser shows the text OK. Hence, I really assume the connection to the Ecowitt integration is working.
Then I have set up the Ecowitt App on my iPhone as follows:
path: / - I don’t get a token anymore when setting up the integration. On my first installation I got something along the lines of: /api/q98c7492cn74q28c794723c947234c29n379
port: 80 - as the tunnel then directs it to my server’s port 4199
update interval: 1 Minute
pressed save
The integration shows: no devices or entities
The App keeps showing: reported X seconds ago
And refreshes the value once a minute.
When I enable debug logging and look at the file I get when stopping it, the ecowitt extension is mentioned as being loaded, but nothing else.
I would switch to the built-in integration. I also tried to get the HACS one working recently (without the cloudflare setup), but couldn’t get it working.
I had some issues trying to remove the HACS integration but eventually got the built-in one working.
Yes, but the problem is: the Ecowitt App can’t send HTTPS, and the HA integrated app only listens on 443.
Hence, I installed the one from HACS. There it’s possible to configure the port the integration listens on. There I chose 4199, which seems to be the default.
And opening up 80 and sending unencrypted is a definite no go.
Is there a way to change the port of the built-in integration?
Ecowitt would locally send it to HA, not via the internet. So if you use a reverse proxy, in most cases you would/could locally connect via http anyway.
Ok, this was a misunderstanding on my side. I thought the server pushes the data from outside, not the weather station. Makes sense though.
But I still don’t want to open up my HA installation to accept unencrypted HTTP. There is no way to restrict it to one subdomain or path, and there are too many devices on the network that cannot be trusted.
I’ll admit we are now straying into territory beyond my expertise… But wouldn’t you want HA inside the protected zone of home automation devices, i.e. ones that are untrusted? No offense to HA devs or Community members, but it is open to either lax or “problematic” developments…
Yes, of course I have HA set up to exclusively use https. But the Ecowitt app can’t talk https, just http. That’s the problem.
I don’t see a way to convert the http to https though. Or am I missing something?
Edit: of course I could write my first own HA integration. An HTTP port 4199 request to HTTPS port 443 converter.
Would love that to get my toes wet in this regards, but unfortunately don’t have the time.
This is a similar setup to mine. He uses DuckDNS for dynamic IPs; I have a static IP from my internet provider. Hence, I can leave out DuckDNS and use the AWS Route53 DNS challenge for SSL certificate creation.
For routing I have forwarded DNS resolution to cloudflare and have a tunnel there directly to my HA installation. Hence, I don’t even need to open up a port on my router. It adds a layer of security to my setup.
Internally I use an nginx reverse proxy to terminate SSL and redirect traffic on port 80 to 443, which prevents HTTP connections to HA and forces them to become HTTPS.
I really want to avoid letting browsers talk with servers in plain text. Even in my own network.
For sure I don’t use all the correct lingo here, as it’s not my area of expertise, but I hope you get the idea…
Edit: maybe I could create a writeup one day, as I had to use a lot of different sources and some trial and error to get this up and running.
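An added example, not code from this thread and not from the Home Assistant or nginx projects, showing how the nginx reverse proxy described in the post above can also serve as the "port 4199 HTTP to HA" forwarder wished for earlier: the only plain-HTTP listener is confined to one source IP (the weather station), one path (the integration's webhook) and one method (POST), while every other unencrypted request is redirected to HTTPS or refused. Assumed values, all placeholders or constructed: HA runs on the same host as nginx on its default port 8123; the hostname `ha.example.invalid`; the certificate paths; the station's LAN address `192.168.1.50`; and the webhook path `/api/webhook/WEBHOOK_ID_PLACEHOLDER`, which must be replaced with the ID the built-in Ecowitt integration shows when it is added.

```nginx
# Added example; see the lead-in for the assumptions behind every value here.
# HA is assumed to listen on 127.0.0.1:8123 (its default), reachable only via loopback.

# 1. Port 80: redirect everything to HTTPS, proxy nothing.
server {
    listen 80 default_server;
    server_name ha.example.invalid;            # placeholder hostname
    return 301 https://$host$request_uri;
}

# 2. Port 443: TLS terminated here, traffic forwarded to HA over loopback.
server {
    listen 443 ssl;
    server_name ha.example.invalid;

    ssl_certificate     /etc/letsencrypt/live/ha.example.invalid/fullchain.pem;  # placeholder path
    ssl_certificate_key /etc/letsencrypt/live/ha.example.invalid/privkey.pem;    # placeholder path
    ssl_protocols       TLSv1.2 TLSv1.3;

    location / {
        proxy_pass http://127.0.0.1:8123;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto https;
        # The HA frontend uses WebSockets, so pass the upgrade headers through.
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
    }
}

# 3. Port 4199: the one plain-HTTP listener, for the weather station only.
#    Source-IP allowlist, a single exact path, POST only. Anything else never reaches HA.
server {
    listen 4199;
    server_name _;

    allow 192.168.1.50;                        # constructed: the station's LAN address
    deny  all;                                 # every other client gets 403

    location = /api/webhook/WEBHOOK_ID_PLACEHOLDER {
        limit_except POST { deny all; }        # the station only ever POSTs
        proxy_pass http://127.0.0.1:8123;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $remote_addr;
    }

    location / {
        return 404;                            # no other path is served on this port
    }
}
```

For HA to accept requests forwarded this way, its `http:` section in `configuration.yaml` needs `use_x_forwarded_for: true` and `trusted_proxies` containing the proxy's address (`127.0.0.1` here). Note what this does and does not change: the station still transmits its readings unencrypted on the LAN segment between it and the proxy, but the plaintext surface is reduced from "HA's whole API on port 4199" to one path, one method and one source address, and the HA core itself is only reachable over loopback.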
For someone who is not an expert in this area, you are much further along in your understanding than I am. I thought there would have been a way in the networking sense to isolate your Home Automation devices so that any lack of security could be contained. But again, I’m not someone who can advise on how to achieve that.
I am a software developer, but networking is not my strong side. I just had to learn the basics while administering our little network. Trying not to open up every gate for the dark forces somewhere out there in the wild internet…