I have a Harmony Hub and remote and I am thinking about adding the Emulated Roku to my HA.
However, in the documentation for this component, there is a warning stating the below information:
This component opens an unauthenticated API on the host, allowing anything on the local network to access your Home Assistant instance through the automations you create with emulated Roku as the trigger. Using a proxy with whitelisted IP addresses is recommended. (set advertise_ip to the proxy’s ip or DNS name)
What exactly does this mean and how do I configure this proxy so I keep my HA safe and secure?
I’m not an expert but my understanding is just that the API used to send Roku button presses from Harmony to HA isn’t password protected or anything. That means somebody connected to your router could also send the same button presses to HA and trigger whatever automation you have set to run from those. I don’t think it should allow anyone to control any arbitrary device in HA, just send fake Roku button presses to trigger automations, but someone else might be able to confirm that.
If those automations can’t in some way trigger your doors to unlock or disable security or anything, then it’s probably not a major security concern. Someone might be able to mess with your lights or TV but they’d have to already be on your local network, meaning your network is already compromised or they know your password. Just make sure you don’t expose the port emulated_roku listens on through your router.
As for the proxy setup if you really want to secure it, I think you could set up nginx, caddy, etc. to listen for any connection on the emulated_roku port and proxy it to HA. Then you would add rules for your proxy to only accept connections from your Harmony IP address. How exactly to do that depends on what proxy software you use and your network setup, e.g. https://www.shayanderson.com/linux/setup-nginx-as-forward-http-proxy-with-ip-address-whitelist.htm. Then, update emulated_roku’s advertise_ip to point to the proxy server.
With all of that, emulated_roku should only listen to the proxy server and the proxy server will only forward connections from the Harmony. That way, nobody else on your network can send fake Roku button presses to HA.
Again, I’m not an expert and I personally haven’t done this so you’d have to do your own research but maybe this will give you an idea of where to start.