HA Cloudflare tunnel access is a PITA when the session expires and I have to renew - easier way?

I’ve been using Cloudflare tunnel with the Home Assistant App to remotely access my server for over a year now. When it works, it works great. But at the end of the 30 day Cloudflare application session expiration, it’s a major pain to set up again.
Anyone else feeling this pain and know of a better way to handle it?

  1. The Cloudflare application session is set to expire after 30 days (the max)
  2. When it does this, the HA App can no longer connect.
  3. You can then try changing the settings, refreshing the URL, or wait
  4. Waiting does nothing, same as changing the settings.
  5. Refreshing the URL gives the Cloudflare login page to get a new login code emailed to you.
  6. Get the code and log in.
  7. Then you get an “Invalid Login Session” error from Cloudflare, I think because the HA App is using the old cookie id from the previous expired session, not the new one.

The only way I’ve found to get around this is to delete the server from the HA App (and sometimes uninstall and reinstall the HA App) and then set it up all over again (internal/external URLs, re-login to HA, check to make sure HA didn’t create a new Mobile App device as a duplicate of your previous one, thus breaking your automations, etc.).

I have 2 HA servers and 2 phones (Android and iPhone). It behaves the same on both. And every 30 days I have to slog through this gauntlet from hell to set everything back up again.

There MUST be a better way! Help!

Hello, so how are you using the Cloudflare tunnel? A couple years ago I was using Cloudflare with HDrock or something with the word rock on it. About a year ago I used the Cloudflare integration in HA. I do happen to have my own domain, so I was able to create a subdomain that points to my HA. I am not very good with the lingo, so I might end up confusing you more.

Let’s say my domain is mydomain.com and it is up and running on a shared server. When you go to mydomain.com you end up seeing the website on the public shared server. I then create myhome.mydomain.com (not sure if that is called a subdomain or not).

In order to get it to work, I had to go to where my domain name is registered and put in Cloudflare’s DNS server addresses. So when a request comes in, if it is for mydomain.com Cloudflare sends traffic to the public server, but if the request is for myhome.mydomain.com it sends the traffic to my Home Assistant server.

I wish I could give you more info, but I pretty much just set it up once and it has never given me problems. It has been about a year since I set it up and it hasn’t given me any issues at all.

No expert here, but something tells me the 30-day session expiry has more to do with the domain you are using to point to your server rather than Cloudflare expiring.

My setup is the same: The ‘myhome’ in your example is the Zero Trust Application of the domain I registered for Cloudflare’s Tunnel (the mydomain.com in your example).

Within the ‘myhome’ Zero Trust Application, you can set additional security so that only authenticated users can pass through to your HA server. Since I didn’t want just anyone to be able to have direct access to the HA login, I set up a security step in the Zero Trust app to allow only authorized users to pass. This is done by making a list of registered email addresses in the Zero Trust app. When someone goes to ‘myhome.mydomain.com’ they are required to enter their email address. If it’s in the authorized list, they are sent a 6-digit token to their email address. After receiving and entering their 6-digit token, they are forwarded to my actual HA login page, and their Zero Trust session is now good for a max of 30 days. After which they must ‘login’ to the Zero Trust App again to get a new token for a 30-day session.

Again, I use this optional extra security step in the Zero Trust App so not just anyone/everyone can bang against my HA login screen after finding myhome.mydomain.com URL, as Security through Obscurity is Absurdity. :slightly_smiling_face:

Through this, I believe the HA Android/iPhone app does not flush its old Cookies from the expired Zero Trust Session token. So when it tries to load the HA login page, Cloudflare denies it with the aforementioned error message.

Perhaps there is a way to flush the cookie cache in the HA App so that it will get a new one with the new session - without having to uninstall/reinstall the app.

Hope this helps

I have zero experience with zero trust sessions. I think sometimes by us wanting to be “more secure” we only end up making our lives harder for little to no gain. Reminds me of the very difficult passwords some apps make us create. Turns out that only made it “unsafer” for many, since they now have to write the PW down somewhere.

In order for someone to get to my HA from the outside they first need to know/find the URL used, which is probably not impossible but not easy by any means. Once they find the URL, not only do they have to figure out a working user name, they also have to figure out the corresponding password. HA is pretty quick at notifying when someone fails a login, starting from the first attempt.

Pretty sure it would be easy to set up an automation so that when login attempts fail, not only do you get the notification via the HA app, but you can also have it trigger a WhatsApp or Telegram message to inform you of the failed login attempts. Heck, I just checked and you can trigger a HA shutdown via automation as well. That means you could set up an automation that if you have x amount of failed login attempts in z amount of time, your HA shuts down.

For me all that mega extra security at times is overkill, similar to many HA users that create these amazing dashboards. They spend all this time and effort creating these really amazing dashboards that don’t really get used. Just my two cents, although I realize it does NOTHING to help you resolve the issue you have.
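Home Assistant already has a built-in threshold ban for failed logins, which covers the "x failed attempts" idea above without shutting HA down. The fragment below is an added example for `configuration.yaml`, not something posted in this thread; it uses HA's documented `http:` options, and the `trusted_proxies` range is an assumption (the default Supervisor add-on network, for when the cloudflared connector runs as an add-on; substitute your connector's address).

```yaml
# Added example, not from the thread. Assumes HA's documented http: options;
# the proxy range assumes cloudflared runs as a Supervisor add-on (adjust it).
http:
  # A Cloudflare Tunnel terminates the visitor's connection, so HA only sees
  # the tunnel connector's address. Trusting its X-Forwarded-For header makes
  # the failed-login notification and any ban name the real remote address.
  # Without this, ip_ban would ban the connector itself and lock everyone out.
  use_x_forwarded_for: true
  trusted_proxies:
    - 172.30.33.0/24   # assumption: default add-on network of the cloudflared connector
  # Ban a source address after this many failed logins (notification still fires).
  ip_ban_enabled: true
  login_attempts_threshold: 5
```

Banned addresses are written to `ip_bans.yaml` next to `configuration.yaml`; remove an entry there and restart to lift a ban.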

Ok. I think I found a possible solution!

https://kcore.org/2024/06/28/using-cloudflare-zerotrust-and-mtls-with-home-assistant-via-the-internet/

Certificates are valid for up to 10 years! So this should resolve the 30 day timeout issue I’m having. Going to test this right away!

:hand_with_index_finger_and_thumb_crossed: