HA remote access with KeenDNS

flamingm0e · January 10, 2019, 12:46am

What’s doing your SSL? I don’t see any SSL settings in your config. You either need SSL on home assistant or a reverse proxy running your SSL

DJTerentjev · January 10, 2019, 12:58am

From router manual:

By default, remote access to the device over the level 4 domain via the KeenDNS service works like this - you connect to the Internet center via the HTTPS protocol, and then you connect to the local device via the HTTP protocol via the HTTP protocol. Therefore, on the device for which we use the domain name of the 4th level, in its settings should not be excluded the possibility of using an HTTP connection, i.e. so that the option “Use only HTTPS” is not enabled. If you want to access via HTTPS, you can manually get your own certificate for the 4th level domain through the command line interface (CLI)

From router to HA required HTTPS or HTTP is enough?

DJTerentjev · January 10, 2019, 1:03am

I am not sure, but can be router providing SSL for lower level?

flamingm0e · January 10, 2019, 1:26am

Only if it’s acting as a reverse proxy

DJTerentjev · January 10, 2019, 1:31am

I tried:

http:
base_url: my.domain.keenetic.pro:8123
use_x_forwarded_for: true
trusted_proxies:
- 192.168.1.1
trusted_networks:
- 192.168.1.1

Loading match longer but same result.

flamingm0e · January 10, 2019, 2:35am

Do you understand what a reverse proxy is?

Changing the HA config isn’t going to fix your router…

DJTerentjev · January 10, 2019, 2:42am

Not at all I need to get SSL certificate and than I can use it with my domain name. Is it correct?

flamingm0e · January 10, 2019, 3:19am

If you want to use https, but if your router doesn’t support the necessary settings for reverse proxy in HA you’ll need to do something else.

DJTerentjev · January 11, 2019, 5:53pm

I just got reply from manufacture. Router can proxy some ports only:

HTTP: 80, 81, 280, 591, 777, 5080, 8080, 8090 и 65080
HTTPS: 443, 5083, 5443, 8083, 8443 и 65083.

What port is better to use?
Sorry for stupid question, but why HA using 8123 instead of 80 lets say?

flamingm0e · January 11, 2019, 6:59pm

You can use any of them.
Use 443 if you don’t want to have to put in a port number when connecting.

Lots of applications use their own ports. Port 80 on a Linux machine is reserved for root only (any port below 1024), and as such would complicate setups, and cause problems.

Forward port 443 to 8123

DJTerentjev · January 11, 2019, 8:16pm

KeenDNS settings:
domane name: my
Host (local net): 192.168.1.51
TCP port: 443

Port forwarding:
Input: Provider
Output: 192.168.1.51
Protocol: TCP/443
Destination port: 8123

In result at HA logging page: Error: Something went wrong
And nothing in the log. Is it correct settings?

flamingm0e · January 11, 2019, 8:47pm

I understand you want to use your router for this, but I don’t think it is going to work. There are things that HA needs to work with reverse proxies.

As an example, this config contains a few items that most normal reverse proxies do not.

If the settings of the built in reverse proxy are not capable of meeting these requirements, then it simply will not work.

DJTerentjev · January 11, 2019, 9:35pm

OK. It is more complicated than I thought! Any way than you for help!

Hypnotia · January 29, 2019, 11:57am

flamingm0e,

Thank you for the input but I cannot actually understand the root cause. My configuration is as follows:

HAAS.IO running in local network 192.168.1.X:8123
KeenDNS acting as reverse proxy associates 4th level DNS name with local network IP 192.168.1.X:8123
KeenDNS uses SSL

If i try to get access through 4th level domain name, remote HAAS.IO installation will respond and I will see the login page.

Having entered correct login, HAAS.IO reports “unable to connect”. Why? There is traffic, but login fails.

Regards

flamingm0e · January 29, 2019, 1:13pm

There are required settings for it to work, which, if you do not have access to change on your reverse proxy, will not work. I pointed to the documentation which shows the settings for NGINX. Without these settings, and with a standard reverse proxy configuration, NGINX will do the same thing as you describe.

The problem 100% solely lies in the REVERSE PROXY CONFIGURATION, which apparently you don’t have access to.

Hypnotia · January 29, 2019, 1:40pm

I am sorry for the stupid question. Is NGNIX included into HASS.IO or additional installation is required?

flamingm0e · January 29, 2019, 1:42pm

NGINX is a web server application. It is NOT part of hassio, but I believe it is available as an add-on, which I think has the proper reverse proxy configuration already set for it.

Dmitriy_Grishunin · June 8, 2019, 10:12am

Did you solve the problem?

lezlikov · October 22, 2019, 8:12pm

The solution to this problem is described here Home Assisant + KeenDNS. I checked - it works fine.

DJTerentjev · November 16, 2019, 4:03pm

Yes. KeenDNS service can be used:

Get domain name from KeenDNS (without SSL)
Use different port for your keenetic dashboard (not 80, 8080 can be used for exapmle)
Redirect ports 80 and 443 to HA server
Use Nginx Proxy Manager to redirect traffic to HA server and get SSL certificates.