HA, SmartThings & CloudFlare securely & issue

Hi everybody,

I realized I cut off the ST & HA integration by implementing authentication with Cloudflare to access my tunnels; the authentication layer prevents these two from chatting. Facepalm.

So I am trying to find a way out of this, and I think I’ve got it, but would appreciate input: I’d use my registrar’s DNS settings to make a subdomain and use that for the ST URL link. Same domain as my Cloudflare tunnels; would that work? Instead of domain.com I’d use stha.domain.com for the integration to work. Can this be done with CF, or do I need a 2nd domain?

If I go that way, any security advice? Probably some firewall rules, I guess? I’d install Cloudflare tunnels on HA as well for security & connectivity.

Thanks!

I am in the middle of doing this myself and came here for help with a problem! This is what I’ve done so far:

  1. Created a new Cloudflare tunnel with cloudflared running on my internal gateway (I already had this setup from previous requirements).

  2. Added a new public DNS on my existing domain/website (ha.domain.com).

  3. Added an application for access management of that subdomain and added inclusion/exclusion rules.

At this point I thought that SmartThings might still be blocked, so I created a service authorization token for SmartThings, but realized there would be no way to “give” this token to SmartThings, so I think that step was ineffective. So then I:

  1. Added a WAF firewall rule (Website->Security->WAF) and created a new firewall rule to skip all security actions for that particular webhook URI.

  2. I added the Cloudflare trusted proxies:

http:
  ip_ban_enabled: true
  login_attempts_threshold: 5
  use_x_forwarded_for: true
  trusted_proxies:
    # macOS
    - 192.168.254.17
    # Synology
    - 192.168.254.51
    # Cloudflare
    - 103.21.244.0/22
    - 103.22.200.0/22
    - 103.31.4.0/22
    - 104.16.0.0/13
    - 104.24.0.0/14
    - 108.162.192.0/18
    - 131.0.72.0/22
    - 141.101.64.0/18
    - 162.158.0.0/15
    - 172.64.0.0/13
    - 173.245.48.0/20
    - 188.114.96.0/20
    - 190.93.240.0/20
    - 197.234.240.0/22
    - 198.41.128.0/17
    - 2400:cb00::/32
    - 2606:4700::/32
    - 2803:f800::/32
    - 2405:b500::/32
    - 2405:8100::/32
    - 2a06:98c0::/29
    - 2c0f:f248::/32

  3. I enabled debugging on the component:

logger:
  default: info
  logs:
    homeassistant.components.smartthings: debug

  4. I used the SSL Certificate Checker - Diagnostic Tool | DigiCert.com to check my subdomain and I got all green checkmarks except:

The Certificate is not issued by DigiCert, GeoTrust, Thawte, or RapidSSL

However, I am still getting an error:

Logger: homeassistant.components.smartthings.config_flow
Source: components/smartthings/smartapp.py:147
Integration: SmartThings (documentation, issues)
First occurred: 11:05:57 AM (2 occurrences)
Last logged: 11:21:21 AM

API error setting up the SmartApp: {'requestId': '103FB517-7A86-4A61-8DBB-F21D95919A28', 'error': {'code': 'ConstraintViolationError', 'message': 'The request is malformed.', 'details': [{'code': 'TargetNon200Error', 'target': 'https://ha.domain.com/api/webhook/1588f078blahd08a', 'message': 'Target did not respond with a 200 status. Upstream status code=302', 'details': []}]}}
API error setting up the SmartApp: {'requestId': 'AA626CF2-332B-4007-86DE-C01E7F3C066B', 'error': {'code': 'ConstraintViolationError', 'message': 'The request is malformed.', 'details': [{'code': 'TargetNon200Error', 'target': 'https://ha.domain.com/api/webhook/1588f078blahd08a', 'message': 'Target did not respond with a 200 status. Upstream status code=302', 'details': []}]}}
Traceback (most recent call last):
  File "/usr/src/homeassistant/homeassistant/components/smartthings/config_flow.py", line 126, in async_step_pat
    app, client = await create_app(self.hass, self.api)
  File "/usr/src/homeassistant/homeassistant/components/smartthings/smartapp.py", line 147, in create_app
    app, client = await api.create_app(app)
  File "/usr/local/lib/python3.10/site-packages/pysmartthings/smartthings.py", line 110, in create_app
    entity = await self._service.create_app(app.to_data())
  File "/usr/local/lib/python3.10/site-packages/pysmartthings/api.py", line 171, in create_app
    return await self.post(API_APPS, data)
  File "/usr/local/lib/python3.10/site-packages/pysmartthings/api.py", line 395, in post
    return await self.request("post", self._api_base + resource, data=data)
  File "/usr/local/lib/python3.10/site-packages/pysmartthings/api.py", line 368, in request
    raise APIResponseError(
pysmartthings.errors.APIResponseError: Unprocessable Entity (422): {"requestId": "103FB517-7A86-4A61-8DBB-F21D95919A28", "error": {"code": "ConstraintViolationError", "message": "The request is malformed.", "details": [{"code": "TargetNon200Error", "target": "https://ha.domain.com/api/webhook/1588f078blahd08a", "message": "Target did not respond with a 200 status. Upstream status code=302", "details": []}]}}

I saw similar errors reported as issues related to not having an SSL cert, but I am currently under the impression that Cloudflare (in this configuration) would be handling the SSL transactions, and I’m pretty sure that SmartThings would consider it trusted (or does it only trust those that are trusted by DigiCert?). Also, the errors reported on that issue were slightly different (timeout), whereas my error is “Target did not respond with a 200 status”, which I thought might be HA.

I’m happy I’m able to access HA through the Cloudflare subdomain but getting the SmartThings integration is still an open task for me.

Would appreciate any ideas!
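A way to see what is actually answering the webhook URL, as an added example (not code from this thread, from Home Assistant or from SmartThings): it POSTs a constructed JSON body to the target the way a webhook caller would, refuses to follow redirects, and classifies the reply. The placeholder URL, the body and the header heuristics are assumptions. A 302 whose Location points at a cloudflareaccess.com login page is what Cloudflare Access returns for an unauthenticated request, which a server-to-server caller can never satisfy; a `cf-mitigated: challenge` header marks a Cloudflare challenge page.

```python
"""
Check what a SmartThings-style POST to the HA webhook URL actually gets back
through Cloudflare, without following redirects. Added example (not code from
this thread, Home Assistant or SmartThings). Assumed: the placeholder URL, the
constructed JSON body, and the header heuristics in classify_response().
"""
import json
import sys
import urllib.error
import urllib.request


def classify_response(status, headers):
    """Map status + response headers to what is standing in front of HA.

    headers: any mapping of header name -> value; lookup is case-insensitive.
    Returns (tag, explanation).
    """
    h = {k.lower(): v for k, v in headers.items()}
    location = h.get("location", "")
    if status == 200:
        return "ok", "origin answered 200; SmartThings accepts this target"
    if status in (301, 302, 303, 307, 308):
        if "cloudflareaccess.com" in location:
            # Cloudflare Access answers an unauthenticated request with a
            # redirect to the team login page; a webhook caller can never log in.
            return "access-redirect", f"Access login redirect to {location}"
        return "redirect", f"redirect to {location} (not Access)"
    if h.get("cf-mitigated") == "challenge":
        # Cloudflare marks challenge pages (bot / WAF challenge) with this header.
        return "challenge", "Cloudflare served a challenge page"
    if status == 403:
        return "blocked", "403; check WAF custom rules and origin ACLs"
    return "other", f"unexpected status {status}"


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Turn 3xx responses into HTTPError so the caller can inspect them."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def probe(webhook_url, timeout=10):
    """POST a constructed JSON body like a webhook caller and classify the reply."""
    body = json.dumps({"lifecycle": "PROBE"}).encode()  # placeholder, not a real lifecycle
    req = urllib.request.Request(
        webhook_url, data=body, method="POST",
        headers={"Content-Type": "application/json"},
    )
    opener = urllib.request.build_opener(_NoRedirect)
    try:
        with opener.open(req, timeout=timeout) as resp:
            return classify_response(resp.status, dict(resp.headers))
    except urllib.error.HTTPError as err:
        return classify_response(err.code, dict(err.headers))


if __name__ == "__main__":
    url = sys.argv[1] if len(sys.argv) > 1 else "https://ha.domain.com/api/webhook/REPLACE_ME"
    tag, why = probe(url)
    print(f"{tag}: {why}")
```

Run it with the real webhook URL as the first argument. An `access-redirect` result means the Access application covers the webhook path and needs a policy that lets unauthenticated callers through for that path only; a `challenge` or `blocked` result points at WAF or bot rules rather than at HA.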

Thanks for the detailed response! Will dig deeper in the next few days; if I find something I’ll reply here.


Finally have some time to dig into this. Would there be a way to add, say, the IP addresses used by ST? I suspect they will change all the time, though. I’d add those to the authorized IPs in my group.

Any luck? Stuck in the exact same situation.

So I decided to go with “acceptable risk” and here is what I did:

  • Cloudflare for DNS & overall security; I have a VM running cloudflared
  • Set up the following in the config to allow only from certain addresses (the first two are LAN, the rest are Cloudflare IPs):

http:
  use_x_forwarded_for: true
  trusted_proxies:
    - 192.168.0.205
    - 192.168.0.0/24
    - 173.245.48.0/20
    - 103.21.244.0/22
    - 103.22.200.0/22
    - 103.31.4.0/22
    - 141.101.64.0/18
    - 108.162.192.0/18
    - 190.93.240.0/20
    - 188.114.96.0/20
    - 197.234.240.0/22
    - 198.41.128.0/17
    - 162.158.0.0/15
    - 104.16.0.0/12
    - 172.64.0.0/13
    - 131.0.72.0/22

  • I also set up the HA VM to auto-update; I’m not that paranoid about it, as HA is secondary to my SmartThings (for now)

Thoughts? Hope this helps!
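Both trusted_proxies lists in this thread (the one with the macOS/Synology hosts and Cloudflare ranges above, and this one that also trusts a whole LAN /24) are worth checking before they go into configuration.yaml. With Cloudflare Tunnel the TCP peer HA sees is the machine running cloudflared, so that address is the entry that has to be trusted; Cloudflare edge ranges only matter for hops that appear in the X-Forwarded-For header. The flip side is that any address in trusted_proxies may set X-Forwarded-For, so trusting a whole LAN lets any LAN host choose the "client" address that ip_ban and login_attempts_threshold key on. The script below is an added example, not code from the thread or from Home Assistant; the right-to-left walk over X-Forwarded-For is the standard proxy-chain algorithm rather than a copy of HA's implementation, and every address in it is constructed.

```python
"""
Evaluate a Home Assistant http: trusted_proxies list: which address login
throttling / ip_ban would act on for a given connection, and which entries are
redundant. Added example, not from this thread or from Home Assistant; the
right-to-left walk over X-Forwarded-For is the standard algorithm, not a copy
of HA's implementation. All addresses below are constructed.
"""
from ipaddress import ip_address, ip_network

# Constructed: the host running cloudflared, i.e. the TCP peer HA sees for
# every tunnelled request.
CLOUDFLARED_HOST = "192.168.0.205"


class UntrustedProxy(Exception):
    """X-Forwarded-For arrived from a peer that is not a trusted proxy."""


def parse_proxies(entries):
    """CIDRs (or bare addresses) -> ip_network objects."""
    return [ip_network(e, strict=False) for e in entries]


def is_trusted(ip, nets):
    return any(ip in n for n in nets)


def effective_client_ip(remote_addr, xff, trusted):
    """Address that bans and login counters would be keyed on.

    remote_addr: TCP peer the origin sees.
    xff: X-Forwarded-For header value, or None.
    trusted: list of CIDR strings (the trusted_proxies setting).
    """
    nets = parse_proxies(trusted)
    remote = ip_address(remote_addr)
    if not xff:
        return str(remote)
    if not is_trusted(remote, nets):
        # a non-proxy peer has no business setting this header
        raise UntrustedProxy(f"{remote} sent X-Forwarded-For but is not trusted")
    hops = [ip_address(h.strip()) for h in xff.split(",")]
    # Walk from the hop nearest to us back toward the client; the first hop
    # that is not a trusted proxy is the client.
    for hop in reversed(hops):
        if not is_trusted(hop, nets):
            return str(hop)
    return str(hops[0])  # every hop is a trusted proxy: take the leftmost


def overlapping_entries(entries):
    """Entries already covered by another entry (duplicate or wider CIDR)."""
    nets = parse_proxies(entries)
    covered = []
    for i, n in enumerate(nets):
        for j, m in enumerate(nets):
            if i == j or n.version != m.version or not n.subnet_of(m):
                continue
            if m != n or j < i:  # wider network, or an earlier identical copy
                covered.append(entries[i])
                break
    return covered


if __name__ == "__main__":
    tight = [CLOUDFLARED_HOST]
    loose = [CLOUDFLARED_HOST, "192.168.0.0/24"]
    # Tunnelled request: peer is cloudflared, header carries the real client.
    print(effective_client_ip(CLOUDFLARED_HOST, "203.0.113.10", tight))
    # LAN host forging the header: with the whole /24 trusted it succeeds,
    # so every failed login can claim a fresh source address.
    print(effective_client_ip("192.168.0.77", "8.8.8.8", loose))
    try:
        effective_client_ip("192.168.0.77", "8.8.8.8", tight)
    except UntrustedProxy as e:
        print("refused:", e)
    print(overlapping_entries(["103.21.244.0/22", "104.16.0.0/13", "103.21.244.0/22"]))
```

The practical takeaway is to list the cloudflared host (or the add-on network it lives on) rather than the whole LAN, and to run `overlapping_entries` over the pasted Cloudflare ranges so that duplicated or superseded prefixes are trimmed.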

I am also using Cloudflare and tried these proxies, but it’s not working.

API error setting up the SmartApp: {'requestId': '1536467425141246226', 'error': {'code': 'ConstraintViolationError', 'message': 'The request is malformed.', 'details': [{'code': 'TargetTimeoutError', 'target': 'xxxxxxxxxx', 'message': 'Upstream target timed out', 'details': []}]}}
http:
  cors_allowed_origins:
    - https://google.com
    - https://www.home-assistant.io
  ip_ban_enabled: false
  login_attempts_threshold: 3
  use_x_forwarded_for: true
  trusted_proxies:
    - 172.30.33.0/24

Any Idea?

Mine works; here is the part of my config for all that:

homeassistant:
  external_url: "https://ha.domain.tld/"
  internal_url: "http://192.168.0.abc:8123"

http:
  use_x_forwarded_for: true
  trusted_proxies:
    - 192.168.0.205
    - 192.168.0.0/24
    - 173.245.48.0/20
    - 103.21.244.0/22
    - 103.22.200.0/22
    - 103.31.4.0/22
    - 141.101.64.0/18
    - 108.162.192.0/18
    - 190.93.240.0/20
    - 188.114.96.0/20
    - 197.234.240.0/22
    - 198.41.128.0/17
    - 162.158.0.0/15
    - 104.16.0.0/12
    - 172.64.0.0/13
    - 131.0.72.0/22

If you use cloudflared or any proxy, make sure the minimum allowed TLS version is 1.2; if you force (by default) only 1.3, it will not work, and TargetTimeoutError will occur.

I struggled with this for days. Very long days. I had SmartThings running fine, then it just disappeared. I found where Cloudflare was blocking SmartThings.

Security > Bots > Bot Fight Mode

You can create exclude rules directly from the log of blocked attempts. When I realized that every event was some nightmare I experienced while trying to configure HA, I just disabled the entire service.

Thank you for everyones hard work above. It was my attempt to recreate the solutions in this thread that led me to my Cloudflare account. Thank you to the Matrix for the glitch that had me accidentally click on the bots link.

Switched domain names (after Freenom blew up) and did a bunch of security updates within the Cloudflare dashboard; didn’t realize my laundry announcements had stopped for weeks. Was messing with all the skip rules, but your TIP here got me on the right track. Thought I was doing good practice with a TLS 1.3 minimum, but it bit me. All set and working now after that little hiccup.