HA, SmartThings & CloudFlare securely & issue

Hi everybody,

I realized I cut off the ST & HA integration by implementing authentication with Cloudflare to access my tunnels, the authentication layer prevents these 2 from chatting. Facepalm.

So I am trying to find a way out of this and I think I got it, but would appreciate input: I’d use my registrar’s DNS settings to make a subdomain and use that for the ST URL link. Same domain as my Cloudflare tunnels, would that work? Instead of domain.com I’d use stha.domain.com for the integration to work. Can this be done with CF or do I need a 2nd domain?

If I go that way, any security advice? Probably some firewall rules I guess? I’d install Cloudflare tunnels on HA as well for security & connectivity.

Thanks!

I am in the middle of doing this myself and came here for help with a problem! This is what I’ve done so far:

  1. Created a new Cloudflare tunnel with cloudflared running on my internal gateway (I already had this set up from previous requirements).

  2. Added a new public DNS on my existing domain/website (ha.domain.com).

  3. Added an application for access management of that subdomain and added inclusion/exclusion rules.

At this point I thought that SmartThings might still be blocked so I created a service authorization token for SmartThings but realized there would be no way to “give” this token to SmartThings so I think that step was ineffective. So then I:

  1. Added a WAF firewall rule (Website->Security->WAF) and created a new firewall rule to skip all security actions for that particular webhook URI.

  2. I added the Cloudflare trusted proxies:

```yaml
http:
  ip_ban_enabled: true
  login_attempts_threshold: 5
  # Only honour X-Forwarded-For when the connecting peer is listed in
  # trusted_proxies; otherwise a client could spoof its address and evade the ban.
  use_x_forwarded_for: true
  trusted_proxies:
    # macOS
    - 192.168.254.17
    # Synology
    - 192.168.254.51
    # Cloudflare (each range listed once)
    - 103.21.244.0/22
    - 103.22.200.0/22
    - 103.31.4.0/22
    - 104.16.0.0/13
    - 104.24.0.0/14
    - 108.162.192.0/18
    - 131.0.72.0/22
    - 141.101.64.0/18
    - 162.158.0.0/15
    - 172.64.0.0/13
    - 173.245.48.0/20
    - 188.114.96.0/20
    - 190.93.240.0/20
    - 197.234.240.0/22
    - 198.41.128.0/17
    - 2400:cb00::/32
    - 2606:4700::/32
    - 2803:f800::/32
    - 2405:b500::/32
    - 2405:8100::/32
    - 2a06:98c0::/29
    - 2c0f:f248::/32
```

  3. I enabled debugging on the component:

```yaml
logger:
  default: info
  logs:
    homeassistant.components.smartthings: debug
```

  4. I used SSL Certificate Checker - Diagnostic Tool | DigiCert.com to check my subdomain and I got all green checkmarks except:

The Certificate is not issued by DigiCert, GeoTrust, Thawte, or RapidSSL

However, I am still getting an error:

```text
Logger: homeassistant.components.smartthings.config_flow
Source: components/smartthings/smartapp.py:147
Integration: SmartThings (documentation, issues)
First occurred: 11:05:57 AM (2 occurrences)
Last logged: 11:21:21 AM

API error setting up the SmartApp: {'requestId': '103FB517-7A86-4A61-8DBB-F21D95919A28', 'error': {'code': 'ConstraintViolationError', 'message': 'The request is malformed.', 'details': [{'code': 'TargetNon200Error', 'target': 'https://ha.domain.com/api/webhook/1588f078blahd08a', 'message': 'Target did not respond with a 200 status. Upstream status code=302', 'details': []}]}}
API error setting up the SmartApp: {'requestId': 'AA626CF2-332B-4007-86DE-C01E7F3C066B', 'error': {'code': 'ConstraintViolationError', 'message': 'The request is malformed.', 'details': [{'code': 'TargetNon200Error', 'target': 'https://ha.domain.com/api/webhook/1588f078blahd08a', 'message': 'Target did not respond with a 200 status. Upstream status code=302', 'details': []}]}}
Traceback (most recent call last):
  File "/usr/src/homeassistant/homeassistant/components/smartthings/config_flow.py", line 126, in async_step_pat
    app, client = await create_app(self.hass, self.api)
  File "/usr/src/homeassistant/homeassistant/components/smartthings/smartapp.py", line 147, in create_app
    app, client = await api.create_app(app)
  File "/usr/local/lib/python3.10/site-packages/pysmartthings/smartthings.py", line 110, in create_app
    entity = await self._service.create_app(app.to_data())
  File "/usr/local/lib/python3.10/site-packages/pysmartthings/api.py", line 171, in create_app
    return await self.post(API_APPS, data)
  File "/usr/local/lib/python3.10/site-packages/pysmartthings/api.py", line 395, in post
    return await self.request("post", self._api_base + resource, data=data)
  File "/usr/local/lib/python3.10/site-packages/pysmartthings/api.py", line 368, in request
    raise APIResponseError(
pysmartthings.errors.APIResponseError: Unprocessable Entity (422): {"requestId": "103FB517-7A86-4A61-8DBB-F21D95919A28", "error": {"code": "ConstraintViolationError", "message": "The request is malformed.", "details": [{"code": "TargetNon200Error", "target": "https://ha.domain.com/api/webhook/1588f078blahd08a", "message": "Target did not respond with a 200 status. Upstream status code=302", "details": []}]}}
```

I saw similar errors reported as issues related to not having an SSL cert but I am currently under the impression that Cloudflare (in this configuration) would be handling the SSL transactions and I’m pretty sure that SmartThings would consider it trusted (or does it only trust those that are trusted by Digicert?). Also, the errors reported on that issue were slightly different (timeout) whereas my error is “Target did not respond with a 200 status” which I thought might be HA.

I’m happy I’m able to access HA through the Cloudflare subdomain but getting the SmartThings integration is still an open task for me.

Would appreciate any ideas!
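On the `trusted_proxies` part of the post above, two things are worth checking before trusting `ip_ban_enabled` behind Cloudflare. First, with cloudflared running on an internal host, the TCP peer Home Assistant sees is that host (one of the LAN addresses in the list), not a Cloudflare edge range; the public Cloudflare ranges only matter if the edge connects to HA directly. Second, the list as posted contains `103.21.244.0/22` twice, which is harmless but a sign the list was hand-copied rather than generated. The script below is an added illustration, not Home Assistant's own code or anything from the thread: it flags duplicate entries and shows the general rule for deciding which address to treat as the client (honour `X-Forwarded-For` only when the peer is a trusted proxy, then walk the header from the right past any further trusted hops). The function names and the shortened proxy list are constructed for the example; HA's own forwarded-header middleware differs in detail.

```python
"""Resolve the real client address behind a trusted proxy or tunnel connector.

Added example (not Home Assistant code). Demonstrates why trusted_proxies must
name exactly the hops that connect to HA, and why an untrusted peer's
X-Forwarded-For header must be ignored.
"""
import ipaddress
from typing import Iterable, List, Optional, Union

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]

# Constructed sample list: the two LAN hosts from the post plus a few Cloudflare
# ranges, with one duplicate left in so find_duplicates() has something to report.
TRUSTED_PROXIES_CONFIG = [
    "192.168.254.17",
    "192.168.254.51",
    "103.21.244.0/22",
    "104.16.0.0/13",
    "172.64.0.0/13",
    "103.21.244.0/22",  # duplicate, as in the posted config
    "2606:4700::/32",
]


def parse_networks(entries: Iterable[str]) -> List[Network]:
    """Turn config strings into network objects (a bare IP becomes /32 or /128)."""
    return [ipaddress.ip_network(e, strict=False) for e in entries]


def find_duplicates(entries: Iterable[str]) -> List[str]:
    """Return each network that appears more than once, in first-seen order."""
    seen, dups = set(), []
    for e in entries:
        net = ipaddress.ip_network(e, strict=False)
        if net in seen and str(net) not in dups:
            dups.append(str(net))
        seen.add(net)
    return dups


def is_trusted(addr: str, trusted: List[Network]) -> bool:
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in trusted if net.version == ip.version)


def client_ip(peer: str, x_forwarded_for: Optional[str], trusted: List[Network]) -> str:
    """Return the address that should be treated as the client.

    Only a trusted peer may speak for someone else. Walk X-Forwarded-For from
    the right, skipping hops that are themselves trusted proxies; the first
    untrusted address is the client. If every hop is trusted, the leftmost one
    is the originator.
    """
    if not is_trusted(peer, trusted) or not x_forwarded_for:
        # Untrusted peer: its header is attacker-controlled, so ignore it.
        return peer
    hops = [h.strip() for h in x_forwarded_for.split(",") if h.strip()]
    for hop in reversed(hops):
        try:
            ipaddress.ip_address(hop)
        except ValueError:
            return peer  # malformed header even from a trusted proxy: fall back
        if not is_trusted(hop, trusted):
            return hop
    return hops[0] if hops else peer


if __name__ == "__main__":
    nets = parse_networks(TRUSTED_PROXIES_CONFIG)
    print("duplicates:", find_duplicates(TRUSTED_PROXIES_CONFIG))
    # Tunnel connector on the LAN forwarding a real visitor (203.0.113.7 is a
    # documentation address, constructed for the example).
    print(client_ip("192.168.254.17", "203.0.113.7", nets))
    # Some other LAN host trying to spoof the same header.
    print(client_ip("192.168.254.99", "203.0.113.7", nets))
```

The second `print` is the case `ip_ban_enabled` depends on: a host that is not in `trusted_proxies` cannot launder its address through the header, so bans land on the real peer.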

Thanks for the detailed response! Will dig deeper in the next few days; if I find something I’ll reply here 🙂


Finally have some time to dig into this - would there be a way to add say the IP addresses used by ST? I suspect they will change all the time though. I’d add that to the authorized IPs in my group.
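Whether the allowlist above (or any other Access policy change) actually lets SmartThings through can be confirmed from outside without waiting for the integration to retry. The `Upstream status code=302` in the earlier post is the signal to look for: a WAF skip rule exempts a request from the WAF products, but an Access application on the hostname evaluates separately, and an unauthenticated request it intercepts is redirected to the team's `<team>.cloudflareaccess.com` login page. A request that reaches Home Assistant's webhook view answers directly. The probe below is an added example, not code from the thread, Cloudflare or Home Assistant: `classify()` turns a status and headers into a verdict and is what the offline checks exercise; `probe()` sends one redirect-free POST to a URL you supply (placeholder JSON body, standard library only). The verdict names and the sample `Location` values are constructed for the example.

```python
"""Check whether a Cloudflare-fronted Home Assistant webhook answers directly
(HTTP 200, as SmartThings requires) or is intercepted by Cloudflare Access.

Added example, not part of the thread or of Home Assistant. The network probe
deliberately never follows redirects, because a redirect is the symptom.
"""
import http.client
import urllib.parse
from typing import Mapping

ACCESS_LOGIN_SUFFIX = ".cloudflareaccess.com"


def classify(status: int, headers: Mapping[str, str]) -> str:
    """Map one HTTP response to a short verdict.

    ok             : 200, the endpoint itself answered (what SmartThings needs)
    access-login   : 3xx whose Location host is <team>.cloudflareaccess.com,
                     i.e. Cloudflare Access intercepted the request before HA
    other-redirect : any other 3xx (http->https upgrade, misrouted hostname, ...)
    blocked        : 401 or 403 without a redirect (Access or WAF refused outright)
    other          : anything else; the request got an answer, inspect the body
    """
    location = next((v for k, v in headers.items() if k.lower() == "location"), "")
    if status == 200:
        return "ok"
    if 300 <= status < 400:
        host = urllib.parse.urlsplit(location).hostname or ""
        return "access-login" if host.endswith(ACCESS_LOGIN_SUFFIX) else "other-redirect"
    if status in (401, 403):
        return "blocked"
    return "other"


def probe(url: str, timeout: float = 10.0) -> str:
    """POST a placeholder JSON body to url, do not follow redirects, classify."""
    parts = urllib.parse.urlsplit(url)
    conn_cls = (http.client.HTTPSConnection if parts.scheme == "https"
                else http.client.HTTPConnection)
    conn = conn_cls(parts.hostname, parts.port, timeout=timeout)
    target = parts.path or "/"
    if parts.query:
        target += "?" + parts.query
    try:
        conn.request("POST", target, body=b"{}",
                     headers={"Content-Type": "application/json"})
        resp = conn.getresponse()
        return classify(resp.status, dict(resp.getheaders()))
    finally:
        conn.close()


if __name__ == "__main__":
    import sys
    # Usage: python probe.py https://ha.example.com/api/webhook/<id>
    print(probe(sys.argv[1]) if len(sys.argv) > 1 else "usage: probe.py <webhook-url>")
```

Run it against the webhook URL from the SmartThings error before and after changing the Access policy: `access-login` means the policy still covers that path and SmartThings will keep getting the 302; `blocked` means the request was refused without a login redirect (an IP rule that did not match, or a WAF decision); only `ok` matches what SmartThings checks at SmartApp creation. Note that a placeholder body may make HA itself answer with a 4xx (reported as `other`); that still proves the request got past Cloudflare, which is the question being asked.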

Any luck? Stuck in the exact same situation.