Hass on https for internal lan

elbowz · July 5, 2016, 7:57am

I have configured my hass following the blog guide: https://home-assistant.io/blog/2015/12/13/setup-encryption-using-lets-encrypt/

All work like a charm, but now I cannot access to Home Assistant inside my local network, why?

From outside the url https://sub.domain.com works good, but inside my lan

https://sub.domain.com
http://sub.domain.com:8123
http://<ip.of.hosting.machine>:8123
https://<ip.of.hosting.machine>

NO WORK !

I have tried to add sub.domain.com to internal DNS, assigning it to the <ip.of.hosting.machine> but not works anyway.

Chrome simply answer:

This site can’t be reached
sub.domain.com unexpectedly closed the connection.

Do you know what happen?

martinhjelmare · July 5, 2016, 8:15am

I think the https URL should work both inside and outside your network. For me it does, but I can no longer use the IP address of the computer running hass to access it inside the network.

I’m not a network expert so I can’t really explain this behavior. I would look at the router config, and go through all settings for the IP of the computer running hass.

elbowz · July 5, 2016, 9:27am

I don’t know what setting/config you speak about…There is nothing on my router related to hosting machine…

martinhjelmare · July 5, 2016, 12:02pm

You should have portforwarding activated for atleast port 443 to 8123 for the IP of the host.

AlucardZero · July 5, 2016, 2:16pm

https://sub.domain.com:8123
    ^

dap35 · July 5, 2016, 3:19pm

The FQDN (sub.domain.com) ‘should’ work, but if you use the local/internal IP address, then it will not resolve to the external sub.domain.com id, and therefore would fail.

martinhjelmare · July 5, 2016, 4:45pm

Yes, but why would it need to resolve to the external address within the network?

elbowz · July 5, 2016, 5:03pm

I have abandoned that setup and I’m trying to install home assistant behind apache with mod_proxy.

Is there a setting to specify a document root for home assistant?

I would like something like: https://sub.example.com/hass/

but home-assistant use absolute path in the source code, and apache+mod_proxy fail

elbowz · July 5, 2016, 5:06pm

something like this, works but load only the first login page:

<VirtualHost *:443>
ProxyPreserveHost On
ProxyRequests Off
ServerName home.example.org
ProxyPass /hass/ http://localhost:8123/
ProxyPassReverse /hass/ http://localhost:8123/

martinhjelmare · July 5, 2016, 7:00pm

Have you tried this?

elbowz · July 5, 2016, 7:13pm

Yeah, thank…but the issue is that guide don’t use the path but only sub-domain.

Home assistant does not use relative path for internal resource, but only absolute path…that fight with the virtual host with a sub path (ei. domain.com/hass/)

dap35 · July 6, 2016, 12:04am

If the SSL certificate is based on the external FQDN, then the address you connect to (internal IP) won’t match the external address.

martinhjelmare · July 6, 2016, 7:14am

Thanks, that makes sense.

AlucardZero · July 6, 2016, 1:52pm

What I was trying to say by this is that you don’t say that you tried https and port 8123 at the same time, internally.

Also, I use nginx to reverse proxy to HASS, but not Apache. I could share the nginx config if you wanted.

hokagegano · July 6, 2016, 2:08pm

I use duckdns and letsencrypt.
My Raspberry runs home assistant on port 443.

I reach it from outside with https://myadress.duckdns.org/

and from inside too with the same adress https://myadress.duckdns.org/

no adaptation needed.
I think about a function of your router…

elbowz · July 6, 2016, 2:08pm

I think you had right

Anyway, if you don’t use a virtual host with sub-domain, but something with a path, please share.

ei. domain.com/hass

I really don’t know how to do that if hass internally use absolute path.

dax333 · July 7, 2016, 6:56pm

Very interested in your nginx config. Id like to do no password inside and require auth for external ssl access.

AlucardZero · July 7, 2016, 8:39pm

Ok, so:

I have a subdomain (hass.example.com) pointed at my external IP
But internally, my DNS server (router) replies with the internal IP of my HASS box for this subdomain
My hass is running on default 8123 with SSL (why not), and my nginx is running on 8124
My router port forwards 8124 to nginx, and hass is not exposed externally
Hass does not have a password configured

Then my nginx config is below (there are comments inline, and things you need to change).
End result: https://hass.example.com:8124 works externally and internally. Authentication is required only externally. https://hass.example.com:8123 goes to HASS internally (only), but I don’t often use it (you could switch the ports as long as you do it consistently).

/etc/nginx/conf.d/hass.conf :

[code]server {
listen 8124 ssl;
listen [::]:8124 ssl;

Default deny

deny all;

but passing any of the subsequent checks allows access

satisfy any;

Allows internal LAN. 10.0.1.0/24 is my internal IP range (like 192.168.1.0/24)

allow 10.0.1.0/24;

Prompts everyone else and allows if they enter a valid user & pass

auth_basic “Restricted”;

Create this with: htpasswd -c /etc/nginx/.htpasswd some-username

If you add more users, omit the -c

auth_basic_user_file /etc/nginx/.htpasswd;

location / {
proxy_pass https://hass.example.com:8123;
}
}

Global nginx proxy settings, from some Google tutorials

proxy_redirect off;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
client_max_body_size 10m;
client_body_buffer_size 128k;
proxy_connect_timeout 90;
proxy_send_timeout 90;
proxy_read_timeout 90;
proxy_buffers 32 4k;
proxy_buffering off;

Global nginx SSL settings. Mozilla intermediate, mostly

ssl_protocols TLSv1.1 TLSv1.2;
ssl_ciphers ‘ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS’;
ssl_prefer_server_ciphers on;
ssl_session_cache shared:SSL:10m;

Generate this with: openssl dhparam -out /etc/nginx/dhparam.pem 2048

ssl_dhparam /etc/nginx/dhparam.pem;

Replace with your key/cert path

ssl_certificate_key /etc/nginx/hass.example.com.key;
ssl_certificate /etc/nginx/hass.example.com.crt;
[/code]

elbowz · July 8, 2016, 8:31am

The issue is when you have a Virtual Host with a sub path (sub.domain.com/hass), this because the links (js, css, imgs, etc…) inside the html of Hass are absolute and not relative.

I guess this could be consider a bug (all web app should be able to install under a sub path, and not only in the DocumentRoot)

@AlucardZero: aynyway, I though, why you don’t add hass.example.com in the internall dns, and you can say to ngnix that:

Request come from your router ip (external) display login form (auth)
Request that come from others internal ip (internal) don’t display login form

So, you can avoid to switch from a port to another

AlucardZero · July 8, 2016, 11:04am

It is in internal DNS, and hass and nginx are on the same box for me, so I can’t have them on the same port.