Home Assistant Access and Security Options

There was recently a great thread discussing the safest Home Assistant setup.

I wanted to open up a follow-up thread to ask more specific questions about NGINX and Cloudflare specifically and summarize what options are available.

Questions:

  1. Is anybody using NGINX in their HA setup? If so, what do you add to your Home Assistant configuration to restrict incoming access to traffic only coming through NGINX? I sort of remember some server_host HTTP configuration option, but can’t seem to find it.

     Can anybody provide examples of what use_x_forwarded_for and cors_allowed_origins are used for?

  2. A few people have mentioned using Cloudflare to mask their public IP address. Can anybody specifically share how they set this up and what the experience is there?

So far, to make Home Assistant safe there are some options. Please feel free to mention any holes or missing information here. It’d be great to summarize this information in an easy-to-understand page for new Home Assistant users.

Security Step 1: Password Protect Home Assistant
This is basic and every Home Assistant user should utilize this option. Enable this using the api_password command in the HTTP component setup.

If you don’t need to access HA outside of your local network, stop here. Home Assistant can’t be hacked if it can’t be accessed.

However, for those people that want to access HA from the internet you’ll first need to…

Open Your Home Assistant instance to the outside world
In order to access Home Assistant from the web, you’ll need to set up a port forwarding rule in your router and/or modem. Typically, you’ll forward any external port you choose (8123, 12345, etc.) to the internal IP address:port that Home Assistant is running on (normally 8123).

Then, to access Home Assistant from the web, you can go to a web browser and type http://externalIPaddress:externalport and should be good to go.

If you’re on your internal network you can then either access Home Assistant by typing in yourRaspberryPiIPaddress:8123 or the externalPublicIPaddress:externalport. In some cases, the external IP address will not work on your internal network. In that case, you’ll need to explore setting up a loopback rule in your router.

Security Step 2: Setting up a DNS Service (e.g. DuckDNS, DNS-O-Matic, etc.)

These services forward a normal URL (e.g. yourHAinstance.duckdns.org) to the public IP address of your internet service. These don’t provide any real security, but make it convenient for accessing your Home Assistant instance from the web. At that point, you can access your HA instance by going to http://yournamehere.duckdns.org:externalport

Security Step 3: SSL Encryption

This is a major security step. Using a service like Let’s Encrypt an SSL certificate can be issued. These certificates allow you to encrypt traffic that is being sent over the web so people can’t snoop on it. There is lots of good documentation for setting up Let’s Encrypt.

At this point, you can access your HA instance by going to https://yourNameHere.duckdns.org

Security Step 4: NGINX

The next level is to set up NGINX. NGINX acts as an SSL proxy. Hass.io makes setting up NGINX super easy. First, forward external port 443 to the internal port 443 at your Pi’s IP address. NGINX forwards incoming traffic on port 443 to your HA instance which is running on port 8123.

There is a way to restrict HA access to only what is coming from NGINX, but I can’t remember that command.

NGINX is advantageous over using just SSL encryption because NGINX is a platform tested against attacks, whereas Home Assistant (theoretically) could have unknown exploits?
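The two open questions in this thread, what use_x_forwarded_for and cors_allowed_origins do and how to keep Home Assistant reachable only through NGINX, come down to a handful of options in the http: section plus one rule: honour X-Forwarded-For only when the request was delivered by a proxy you listed. The Python below is an added example, not code from Home Assistant or from anyone in this thread. The HTTP_CONFIG dict stands in for the http: section (server_host, use_x_forwarded_for, trusted_proxies, cors_allowed_origins, ip_ban_enabled and login_attempts_threshold are real http integration options; the values, the 203.0.113.7 client address and the origin URL are constructed), and the address resolver and login-ban counter are this example's own logic illustrating the rule, not Home Assistant's implementation. Binding server_host to 127.0.0.1 only helps when NGINX runs on the same host; with a proxy in its own container (the Hass.io add-on), a trusted_proxies entry for the proxy's address is the control that matters.

```python
import ipaddress

# Constructed stand-in for the `http:` section of configuration.yaml.
# Key names match the http integration's options; the values are this
# example's assumptions, not any thread participant's setup.
HTTP_CONFIG = {
    # Bind only on loopback: HA is then reachable solely via NGINX on the same host
    "server_host": "127.0.0.1",
    # Consult X-Forwarded-For, but only when the request came from a listed proxy
    "use_x_forwarded_for": True,
    "trusted_proxies": ["127.0.0.1", "::1"],
    # Exact-match allow list of browser origins permitted to call the API cross-site
    "cors_allowed_origins": ["https://dashboard.example.org"],
    # Ban an attributed address after this many failed logins
    "ip_ban_enabled": True,
    "login_attempts_threshold": 5,
}


def _trusted_networks(config):
    """Parse trusted_proxies entries (single addresses or CIDRs) into networks."""
    return [ipaddress.ip_network(p, strict=False) for p in config.get("trusted_proxies", [])]


def _is_trusted(addr, networks):
    # ip_network.__contains__ returns False for a mismatched IP version, so mixing v4/v6 is safe
    return any(addr in net for net in networks)


def client_ip(peer_ip, headers, config):
    """Return the address a request should be attributed to.

    The socket peer is authoritative unless it is a trusted proxy. Only then is
    X-Forwarded-For read, walking right-to-left past trusted hops so that the
    first address no trusted proxy vouched for wins. A header arriving from an
    untrusted peer, or a malformed entry, falls back to the peer address, so a
    caller cannot pick which address gets logged or banned.
    """
    xff = headers.get("X-Forwarded-For", "")
    if not (config.get("use_x_forwarded_for") and xff):
        return peer_ip
    networks = _trusted_networks(config)
    if not _is_trusted(ipaddress.ip_address(peer_ip), networks):
        return peer_ip
    hops = [h.strip() for h in xff.split(",") if h.strip()]
    for hop in reversed(hops):
        try:
            addr = ipaddress.ip_address(hop)
        except ValueError:
            return peer_ip
        if not _is_trusted(addr, networks):
            return hop
    return peer_ip  # every hop was one of our own proxies


def origin_allowed(origin, config):
    """cors_allowed_origins is an exact-match allow list; anything else is refused."""
    return origin in config.get("cors_allowed_origins", [])


class LoginGuard:
    """Counts failed logins per attributed client address and bans repeat offenders."""

    def __init__(self, config):
        self.config = config
        self.failures = {}
        self.banned = set()

    def record_failure(self, peer_ip, headers):
        ip = client_ip(peer_ip, headers, self.config)
        threshold = self.config.get("login_attempts_threshold", -1)
        if self.config.get("ip_ban_enabled") and threshold > 0:
            self.failures[ip] = self.failures.get(ip, 0) + 1
            if self.failures[ip] >= threshold:
                self.banned.add(ip)
        return ip

    def is_banned(self, peer_ip, headers):
        return client_ip(peer_ip, headers, self.config) in self.banned


if __name__ == "__main__":
    guard = LoginGuard(HTTP_CONFIG)
    via_proxy = {"X-Forwarded-For": "203.0.113.7"}  # constructed client address (TEST-NET-3)
    for _ in range(HTTP_CONFIG["login_attempts_threshold"]):
        guard.record_failure("127.0.0.1", via_proxy)
    print("banned when relayed by NGINX:", guard.is_banned("127.0.0.1", via_proxy))
    print("same header straight from the LAN is attributed to:",
          client_ip("192.168.1.50", via_proxy, HTTP_CONFIG))
```

The point the thread is circling: with use_x_forwarded_for on but no trusted_proxies, every request is treated as if it came from a proxy and the header decides which address gets banned or logged; listing the proxy makes the ban counter and access logs trustworthy again. server_host closes the other door by making port 8123 unreachable from the LAN, so the only way in is through the TLS proxy.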

Security Step 5: VPN
VPNs facilitate a secure connection between two devices. Can anybody share how they set up their VPN service, how that relates to what ports they are forwarding, and what their HA HTTP config settings are?

Security Step 6: Cloudflare
Cloudflare can mask your public IP address. You set up your DNS server to connect to the Cloudflare server and it forwards traffic through to your public IP address. It isn’t clear to me if people are preserving SSL encryption through the Cloudflare servers or if it terminates there. Are there any other options for protecting a public IP address?

Security Step 7: VLAN
VLAN is a virtual local area network that segregates devices into their own networks. That way if one device is compromised it doesn’t compromise the whole network. Use case: keeping all IoT devices on one VLAN and PCs/servers (containing private data) on another VLAN.

I’m very interested in knowing what you all think on these topics, if anything is missing, or if you have any pointers on setup. I’m happy to write up a more official page as I can get more information. Cheers!

3 Likes

In regard to Security Step 5: VPN… I use OpenVPN and when connecting to HA, I use http://ha_LAN_ip:port

Of course, I could set up DNS so that instead of using the LAN IP, I could use names, but too lazy.

Most routers nowadays support OpenVPN so that should take 5 minutes to configure from server-side and another few minutes to download Win/Android client config and setup the client side.

Most ISPs, I believe, nowadays allow you to use bridge mode on the router. I then use PoE plugs and on each plug I get a different WAN IP. So, instead of using VLAN, I already have separate networks thanks to my ISP. All HA devices/streaming services on one network and home office on another.

Why would I need a password on HA if I can only access it from my own network?

I suppose you don’t, but I’d use it to keep kids and guests off. :)

I’m using a Synology 916+ NAS with Docker to host Home Assistant. It has a built-in nginx setup in DSM that you can utilise the reverse proxy on, which I use alongside SSL and a DNS. This allows my HA access outside of my home network. I think the main thing however is to be vigilant of the connections that come and go through your router still.

1 Like

I forward my 443 external port on my router to my 443 port on my nginx machine.

My nginx.conf file

worker_processes  1;

events {
    worker_connections  1024;
}

http {
    # Map the client's Upgrade header so WebSocket connections (used by the
    # HA frontend) are passed through; ordinary requests get "Connection: close".
    map $http_upgrade $connection_upgrade {
        default upgrade;
        ''      close;
    }

    server {
        # Ensure these lines point to your SSL certificate and key
        ssl_certificate /etc/letsencrypt/live/XXXXXXX.duckdns.org/fullchain.pem;
        ssl_certificate_key /etc/letsencrypt/live/XXXXXXX.duckdns.org/privkey.pem;

        # "ssl on;" is deprecated; enabling TLS on the listen directive is the current form
        listen 443 ssl;
        # TLSv1 and TLSv1.1 are deprecated; offer only current versions
        # (drop TLSv1.3 on nginx older than 1.13 / OpenSSL older than 1.1.1)
        ssl_protocols TLSv1.2 TLSv1.3;
        ssl_ciphers "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx";
        ssl_prefer_server_ciphers on;
        ssl_session_cache shared:SSL:10m;

        location / {
            proxy_pass http://localhost:8123;
            # HTTP/1.1 is required for the Upgrade/Connection headers below to take effect
            proxy_http_version 1.1;
            proxy_set_header Host $host;
            # Appends the connecting client's address for HA's use_x_forwarded_for handling
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header Upgrade $http_upgrade;
            proxy_set_header Connection $connection_upgrade;
        }
    }
}
1 Like

I use OpenVPN to connect to my pfSense firewall. I have a VM server running Proxmox. My firewall is a VM, and I am also running FreeIPA. This way I’m getting 3-factor auth to my HA install: a user ID and password, an OTP token from FreeIPA and a certificate issued from my firewall. The firewall uses RADIUS to communicate with FreeIPA. I’m on a cable provider, so I use Hurricane Electric’s free dynamic DNS for my host resolution for the VPN. This works for me. BTW, new user of Home Assistant. I love this framework!!

I’ve just written an article about the challenges of securing home automation networks using non-enterprise hardware. https://echoit.co.nz/securing-home-automation-networks/

In short, the typical home owner either needs to start engaging with security issues at a really high level, or the security industry needs to find ways of making it accessible and scalable at the home level.

Things like VLANs and self-hosted VPNs just really aren’t available to regular users without advanced knowledge, and the trouble of maintaining complicated servers.

2 Likes

@wingers1290 Unfortunately the linked page doesn’t exist anymore.

I found this post by searching more posts from you like this: Best Way to Protect from Hackers? - #18 by wingers1290, which seems to be great!

I think you could maybe re-publish an article about how to secure an HA installation? The official “manual” is quite small and doesn’t cover a few things you wrote about (DMZ, …) and you could help a lot of users with that. Or maybe integrating those thoughts in the official manual @admins @moderators ?

1 Like