Home Assistant access via a Cloudflare Tunnel

wwwescape · July 23, 2022, 2:40pm

I am running Home Assistant in a Docker container on a Raspberry Pi 4. I am trying to use a Cloudflare Tunnel I set up to access my instance from a custom domain home-assistant.mydomain.com.

Since I couldn’t get a Cloudflared Docker image to work on my Raspberry Pi 4, I set up the tunnel using the Cloudflare CLI.

I also created a public hostname to be accessed via this tunnel: home-assistant.mydomain.com

However, I get the 400 bad request page:

I even tried adding the configuration in my configuration.yaml file as mentioned in the Cloudflared Addon for Home Assistant documentation:

http:
  use_x_forwarded_for: true
  trusted_proxies:
    - 172.30.33.0/24

This did not work likely because that’s for the Cloudflared Addon Docker container?

Any ideas?

I was able to successfully get a public hostname to Plex accessible via this tunnel: plex.mydomain.com though.

Does anyone know of a Cloudflared Docker image that works and a complete documentation to set it up with Home Assistant?

elcajon · July 23, 2022, 5:19pm

exactly. If you installed cloudflared somehow and somewhere different, you need to adapt trusted_proxies to fit your environment. I guess the 400 error will be logged with the proxy IP on HA Core, did you check the logs for a corresponding entry?

May I ask why the Cloudflare Add-on is not working for you? Maybe you can outline which parts of the documentation are not detailed enough so we can improve this parts.

wwwescape · July 23, 2022, 5:39pm

I am using Home Assistant Container on a Raspberry Pi 4.

I know that we can’t use addons with Home Home Assistant Container as I am hosting a couple of other applications on the Pi. Is there a way to use the Cloudflare Add-on with Home Assistant Container?

I needed an armv7 image of Cloudflared for my Pi. Found this Docker image but I got stuck not understanding how to configure the tunnels properly. Any help with some steps here would be appreciated.

Hence I eventually used the Cloudflare CLI.

I get the following error in Home Assistant:

Logger: homeassistant.components.http.forwarded
Source: components/http/forwarded.py:123
Integration: HTTP (documentation, issues)
First occurred: 3:37:51 PM (2 occurrences)
Last logged: 3:37:51 PM

Received X-Forwarded-For header from an untrusted proxy [MY IP ADDRESS]

wwwescape · July 24, 2022, 10:27am

Got it working by adding my IP address in the trusted_proxies:

http:
  use_x_forwarded_for: true
  trusted_proxies:
    - [MY IP ADDRESS]

I hope this is correct and doesn’t cause any other issues or security concerns.

rossco555 · July 25, 2022, 2:54pm

I’ve got this same issue as originally described. I’m running HA in Docker on a Synology NAS and have setup Cloudflared similarly. I get the exact same 400 error (formatting wise and all).

I have (already had) the http integration exactly as you have it… but no cigars for me so I’m not sure its the solution. Was there anything else you did?

tintin814 · July 29, 2022, 6:58pm

Edit:

It suddenly works when I wake up today. I did nothing and simply keeps the setting in config.yaml.

Exactly same issue here.

Before I add the aforesaid http integration, I got a 400 error and HA logged the follows:

Logger: homeassistant.components.http.forwarded
Source: components/http/forwarded.py:114
Integration: HTTP (documentation, issues)
First occurred: 02:21:00 (1 occurrences)
Last logged: 02:21:00

A request from a reverse proxy was received from 10.0.3.2, but your HTTP integration is not set-up for reverse proxies

Then I added the following in my comfig.yaml

http:
  use_x_forwarded_for: true
  trusted_proxies:
    - 10.0.3.2

After that, I got a 404 error.

I’m pretty sure the tunnel works properly, as I can access other services by the same setting. Just HA is inaccessible. Any idea how to resolve it?

wwwescape · July 29, 2022, 7:20pm

I don’t think I did anything else.

If you’re using the Cloudflared container then you probably need this configuration:

http:
  use_x_forwarded_for: true
  trusted_proxies:
    - 172.30.33.0/24

wwwescape · July 29, 2022, 7:23pm

I’ll check all my configurations again and let you guys know if there’s anything unique I did to get this to work.

serafim · August 5, 2022, 3:33pm

what do you mean by “MY IP ADDRESS”? Is that the ip address of the machine that runs the tunnel?

wwwescape · August 20, 2022, 5:06am

My IP address was the IP address of the Raspberry Pi 4 where Cloudflared is installed. In my case 192.160.0.125.

Hence, I added:

http:
  use_x_forwarded_for: true
  trusted_proxies:
    - 192.168.0.125

r4nd0mbr1ck · October 5, 2022, 11:28am

!See next comment for Zero Trust Dashboard based configuration!

@wwwescape - Did you manage to get the docker image working? Thanks to your tip I managed to get it working. I tried the zero trust dashboard way of configuring first but when that didn’t work I created a named tunnel using CLI and then used that as the config for the docker image. I think it should work with the zero trust way as well but didn’t have time to try again. Here’s what I did

On a separate machine (I am running Pi 3 so I couldn’t run CLI on the PI), installed CLI and created a tunnel
Note: mytunnel is the name I used for the tunnel. This can be anything.

cloudflared tunnel login
cloudflared tunnel create mytunnel

The login command creates a cert.pem and the create command creates a tunnel and installs a tunnel credentials file locally.
Copied the cert.pem and the tunnel credentials file to the pi into a folder (this folder will be mapped to a docker volume). Folder Name I used: cloudflared
Created a config.yml file in the same folder

tunnel: <<tunnel_id>>
credentials-file: /etc/cloudflared/<<tunnel_id>>.json

ingress:
  - hostname: <<domain_name>>
    service: http://<<hass_ip>>:<hass_port>>
  - service: http_status:404

docker-compose config

version: '3'
services:

  cloudflared:
    image: erisamoe/cloudflared
    restart: unless-stopped
    volumes:
      - ./cloudflared:/etc/cloudflared
    command: tunnel run mytunnel
    network_mode: host

home-assistant config

http:
  use_x_forwarded_for: true
  trusted_proxies:
    - 192.168.1.0/24

Caveats

I couldn’t get this working with HTTPS on the home-assistant instance. I think it is just a syntax issue with using noTLSVerify. This post might help fix it: https://community.cloudflare.com/t/cloudflared-ignores-notlsverify-option/233448/4
I couldn’t get this working with a tunnel created in the Zero Trush Dashboard as I couldn’t figure out how to create the credentials file.

r4nd0mbr1ck · October 5, 2022, 11:37am

Just after I posted above, I managed to get the Zero Trust Dashboard working.

Create tunnel in Zero Trust Dashboard
Using CLI, get token for the above tunnel

cloudflared tunnel login
cloudflared tunnel token <<tunnel_name>>

Copy cert.pem from the login command to the cloudflared docker volume.
Save tunnel token to .env file in docker root

TUNNEL_TOKEN=<<token_string>>

docker-compose configuration

  cloudflared:
    image: erisamoe/cloudflared
    restart: unless-stopped
    command: tunnel run
    network_mode: host
    environment:
      - TUNNEL_TOKEN=${TUNNEL_TOKEN}

home-assistant config

http:
  use_x_forwarded_for: true
  trusted_proxies:
    - 192.168.1.0/24

The advantage with this method is that config changes can be made in the dashboard and it gets picked up automatically by the tunnel.

steinauf · March 7, 2023, 6:21am

i’m using this successfully, and also have an Cloudflare Access profile that restricts access to my email address. Trying to figure out how I can securely allow Smartthings to access the webhook without opening it up beyond that

wwwescape · June 5, 2023, 5:15pm

I never got around to trying the Docker image. Been too busy with other stuff.

wwwescape · June 5, 2023, 5:16pm

When I get time, I will give this a go. Thanks for the detailed steps.