Update complete. Let me know if I missed anything and thanks for helping.
Hi @skykingjwc, can you please explain more about the advantage of the above tutorial over regular usage of the Cloudflared addon?
It says at the beginning that the advantage is that it "maintain access though the web interface". Which web interface has no access when using Cloudflared addon?
many thanks @skykingjwc! just wanted to share that if anyone faced an issue of clients not properly getting the client-certificate prompt I had to disable the HTTP/3 QUIC on cloudflare to make it work smoothly.
Just in case anybody else who has an iPhone comes across this and doesn't know any better, this will NOT work for you as iOS doesn't support it.
Typically if you use the Cloudflared plugin and secure HA with Cloudflare Auth it makes the HA App stop working because the app cannot capture the auth token necessary for auth to work. The browser will work, but the app will not. Perhaps this will be supported at a future date, but currently it is not. Cloudflare tunnels don't provide any security unless you also configure authentication. If configured incorrectly, auth will break things. This guide is a way to secure both the HA app and the web interface at the same time. Without additional security, your HA instance is protected only by the HA login screen which means it can be brute forced or could become vulnerable if there is ever a flaw discovered in HA security. When done right, configuring Cloudflare Auth will make it so attackers won't even be able to access the HA login screen via a browser or use the app without the proper private key certificate, which results in an added layer of protection. Attackers would have to bypass Cloudflare and HA in order to gain access to your instance, which is something that's very unlikely to happen.
why is step 5 onward needed? I thought WAF rules should block anyone without a cert
Thank you @skykingjwc for the clear explanation. Much appreciated.
Here is a security question: If I use the Cloudflared addon without Cloudflare Auth, and I set the HA subdomain name to a randomly generated long string, is there a practical way for hackers to find it and access the HA login page?
Hello,
I followed the above guide along with the different comments but I am still unable to use this.
Trying to debug it piecewise, starting with the web access.
I get the following screen when accessing ha.mysite.net
Help please.
There are multiple Step 5s.
Which section are you referring to?
That's the screen you are supposed to see. That's Cloudflare securing your app.
Set up Cloudflare Application Authentication to get to HA.
Section: Set up Cloudflare access for the HA Companion App and HA Web GUI. - Step 5
Because you want to make sure the app (as opposed to the web GUI) is using the cert you specify, not just "any" cert. The idea is to protect the HA install from being seen from the internet without first passing through Cloudflare. Doing this with the web UI is easy. Getting the app to do it is hard. Setting up the app to use Cloudflare without also screwing up the web UI requires a very specific set of configurations. This is just a way I got it to work. Perhaps one day the app will support Cloudflare auth, and all this will become a moot point. Currently though, this is the only way I am aware of to make both work at the same time.
Strange. I only use mTLS cert with mTLS rules and it works well for both android app and web access from PC. On PC web gui, you'll get a prompt to select the mTLS certificate every session. On the android app, you'll get the prompt once on set up.
Does it require that you install a cert on the PC, as well as the app?
Yes I have the cert on both the PC and the android phone
I guess the difference is I would rather rely on Cloudflare auth for the PC without the need for a specific private cert. Meaning I can log in from anywhere on a PC as long as I have authenticated with Cloudflare. If I'm at my mom's house for example I don't want to have to install a certificate on her PC first to access my HA instance. I just want to hit the URL and have Cloudflare do its thing.
The HA app is not compatible with Cloudflare auth (yet), so a cert is needed if you wish to also use Cloudflare with the app.
So yes, you are correct in that you don't have to do anything after step 5, if you want to use a private cert for everything, however this article is about getting the app to work with a cert, while still allowing the web gui to use Cloudflare without the need for a manually installed private cert on a PC.
Really appreciate the well written guide.
Perhaps it's just me missing something, but I could not select the necessary option from the Selector field when adding a group.
Are you sure you uploaded a certificate to Cloudflare? It may not come up until you do.
If you mean "upload a certificate to Cloudflare" by following steps 1 to 4 (Generate public and private keys), then yes I've done that and rechecked that the certificate is active.
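For readers following the "Generate public and private keys" steps referred to above, here is an added example (not from the guide or any poster in this thread) of the key material such an mTLS setup rests on: a private CA whose public certificate is what gets uploaded to Cloudflare, a client certificate issued by that CA for one device, a PKCS#12 bundle for importing it on a phone, and a verification step showing that only certificates chaining to that CA pass. All file names, subject names and the bundle password are assumptions made for the example; it only needs the `openssl` command line.

```shell
#!/bin/sh
# Added example, not the guide's own steps. Creates a private CA, issues a client
# certificate, bundles it as PKCS#12 and verifies the chain. Names are assumptions.
set -e

# Working directory for all generated files (assumption: a temp dir is fine).
WORKDIR="${WORKDIR:-$(mktemp -d)}"

# Create the private CA. Only ca.crt (the public part) is uploaded to Cloudflare;
# ca.key signs device certificates and stays with the operator.
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 \
    -subj "/CN=Example Home Assistant mTLS CA" \
    -keyout "$WORKDIR/ca.key" -out "$WORKDIR/ca.crt" >/dev/null 2>&1
}

# Issue a client certificate for one device, signed by the CA above.
# $1 is a device label used for the file names and the CN (assumed value).
make_client_cert() {
  name="$1"
  openssl req -newkey rsa:2048 -nodes -sha256 -subj "/CN=$name" \
    -keyout "$WORKDIR/$name.key" -out "$WORKDIR/$name.csr" >/dev/null 2>&1
  openssl x509 -req -sha256 -days 365 \
    -in "$WORKDIR/$name.csr" -CA "$WORKDIR/ca.crt" -CAkey "$WORKDIR/ca.key" \
    -CAcreateserial -out "$WORKDIR/$name.crt" >/dev/null 2>&1
}

# Bundle key + certificate + CA into a PKCS#12 file, the format phones import.
# The password is an assumption for the example; pick your own.
bundle_p12() {
  name="$1"
  openssl pkcs12 -export -inkey "$WORKDIR/$name.key" -in "$WORKDIR/$name.crt" \
    -certfile "$WORKDIR/ca.crt" -passout pass:example-only \
    -out "$WORKDIR/$name.p12" >/dev/null 2>&1
}

# Create a self-signed certificate that does NOT chain to our CA, to show what the
# verification rejects (stands in for "any" cert as opposed to the one you issued).
make_unrelated_cert() {
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1 \
    -subj "/CN=unrelated" -keyout "$WORKDIR/unrelated.key" \
    -out "$WORKDIR/unrelated.crt" >/dev/null 2>&1
}

# Return 0 only if the named certificate chains to ca.crt, non-zero otherwise.
verify_client_cert() {
  openssl verify -CAfile "$WORKDIR/ca.crt" "$WORKDIR/$1.crt" >/dev/null 2>&1
}

# Stand-alone usage: build everything for a device called "phone" and check it.
if [ "${1:-}" = "run" ]; then
  make_ca
  make_client_cert phone
  bundle_p12 phone
  make_unrelated_cert
  verify_client_cert phone && echo "phone.crt chains to the CA"
  verify_client_cert unrelated || echo "unrelated.crt correctly rejected"
  echo "files are in $WORKDIR"
fi
```

Run it as `sh mtls-keys.sh run`. If a device refuses the `.p12` file, older phone importers sometimes only accept the legacy PKCS#12 encryption; with OpenSSL 3 that is the `-legacy` option on the `pkcs12` command. Keep `ca.key` offline once the device certificates are issued, since anyone holding it can mint a certificate that Cloudflare will accept.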
@skykingjwc Thank you very much for writing this guide! Got my HA up and running on Cloudflare Tunnel in 1 evening's work.
The only thing which tripped me up was in Step 5 for the Web GUI Application, Cloudflare enforces "Create additional rules" (can't leave it blank). I had to include emails to only my email address to be able to save the application policy.