Home Assistant OS successfully with External Reverse Proxy Apache2 with LetsEncrypt

Hi all. I am a new user. I configure Home Assistant OS successfully with External Reverse Proxy Apache2 with LetsEncrypt.

Version Home Assistant OS : 2024.5.5 (VM proxmox)

IP Home Assistant OS :
Local DNS (PfSense) of Home Assistant OS : homeassistant.local

IP Internal Reverse Proxy : (no incoming acces Internet)

IP External Reverse Proxy : (incoming acces Internet)

HA Proxy internal and external: Debian 12
Server version: Apache/2.4.57 (Debian)
Server built: 2023-04-13T03:26:51

Mods enabled :
Essential Loaded Modules:

proxy_module (shared)
proxy_html_module (shared)
proxy_http_module (shared)
proxy_wstunnel_module (shared)
rewrite_module (shared)
ssl_module (shared)

vhost in Internal Reverse Proxy Apache2 :

<IfModule mod_ssl.c>

 ServerName home.domain.fr

 ServerSignature off
 RewriteEngine on
 SSLProxyEngine on
 SSLEngine on
 ProxyPreserveHost On
 ProxyRequests off
 SSLHonorCipherOrder on

Include /etc/letsencrypt/options-ssl-apache.conf

ProxyPass /api/websocket ws://homeassistant.local:8123/api/websocket
ProxyPassReverse /api/websocket ws://homeassistant.local:8123/api/websocket

  <Location />
    ProxyPass http://homeassistant.local:8123/
    ProxyPassReverse http://homeassistant.local:8123/
    Order allow,deny
    Allow from all

RewriteCond %{HTTP:Upgrade} =websocket [NC]
  RewriteRule /(.*)  ws://homeassistant.local:8123/$1 [P,L]
  RewriteCond %{HTTP:Upgrade} !=websocket [NC]
  RewriteRule /(.*)  http://homeassistant.local:8123/$1 [P,L]

SSLCertificateFile /etc/letsencrypt/live/home.domain.fr/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/home.domain.fr/privkey.pem

/etc/letsencrypt/options-ssl-apache.conf :

# This file contains important security parameters. If you modify this file
# manually, Certbot will be unable to automatically provide future security
# updates. Instead, Certbot will print and log an error message with a path to
# the up-to-date file that you will need to refer to when manually updating
# this file. Contents are based on https://ssl-config.mozilla.org

SSLEngine on

# Intermediate configuration, tweak to your needs
SSLProtocol             all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
SSLHonorCipherOrder     off
SSLSessionTickets       off

SSLOptions +StrictRequire

# Add vhost name to log entries:
LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-agent}i\"" vhost_combined
LogFormat "%v %h %l %u %t \"%r\" %>s %b" vhost_common

My configuration HA OS:


# Loads default set of integrations. Do not remove.

# Load frontend themes from the themes folder
  themes: !include_dir_merge_named themes

automation: !include automations.yaml
script: !include scripts.yaml
scene: !include scenes.yaml

  external_url: "https://home.domain.fr" # ne pas indiquer le port
  internal_url: "http://homeassistant.local:8123" # adresse locale de HA avec le port

  use_x_forwarded_for: true
    ## My proxie IP
   ## My Home Assistant OS IP is (homeassistant.local)

  ip_ban_enabled: false

My internal proxy ( does not have internet access for incoming.
My external proxy ( has internet access for incoming.

In my external reverse proxy, for generate LetsEncrypt certificats,
I use certbot in command line like this when i create new subdomain :

First, I create and enable new vhost in my external proxy:

 ServerName newsubdomain.domain.fr
 ServerSignature off
 RewriteEngine on
 DocumentRoot /var/www/html

I restart apache2 and :
My port 80 is open (i open this port)

certbot certonly --webroot -w /var/www/html -d newsubdomain.domain.fr -n --agree-tos --email [email protected]

after, my port 80 is closed (i close this port)

In crontab, i have :

30 2 15 * * /usr/sbin/renew

renew :


/usr/bin/certbot renew --quiet
#/usr/bin/certbot renew --force-renewal --quiet
/usr/sbin/firewall nohttp
/usr/bin/systemctl restart apache2
/usr/bin/tar --overwrite -czf /etc/letsencrypt.tar.gz -C /etc/ letsencrypt
exit 0

In my internal reverse proxy ( i have :

In crontab, i have :

30 2 16 * * /usr/sbin/renew_via_proxyexterne



/usr/sbin/firewall nohttp
/usr/bin/scp /etc/
cd /etc/
/usr/bin/tar -xzf letsencrypt.tar.gz
/usr/bin/systemctl restart apache2
exit 0

/usr/sbin/firewall :


/usr/sbin/ufw default allow incoming
/usr/sbin/ufw default allow outgoing

if [ "${1}" == "nohttp" ]; then
 /usr/sbin/ufw deny 80
 /usr/sbin/ufw allow 80

/usr/sbin/ufw  -f enable
/usr/sbin/ufw status verbose

exit 0

The PfSense is configured so that the network has access to the network but not vice versa.

This therefore allows me, behind my PfSense firewall, to have virtual machines that are not accessible via the Internet with an SSL certificate (https) that is still valid and renewed every 16th of the month if necessary.

If I want to access my Home Assistant from outside (outside my Internet box), I use OpenVPN integrated into my PfSense.

I am therefore safe and have great functional freedom.