What I want is to use my public DNS name without a port number. I use Pi-hole and I split DNS so internally on my network the name will always resolve to a 192.168 address, and on the internet it will resolve to my router; I can port forward when I want remote access.
The problem is that with the configuration suggested above, Home Assistant kind of merges the two configurations so I end up having to use “https://homeassistant.mydomain.net:8123” to connect, but then certificate validation works normally.
I want to turn off http altogether, except when the LetsEncrypt plugin needs to configure to respond to challenges, and I want to stop using 8123 and only use 443.
As a side note, is there a reference for all settings in configuration.yaml and what they do?
I’m sure you will get 100 different opinions on this one. I use the caddy addon:
Then just have a Caddyfile that redirects your homeassistant.mydomain.net to homeassistant.local:8123. Then you never have to worry about anything and Caddy renews your cert for you. Caddy is very lightweight, but learning the configuration file takes some time.
nginx proxy manager is also popular and has a GUI. Never used it.
No, Caddy and the nginx solution handle it for you and keep it up to date automatically. It does the port challenge itself. Caddy (maybe nginx too) can also do a DNS challenge if you do not want to have port 80 open, but it is a little more complicated as it depends on your DNS provider.
In the http section of your configuration.yaml you also need to tell Home Assistant to trust your proxy:
http:
  # Uncomment this if you are using SSL/TLS, running in Docker container, etc.
  use_x_forwarded_for: true
  trusted_proxies:
    - 127.0.0.1
    - 172.30.33.0/24
    - 192.168.1.XX  # where XX is the local IP of your Home Assistant/Caddy host
  ip_ban_enabled: true
There is a Caddy thread, "Home Assistant Add-on: Caddy 2", on this forum with skeleton config files, and the Caddy forum can help if anything is too crazy. Getting an A+ security rating on the headers takes some tweaking, but there is good information in the thread above.
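As an added illustration of the setup described in this thread (not a config posted by any participant), here is a Caddyfile that terminates TLS on 443 for homeassistant.mydomain.net, proxies to Home Assistant on homeassistant.local:8123, and sets the kind of response headers the security-rating tweaks refer to. The hostnames come from the thread; the header set is an assumption and should be adjusted to your needs.

```caddyfile
# Caddy obtains and renews the Let's Encrypt certificate for this name on its own,
# listens on 443, and redirects plain HTTP on 80 to HTTPS automatically.
homeassistant.mydomain.net {
    # Forward to Home Assistant on its default port; Caddy passes the Host header,
    # sets X-Forwarded-For / X-Forwarded-Proto, and proxies WebSockets without extra config.
    # Home Assistant must list this proxy's IP in http.trusted_proxies for the
    # forwarded client address to be honoured (and for ip_ban to work correctly).
    reverse_proxy homeassistant.local:8123

    # Response hardening headers (assumed values, tune as needed)
    header {
        Strict-Transport-Security "max-age=31536000; includeSubDomains"
        X-Content-Type-Options "nosniff"
        X-Frame-Options "SAMEORIGIN"
        Referrer-Policy "strict-origin-when-cross-origin"
        # Strip the upstream Server header so the backend is not advertised
        -Server
    }
}
```

With split DNS as the original poster describes, the same Caddyfile serves both paths: internal clients resolve the name to the LAN address and external clients reach it through the forwarded port on the router, and the certificate validates either way.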
The add-on page didn't even have instructions for configuration.
I only need local https://192.168.1.229:8123
As of now, I access my HA OS's GUI via http://192.168.1.229:8123
I won't need to access the GUI remotely or anything fancy like that.
I saw your PM, but putting it here so others can see.
Caddy is the wrong tool for your requirements. It is designed for having a DNS, because it needs to give you a trusted certificate based on your domain name. Without a DNS service, you cannot get a trusted domain. There are workarounds (you can look on the Caddy website) for untrusted certificates, but not worth it if you only want local access.
If you just want SSL on your local network, make your own certificate and add it to Home Assistant. You'll need to have your devices trust it. There are lots of tutorials on this method:
If you choose Caddy, you create a Caddyfile under /share/caddy and use the documentation from the Caddy website. An easier option than Caddy is https://github.com/hassio-addons/addon-nginx-proxy-manager , but it still needs DNS. It has a GUI which might be a better fit for you.
Thanks for the link. That guide was really good. Now my companion app on my Android tablet does not work. lol.
It seems it refuses to work with a self-signed certificate. I followed the directions here after googling "Add & remove certificates - Pixel Phone Help".
I imported the fullchain.pem file into the Wi-Fi certificates of the tablet. It imported fine, but the Android companion app still does not work.