How to access Home Assistant docker using https on local network?

Hi everyone!
I’ve set up Home Assistant in a Docker container on my Raspberry Pi 5. Everything works very well and I’m grateful this project exists.

Currently I access Home Assistant using the Android app on the local network (http://:8123). For a few weeks now, at startup the app has been asking me about the security level:

This has made me wonder if there’s a way to access my Home Assistant using an https connection instead. I tried several times but I wasn’t able to make it work.

Since I don’t need external access I don’t want to buy a domain name to use with Let’s Encrypt. What I was trying to do is to create a self signed SSL certificate and then trust my Certification Authority within browser/device settings.
I’ve created the certificates but I don’t understand how I can make Home Assistant (or Docker) use them.

If you can help me I will be very grateful!

Let me know if I need to provide more info about the setup.
Thanks!

I want to leave an update here in case someone needs it in the future.

I finally managed to accomplish my goal!
I’m now able to access the Home Assistant Docker container locally using an encrypted connection (https) and without the need to buy a domain name.

That’s my current setup:

I have a Raspberry Pi 5 running Pi-Hole and Home Assistant in Docker containers.
In another Docker container I run Nginx Proxy Manager (NPM) (https://nginxproxymanager.com/).
I created a local DNS record in Pi-Hole that points to my Raspberry Pi’s IP address (which I set as static in my router). As the local domain I chose homeassistant.name.home.arpa (home.arpa is the recommended TLD for home networking, as indicated in IETF RFC 8375).

In the Home Assistant compose file I removed the port 8123 mapping and added an external Docker network (which enables communication with NPM).

In the NPM interface I added a proxy host that forwards homeassistant.name.home.arpa to the Docker container homeassistant, port 8123 (which NPM can resolve since they are on the same network).

I edited HomeAssistant’s configuration.yaml to add:

http:
  use_x_forwarded_for: true
  trusted_proxies:
    - 192.168.0.0/25

using the IP address range of my local network.

In this way I am able to access Home Assistant interface via a domain name instead of IP:8123.

To add SSL certificates I used mkcert, a super simple tool that creates a local Certification Authority and uses it to sign an SSL certificate for homeassistant.name.home.arpa.
Then in the NPM interface I uploaded this certificate and used it for the Home Assistant proxy host.

In this way I am able to access the Home Assistant interface via https://homeassistant.name.home.arpa

I then imported the Certificate Authority into my other devices’ trust stores; this way the browsers trust the SSL certificate and don’t complain about it being self-signed.

When I type the domain https://homeassistant.name.home.arpa in the browser (or via the Home Assistant companion app), Pi-Hole redirects to the Raspberry Pi. On the Raspberry Pi the NPM container is listening on port 443; it recognizes the domain name and redirects to the Home Assistant Docker container. This gives me the Home Assistant interface without the warnings that the connection is not secure. And everything stays contained to my local network.

Thanks for developing such a useful and empowering tool! Keep it up!
Bye

Here are the Docker compose files I use, in case they are useful to someone:

Home Assistant compose.yaml
services:
  homeassistant:
    container_name: homeassistant
    hostname: homeassistant
    image: 'ghcr.io/home-assistant/home-assistant:stable'
    volumes:
      - /PATH_TO_YOUR_CONFIG:/config
      - /etc/localtime:/etc/localtime:ro
      - /run/dbus:/run/dbus:ro
    # no ports: section, so 8123 is reachable only from the proxied network
    networks:
      - proxied
    restart: unless-stopped
    environment:
      TZ: Europe/Amsterdam

networks:
  proxied:
    name: proxied
    external: true

Nginx Proxy Manager compose.yaml
services:
  nginx-proxy-manager:
    image: 'jc21/nginx-proxy-manager:latest'
    container_name: nginx-proxy-manager
    restart: unless-stopped
    ports:
      - '80:80'   # HTTP
      - '81:81'   # NPM admin panel
      - '443:443' # HTTPS
    volumes:
      - ./npm-data:/data
      - ./npm-letsencrypt:/etc/letsencrypt
    networks:
      - proxied

networks:
  proxied:
    name: proxied
    driver: bridge
    ipam:
      config:
        - subnet: 172.21.0.0/16
          gateway: 172.21.0.1
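One thing worth checking in this setup is the trusted_proxies value. Home Assistant only processes an X-Forwarded-For header when the TCP peer that sent it is listed in trusted_proxies, and with NPM and Home Assistant attached to the same proxied bridge network the peer address Home Assistant sees is NPM’s container address on 172.21.0.0/16, not a LAN address. Listing a wider range than the proxy actually uses is the opposite risk: any host in that range that can reach port 8123 could set X-Forwarded-For and be recorded under a spoofed client address (which matters for ip_ban and login-attempt notifications); not publishing 8123, as the compose file above does, is what closes that path. The script below is an added example, not the poster’s code or part of Home Assistant: it takes constructed copies of the posted values, checks whether trusted_proxies covers the proxy’s address, emulates the client-address decision (modelled on the http integration’s documented behaviour, which is an assumption of this example), and, when run on the LAN, verifies the TLS chain and SAN against the mkcert root. The NPM container address 172.21.0.3 is assumed.

```python
"""Offline checks for an NPM -> Home Assistant reverse-proxy setup.
Added example, not the poster's code.  Inputs are constructed copies of the
values in the posted compose files and configuration.yaml."""
import ipaddress
import socket
import ssl

# Constructed from the post: the 'proxied' bridge subnet (NPM compose file),
# the trusted_proxies list (configuration.yaml) and the mkcert hostname.
PROXIED_SUBNET = "172.21.0.0/16"
POSTED_TRUSTED_PROXIES = ["192.168.0.0/25"]
HOSTNAME = "homeassistant.name.home.arpa"


def _nets(cidrs):
    return [ipaddress.ip_network(c, strict=False) for c in cidrs]


def proxy_is_trusted(proxy_addr, trusted_proxies):
    """True if the address HA sees the proxy connect from is covered by
    trusted_proxies.  When NPM and HA share a Docker bridge network that
    address is NPM's container IP on that bridge, not a LAN address."""
    addr = ipaddress.ip_address(proxy_addr)
    return any(addr in net for net in _nets(trusted_proxies))


def effective_client_ip(peer_addr, x_forwarded_for, trusted_proxies):
    """Emulates the client-address decision of HA's http integration with
    use_x_forwarded_for: true (modelled on its documented behaviour; an
    assumption of this example): X-Forwarded-For is honoured only when the
    TCP peer is a trusted proxy, otherwise the peer address itself is used.
    Returns (client_ip, reason)."""
    if not x_forwarded_for:
        return peer_addr, "no header: peer address used"
    if not proxy_is_trusted(peer_addr, trusted_proxies):
        return peer_addr, "untrusted peer: header ignored"
    # Leftmost entry is the original client as reported by the proxy chain.
    client = x_forwarded_for.split(",")[0].strip()
    return str(ipaddress.ip_address(client)), "trusted proxy: header honoured"


def san_covers(cert, hostname):
    """True if a getpeercert()-style dict lists hostname (or a matching
    single-label wildcard) as a DNS subjectAltName.  mkcert puts the name
    given on its command line there."""
    host = hostname.lower().rstrip(".")
    for kind, value in cert.get("subjectAltName", ()):
        if kind != "DNS":
            continue
        v = value.lower()
        if v == host:
            return True
        if v.startswith("*.") and "." in host and host.split(".", 1)[1] == v[2:]:
            return True
    return False


def verify_https(hostname, cafile, port=443, timeout=5.0):
    """Live check (needs the LAN): open a TLS connection to hostname:port,
    verifying the chain against the mkcert root CA file (cafile), and
    confirm the presented certificate's SAN covers the hostname."""
    ctx = ssl.create_default_context(cafile=cafile)
    with socket.create_connection((hostname, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
            return san_covers(tls.getpeercert(), hostname)


def report(proxy_addr="172.21.0.3"):
    """Summarise the posted values; proxy_addr is an assumed NPM container
    address inside PROXIED_SUBNET."""
    trusted = proxy_is_trusted(proxy_addr, POSTED_TRUSTED_PROXIES)
    seen, why = effective_client_ip(proxy_addr, "192.168.0.42", POSTED_TRUSTED_PROXIES)
    return {
        "proxy_trusted": trusted,
        "client_ip_recorded": seen,
        "reason": why,
        "suggested_trusted_proxies": [PROXIED_SUBNET],
    }


if __name__ == "__main__":
    print(report())
```

With the posted values, report() shows the proxy address is not covered, so the header from NPM would be ignored and every request would be recorded as coming from the proxy’s container address; listing the proxied subnet (or better, NPM’s fixed container address) instead of the LAN range makes the header count and keeps the trust scoped to the one process that should be setting it. verify_https(HOSTNAME, "rootCA.pem") is the live counterpart to the browser test, with rootCA.pem being the file mkcert creates in its CA directory.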

This is interesting as I’ve been wanting to play with Nginx Proxy Manager.

Sorry, it’s pre-coffee for me, but do you consider your local network insecure? Is that why you wanted to run via https locally?

Are there things your HA instance talks to over insecure connections?

Another question, when running in its own docker network, are you forwarding mdns into that network? Did you do something so HA discovery of devices still works?

(This is also interesting to me as I run Z-Wave JS on separate hosts, and the other day I was wondering about security there. So, I wrote a small integration to create and manage SSH tunnels from HA to the other machines.)


Yes, mostly for what is reported here. I don’t want my login credentials to be sent over an unencrypted connection when I mistakenly open the Home Assistant mobile app while I’m not at home.

Yes, I have some devices that HomeAssistant communicates with via http.

No. It just worked.

Adding https access to all web UI services and devices on the local network is just another layer of security.
Traffic is encrypted, it doesn’t cost you a thing, and getting passwords or sniffing encrypted traffic is basically useless.


If you are going to use your own Certificate Authority you can pretty much use any domain you like on your LAN. As long as you avoid the major TLDs (.com, .net, .org or the equivalent in your country), it’s unlikely that you will ever be going to a real website ending in .lan or similar, so you can pick something short and easy to type.

It’s always possible one of your machines gets some malware installed on it and/or if you use older routers your wifi gets breached, for example it takes about 30 seconds to breach a WPA (1) WIFI password.

I am not sure if HTTPS is the biggest threat to HA security, but it probably won’t hurt to install a cert on HA.


Does that mean you are seeing things like ESPHome devices discovered in HA? Are you using a reflector or macvlan?

I had forgotten about this issue with mDNS flooding, and it probably won’t apply to you, as I had both HAOS running and a separate HA running in Docker with its own network and Avahi configured as a reflector. Now I just run with host networking on the containers.