How to secure local access?

I want to somehow secure my access to HA so I don't get warnings from Studio Code Server etc. about insecure access. I already use Tailscale, so I don't want to use Duck DNS as an additional layer. Is there an easy way to apply SSL certificates or something else? I'm not that knowledgeable about DNS stuff, so please ELI5. Thank you

It isn't easy… I'm trying to do this too… and have already tried a couple of methods… apparently "the certificates" need to be created for the local machine DuckDNS is pointing to from outside… and the local machine needs to have the same domain (or subdomain) we are pointing to… so if we use DuckDNS, no: Chrome, Safari and so on will complain that it isn't a valid certificate and the HA instance is "dangerous" :smile: Anyhow, let's keep the updates in this post and we will probably find a solution.

1 Like

Ignore the warnings, you are safe :joy:
If you really want headaches, use the letsencrypt addon.

But what about the integrations that require a secured site, such as Fitbit? (Though I think that particular integration isn't working anyway.) But yeah, I'm not so concerned about the warnings, more the annoyance that they're there.

Those will need an open access, like with duckdns.
They won’t work with tailscale alone, so it’s another story.

Just trying as above… and… something is happening… now I get 401 on Studio Code Server and Terminal… I guess because the domain name changed successfully.

Okay, the instance runs with the Cloudflare certificates, but of course it isn't perfect… same issue with the authority, for instance with Chrome… because of the DNS name… it means HTTPS is active but the certificates are not "trusted" (same as with DuckDNS)… so in the end… I guess the procedure we have works, since reading it says that this would happen, but now dnsmasq will probably help… will keep you posted.

I used to do it like this:

  • set up a DNS name in my router
  • create a DHCP reservation for HA (192.168.0.2)

This means that internally,
ha.name.mine resolves to 192.168.0.2

For outside I registered name.mine and pointed ha to my external IP address.

The only downside: internally I have to use
https://ha.name.mine:8123
while externally I use
https://ha.name.mine/

But since the name resolves OK, no SSL errors…
(no nginx/hairpin involved here)

1 Like

I set up an external web page which looks at the incoming IP address and redirects to the correct name based on whether it’s internal or external.

This requires that the external site “knows” your home router’s current IP address. There are a number of ways to do this. I have another page set up which stores the IP address on that external server whenever it’s loaded. Sort of like the various “myIP” pages out there. I have an automation which hits that page regularly. When my home IP changes, the new value is stored, ready for my HA redirect page to use.

I’m not saying this is the easiest way, just that it works for me, since I’ve had that external “myIP” page running for years for other things anyway.
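The two external pages described above, modelled as one small stdlib server (an added example, not the poster's own code): `/myip` records the home router's public IP when an HA automation loads it, and any other path redirects the visitor to the internal URL if they arrive from that IP, else to the external one; the hostnames, port and token are constructed placeholders.

```python
# Added example, not code from the thread. The `/myip` update is protected
# by a shared token so that a stranger cannot point the redirect at an
# address of their choosing; hostnames, port and token are placeholders.
import ipaddress
import secrets
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import parse_qs, urlparse

INTERNAL_URL = "https://ha.name.mine:8123/"  # used from inside the LAN
EXTERNAL_URL = "https://ha.name.mine/"       # used from the Internet
UPDATE_TOKEN = "replace-me-with-a-long-random-secret"  # placeholder
STATE = {"home_ip": None}

def choose_redirect(client_ip, home_ip):
    # A public-IP match only says the visitor shares HA's router;
    # it is a convenience, not an authentication decision.
    try:
        client = ipaddress.ip_address(client_ip)
    except ValueError:
        return EXTERNAL_URL
    if home_ip is not None and client == ipaddress.ip_address(home_ip):
        return INTERNAL_URL
    return EXTERNAL_URL

def record_home_ip(client_ip, token, state=STATE):
    # Constant-time token check; reject anything that is not a valid IP
    # so a bad request cannot poison the stored value.
    if not secrets.compare_digest(token, UPDATE_TOKEN):
        return False
    try:
        ipaddress.ip_address(client_ip)
    except ValueError:
        return False
    state["home_ip"] = client_ip
    return True

class Handler(BaseHTTPRequestHandler):
    def do_GET(self):
        url = urlparse(self.path)
        ip = self.client_address[0]  # behind a proxy, use X-Forwarded-For instead
        if url.path == "/myip":
            token = parse_qs(url.query).get("token", [""])[0]
            self.send_response(204 if record_home_ip(ip, token) else 403)
        else:
            self.send_response(302)
            self.send_header("Location", choose_redirect(ip, STATE["home_ip"]))
        self.end_headers()

if __name__ == "__main__":
    HTTPServer(("0.0.0.0", 8080), Handler).serve_forever()
```

The HA automation would fetch `/myip?token=...` periodically; visitors then open the redirect page instead of remembering two URLs.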

This sounds excellent; unfortunately it depends on the router whether you can set up the domain name on the inside network. Anyhow… I got remote access over HTTPS without any problem (Cloudflare); certificate-wise I still need to check how to get those onto the local instance without breaking the cloud connection (which, by the way… looks to be related to the domain name that the network provides to the local machine). I think using pfSense or Pi-hole as network manager would make everything easier (I have a FritzBox and it is a pain to set up for this kind of application).

You could use any DNS server… as long as it takes care of resolving the name :wink:

I think even HA's dnsmasq addon would work :thinking:

This is provided you can define the DNS address in the DHCP server, but the same goes here: you could use another DHCP server :grin:

I already tried it but… I got completely confused with it… I do have the domain, and Cloudflare DNS of course keeps it running via "Cloudflared"… I will have a try… you know, since the new updates we got with Assist, I guess the guys could have implemented some less complicated way to get the local instance secured. Anyhow, I would need to secure it since the main instance basically runs via powerline… (the server is in the cellar). I will give it a try and then probably we can fix a procedure that will help the others to do it too.

For internal use only, I'm using the tool XCA:

https://youtu.be/Z81jegMCrfk

SSL certs for internal use, but this only makes sense if the server is not accessible from the Internet.