I recently started setting up the new built-in Reolink integration, which now gives me the following warning:
Reolink products can not push motion events to an HTTPS address (SSL), please configure a (local) HTTP address under “Home Assistant URL” in the network settings. The current (local) address is: https://<redacted server address> , a valid address could, for example, be http://192.168.1.10:8123 where 192.168.1.10 is the IP of the Home Assistant device
Is there any way to set up this configuration so that HA can provide a custom address to the Reolink cameras? I don’t want to just open up my HA installation over unencrypted HTTP (even on my internal network), and I already have to poke holes in my firewall DMZ to allow these untrustworthy devices access to my home-assistant server.
I also can’t seem to find any info about what path is used for the callback, which I’ll need to set up a forwarding rule to prevent the cameras from having access to the entirety of home-assistant’s services.
My DMZ doesn’t actually have access to the DNS that I use for my internal URL. Anything in my DMZ looking up that DNS will find the external IP, which only answers on https. For security reasons, cameras are all in the DMZ.
When I had different URLs for internal/external (one http, one https), my phone would often fail to connect. I thought this was an issue related to HA on my phone not being able to properly identify the internal/external network, but as I type this I wonder if it’s more likely to have been related to DNS caching the external-network IP and trying http (internal URL) and failing because the external IP has http disabled.
TLDR: HA core team design requirements prevent integrations from using any sort of host override. Unfortunately, this means the only way to use the Reolink ONVIF callbacks is to disable HTTPS on the internal home-assistant URL (at least until Reolink adds support for https, but this seems unlikely given that their rapid hardware iteration seems to leave even older cameras stuck without firmware updates).
Do you recommend using the Reolink integration and the ONVIF integration in parallel?
I used both for some time but had the impression that this creates issues.
The message this delivers is so bassackwards. Secure your HA, but not really. If this is really what devs are saying, the reverse proxy should be part of the standard HA deployment.
So in the end, it would be best to run HA via http, block all traffic to it with exceptions for things that can’t use https and frontend it via HTTPS proxy open to all. Does that sum it up?