HTTPS inside LAN | New Version of HA iOS App

Hi everyone, I just updated the HA app on my iPhone, and now I can see that I can specify an internal URL.

My environment is set up to work as well inside or outside my network thanks to a domain that’s pointed to my public IP. Indeed, I have HTTPS communication with Let’s Encrypt.

Now, with this new update, my standard URL is https://my-domain.com:8123 (as before), and if I try to specify an internal URL, I get two kinds of errors:

If I use HTTPS, the app does not accept the SSL certificate; if I use HTTP, the connection is refused.

May I allow HTTP only from the LAN?
Any solutions/advice/suggestions are appreciated.

Thanks to all. :slight_smile:

Don't use the advanced settings or specify an internal URL. Just use the URL you used before, under Connection.

When outside of your network, it will route back to your home IP as it has.

When inside your network, your router should reflect the request back, with the request never leaving your network.

1 Like

The emphasis being should:

  1. Your router has to support that;

  2. You usually have to set that up as well as port forwarding.

3 Likes

Ok, so what’s the purpose of this new feature? :face_with_monocle:
I should be able to use that…

Support what? Usually, I simply write a new line in the hosts file of my internal DNS server like:
domain.com 192.168.1.10

If developers created this feature, as I said, I should be able to use that. It's obvious that in my LAN I can't use my domain's certificate with my local IP address, so in my opinion there are two solutions:

  1. Skip SSL verification
  2. Allow HTTP traffic from LAN only

Thanks to all :slight_smile:

2 Likes

So I am stuck in exactly the same position. Any further progress made?

Can the internal URL feature be used with HTTPS? I run HTTPS with the Hass.io DuckDNS/Let's Encrypt add-on. When I try to use the internal URL, the iOS app reports an invalid certificate. Can we get a verify_ssl: Bool = false option to use with the internal URL? If this is not the intended function, then can you point us to where we can read about how to use the internal URL feature?

HomeAssistant/Views/SettingsViewController.swift line 35

3 Likes

Hi,

If it can be of any help to someone looking at this thread one day, here is how I solved the problem for my own use. I have Hass.io, use DuckDNS and Let's Encrypt, own a decent Linux-based firewall and use Pi-hole on Hass.io.

To put it short, I wanted to be able to use the hass app, without reconfiguring when I’m inside or outside.

So I added an entry to my Pi-hole config:

{
  "update_lists_on_start": true,
  "ssl": true,
  "certfile": "fullchain.pem",
  "keyfile": "privkey.pem",
  "interface": "",
  "ipv6": true,
  "ipv4_address": "192.168.0.XXX",
  "ipv6_address": "",
  "virtual_host": "",
  "hosts": [
    {
      "name": "YYY.duckdns.org",
      "ip": "192.168.0.XXX"
    }
  ]
}

Replace XXX / YYY with the proper settings. As mentioned before, you can achieve the same by adding a line to your /etc/hosts file if you don't use Pi-hole.

Then, I added two rules to my firewall:

$IPTABLES -t nat -A PREROUTING -m set --match-set whitelist src -p tcp --dport 8123 -j DNAT --to 192.168.0.XXX
$IPTABLES -A FORWARD -p all -m set --match-set whitelist src -j ACCEPT

For those not too familiar with iptables, you could narrow it down to (--dport only works together with a protocol match, hence -p tcp on both rules):

iptables -t nat -A PREROUTING -p tcp --dport 8123 -j DNAT --to 192.168.0.XXX
iptables -A FORWARD [-s IP_I_TRUST] -p tcp --dport 8123 -j ACCEPT

The only difference is that I use an ipset to store my whitelisted IPs, in coordination with port knocking.
(On iPhone, I have an app named KnockonD; it sends a stream of packets in a certain order, and the IP they were sent from is added to the whitelist ipset, which itself is whitelisted in my firewall.)

You can do the same with basic NAT in your router box (but I don't trust any object / technology / app, so I firewall everything and impose port knocking on any app/tool that wants to connect home).

Finally, in the app, I just leave the same good old URL for accessing the app:

https://YYY.duckdns.org:8123

Hope this helps.

1 Like
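To make the thread's diagnosis concrete (the certificate is issued for the DuckDNS name, never for a LAN IP, and HA listens on one scheme only), here is an added offline model, not code from the original posts or from Home Assistant. It assumes a constructed certificate SAN list, a constructed split-horizon override like the Pi-hole "hosts" entry above, and a hypothetical `check_internal_url` helper that classifies an internal URL the way the app's errors surface:

```python
"""Why an internal URL fails hostname validation, and why a DNS override fixes it."""
import ipaddress
from urllib.parse import urlsplit

# Constructed sample: what a Let's Encrypt cert for the DuckDNS name carries.
SAN_DNS = ["yyy.duckdns.org"]
SAN_IPS = []  # public CAs do not issue certificates for private IPs

# Constructed split-horizon override (Pi-hole "hosts" entry or /etc/hosts line).
DNS_OVERRIDES = {"yyy.duckdns.org": "192.168.0.10"}


def resolve_locally(host, overrides=DNS_OVERRIDES):
    """LAN IP the local resolver hands out, or None if the query would go public."""
    return overrides.get(host.lower())


def hostname_matches(host, san_dns, san_ips):
    """RFC 6125-style check: an IP literal must appear in the IP SANs; a name must
    equal a DNS SAN or match a single leftmost wildcard label (*.example.org)."""
    try:
        return ipaddress.ip_address(host) in [ipaddress.ip_address(i) for i in san_ips]
    except ValueError:
        pass  # not an IP literal, fall through to DNS-name matching
    host = host.lower()
    for san in san_dns:
        san = san.lower()
        if san == host:
            return True
        if san.startswith("*.") and host.count(".") == san.count(".") \
                and host.endswith(san[1:]):
            return True
    return False


def check_internal_url(url, ha_serves_https=True):
    """Classify an internal URL by the failure mode a client would hit first."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    if parts.scheme == "http" and ha_serves_https:
        return "refused: HA serves https only on this port"
    if not hostname_matches(host, SAN_DNS, SAN_IPS):
        return "cert error: %s not in certificate SAN" % host
    if resolve_locally(host) is None:
        return "ok only if the router hairpins the public IP"
    return "ok: name resolves to LAN IP and the cert matches"
```

Swapping the override out of DNS_OVERRIDES shows the remaining case: a valid name that still depends on router loopback.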

I'm hitting this issue as well. The internal IP should allow skipping HTTPS validation.

Also, even in the browser I can't do http://:8123 … I can only do https://:8123. Shouldn't Home Assistant still work with both https and http?

I have exactly the same issue. Why can I use http instead of https inside my own LAN?

Home assistant serves either http or https, but not both.

1 Like

Can't believe this is still an issue :sweat: Has someone managed to solve it without tinkering with the router?

I wish to use HTTP://mylocalIP:8123 (without SSL Verification) inside my LAN, and https://xxxx.duckdns.org (with SSL Verification) outside of my LAN. I think it isn’t possible today :roll_eyes:

I was following https://www.splitbrain.org/blog/2017-08/10-homeassistant_duckdns_letsencrypt

Isn’t it possible to assign two certificates for the same server? (duckdns and internal ip address)???

Hi @mario84,
it’s not possible to have a Let’s Encrypt certificate for a local IP.

Yes it is!!
You can use NGINX proxy.

My router doesn't support loopback, so I too would like to be able to do HTTP for local and HTTPS for external. This should be as simple as allowing HTTP for the internal network…
For the browser I can live with the 'unsecure' warning, but the iOS app doesn't work. Where can we request this be fixed?

use external
https://home.assistant.url (with port 443 forwarded to 8123 on your router)
and internally use
https://192.168.0.x:8123
:nerd_face:

1 Like

Hi,
That works from a browser, but the (iOS) app throws a certificate error and doesn't let you in…
The 'workaround' for that is loopback on the router, but my router doesn't loopback.
Internal access should be possible on http, even when setting up https for external access imho.

Yeah, you are right…

what I did:

  • added a domain name in my router, e.g. assistant.url
  • added a lease for HA on its IP, e.g. 192.168.100.100, and gave it a name, e.g. home

After that, your router should be able to resolve home.assistant.url as the reserved IP

(home.assistant.url should equal your qualified https dns name :innocent:)

Hi, unfortunately my router doesn't have these kinds of settings. I will raise a request on the iOS app to let it accept an invalid cert for the internal URL. Either that or having an HTTP port in addition to the HTTPS port would be good solutions that don't require any additional hoops to jump through…