HTTPS inside LAN | New Version of HA iOS App

Hi,

If it can be of any help to someone looking at this thread one day, here is how I solved the problem for my own use. I have Hass.io, use DuckDNS and Let's Encrypt, own a decent Linux-based firewall and use Pi-hole on Hass.io.

To put it short, I wanted to be able to use the hass app, without reconfiguring when I’m inside or outside.

So I added a line in my Pi-hole config:

{
  "update_lists_on_start": true,
  "ssl": true,
  "certfile": "fullchain.pem",
  "keyfile": "privkey.pem",
  "interface": "",
  "ipv6": true,
  "ipv4_address": "192.168.0.XXX",
  "ipv6_address": "",
  "virtual_host": "",
  "hosts": [
    {
      "name": "YYY.duckdns.org",
      "ip": "192.168.0.XXX"
    }
  ]
}

Replace XXX / YYY with the proper settings. As mentioned before, you can achieve the same by adding a line to your /etc/hosts file if you don't use Pi-hole.

Then, I added a line in my firewall:

$IPTABLES -t nat -A PREROUTING -m set --match-set whitelist src -p tcp --dport 8123 -j DNAT --to 192.168.0.XXX
$IPTABLES -A FORWARD -p all -m set --match-set whitelist src -j ACCEPT

For those not too familiar with iptables, you could narrow it down to:

iptables -t nat -A PREROUTING -p tcp --dport 8123 -j DNAT --to 192.168.0.XXX
iptables -A FORWARD [-s IP_I_TRUST] -p tcp --dport 8123 -j ACCEPT

The only difference is that I use an ipset to store my whitelisted IPs in coordination with port knocking.
(On iPhone, I have an app named KnockonD; it sends a stream of packets in a certain order and the IP they were sent from is added to the whitelist ipset, which itself is whitelisted in my firewall.)

You can do the same with basic NAT in your router box (but I don't trust any object / technology / app, so I firewall everything and impose port knocking on any app/tool willing to connect home).

Finally, in the app, I just leave the same good old URL for accessing the app:

https://YYY.duckdns.org:8123

Hope this helps.

1 Like
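To make the knock-then-whitelist mechanism from the post above concrete, here is an added simulation (not the poster's code, and not KnockonD or ipset themselves) of what the daemon behind the `whitelist` ipset has to track: per-source progress through the knock sequence, a time window for completing it, and an expiry for the whitelist entry. The knock ports, window and TTL are assumptions chosen for the demo, as is the packet trace.

```python
"""Simulation of a port-knock whitelist like the one behind the poster's
'whitelist' ipset. Added example; the sequence, window and TTL below are
assumptions, not the poster's real values."""
from dataclasses import dataclass, field

KNOCK_SEQUENCE = (7000, 8000, 9000)   # ports that must be hit in this order (assumed)
KNOCK_WINDOW = 10.0                   # seconds allowed to finish the whole sequence
WHITELIST_TTL = 300.0                 # seconds a source stays whitelisted
PROTECTED_PORT = 8123                 # the port the FORWARD rule gates on


@dataclass
class KnockDaemon:
    """Tracks knock progress per source and the resulting whitelist."""
    progress: dict = field(default_factory=dict)   # src -> (next_index, first_knock_ts)
    whitelist: dict = field(default_factory=dict)  # src -> expiry timestamp

    def observe(self, src, dport, ts):
        """Feed one packet (source IP, destination port, timestamp).
        Returns True when this packet completes a valid sequence."""
        self._expire(ts)
        idx, started = self.progress.get(src, (0, ts))
        # Wrong port or too slow: discard progress; the packet may still be a
        # valid first knock, so only that case restarts the sequence.
        if dport != KNOCK_SEQUENCE[idx] or ts - started > KNOCK_WINDOW:
            self.progress.pop(src, None)
            if dport == KNOCK_SEQUENCE[0]:
                self.progress[src] = (1, ts)
            return False
        idx += 1
        if idx == len(KNOCK_SEQUENCE):
            self.progress.pop(src, None)
            self.whitelist[src] = ts + WHITELIST_TTL   # what 'ipset add' does
            return True
        self.progress[src] = (idx, started)
        return False

    def is_allowed(self, src, dport, ts):
        """Mirrors the FORWARD rule: only whitelisted sources reach 8123."""
        self._expire(ts)
        return dport == PROTECTED_PORT and src in self.whitelist

    def _expire(self, ts):
        # ipset timeouts do this for real; here we drop stale entries by hand
        for src in [s for s, exp in self.whitelist.items() if exp <= ts]:
            del self.whitelist[src]


def run_demo():
    """Constructed packet trace: (src, dport, ts) with RFC 5737 addresses."""
    d = KnockDaemon()
    trace = [
        ("203.0.113.10", 7000, 0.0),   # phone: correct order, fast enough
        ("203.0.113.10", 8000, 1.0),
        ("203.0.113.10", 9000, 2.0),
        ("198.51.100.7", 7000, 0.5),   # another host: right ports, wrong order
        ("198.51.100.7", 9000, 1.5),
        ("198.51.100.7", 8000, 2.5),
        ("192.0.2.44", 7000, 3.0),     # right order but last knock is too late
        ("192.0.2.44", 8000, 4.0),
        ("192.0.2.44", 9000, 20.0),
    ]
    for src, port, ts in trace:
        d.observe(src, port, ts)
    return {
        "phone_allowed": d.is_allowed("203.0.113.10", PROTECTED_PORT, 5.0),
        "wrong_order_allowed": d.is_allowed("198.51.100.7", PROTECTED_PORT, 5.0),
        "too_slow_allowed": d.is_allowed("192.0.2.44", PROTECTED_PORT, 21.0),
        "phone_after_ttl": d.is_allowed("203.0.113.10", PROTECTED_PORT, 2.0 + WHITELIST_TTL + 1),
    }


if __name__ == "__main__":
    print(run_demo())
```

The two failure modes worth noticing are that a wrong-order sequence never earns partial credit (progress is reset, not decremented) and that the whitelist entry expires on its own, so a phone that changes networks has to knock again rather than leaving its old IP open indefinitely.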

I'm hitting this issue as well. The internal IP should allow skipping HTTPS validation.

Also, even in the browser I can't do http://:8123 … I can only do https://:8123. Shouldn't Home Assistant still work with https and http?

I have exactly the same issue. Why can I use http instead of https inside my own LAN?

Home Assistant serves either HTTP or HTTPS, but not both.

1 Like

Can't believe this is still an issue :sweat: Has someone managed to solve it without tinkering with the router?

I wish to use HTTP://mylocalIP:8123 (without SSL verification) inside my LAN, and https://xxxx.duckdns.org (with SSL verification) outside of my LAN. I think it isn't possible today :roll_eyes:

I was following https://www.splitbrain.org/blog/2017-08/10-homeassistant_duckdns_letsencrypt

Isn't it possible to assign two certificates to the same server (DuckDNS and internal IP address)?

Hi @mario84,
it’s not possible to have a Let’s Encrypt certificate for a local IP.

Yes it is!!
You can use NGINX proxy.

My router doesn't support loopback, so me too, I'd like to be able to do HTTP for local and HTTPS for external. This should be as simple as allowing HTTP for the internal network…
For the browser I can live with the 'unsecure' warning, but the iOS app doesn't work. Where can we request that this be fixed?

Use external
https://home.assistant.url (with port 443 forwarded to 8123 on your router)
and internally use
https://192.168.0.x:8123
:nerd_face:

1 Like

Hi,
That works from a browser, but the (iOS) app throws a certificate error and doesn't let you in…
The 'workaround' for that is loopback on the router, but my router doesn't loopback.
Internal access should be possible on HTTP, even when setting up HTTPS for external access, IMHO.

Yeah, you are right…

What I did:

  • added a domain name in my router, e.g. assistant.url
  • added a lease for HA on its IP, e.g. 192.168.100.100, and gave it a name, e.g. home

After that, your router should be able to resolve home.assistant.url to the reserved IP

(home.assistant.url should equal your qualified https dns name :innocent:)

Hi, unfortunately my router doesn't have these kinds of settings. I will raise a request on the iOS app to let it accept an invalid cert for the internal URL. Either that, or having an HTTP port in addition to the HTTPS port, would be a good solution that doesn't require any additional hoops to jump through…

On your LAN's DNS, make your external domain name (e.g. example.duckdns.com) point to the internal IP address of your HA server (e.g. 192.168.1.200).

Hi, my ISP's router does not have that option. So I will need to go with either a separate DNS (Pi-hole) or a separate router.

Use another DNS server… you can use HA's add-on… :thinking:

Hi,
2 steps forward, 1 step back.
This works when I set this DNS on a PC.
Then I get:
dnsmasq[208]: query[A] myxxxxx.duckdns.org from 192.168.1.22
dnsmasq[208]: config myxxxxx.duckdns.org is 192.168.1.97
dnsmasq[208]: query[A] wpad.localdomain from 192.168.1.22

However, when setting this on an iPhone/iPad with iOS 14 it doesn't. Looks like it's triggering DNS over HTTPS.
When I put the same URL that works from a PC into my iPhone, I get entries in dnsmasq pointing to
]: cached 27.courier-push-apple.com.akadns.net is

So no local DNS call is performed…
Back to square one again.
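The dnsmasq lines in the post above are exactly what you need to tell the three cases apart: a client that got the override (`config` / hosts-file answer with the internal IP), a client whose query was forwarded upstream (the override is not applied on that resolver), and a client that never asked this resolver for the name at all (the DNS-over-HTTPS symptom, where only unrelated names such as the Apple push hostname show up). The following audit script is an added example, not part of the post; the log sample is constructed in the format dnsmasq writes with query logging on, and the names and addresses are placeholders.

```python
"""Classify dnsmasq query-log lines per client to check whether the
split-horizon override for a Home Assistant hostname is actually in use.
Added example; SAMPLE_LOG is constructed, not a real capture."""
import re

SAMPLE_LOG = """\
dnsmasq[208]: query[A] myxxxxx.duckdns.org from 192.168.1.22
dnsmasq[208]: config myxxxxx.duckdns.org is 192.168.1.97
dnsmasq[208]: query[A] wpad.localdomain from 192.168.1.22
dnsmasq[208]: query[A] myxxxxx.duckdns.org from 192.168.1.23
dnsmasq[208]: /etc/pihole/custom.list myxxxxx.duckdns.org is 192.168.1.97
dnsmasq[208]: query[A] 27.courier-push-apple.com.akadns.net from 192.168.1.30
dnsmasq[208]: cached 27.courier-push-apple.com.akadns.net is 17.57.146.20
dnsmasq[208]: query[A] myxxxxx.duckdns.org from 192.168.1.31
dnsmasq[208]: forwarded myxxxxx.duckdns.org to 1.1.1.1
dnsmasq[208]: reply myxxxxx.duckdns.org is 203.0.113.5
"""

# "query[A] <name> from <client>"
QUERY_RE = re.compile(r"query\[\w+\] (\S+) from (\S+)")
# "<source> <name> is <addr>" or "forwarded <name> to <upstream>", where
# <source> is config, cached, reply, forwarded or a hosts-style file path
ANSWER_RE = re.compile(r"dnsmasq\[\d+\]: (\S+) (\S+) (?:is|to) (\S+)")


def audit_split_dns(log_text, ha_name, internal_ip):
    """Return {client_ip: verdict} where verdict is one of
    'local'          answered from address=/hosts/Pi-hole entry with internal_ip
    'local-mismatch' answered locally but with some other address
    'upstream'       forwarded to or answered from the public resolver
    'unanswered'     asked but no answer line seen
    'absent'         client appears in the log but never asked for ha_name"""
    verdicts = {}
    seen_clients = set()
    last_asker = None   # dnsmasq logs the answer right after the query it belongs to
    for line in log_text.splitlines():
        q = QUERY_RE.search(line)
        if q:
            name, client = q.groups()
            seen_clients.add(client)
            if name == ha_name:
                last_asker = client
                verdicts.setdefault(client, "unanswered")
            continue
        a = ANSWER_RE.search(line)
        if not a or a.group(2) != ha_name or last_asker is None:
            continue
        source, _, addr = a.groups()
        if source == "config" or source.startswith("/"):
            verdicts[last_asker] = "local" if addr == internal_ip else "local-mismatch"
        elif source in ("forwarded", "reply", "cached"):
            verdicts[last_asker] = "upstream"
    for client in seen_clients:
        verdicts.setdefault(client, "absent")
    return verdicts


if __name__ == "__main__":
    for client, verdict in sorted(audit_split_dns(SAMPLE_LOG, "myxxxxx.duckdns.org", "192.168.1.97").items()):
        print(f"{client:15} {verdict}")
```

Run it against a real `pihole.log` or dnsmasq journal with your own hostname and HA address; an `absent` verdict for a phone that is definitely on the LAN is the signature of the device resolving elsewhere (encrypted DNS or a hard-coded resolver), which no amount of router-side DNS configuration will fix.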

Hi everyone,
there is a solution for the problem I described in my first post.

The solution is to use the NGINX Home Assistant SSL proxy plugin.

My HTTP configuration is the following.

http:
  use_x_forwarded_for: true
  trusted_proxies:
    - 172.30.0.0/16
  ip_ban_enabled: true
  login_attempts_threshold: 5

While my plugin’s configuration is:

domain: miodominio.cloud
certfile: fullchain.pem
keyfile: privkey.pem
hsts: max-age=31536000; includeSubDomains
cloudflare: false
customize:
  active: false
  default: nginx_proxy_default*.conf
  servers: nginx_proxy/*.conf

In this way, Home Assistant listens on HTTP port 8123 and, thanks to the plugin, on HTTPS port 443, so I can use both internal and external URLs. Of course, fullchain.pem and privkey.pem are Let's Encrypt's certificate files.

1 Like
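The `use_x_forwarded_for` / `trusted_proxies` pair in the `http:` block above is the security-relevant part of this setup: once HA sits behind the NGINX add-on, every HTTPS login arrives from the proxy's address, so `ip_ban_enabled` would otherwise ban the proxy itself (locking everyone out) and the real client address has to come from the `X-Forwarded-For` header, which must only be believed when the TCP peer is inside the trusted subnet. The script below is an added illustration of that decision logic, not Home Assistant's own code; `172.30.0.0/16` is the value from the post (the Supervisor's internal network), and the event list is constructed.

```python
"""Why trusted_proxies must be narrow: X-Forwarded-For is honoured only
when the TCP peer is a trusted proxy. Added example, simplified; it is not
Home Assistant's forwarded-header implementation."""
import ipaddress

# From the poster's http: block. Only the add-on's Docker network is trusted.
TRUSTED_PROXIES = [ipaddress.ip_network("172.30.0.0/16")]
LOGIN_ATTEMPTS_THRESHOLD = 5   # login_attempts_threshold from the same block


def effective_client_ip(peer_ip, x_forwarded_for=None, trusted=TRUSTED_PROXIES):
    """Return the address that should count as 'the client'.

    The header is used only if the peer is a trusted proxy; a direct client
    on :8123 can put anything in X-Forwarded-For, so for it the header is
    ignored and its own address is used. Leftmost entry = originating client
    (intermediate proxies append to the right)."""
    peer = ipaddress.ip_address(peer_ip)
    if x_forwarded_for and any(peer in net for net in trusted):
        first = x_forwarded_for.split(",")[0].strip()
        try:
            return str(ipaddress.ip_address(first))
        except ValueError:
            return str(peer)   # malformed header: fall back to the peer address
    return str(peer)


def simulate_bans(events, threshold=LOGIN_ATTEMPTS_THRESHOLD):
    """Count failed logins per effective client, as ip_ban_enabled does.
    events: iterable of (peer_ip, x_forwarded_for header or None, login_ok)."""
    failures = {}
    banned = set()
    for peer, xff, ok in events:
        client = effective_client_ip(peer, xff)
        if ok:
            continue
        failures[client] = failures.get(client, 0) + 1
        if failures[client] >= threshold:
            banned.add(client)
    return banned


# Constructed events with RFC 5737 addresses (assumed, not real traffic).
DEMO_EVENTS = [
    *[("172.30.32.1", "203.0.113.9", False)] * 5,   # 5 failures via the add-on's proxy
    ("172.30.32.1", "198.51.100.4", True),          # another user through the same proxy
    *[("192.168.1.50", "10.9.9.9", False)] * 5,     # 5 failures straight to :8123, header set by the client
]


if __name__ == "__main__":
    print("banned:", sorted(simulate_bans(DEMO_EVENTS)))
```

With the trusted range limited to the proxy network, the five failures through NGINX ban `203.0.113.9` rather than `172.30.32.1`, so the other user behind the proxy is unaffected, and the direct connection's self-supplied header is ignored, so it is `192.168.1.50` that gets banned, not the address it claimed. Widening `trusted_proxies` to, say, the whole LAN would let any LAN host pick which address takes the blame.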

Hi,
using the combination of DuckDNS & NGINX worked perfectly for me!

1 Like