HTTPS inside LAN | New Version of HA iOS App

kameo4242 · October 22, 2019, 1:24pm

Hi,

If it can be of any help to someone looking at this thread one day, here is how I solved the problem for my own use. I have hass.io, used duckdns and lets encrypt, own a decent linux based firewall and uses Pihole on Hass.io.

To put it short, I wanted to be able to use the hass app, without reconfiguring when I’m inside or outside.

So I added a line in my pihole config:

{
  "update_lists_on_start": true,
  "ssl": true,
  "certfile": "fullchain.pem",
  "keyfile": "privkey.pem",
  "interface": "",
  "ipv6": true,
  "ipv4_address": "192.168.0.XXX",
  "ipv6_address": "",
  "virtual_host": "",
  "hosts": [
    {
      "name": "YYY.duckdns.org",
      "ip": "192.168.0.XXX"
    }
  ]
}

replace XXX / YYY by the proper settings. As mentionned before, you can achieve the same by adding a line in your /etc/hosts file if you don’t use pihole.

Then, I added a line in my firewall:

$IPTABLES -t nat -A PREROUTING -m set --match-set whitelist src -p tcp              --dport 8123 -j DNAT --to 192.168.0.XXX
$IPTABLES -A FORWARD -p all -m set --match-set whitelist src -j ACCEPT

for the one not too familiar with iptables, you could narrow it down to:

iptables -t nat -A PREROUTING --dport 8123 -j DNAT --to 192.168.0.XXX
iptables -A FORWARD [-s IP_I_TRUST] -p tcp --dport 8123 -j ACCEPT

The only difference is that I use an ipset to store my whitelisted IP in coordination with port knocking.
(On Iphone, I have an App named KnockonD, it sends a stream of packet in a certain order and the IP they were sent from is added to the whitelist ipset, which himself is whitelisted in my firewall)

You can do the same with basic NAT in your router box. (but I don’t trust any object / technology / app, so I do firewall everything and impose port knocking to any app/tools willing to connect home).

Finally, in the app, I just leave the same good old URL for accessing the app:

https://YYY.duckdns.org:8123

Hope this helps.

rmarinho · June 7, 2020, 6:52pm

I m hitting this issue as well. The internal ip should allow sjip https validation.

Also even on the browser i cant do http://:8123 … i can only do https://:8123 shouldn’t i HomeAssistant still work with https and http ?

Denman2103 · June 8, 2020, 7:59pm

I have exact the same issue. Why can i use http instead of https inside my own LAN?

nickrout · June 9, 2020, 1:16am

Home assistant serves either http or https, but not both.

Ilja_Leiko · August 15, 2020, 9:23pm

Can’t believe this is still an issue have someone managed to solve it without tinkering with router?

D43m0n · October 12, 2020, 4:24pm

I wish to use HTTP://mylocalIP:8123 (without SSL Verification) inside my LAN, and https://xxxx.duckdns.org (with SSL Verification) outside of my LAN. I think it isn’t possible today

mario84 · October 24, 2020, 5:13pm

I was following https://www.splitbrain.org/blog/2017-08/10-homeassistant_duckdns_letsencrypt

Isn’t it possible to assign two certificates for the same server? (duckdns and internal ip address)???

pierfrancescoelia · October 26, 2020, 11:34am

Hi @mario84,
it’s not possible to have a Let’s Encrypt certificate for a local IP.

pierfrancescoelia · October 26, 2020, 11:34am

Yes it is!!
You can use NGINX proxy.

ddeconin · May 3, 2021, 11:34am

My Router doesn’t support loopback , so me to I’dd like to be able to do HTTP for local and HTTPS for external. This should be as simple as allowing HTTP for internal network…
For browser I can live with the ‘unsecure’ warning, but the IOS app doen’t work. Where can we request this is fixed?

aceindy · May 3, 2021, 12:25pm

use external
https://home.assistant.url (with port 443 forwarded to 8123 on your router)
and internally use
https://192.168.0.x:8123

ddeconin · May 3, 2021, 2:18pm

Hi,
That works from a browser, but the (IOS) app throws a certificate error and doesn’t let you in…
The ‘workaround’ for that i loopback on the router, but my router doesn’t loopback.
Internal access should be possible on http, even when setting up https for external access imho.

aceindy · May 3, 2021, 3:34pm

Yeah, you are right…

what I did:

added a domain name in my router f.e. assistant.url

image829×471 8.61 KB
added a lease for HA on it’s IP f.e. 192.168.100.100 and gave it a name f.e. home

After that, your router should be able to resolve home.assistant.url as the reserved IP

(home.assistant.url should equal your qualified https dns name )

ddeconin · May 4, 2021, 8:29am

Hi, Unfortunately my router doesn’t have these kinds of settings. Will raise a request on the Ios app to let it accept an invalid cert for the Internal URL. Either that or having a HTTP port in addition to the HTTPS port would be good solutions that don’t require any additional hoops to jump through…

nickrout · May 4, 2021, 9:26am

On your lan’s dns make your external domain name (eg example.duckdns.com) point to the internal ip address of your HA server, (eg 192.168.1.200).

ddeconin · May 4, 2021, 9:34am

Hi, my ISP’s router does not have that option. So will need to go either with a separate dns (pihole) or a separate router.

aceindy · May 4, 2021, 1:48pm

Use another DNS server…you can use HA’s addon…

github.com

home-assistant/addons/blob/de05c9b09c436491e78abf494ea6ccb988c65b04/dnsmasq/README.md

# Home Assistant Add-on: Dnsmasq

A simple DNS server.

![Supports aarch64 Architecture][aarch64-shield] ![Supports amd64 Architecture][amd64-shield] ![Supports armhf Architecture][armhf-shield] ![Supports armv7 Architecture][armv7-shield] ![Supports i386 Architecture][i386-shield]

## About

Setup and manage a Dnsmasq DNS server. This allows you to manipulate DNS
requests. For example, you can have your Home Assistant domain resolve with
an internal address inside your network.

[aarch64-shield]: https://img.shields.io/badge/aarch64-yes-green.svg
[amd64-shield]: https://img.shields.io/badge/amd64-yes-green.svg
[armhf-shield]: https://img.shields.io/badge/armhf-yes-green.svg
[armv7-shield]: https://img.shields.io/badge/armv7-yes-green.svg
[i386-shield]: https://img.shields.io/badge/i386-yes-green.svg

ddeconin · May 10, 2021, 2:44pm

Hi,
2 steps forward, 1 step back.
This works when I set this DNS on a PC
Then I get
dnsmasq[208]: query[A] myxxxxx.duckdns.org from 192.168.1.22
dnsmasq[208]: config myxxxxx.duckdns.org is 192.168.1.97
dnsmasq[208]: query[A] wpad.localdomain from 192.168.1.22

However, when setting this on a Iphone,Ipad it with IOS 14 it doesnt. Looks like its triggering DNS over HTTPS.
When I put the same URL that works from a PC in my Iphone I get entries in dnsmasq pointing to
]: cached 27.courier-push-apple.com.akadns.net is
…
So no local DNS call is performed…
Back to square I again.

pierfrancescoelia · May 10, 2021, 3:25pm

Hi everyone,
there is a solution for the problem I described in my first post.

The solution is to use the NGINX Home Assistant SSL proxy plugin.

My HTTP configuration is the following.

http:
  use_x_forwarded_for: true
  trusted_proxies:
    - 172.30.0.0/16
  ip_ban_enabled: true
  login_attempts_threshold: 5

While my plugin’s configuration is:

domain: miodominio.cloud
certfile: fullchain.pem
keyfile: privkey.pem
hsts: max-age:31536000; includeSubDomains
cloudflare: false
customize:
	active: false
	default: nginx_proxy_default*.conf
	servers: nginx_proxy/*.conf

In this way, home assistant is listening HTTP port 8123 and HTTPS port 443 tanks to the plugin, so I use internal and external URLs. Of course, fullchain.pem and privkey.pem correspond to Let’s Encrypt’s certificates.

ddeconin · May 15, 2021, 12:53pm

Hi,
using the combination of duckdns & nginx worked perfectly for me!