New Add-On: Cloudflared

Hello Tobias, I am trying to install your add-on but I am stuck. I went to Addon store and added your repository. It is shown under “Add-on Repositorys verwalten”. What is the next step? Where do I find any options to configure it?

Thanks for the clarification.

I suggest reading the docs Home Assistant Add-ons. But you can only configure an add-on after you have installed it. You don’t have to worry about installing add-ons, because they will not be active until you start them. After you have installed an add-on you can access the info, documentation, configuration and log in the HA add-on panel.

The step I was missing was to delete cookies in order for the add-on to show. No instruction told me about this step, so I guess I was just stupid.

I see. For me a simple reload of the page is sufficient.

I’m very intrigued by this add-on. I didn’t actually realize Cloudflare offered this service, and I would much rather use it than open ports on my network.

That being said, my setup is a bit complex. I have a reverse proxy set up, but I use Caddy 2, not Nginx Proxy Manager. And I would prefer not to replace it in my setup with the hosts option of this add-on for a few reasons:

  1. I have two separate routing trees. One is external and everything is a subdomain of my public domain; the other is internal and everything is a subdomain of a LAN-only domain. I would like to keep them together.
  2. I have a pretty complex Caddyfile making use of a lot of its features such as access filtering, adding/removing response headers, detailed logging (especially around external access), etc. Things that cloudflared understandably doesn’t support, because its purpose is to be the tunnel, not a full-featured reverse proxy.

So I was wondering if perhaps you could share some details about what a cloudflared config file looks like when generated by this add-on? Like perhaps a sample file or two? I was hoping to iterate locally with cloudflared directly to get something working on my network, since I’m worried it may be a little tricky based on this post on the Caddy forums. Then I can hopefully turn that into a PR for this add-on with Caddy 2 support.

I realize I could install the add-on and toy around with it to see the generated configs, but this step in the documentation made me pretty nervous:

Any existing DNS entries with your desired external hostname and additional hosts will be overridden at Cloudflare.

I put in a lot of time and effort getting my setup working the way I wanted with internal and external access, so I don’t want things blown away.

That’s a fair request. I will think about how to incorporate that in the add-on and track the request in this issue.

@CentralCommand The development of the new option is done. Feel free to check out the add-on GitHub repo or the edge repository where it is already included and let me know what you think and if that solves your problem.
I will release it to the stable repository within the next days.

1 Like

I just released v0.4.0 with the option to add a catch-all service, e.g. for external reverse proxies, in the stable repository.
Let me know if there are any issues with it.

It seems that it bricks all connections… I can’t connect to any subdomains except the one that was created in the beginning.

I read the information on GitHub but don’t know what to add extra to leave it as it was before the update.

EDIT:

I added this line:

additional_hosts: []

Restarted cloudflared-addon and now it’s working again.

When I use additional_hosts: [] to forward subdomains, will it use the SSL of Cloudflare when I use https:// to go to the page?

EDIT AGAIN: Tried it and it seems to work also. And it also looks like it’s much faster without NPM in between.

That’s great to hear, and sorry that the configuration had to be adapted. It should have added the additional_hosts array a couple of releases ago, so I am not sure why this was not present in your config.

Did you have any ‘additional_hosts’ in your config before updating?

Regarding SSL: You are automatically using SSL for all your subdomains at Cloudflare. So the connection is encrypted from the visitor to Cloudflare and through the tunnel to your HA instance. After that, it depends on which protocol you are using to forward to the next service. You can use https and this connection will also be encrypted, or you use http, which will mean that the connection from HA to that service (usually a local connection within your network) will not be encrypted.
The good thing about Cloudflare is that the client in the end does not see any difference, since from his point of view the Cloudflare server is responding to his request and this connection is encrypted end-to-end. Also, since some services do not offer https, this is a pretty nice way of still using https for all internet-facing connections and therefore highly reducing any security concerns about it.
This is something that every reverse proxy is offering; the only difference is that the Cloudflare proxy sits “in the internet” and then gets what it needs to serve the requests through the secure tunnel.

2 Likes

I have now added all my old NPM hosts into the additional_hosts of Cloudflare. Shut down the NPM and did some tests with my mobile phone on the provider network (so I’m not on the internal network).

Found one thing to remove an error. It was removing the line

internal_ha_port: '8123'

Last question. Some services I used in NPM had a custom location:

location: /
Scheme: http
Forward Hostname / IP: 192.168.100.x
Forward Port: xxx

Is this also possible to add in the additional_hosts part of Cloudflare?

OK, the ‘internal_ha_port’ option also used to be part of the config but is not needed anymore. I am considering adding a check for it in the config that removes it automatically.

Regarding the location: Unfortunately, this is not (yet) possible with cloudflared. You can only define the hostname and port of the service, but not an individual location. I raised an issue for that; let’s see.

Nevertheless, when looking into the topic I found that you could define a path for the hostname to listen on. This means that you can not only define specific hostnames (e.g. ha.example.com), but also specific paths under them (e.g. home.example.com/ha and home.example.com/diskstation) and route them to different services. I will look into also offering that in my add-on, see this issue.

1 Like
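To show what the requested sample config looks like, here is an added illustration (not the add-on’s own code and not from the thread) that builds the cloudflared ingress rule list for the two cases discussed above: additional hosts with the catch-all service for an external reverse proxy, and path-based routing under one hostname. It assumes the option names external_hostname, catch_all_service and a per-host "path" key (only additional_hosts appears in the thread), and that Home Assistant is reachable inside the add-on network as http://homeassistant:8123; the validator catches the rule-ordering mistakes cloudflared itself is strict about.

```python
import re
# Constructed, add-on style options. Only additional_hosts appears in the thread;
# external_hostname, catch_all_service and the per-host "path" key are assumed names.
OPTIONS = {
    "external_hostname": "ha.example.com",
    "additional_hosts": [
        {"hostname": "home.example.com", "path": "^/diskstation", "service": "http://192.168.100.20:5000"},
        {"hostname": "home.example.com", "path": "^/ha", "service": "http://homeassistant:8123"},
        {"hostname": "radarr.example.com", "service": "http://192.168.100.30:7878"},
    ],
    # Unmatched requests go to an external reverse proxy (e.g. Caddy); "http_status:404" refuses them.
    "catch_all_service": "http://192.168.100.10:80",
}
SERVICE_RE = re.compile(r"^(https?|tcp|ssh|rdp)://\S+$|^http_status:\d{3}$")

def build_ingress(opts):
    """Ordered ingress rules: cloudflared takes the first match, so specific rules
    come first and the final rule (no hostname, no path) catches the rest."""
    rules = [{"hostname": opts["external_hostname"], "service": "http://homeassistant:8123"}]
    for host in opts["additional_hosts"]:
        rule = {"hostname": host["hostname"]}
        if "path" in host:
            re.compile(host["path"])  # path filters are regexes; fail early on a bad one
            rule["path"] = host["path"]
        rule["service"] = host["service"]
        rules.append(rule)
    rules.append({"service": opts.get("catch_all_service", "http_status:404")})
    return rules

def validate_ingress(rules):
    """Return problems to fix before starting the tunnel (empty list = ok)."""
    problems = []
    for i, rule in enumerate(rules):
        if not SERVICE_RE.match(rule.get("service", "")):
            problems.append(f"rule {i}: unsupported service {rule.get('service')!r}")
        if i == len(rules) - 1 and ("hostname" in rule or "path" in rule):
            problems.append("last rule must be a catch-all without hostname/path")
        # A hostname-only rule swallows every later rule for the same hostname.
        if "hostname" in rule and "path" not in rule:
            for later in rules[i + 1:]:
                if later.get("hostname") == rule["hostname"]:
                    problems.append(f"rule {i}: shadows a later rule for {rule['hostname']}")
    return problems

def render_yaml(rules):
    """Emit the ingress section of cloudflared's config.yml (no PyYAML needed)."""
    lines = ["ingress:"]
    for rule in rules:
        keys = [k for k in ("hostname", "path", "service") if k in rule]
        lines.append(f"  - {keys[0]}: {rule[keys[0]]}")
        lines.extend(f"    {k}: {rule[k]}" for k in keys[1:])
    return "\n".join(lines) + "\n"
```

Calling `print(render_yaml(build_ingress(OPTIONS)))` prints the ingress section you would iterate on locally with cloudflared before handing the same hosts to the add-on.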

I also read something about the use of WebSockets. This will be automatically used when needed.
Radarr, Sonarr and Bazarr normally complain they can’t start the starterr service to get realtime information. But it seems to be working correctly with Cloudflare.

I’ll keep you informed. It’s much faster without NPM… and you have to add all the subdomains one time and you’re done… Adding a new one is the same: restart Cloudflare and you’re done… Even easier, because Cloudflare checks if the subdomain is in DNS; if not, it will add it. With NPM you must add the subdomain before you can create an SSL certificate and add the domain.

1 Like

So for the configuration.yaml file, is the trusted proxy left alone or do we put in our HA static IP?

In the configuration.yaml you always have to enter the following:

http:
  use_x_forwarded_for: true
  trusted_proxies:
    - 172.30.33.0/24

There is no need to change anything here, as described in the documentation. The Cloudflare add-on will run within the internal Docker network, which is 172.30.33.0/24. Therefore, the connections from this network need to be answered by Home Assistant, which is defined in the code block above.

1 Like

Hey everyone, I’m currently using DuckDNS and I wanted to try cloudflared out in order to avoid opening ports.

However, I still wanted the SSL certificates from Let’s Encrypt, and well, it isn’t really working. Indeed the HTTP test doesn’t work in NPM and I don’t really know how to make it work (I didn’t test it since the latest update for SSL though). My ports are still open for this to work though, so I need to close them just after getting good certificates.

Another thing is the DNS. On my router I added a DNS entry so that at home my phone and everything else connects directly to my NUC instead of going up to the cloud and back down. With this, is it still possible? Do I only add my domain name and that’s it, like when using DuckDNS?

Thanks for your help!

Hi All,

I see those errors. Is this ok or not?

2022-02-09T22:02:26Z INF Unregistered tunnel connection connIndex=0
2022-02-09T22:02:26Z INF Lost connection with the edge connIndex=0
2022-02-09T22:02:26Z WRN Serve tunnel error error="connection with edge closed" connIndex=0
2022-02-09T22:02:26Z INF Retrying connection in up to 1s seconds connIndex=0
2022-02-09T22:02:27Z INF Connection ca454518-<REMOVED>-cea5137f2ef4 registered connIndex=0 location=AMS
2022-02-09T22:41:04Z INF Lost connection with the edge connIndex=1
2022-02-09T22:41:04Z INF Unregistered tunnel connection connIndex=1
2022-02-09T22:41:04Z WRN Serve tunnel error error="connection with edge closed" connIndex=1
2022-02-09T22:41:04Z INF Retrying connection in up to 1s seconds connIndex=1
2022-02-09T22:41:04Z INF Lost connection with the edge connIndex=3
2022-02-09T22:41:04Z INF Unregistered tunnel connection connIndex=3
2022-02-09T22:41:04Z WRN Serve tunnel error error="connection with edge closed" connIndex=3
2022-02-09T22:41:04Z INF Retrying connection in up to 1s seconds connIndex=3
2022-02-09T22:41:05Z INF Connection ff356313-<REMOVED>-f31757f94c5b registered connIndex=1 location=HAM
2022-02-09T22:41:06Z INF Connection 26be9356-<REMOVED>100037a2aa2f registered connIndex=3 location=HAM
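A small check over those log lines, added here as an illustration (not part of the thread or the add-on): it pairs each “Lost connection” with the next “registered” on the same connIndex and only flags a connection that stays down or takes longer than a threshold to come back, which is the difference between routine edge reconnects and an outage worth investigating. The sample log is the one posted above; the 30-second threshold is an assumed default.

```python
import re
from datetime import datetime
# The cloudflared log lines posted above (connection ids were already redacted there).
SAMPLE_LOG = """\
2022-02-09T22:02:26Z INF Unregistered tunnel connection connIndex=0
2022-02-09T22:02:26Z INF Lost connection with the edge connIndex=0
2022-02-09T22:02:26Z WRN Serve tunnel error error="connection with edge closed" connIndex=0
2022-02-09T22:02:26Z INF Retrying connection in up to 1s seconds connIndex=0
2022-02-09T22:02:27Z INF Connection ca454518-<REMOVED>-cea5137f2ef4 registered connIndex=0 location=AMS
2022-02-09T22:41:04Z INF Lost connection with the edge connIndex=1
2022-02-09T22:41:04Z INF Unregistered tunnel connection connIndex=1
2022-02-09T22:41:04Z WRN Serve tunnel error error="connection with edge closed" connIndex=1
2022-02-09T22:41:04Z INF Retrying connection in up to 1s seconds connIndex=1
2022-02-09T22:41:04Z INF Lost connection with the edge connIndex=3
2022-02-09T22:41:04Z INF Unregistered tunnel connection connIndex=3
2022-02-09T22:41:04Z WRN Serve tunnel error error="connection with edge closed" connIndex=3
2022-02-09T22:41:04Z INF Retrying connection in up to 1s seconds connIndex=3
2022-02-09T22:41:05Z INF Connection ff356313-<REMOVED>-f31757f94c5b registered connIndex=1 location=HAM
2022-02-09T22:41:06Z INF Connection 26be9356-<REMOVED>100037a2aa2f registered connIndex=3 location=HAM
"""
REGISTERED_RE = re.compile(r"^Connection \S+ registered")  # not "Unregistered tunnel connection"

def parse_line(line):
    """Split '<ts> <level> <message ... connIndex=N ...>' into its parts."""
    ts_str, level, msg = line.split(" ", 2)
    ts = datetime.strptime(ts_str, "%Y-%m-%dT%H:%M:%SZ")
    m = re.search(r"connIndex=(\d+)", msg)
    return ts, level, msg, int(m.group(1)) if m else None

def analyze(log_text, max_gap_s=30):
    """Pair every 'Lost connection' with the next 'registered' on the same connIndex.
    cloudflared keeps several edge connections (connIndex 0..3 by default), so one
    index reconnecting within seconds is routine; what matters is an index that
    stays down or a gap long enough to drop requests."""
    open_loss, outages = {}, []
    for line in log_text.splitlines():
        ts, _level, msg, idx = parse_line(line)
        if msg.startswith("Lost connection"):
            open_loss.setdefault(idx, ts)
        elif REGISTERED_RE.match(msg) and idx in open_loss:
            outages.append((idx, (ts - open_loss.pop(idx)).total_seconds()))
    outages += [(idx, None) for idx in open_loss]  # lost and never re-registered
    findings = []
    for idx, gap in outages:
        if gap is None:
            findings.append(f"connIndex={idx} lost the edge and never re-registered")
        elif gap > max_gap_s:
            findings.append(f"connIndex={idx} was down for {gap:.0f}s")
    return {"outages": outages, "findings": findings, "ok": not findings}
```

For the posted log, `analyze(SAMPLE_LOG)` reports three outages of one to two seconds and no findings, i.e. the reconnects are benign.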

I suggest that you update to the newest stable version and try again with the certificates; it should work now.

Regarding the local DNS: This should also still work, you can have your router resolve home.example.com to a local IP and bypass Cloudflare altogether.

1 Like