On a hass.io system, is there any way to prevent port 8123 from being exposed on the host’s network interface while still allowing access through the nginx proxy addon?
From what I understand, changing http.server_host would not work, as the http server and nginx are running in two separate containers. What I’d need is to get docker not to expose the port to the outside world, but I can’t find any documentation explaining how to do that anywhere.
I might be a little paranoid, but I really don’t like the idea of exposing my hass to the public internet with as little protection as a password, which with multiple users may or may not meet any complexity requirements. So I want the proxy to require SSL client authentication as an additional security measure.
I got this working already, but it is easily bypassed if you can access the underlying server directly.
Set up a firewall to disallow access to port 8123 from the outside internet and only allow it from the computer running the nginx proxy. If it is the same PC, even better, as you can allow local access only.
Edit: if your PC running Hass is not directly connected to the public internet (which it really REALLY shouldn’t be), this should not be a problem, as you can just not forward the port in your router.
My router only NAPTs IPv4. All devices have their own public v6 address that is wide open to the internet.
A firewall would be an option if it can be done on hass.io. Though I’ll probably end up using hassbian, as I just found out there are other things (HomeKit) I need that won’t work on .io.
You’re probably right, but this is off topic. A firewall shouldn’t be the primary line of defense anyway.
While I do agree about the usefulness of a firewall as an additional precaution in case something is misconfigured and vulnerable, I would rather have my devices not expose anything sensitive unprotected (or poorly protected) to the network in the first place.
Also I don’t necessarily trust everything on my local network.
A VPN, perhaps. I have OpenVPN set up in my Netgear router. Only allow traffic into the network from devices that have the client with the correct certs. Outgoing traffic is free. But I only have the home automation and security on that network.
IPv6 gets a publicly routable IP address. It’s not hidden behind NAT. Without a way to firewall the device or hide all IPv6 behind a firewall, his device is accessible over the internet.
If your ISP provides IPv6 instead of IPv4, yes. Your ISP and router have to support such a configuration. On a normal IPv4 NAT network you might see some IPv6 addresses, but they are not routable unless your router is IPv6 as well.
I don’t think you are understanding what your VPN is doing.
This isn’t about supporting IPv6 or IPv4 at the VPN level.
If your ISP is providing IPv6, every single device on that IPv6 network is publicly routable. Full stop. There is no NAT, and there is no port forwarding.
This proves to be a problem if you’re running a server and want to limit the ports published. You need a firewall.
This has nothing to do with VPN. A VPN isn’t going to fix this issue.
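The host firewall this post and the earlier firewall suggestion are asking for, as an added example that is not part of the thread: a POSIX shell script that prints (or, with `--apply`, runs) iptables and ip6tables rules so that TCP/8123 accepts connections only from loopback and from one proxy address, for both address families. The proxy addresses (`PROXY_V4`, `PROXY_V6`, defaulting to loopback for a proxy on the same host) and the external interface name (`EXT_IF`, defaulting to `eth0`) are assumptions. One caveat a Docker host needs: IPv4 traffic to a port Docker publishes for a container is DNATed and traverses FORWARD, not INPUT, so INPUT rules alone do not cover it; Docker documents the DOCKER-USER chain as the place for such policy, and the script adds a rule there too. Whether the hass.io host lets you run and persist these rules at all is the part of the question the thread leaves open.

```shell
#!/bin/sh
# Added example, not from the thread: restrict TCP/8123 (Home Assistant) to
# loopback plus one proxy host, on IPv4 and IPv6. Prints the rules by default;
# pass --apply to run them (needs root).
set -eu

HA_PORT=8123
PROXY_V4="${PROXY_V4:-127.0.0.1}"   # assumed: proxy on the same host
PROXY_V6="${PROXY_V6:-::1}"         # assumed: proxy on the same host
EXT_IF="${EXT_IF:-eth0}"            # assumed external interface name

# ha_rules FAMILY (4 or 6): print the rules for one address family, one per line.
ha_rules() {
    case "$1" in
        4) cmd=iptables;  proxy="$PROXY_V4" ;;
        6) cmd=ip6tables; proxy="$PROXY_V6" ;;
        *) echo "usage: ha_rules 4|6" >&2; return 2 ;;
    esac
    # Each rule is inserted at position 1, in reverse order, so that whatever
    # permissive rules already exist in INPUT come after these, and the chain
    # ends up reading: ACCEPT from proxy, ACCEPT from loopback, DROP the rest.
    printf '%s -I INPUT 1 -p tcp --dport %s -j DROP\n' "$cmd" "$HA_PORT"
    printf '%s -I INPUT 1 -p tcp --dport %s -i lo -j ACCEPT\n' "$cmd" "$HA_PORT"
    printf '%s -I INPUT 1 -p tcp --dport %s -s %s -j ACCEPT\n' "$cmd" "$HA_PORT" "$proxy"
    # Docker-published container ports are DNATed and go through FORWARD, so
    # INPUT never sees them from the outside; DOCKER-USER is Docker's documented
    # hook for host policy on that path. Loopback clients still go through
    # INPUT (docker-proxy), so only the external interface is filtered here.
    # The chain is absent when Docker does not manage this address family;
    # apply_ha_rules tolerates that.
    printf '%s -I DOCKER-USER 1 -i %s -p tcp --dport %s ! -s %s -j DROP\n' \
        "$cmd" "$EXT_IF" "$HA_PORT" "$proxy"
}

# apply_ha_rules: run the rules for both families. A missing DOCKER-USER chain
# is reported and skipped; any other failure aborts (set -e) so a half-applied
# policy is noticed rather than silently left in place.
apply_ha_rules() {
    for fam in 4 6; do
        ha_rules "$fam" | while read -r line; do
            case "$line" in
                *DOCKER-USER*) sh -c "$line" 2>/dev/null \
                                   || echo "skipped (chain missing?): $line" ;;
                *)             sh -c "$line" ;;
            esac
        done
    done
}

case "${1:-}" in
    --apply) apply_ha_rules ;;
    *)       ha_rules 4; ha_rules 6 ;;   # dry run: print what --apply would do
esac
```

After applying, verify from a host that is not the proxy: `nc -6 -zv <your-global-v6-address> 8123` should fail while the same check against port 443 on the proxy still succeeds. Rules written this way do not survive a reboot on their own; persist them with whatever mechanism the host OS provides.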
But his router should include an SPI firewall anyway. On my router with IPv6 I still have to expose port 443 to the outside to allow incoming connections, and then my reverse proxy (Caddy) will proxy to port 8123 for Home Assistant or whatever other port is being proxied for things like configurator, etc. I actually only use IPv6 for external access to my NUC; my duckdns address only has an IPv6 address. Even though he has an external IP address for his HA doesn’t mean it’s totally exposed unless he has opened up ports…