Remote Access to Hassio

Hi all,
I’m pretty new to this world, so apologies for the noob question.
I’m trying to configure remote access to Hassio, and after several hours of configuration of duckdns, configurator etc., all I can get is to access from remote but only through IP address and only HTTP, not HTTPS.
I also forwarded on the router the TCP on all requested ports for the internal ip address to the raspberry:

  • 443 to 8123
  • 80 to 80
  • 3218 to 3218

these are the settings of duckdns

{
  "lets_encrypt": {
    "accept_terms": true,
    "certfile": "fullchain.pem",
    "keyfile": "privkey.pem"
  },
  "token": "mytoken",
  "domains": [
    "mydomain.duckdns.org"
  ],
  "seconds": 300
}

this is the configurator

{
  "dirsfirst": false,
  "enforce_basepath": false,
  "ignore_pattern": [
    "__pycache__"
  ],
  "ssh_keys": [],
  "username": "user",
  "password": "pwd",
  "ssl": true,
  "certfile": "fullchain.pem",
  "keyfile": "privkey.pem"
}

and this is the configuration.yaml


# Configure a default setup of Home Assistant (frontend, api, etc)
default_config:

# Uncomment this if you are using SSL/TLS, running in Docker container, etc.
 http:
   base_url: https://mydomain.duckdns.org:8123
   ssl_certificate: /ssl/fullchain.pem
   ssl_key: /ssl/privkey.pem

# Text to speech
tts:
  - platform: google_translate

group: !include groups.yaml
automation: !include automations.yaml
script: !include scripts.yaml

Any help?

When I did mine I didn’t have the port number, so I would just have

 http:
   base_url: https://mydomain.duckdns.org
   ssl_certificate: /ssl/fullchain.pem
   ssl_key: /ssl/privkey.pem

Nothing changed unfortunately…but thanks for posting!

Have you tried nabu casa? That would take all that pain away.

No worries, just out of interest, why have you forwarded 3218 to 3218?

also can you post the logs for duckdns please?

sure:


# INFO: Using main config file /data/workdir/config
+ Account already registered!
[15:48:45] INFO: OK
XXX.XXX.XXX.XXX
NOCHANGE
# INFO: Using main config file /data/workdir/config
Processing mydomain.duckdns.org
 + Checking domain name(s) of existing cert... unchanged.
 + Checking expire date of existing cert...
 + Valid till Jan 26 08:59:47 2020 GMT Certificate will not expire
(Longer than 30 days). Skipping renew!
[15:53:49] INFO: OK
XXX.XXX.XXX.XXX
NOCHANGE

regarding the forwarding: I understood it’s mandatory for local access after enabling ssh.

I know, but it’s not for free. If there is the possibility, I would go without paying!

Hmm, strange, I haven’t forwarded that port and my ssh works, although I’m not using hassio for ssh. So DuckDNS is connecting and sending OK. What do you get when you try to access mydomain.duckdns.org?

mydomain.duckdns.org sent an invalid response.

ERR_SSL_PROTOCOL_ERROR

So with your forwarding you’re doing 8123 local -> 443 external?

yes, exactly!

Here is what I would suggest you do.

Forward 8123 -> 8123 or 443 -> 8123. Don’t forward anything else. Going straight 8123 -> 8123 will result in less noise in your router logs or people accessing your front end as 443 has a lot more scanning done on it than 8123. 8123 -> 8123 is not more secure but just doesn’t have as much noise. Also, some businesses may now allow you to egress via 8123 from their network. (my work does this for instance)

https://www.home-assistant.io/docs/security/webserver/

From there you should be able to get to your front end, turn on/off things remotely. Configurator has the ingress option so it can be accessed from the open 443/8123 port once logged in. This should be more secure than exposing it to the open internet by opening 3128.

Finally, make sure you have a strong password and I strongly suggest turning on two factor authentication, and IP bans after a few bad login attempts. Your HA instance will be open to anyone so securing it is important.

If you need help with the router settings post your router config page. (showing your external IP should be avoided but internal IPs are fine to share).

Did it, but with no success:

Are you sure your duckdns address is resolving?

Try https://yourexternalip

Or https://yourexternalip:8123 since you have that port open too.

What message is your browser giving you?

That’s what I was describing in the first question:
with https://yourexternalip or myexternalip:8123 all I obtain is:

external_ip sent an invalid response.
ERR_SSL_PROTOCOL_ERROR

The interesting part, is that if I remove the S in https, and I try http://myexternalip:8123/ I get access! but obviously the access is not safe…

Ok, that’s progress at least. The SSL error is expected.

If http://XXX.XXX.XXX.XXX:8123 worked, then we know that your port is opened correctly for 8123 -> 8123.

Go to the duckdns site and make sure your duckdns domain is updating properly. It should show your current external IP. A dns lookup site also works ( https://mxtoolbox.com/DNSLookup.aspx )

Finally you need to decide if you will use 443 -> 8123 or 8123 -> 8123. See my post above on the pros/cons of each.
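
Added example, not part of any post in this thread: a small Python probe that separates the cases being debugged here (port not reachable, listener answering in plain HTTP, listener completing a TLS handshake). A `plain-http` result on the port the browser reaches with https:// is consistent with ERR_SSL_PROTOCOL_ERROR. The names `probe`, `PlainReply` and `start_plain_listener`, and the loopback stand-in server, are constructed for illustration.

```python
import socket
import socketserver
import ssl
import threading


def probe(host, port, timeout=3.0):
    """Return 'tls', 'plain-http', 'closed' or 'unknown' for host:port."""
    try:
        raw = socket.create_connection((host, port), timeout=timeout)
    except OSError:
        return "closed"  # refused, filtered or timed out: check the port forward
    # Certificate checks are off on purpose: this only asks whether the
    # listener speaks TLS at all, not whether its certificate is valid.
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    try:
        ctx.wrap_socket(raw, server_hostname=host).close()
        return "tls"
    except OSError:  # ssl.SSLError or a handshake timeout
        raw.close()
    # No TLS handshake: see whether the same port answers a plain HTTP request.
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.sendall(b"GET / HTTP/1.0\r\nHost: " + host.encode() + b"\r\n\r\n")
            reply = s.recv(16)
    except OSError:
        return "unknown"
    return "plain-http" if reply.startswith(b"HTTP/") else "unknown"


class PlainReply(socketserver.BaseRequestHandler):
    """Constructed stand-in for a server that is not terminating TLS."""

    def handle(self):
        self.request.recv(4096)
        self.request.sendall(b"HTTP/1.0 200 OK\r\nContent-Length: 0\r\n\r\n")


def start_plain_listener():
    """Start the stand-in on a free loopback port; returns (server, port)."""
    srv = socketserver.TCPServer(("127.0.0.1", 0), PlainReply)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, srv.server_address[1]


if __name__ == "__main__":
    srv, port = start_plain_listener()
    print(probe("127.0.0.1", port))  # plain-http
    srv.shutdown()
    srv.server_close()
```

Run `probe` from outside the home network against the forwarded port; a `tls` result only shows that a handshake completed, so certificate validity still needs a normal browser check.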

done it, DuckDNS shows the correct external ip, also with mxtoolbox I get the same IP.
regarding the ports, for the moment I would leave it both forwarded, just not to add constraints at the moment.

Is

https://mydomain.duckdns.org:8123
or
https://mydomain.duckdns.org

Working? If not, what is the message from the browser when not working?

not working, the messages are:
https://mydomain.duckdns.org:8123 sent an invalid response.

ERR_SSL_PROTOCOL_ERROR

https://mydomain.duckdns.org sent an invalid response.

ERR_SSL_PROTOCOL_ERROR

For US$60 per year you really can’t go past this service…it’s the icing on the cake!