Remote access with EXTERNAL Cloudflare Tunnel

Issue with Accessing Home Assistant via Cloudflare Tunnel on Intel NUC

Hello everyone,

I’m facing an issue where I can’t access my Home Assistant instance via a DNS URL set up through a Cloudflare tunnel.
I was able to access Home Assistant back when I ran the tunnel over the Cloudflared add-on, but now Cloudflared should run on the host machine.

Here’s the setup and problem in detail:

Setup

  • Host Machine: Intel NUC running Ubuntu 22.04
  • Home Assistant Environment: Running in a VirtualBox VM with a bridged network adapter.
  • IP Addresses:
    • NUC: 192.168.178.2 (Static)
    • Home Assistant: 192.168.178.100 (Static)
  • Cloudflare Tunnel Configuration: Configured to point assistant.infraviored.lol to http://192.168.178.100:8123.

Current Status

  • Home Assistant is accessible locally via http://192.168.178.100:8123.

  • The Cloudflare tunnel redirects printer.infraviored.lol to http://fritz.box successfully for testing purposes.

  • Accessing Home Assistant through https://assistant.infraviored.lol results in a 400: Bad Request error.

  • In /config/network, https://assistant.infraviored.lol/ is used as the Internet Home Assistant URL.

  • Configuration.h:

http:
  use_x_forwarded_for: true
  trusted_proxies:
    - 172.30.33.0/24

Questions

  1. Do I need to generate HTTPS certificates specifically for Home Assistant to work with the Cloudflare tunnel?
  2. Should I be adding an external URL in the Home Assistant configuration to rectify this?

Any guidance or suggestions to resolve this issue would be greatly appreciated. Thanks in advance for your help!

Nothing specific in the HA log regarding an untrusted proxy?


Why does 172.30.33.0/24 work for the add-on when it is also via Cloudflare?

ChatGPT suggested trying

http:
  use_x_forwarded_for: true
  trusted_proxies:
    - 103.21.244.0/22
    - 103.22.200.0/22
    - 103.31.4.0/22
    - 104.16.0.0/12
    - 108.162.192.0/18
    - 131.0.72.0/22
    - 141.101.64.0/18
    - 162.158.0.0/15
    - 172.64.0.0/13
    - 173.245.48.0/20
    - 188.114.96.0/20
    - 190.93.240.0/20
    - 197.234.240.0/22
    - 198.41.128.0/17

without success.

Using

http:
  use_x_forwarded_for: true
  trusted_proxies:
    - 0.0.0.0/0

I can reach the site, but it is EXTREMELY slow. It takes multiple minutes to load a page.

What to test? Where to look? What to try?

You didn’t answer my question, but this tells me it’s the actual root cause.
The HA log will tell you exactly the address to put in configuration.yaml

Why it’s slow is another story…
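Added example, not part of the thread and not Home Assistant's own code: it pulls the rejected peer address out of Home Assistant log lines and checks it against a `trusted_proxies` list, including the lists tried above. The log lines are constructed, their message wording is assumed to match what the http integration writes, and the peer address is the NUC from the setup above.

```python
import ipaddress
import re

# Constructed sample log lines. The warning wording is an assumption about
# what Home Assistant's http integration logs when it rejects a proxied request.
SAMPLE_LOG = """\
2024-05-01 10:15:02.113 WARNING (MainThread) [homeassistant.components.http.forwarded] Received X-Forwarded-For header from an untrusted proxy 192.168.178.2
2024-05-01 10:15:09.870 INFO (MainThread) [constructed.example] unrelated line
2024-05-01 10:15:40.004 WARNING (MainThread) [homeassistant.components.http.forwarded] Received X-Forwarded-For header from an untrusted proxy 192.168.178.2
"""

UNTRUSTED = re.compile(r"from an untrusted proxy (\S+)")


def rejected_proxies(log_text):
    """Return the distinct peer addresses the log reports as untrusted proxies."""
    seen = []
    for match in UNTRUSTED.finditer(log_text):
        try:
            ip = ipaddress.ip_address(match.group(1))
        except ValueError:
            continue  # not an IP address, ignore the line
        if ip not in seen:
            seen.append(ip)
    return seen


def audit(trusted_proxies, peers):
    """Report which peers are covered by trusted_proxies and which entries
    are broad enough to trust every sender (prefix length 0)."""
    nets = [ipaddress.ip_network(n, strict=False) for n in trusted_proxies]
    covered = {
        str(p): any(p.version == n.version and p in n for n in nets)
        for p in peers
    }
    too_broad = [str(n) for n in nets if n.prefixlen == 0]
    return covered, too_broad


if __name__ == "__main__":
    peers = rejected_proxies(SAMPLE_LOG)
    for name, cfg in [("add-on range", ["172.30.33.0/24"]),
                      ("catch-all", ["0.0.0.0/0"]),
                      ("proxy host only", ["192.168.178.2"])]:
        print(name, audit(cfg, peers))
```

A `0.0.0.0/0` entry makes the 400 go away because every sender is then treated as a proxy, which also means any host that can reach port 8123 can supply its own `X-Forwarded-For` value; listing only the address the log reports keeps that trust limited to the tunnel host.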

What should you look for in the HA logs? I have a basically identical setup to OP except I get 502: Bad Gateway instead of 400: Bad Request, and adding 0.0.0.0/0 to configuration.yaml did not allow me to reach HA from outside.

I don’t see anything in the log about entrusted proxies (also, which log? Core, Supervisor, host, DNS…?)

502 is related to your reverse proxy configuration which has an issue, not (yet) to HA itself, that you don’t even reach.

@Infraviored Hi, how did you solve this issue? I am facing the same one with the Bad Request error.
I am not that skilled in networking, so the terminology is a mystery for me. I have multiple

Those all have https:// and when accessing them, they give me the red warning about the certificate not being valid: net::ERR_CERT_AUTHORITY_INVALID.
If I set up the tunnel, which is outside HA (192.168.0.66), and I make, for example, kasm.xxgmxx.com, it works with no error, but when done with HA (ha.xxgmxx.com) I get the 400 Bad Request error. How is it possible that, with both initially having a problem with the certificate, one of them is now OK but HA is not?

I am quite lost not knowing what to be looking for if one works and the other not. There must be something I am missing.

Cloudflare’s IP blocks are here: IP Ranges

Hello friends, currently I’m accessing my HA through a Cloudflare tunnel, and it’s all very good, but I have a question:

  • I set up a rule on Cloudflare to access HA with a Google account, but the Android app doesn’t redirect me to a new tab to log in with my Gmail account; I only see an error. How can I do it? I need to add extra security to my server.