Restrict Web UI to LAN access only

Is it possible to prevent WAN access of HA web interface? I know I can turn off port forwarding but I do have some external/WAN routines that update HA sensors.

If you have not provided access, no one can access on the WAN side. The Web UI only responds on the given port from inside your network. If it is responding from outside your network you need to adjust your router settings.

If you want to block Home Assistant from all internet access, this can be done also but is rather router specific.

Like I said, I can turn off port forwarding (i.e. close port 8123) which will prevent web access to the UI but it will also prevent me from remote updating of HA devices via
```
http://IP_ADDRESS:8123/api/states/binary_sensor.DEVICE_NAME
```

I see, sorry I missed your goal at first.

You want external API access but not frontend access externally. Correct?


I’m no security expert but I wouldn’t be exposing port 8123 to the internet, people who know more may say I’m wrong, but that sounds insecure, not encrypted etc.

Is the external device on a known IP address? Can you lock down access to just that address? Either a FW on your HASS server or on your router?

The port number is irrelevant. It's the security of what responds on the other side of that port that matters.

This is a good option if it's a known IP. I have a port open but only to my work IP address. Works well, any other source just sees it as a closed port as nothing responds.

The problem is the external source. A SmartThings (ST) server running a “Groovy” smartapp. Not sure if the IP would be static. The Groovy functions I need to run locally exist but to get this HA devices updating to work within this lame language may be beyond my patience let alone ability.

I agree the port is not relevant per se. However, it implies full, unencrypted access to HA from the internet. Passwords etc. being transmitted in the clear.

Beyond my knowledge I’m afraid. You must make the risk assessment and determine if you’re happy with this.

Put a webserver (reverse proxy) in front of it.

Block access to / but allow access to /api

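The reverse-proxy suggestion above, sketched as an nginx configuration. This is an added example, not a config posted by anyone in the thread; it assumes nginx runs on the Home Assistant host, HA listens on 127.0.0.1:8123, and the hostname and certificate paths are placeholders.

```nginx
# Added example: nginx as the only Internet-facing endpoint for Home Assistant.
# Assumptions: the router forwards 443 to this server and the forward for
# 8123 is removed; ha.example.org and the TLS file paths are placeholders.

server {
    listen 443 ssl;
    server_name ha.example.org;                               # placeholder

    # TLS terminates here, so API credentials no longer cross the WAN in clear text.
    ssl_certificate     /etc/nginx/tls/ha.example.org.crt;    # placeholder
    ssl_certificate_key /etc/nginx/tls/ha.example.org.key;    # placeholder

    # API requests are passed through to Home Assistant.
    # The only path used in the thread is /api/states/..., so this prefix
    # can be narrowed to /api/states/ if nothing else is needed remotely.
    location /api/ {
        proxy_pass http://127.0.0.1:8123;
        proxy_set_header Host $host;
    }

    # Everything else, including the frontend at /, is refused.
    location / {
        return 403;
    }
}
```

LAN clients keep using port 8123 directly for the web UI; the proxy only changes what is reachable from outside, and the API itself is still protected only by Home Assistant's own authentication.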