Secure NGINX Proxy Manager for self Alexa Integration

Hello,

I have ventured into an Alexa connection without the Nabu Casa Cloud. So far everything works. I use NGINX Proxy Manager as a reverse proxy, together with DuckDNS. In the Proxy Manager I can also include a custom configuration.

I would now like to secure my instance a little more, but I am failing at the advanced configuration of NGINX.

My idea would be for example to allow only the Alexa user agent. Unfortunately no user agent is transferred for the token call “/auth/token”.

Also I would like to allow only the directories /auth/token and /api/alexa/smart_home.

Maybe you guys have tried something similar and can share your config? I would be very grateful.

Yeah, I did that once. I removed it because I don’t actually use Alexa anymore, so I can’t remember exactly what I put, but those URLs sound right. You might also need /auth/authorize though, as that’s the authorization URL you have to list in the Alexa app config.

User agents can be faked very easily, so even if you can’t add that it’s probably not a huge deal. If you want to add an extra layer of security you’d be better off trying to track down the range of IP addresses used for Alexa’s service. Not sure if they publish those though. Although if it’s the same range of IP addresses used for AWS then that probably isn’t particularly valuable either.

You can further restrict /api/alexa/smart_home however you want though. Since you set Alexa up manually I assume you copied and pasted this code into your own lambda. You can modify that to add a header or whatever else you like that would make you feel more secure.

Thanks for your reply. Blocking by Alexa AWS IPs is a good idea. I found a JSON file with all IP ranges.
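An added example, not part of the original posts: one way to turn such a JSON file into nginx `allow`/`deny` rules for the custom configuration of the `/api/alexa/smart_home` location. It assumes the file is AWS's published `ip-ranges.json` (https://ip-ranges.amazonaws.com/ip-ranges.json); the function names, the region choice and the sample data are constructed for illustration.

```python
import ipaddress

# Constructed sample in the layout of AWS's ip-ranges.json. The prefixes are
# documentation ranges (RFC 5737 / RFC 3849), not real AWS addresses.
SAMPLE = {
    "prefixes": [
        {"ip_prefix": "192.0.2.0/25", "region": "eu-west-1", "service": "AMAZON"},
        {"ip_prefix": "192.0.2.0/25", "region": "eu-west-1", "service": "EC2"},
        {"ip_prefix": "192.0.2.128/25", "region": "eu-west-1", "service": "EC2"},
        {"ip_prefix": "198.51.100.0/24", "region": "us-east-1", "service": "AMAZON"},
        {"ip_prefix": "not-a-cidr", "region": "eu-west-1", "service": "AMAZON"},
    ],
    "ipv6_prefixes": [
        {"ipv6_prefix": "2001:db8:1::/48", "region": "eu-west-1", "service": "AMAZON"},
    ],
}


def select_networks(data, regions=None):
    """Return de-duplicated, merged networks, optionally limited to regions."""
    by_version = {4: [], 6: []}
    for key, field in (("prefixes", "ip_prefix"), ("ipv6_prefixes", "ipv6_prefix")):
        for entry in data.get(key, []):
            if regions and entry.get("region") not in regions:
                continue
            value = entry.get(field)
            if not isinstance(value, str):
                continue
            try:
                net = ipaddress.ip_network(value)
            except ValueError:
                continue  # skip malformed entries rather than emit bad config
            by_version[net.version].append(net)
    # collapse_addresses() needs one IP version per call
    return [n for v in (4, 6) for n in ipaddress.collapse_addresses(by_version[v])]


def render_acl(networks):
    """Render nginx access rules; an empty list still ends in 'deny all;'."""
    return "\n".join([f"allow {n};" for n in networks] + ["deny all;"])


if __name__ == "__main__":
    # Hypothetical choice: the region the Lambda runs in.
    print(render_acl(select_networks(SAMPLE, regions={"eu-west-1"})))
```

For real use, load the downloaded file with `json.load()` in place of `SAMPLE` and regenerate the rules whenever the file changes. The resulting list covers every AWS customer in the selected regions, so it narrows who can reach the endpoint but does not identify Alexa on its own.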

I currently have my Home Assistant configured for SSL and have Alexa set up and working correctly by port forwarding the traffic to 8123 on my firewall, but I want to move over to NGINX/SWAG, which I’m new to.

Question:
Will Alexa smart home and custom skills integration work if NGINX is configured to simply listen on 443 and proxy the traffic to Home Assistant over HTTP on 8123 (removing the SSL config on Home Assistant), or is there more to it than that?

Also, if anyone cares to share their NGINX config, that would be appreciated.

Thanks!

@automateit Did you ever get anywhere with this?
Any extra config?