Securing Home Assistant with Cloudflare

Tags: #<Tag:0x00007fc3e9fa0b18>

Cloudflare provides a free CDN (content delivery network) that can sit in-front of your Home Assistant installation. It provides a free and automatically renewed SSL certificate on a custom domain, DDoS protection and a firewall you can protect your Home Assistant with.

I wrote a detailed guide on setting it up for a Home Assistant installation.

Hopefully its useful to you!


you could also use cloudflare access which is also free up to 5 user to harden your hass more on top what you already have done.

Matt, thanks for the guide, that was really clear to follow. I hit a persistent snag, in that I get a 522 (Host) Error from CloudFlare via my HASS OS but figured out that my config wasn’t free of errors. Testing with the internal and external IP (something you had mentioned which bypasses CloudFlare obviously) helped me narrow down the root cause. I’m now very happy to have secure external access to my HA dashboards for the first time. A bonus that CloudFlare has a free tier that covers the implementation. Thanks again!

The path for my installation is: User - CloudFlare - CPE Router - Unifi SG - Cisco 3650 - Hass OS

Good write up. Last thing on my list is to set up a firewall rule on my pf sense box to only accept traffic from cloudflare.

@MattHodge is this still accurate? I ran in to some issues when I followed the guide. Maybe I was too impatient for Cloudflare to cache… Just checking. I’m using Nabu Casa for now, but will try to migrate to my own domain again soon.

Just set up a cloudflare IP alias on pfsense to only allow traffic through their proxies. I ended up just using pfsense for all the firewalling, geoIP blocking, and reverse proxy with SSL termination. I followed your basic flow though. Good stuff. Thanks for sharing!

Awesome tutorial…I hit a roadblock!

I have HASS running on HyperV within my windows 10 machine (I know…but got to work with what you have and I havent figured out the virtualbox new stuff yet)

Im trying to serve
I already have the domain and it works (I have other services not from my IP working)
I have added my (external) IP at the DNS level as a type A? and then the “hass” portion as a cname, right/wrong?

I have cloudflare setup as per Matt awesome cloudflare tutorial and also I saw the http is been deprecated?

*obvious one: should I do a cname or type A record? I read a lot and get all kind of mixed responses, just looking for some guidance - go easy on me!

  • when I do the certificate part, there is an “origin.pem” not a “certificate.pem” what am I breaking?
    *since http may/wont work anymore, I used the addon for nginx and used port 443, no errors within the logs but no access either

Any help will be most appreciated it.

I have it almost similar, instead of using cloudflares certs, i use nginx proxy manager to do those.

What i like is that you can even strict more with cloudflares firewall, by only allowing your own IP to access the site. Meaning, if you are not coming from home to access HA than you get denied. This of course has mobile issues once you are on cellular.

So to counter that, i have created a custom VPN profile for the iphones to turn on VPN once they are off home network to establish a internal connection.

This way, my IP is not accessible unless from inside, my devices automatically phone home, and all services are encrypted.

Additionally, my pihole keeps working on the devices regardless of where i am, as it will also work on VPN.

Ive not had any issues with speeds, but im not streaming anything.

This way i have been able to turn off ports for wired alrm, nvr cameras system, HA, synology and many more.

Hope these additional tips help

1 Like