Securing Home Assistant with Cloudflare

Cloudflare provides a free CDN (content delivery network) that can sit in front of your Home Assistant installation. It provides a free and automatically renewed SSL certificate on a custom domain, DDoS protection and a firewall you can protect your Home Assistant with.

I wrote a detailed guide on setting it up for a Home Assistant installation.

Hopefully it's useful to you!


You could also use Cloudflare Access, which is also free for up to 5 users, to harden your HASS more on top of what you already have done.

https://developers.cloudflare.com/access/

Matt, thanks for the guide, that was really clear to follow. I hit a persistent snag, in that I got a 522 (Host) Error from Cloudflare via my HASS OS, but figured out that my config wasn't free of errors. Testing with the internal and external IP (something you had mentioned, which bypasses Cloudflare obviously) helped me narrow down the root cause. I'm now very happy to have secure external access to my HA dashboards for the first time. A bonus that Cloudflare has a free tier that covers the implementation. Thanks again!

The path for my installation is: User - CloudFlare - CPE Router - Unifi SG - Cisco 3650 - Hass OS

Good write-up. Last thing on my list is to set up a firewall rule on my pfSense box to only accept traffic from Cloudflare.

@MattHodge is this still accurate? I ran into some issues when I followed the guide. Maybe I was too impatient for Cloudflare to cache… Just checking. I'm using Nabu Casa for now, but will try to migrate to my own domain again soon.

Just set up a Cloudflare IP alias on pfSense to only allow traffic through their proxies. I ended up just using pfSense for all the firewalling, GeoIP blocking, and reverse proxy with SSL termination. I followed your basic flow though. Good stuff. Thanks for sharing!

Awesome tutorial… I hit a roadblock!

I have HASS running on Hyper-V within my Windows 10 machine (I know… but you've got to work with what you have, and I haven't figured out the new VirtualBox stuff yet).

I'm trying to serve hass.mydomain.com.
I already have the domain and it works (I have other services, not from my IP, working).
I have added my (external) IP at the DNS level as a type A record, and then the "hass" portion as a CNAME, right/wrong?

I have Cloudflare set up as per Matt's awesome Cloudflare tutorial, and I also saw that http has been deprecated?

Questions:

  • Obvious one: should I do a CNAME or a type A record? I read a lot and get all kinds of mixed responses, just looking for some guidance - go easy on me!
  • When I do the certificate part, there is an "origin.pem", not a "certificate.pem"; what am I breaking?
  • Since http may/won't work anymore, I used the add-on for nginx and used port 443; no errors within the logs, but no access either.

Any help will be most appreciated.

I have it almost the same, except instead of using Cloudflare's certs, I use Nginx Proxy Manager to do those.

What I like is that you can be even stricter with Cloudflare's firewall, by only allowing your own IP to access the site. Meaning, if you are not coming from home to access HA, then you get denied. This of course has mobile issues once you are on cellular.

So to counter that, I have created a custom VPN profile for the iPhones to turn on VPN once they are off the home network to establish an internal connection.

This way, my IP is not accessible unless from inside, my devices automatically phone home, and all services are encrypted.

Additionally, my Pi-hole keeps working on the devices regardless of where I am, as it will also work over VPN.

I've not had any issues with speeds, but I'm not streaming anything.

This way I have been able to turn off ports for the wired alarm, NVR camera system, HA, Synology and many more.

Hope these additional tips help.


@andynbaker how did you set up your pfSense to allow traffic only from Cloudflare?

First you need to be sure you set up Cloudflare to proxy all traffic to your subdomain. Then you need to create an alias in pfSense that contains all IP addresses that Cloudflare uses to proxy your traffic. Then last, on your NAT rule in pfSense, where you are forwarding traffic to your server on site, you need to configure the rule to only allow traffic that originated from this new alias.

@andynbaker thanks for your post. I have applied rules as below and it works:
the top one is to allow from Cloudflare and the second one is to block the rest.


Technically you don't need the block-all rule. There's a 'hidden' block-all rule at the bottom of each interface. That is, all traffic is blocked by default, so you only need to limit who you allow through in this case. But leaving it there won't hurt!
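An offline check of the "allow the Cloudflare alias, everything else is dropped" rule discussed in the posts above. This is an added example, not code from the thread or from pfSense; the CIDR ranges and the connection log are constructed stand-ins, not Cloudflare's published list.

```python
"""Evaluate inbound connection attempts against a Cloudflare-only allow rule
with default deny, mirroring the pfSense alias + NAT rule described above."""
import ipaddress
from typing import Iterable, List, Tuple

# Constructed stand-in for the pfSense alias (RFC 5737 / RFC 3849 ranges).
# In production, fill the alias from the ranges Cloudflare publishes at
# https://www.cloudflare.com/ips-v4 and https://www.cloudflare.com/ips-v6
# and refresh it on a schedule, because that list changes over time.
CLOUDFLARE_ALIAS = [
    "198.51.100.0/24",    # constructed IPv4 block standing in for a Cloudflare range
    "203.0.113.64/26",    # constructed IPv4 block
    "2001:db8:cf::/48",   # constructed IPv6 block
]

HA_FORWARD_PORT = "443"   # the only port the NAT rule forwards to Home Assistant


def build_alias(cidrs: Iterable[str]):
    """Parse the alias once into network objects so each lookup is cheap."""
    return [ipaddress.ip_network(c, strict=True) for c in cidrs]


def is_allowed(src: str, alias) -> bool:
    """True only when src falls inside one of the alias networks.
    Anything else hits the implicit default-deny, so a separate
    'block the rest' rule is not required (though harmless)."""
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in alias)


def evaluate_log(lines: Iterable[str], alias) -> List[Tuple[str, str, str]]:
    """Classify 'src_ip dst_port' entries as pass or block."""
    verdicts = []
    for line in lines:
        src, port = line.split()
        ok = is_allowed(src, alias) and port == HA_FORWARD_PORT
        verdicts.append((src, port, "pass" if ok else "block"))
    return verdicts


# Constructed sample of inbound connection attempts to the HA port forward.
SAMPLE_LOG = [
    "198.51.100.7 443",    # arrives via the Cloudflare proxy -> pass
    "203.0.113.70 443",    # arrives via the Cloudflare proxy -> pass
    "192.0.2.33 443",      # direct hit on the public IP, bypassing Cloudflare -> block
    "198.51.100.7 8123",   # allowed source but a port the rule does not forward -> block
    "2001:db8:cf::1 443",  # IPv6 proxy range -> pass
]

if __name__ == "__main__":
    for src, port, verdict in evaluate_log(SAMPLE_LOG, build_alias(CLOUDFLARE_ALIAS)):
        print(f"{src:>16}:{port:<5} {verdict}")
```

Because Cloudflare terminates the client connection, the source addresses your firewall sees are the proxy ranges, not the visitor's; the rule above relies on Cloudflare proxying (orange cloud) being enabled for the subdomain, as the post above notes.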

If for whatever reason you don't want to use VPNs (or can't, like in my case), I created this small Node.js based service to manage an IP allow-list in Cloudflare:

The idea is that you set up your home firewall to allow requests from Cloudflare only, and set up Cloudflare to allow connections from an allow-list only. Then let the service add and remove the IP addresses of your mobile devices / laptops automatically on this allow-list.

At the moment getting it running requires 3 manual steps (set up Cloudflare, deploy a Docker container with the service, and set up your client devices to ping the endpoint to allow their IP address).

Eventually, when I have enough time, I'll create an online step-by-step setup guide to make it easier to get going.

Feedback appreciated

Igor


When configured as in Securing Home Assistant with Cloudflare, I got:
Unable to connect to Home Assistant.

Retrying in XX seconds…
or:

Dunno how to fix that. Help pls.

Same happens to me. Did you figure out what to do?

The same for me… I don't know why.

I can access it using the IP registered in the Cloudflare DDNS subdomain (so the DDNS works), but using the domain name it's not found… How to solve it?

Anyone able to resolve the issue of "Unable to connect to Home Assistant."?
Before installing the certificate everything worked via Cloudflare.
Once I added the certificate, added the additional IP address in the config file and changed the SSL/TLS encryption to Full (strict), it's been unable to connect.
I even changed Full (strict) to Flexible and still am not able to connect.

Same problem as @milutm, @NaduK and @miorba. I generated pem certificates from Cloudflare, replaced them in the ssl folder with Samba Share, made sure the http section in configuration.yaml was set correctly, but HA won't boot correctly. To get a proper boot I must remove the newly added pem files with Samba Share, put the old ones back, and edit configuration.yaml through the TextEdit app and revert the http section back to the previous version.

@MattHodge, that would be great if you could help. ChatGPT cannot help and I have already tried a lot of things so far but still no luck.

What I had to do finally was to remove all pem files, uninstall any add-ons I had like Duck DNS and Let's Encrypt (not just stop but remove altogether), remove the lines from configuration.yaml so it does not use the pem files, reboot (need to access HASS from the local http URL now), then start from there to install Cloudflared.

Sounds like your Home Assistant is running on https. If that's the case, make sure that the tunnel for Home Assistant has the noTLSVerify option enabled.