I have it almost similar, instead of using cloudflares certs, i use nginx proxy manager to do those.
What i like is that you can even strict more with cloudflares firewall, by only allowing your own IP to access the site. Meaning, if you are not coming from home to access HA than you get denied. This of course has mobile issues once you are on cellular.
So to counter that, i have created a custom VPN profile for the iphones to turn on VPN once they are off home network to establish a internal connection.
This way, my IP is not accessible unless from inside, my devices automatically phone home, and all services are encrypted.
Additionally, my pihole keeps working on the devices regardless of where i am, as it will also work on VPN.
Ive not had any issues with speeds, but im not streaming anything.
This way i have been able to turn off ports for wired alrm, nvr cameras system, HA, synology and many more.
First you need to be sure you set up cloudflare to proxy all traffic to your subdomain. Then you need to create an alias in pfsense that contains all ip addresses that cloudflare uses to proxy your traffic. Then last, on your NAT role in pfsense, where you are forwarding traffic to your server on site, you need to configure the rule to only allow traffic that originated from this new alias.
@andynbaker thanks for your post. I have applied rules as below and it works:
top one is to allow from Cloudflare and the second one it to block from the rest.
Technically you don’t need the block all rule. There’s ‘hidden’ block all rule at the bottom of each interface. That is, all traffic is blocked by default, so you only need to limit who you allow through in this case. But leaving it there won’t hurt!
If for whatever reason you don’t want to use VPNs (or can’t, like in my case), I created this small Node.js based service to manage an IP allow-list in Cloudflare:
The idea is that you setup your home firewall to allow request from Cloudflare only, and setup Cloudflare to allow connections from an allow-list only. Then let the service add and remove the IP addresses of your mobile devices / laptops automatically to this allow-list.
At the moment getting it running require 3 manual steps (setup Cloudflare, deploy a Docker container with the service, and setup your client devices to ping the endpoint to allow its IP address).
Eventually when I have enough time, I’ll create an online step-by-step setup guide to make it easier to get going.
anyone able to resolve the issue of “Unable to connect to Home Assistant.”
before installing the certificate everything worked via cloudflare
once I added the certificate and added the additional IP address in the config file and change the SSL/TLS encryption to Full strict its been unable to connect
I even changed the Full strict to flexible and still not able to connect
Same problem as @milutm, @NaduK and @miorba. I generated pem certificates from Cloudflare, replaced it in ssl folder with Samba Share, made sure the http section in configuration.yaml was set correctly, but HA won’t boot correctly. To get a proper boot I must remove newly added pem files with Samba Share, put the old ones back, and edit configuration.yaml through TextEdit app and revert Http section back to previous version.
@MattHodge, that would be great if you could help. ChatGPT cannot help and I have already tried a lot of things so far but still no luck.
What I had to do finally was to remove all pem files. Uninstall any add-ons I had like Duck-DNS, Let’s Encrypt (not just stop but remove all together), remove the lines from configuration.yaml to not use the pen files, reboot (need to access HASS from local http url now) then start from there to install Cloudflared
Hi @igoramadas , I stumbled upon this tread, after having the x time of unavailability of DuckDNS DNS servers.
Would like to try Cloudflare, and noticed that you planned to make a tutorial for this.
Hopefully did you manage to do so?
Kind regards Bert
I used your guide and everything works fine. Thank you!
However, I needed a VPN so I set up WireGuard for Home Assistant and it won’t work with my domain name if Cloudflare is set to proxy it.
I am unsure what to do. I don’t think I want to disable the Cloudflare proxy because it’s an added protection, right? But I also need to be able to connect back home from both phones and TV’s and more.
According to this posting I found a short time ago on Cloudflare, supposedly, there seems to be a workaround using Cloudflare Tunnels and WARP client (Wireguard).
I’m new here, still trying to determine what permanent setup I’m going to go with, so, for now, I’m just collecting links to put the puzzle together later on. If I get a final answer, one way or another, and no one responds back before me, I’ll try to post my results since I would like to do the same thing.
can someone please post a video step by step on how to get https?
i got it working with cloudfare from another video but im not getting https as seen here:
@MattHodge wouldn’t it now be easier and more secure to use Cloudflare WARP client and cloudflared tunnel instead? That wouldn’t expose HA to the internet at all - neither directly via your router (because it doesn’t need any ports being forwarded on your router), nor via Cloudflare. Only authenticated WARP client would be able to route traffic from your phone to your HA instance. You do still need a domain name (to be publicly resolvable) and point it to your.private.HA.IP.at.home (e.g. my-ha.example.com -> 192.168.1.9).
Split tunnels > Include IPs and domains (instead of the default exclude):
Selector: IP Address
Value: your.private.HA.IP.at.home/32
Description: hass-private
Save profile
Run docker compose up -d using the docker-compose.yml
On phone, install > 1.1.1.1 WARP (Cloudflare), then in that app go Settings > Account > Log into my-team.cloudflareaccess.com
Enable VPN > install suggested VPN profile (on iOS, or whatever pops up in Android)
With that setup, only traffic to your.private.HA.IP.at.home would go via WARP, and the rest would go directly to where it did before WARP. Then you’ll be able to access your HA in the HA app (or browser) using http://my-ha.example.com:8139.
To eliminate the possibility of accidentally connecting to a malicious service instead of your HA, you’d have to set up SSL on HA using your domain (see Set up encryption using Let's Encrypt - Home Assistant), then use https://my-ha.example.com instead (recommended). I have SSL set up to cast to Nest Hub anyway.