Self-hosted genealogy software remotely accessible through Cloudflare tunnel

Hi all,

I just spent a few days losing my hair to get this to work, so I thought I would share my findings to guide others who might attempt it.

Goal: Host webtrees on the same Raspberry Pi 4 running my HA (using the webtrees add-on) and make it securely accessible to family and friends without exposing my local network.
Note: I have AdGuard running as well, which might’ve added to the difficulty.

What did not work (so you don't try it)

I have tried using the ingress integration + Nginx proxy (similar solution to this post), but it only resulted in ERR_BLOCKED_BY_RESPONSE and black screens despite testing all available options.
I’m guessing webtrees doesn’t allow embedding, or it was AdGuard sending my traffic elsewhere.
It would also require giving people access to my HA instance, which I wasn’t really happy with.

What DID work is a Cloudflare tunnel, which is configured to only allow access to the add-on, with HA still going through Nabu Casa.
There’s plenty of materials on how to do this on the forum and on YouTube, together with securing it with additional rules and Google email verification.

But despite the documentation, there were still a lot of details that weren't clear to me, and trial and error because of interactions between the network, the Docker environment and webtrees itself.

Here’s the solution:

Webtrees add-on configuration with explanation
```yaml
BASE_URL: https://your_tunnel_domain_name.example.com
# This is the external URL you'll be accessing the page with.
# Even though the base configuration of the add-on doesn't use SSL, when using Cloudflare it's important the base_url has https.
# This is because when the tunnel is running, Cloudflare will apply its own SSL to the connection.
# If base_url has http://, this will cause a mismatch and some blocks will not load correctly.
ssl: false # disabled, Cloudflare takes care of this
base_url_portless: true # must be enabled

# rest is standard
DATA_LOCATION: /config/data
certfile: fullchain.pem
keyfile: privkey.pem
# When doing this I also found these options, but in the end they are not needed:
#trusted_headers: cf-connecting-ip
#trusted_proxies: 172.30.32.0/24
```
Cloudflared add-on configuration
```yaml
external_hostname: "" # none, to keep HA accessible only through Nabu Casa, but can be used to do both
additional_hosts:
  - hostname: your_tunnel_domain_name.example.com # notice that it's the same as in the webtrees config
    service: http://your_HA_IP:9999 # notice that here it's http and with the port, despite webtrees being configured portless
tunnel_name: Your_tunnel_name
```

Hope this will help someone avoid the mistakes I made!
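A small consistency check for the two add-on option sets above, added here as an example and not part of the original post: it encodes the pitfalls the post describes (BASE_URL must be https and carry no port, ssl off, base_url_portless on, the tunnel's additional host must match the BASE_URL hostname, and the tunnel service must be plain http with the add-on port). The function name and the sample hostname/IP are assumptions; the option keys mirror the ones shown above.

```python
from urllib.parse import urlsplit

# Constructed sample options mirroring the add-on keys in the post.
# Hostname and IP are placeholders, not real values.
WEBTREES_OK = {"BASE_URL": "https://tree.example.com", "ssl": False,
               "base_url_portless": True}
CLOUDFLARED_OK = {"external_hostname": "",
                  "additional_hosts": [{"hostname": "tree.example.com",
                                        "service": "http://192.0.2.10:9999"}]}


def check_tunnel_config(webtrees: dict, cloudflared: dict) -> list:
    """Return a list of problems; an empty list means the pair is consistent."""
    problems = []
    base = urlsplit(webtrees.get("BASE_URL", ""))
    # Cloudflare terminates TLS at the edge, so the public URL must be https
    if base.scheme != "https":
        problems.append("BASE_URL must use https://; Cloudflare applies TLS to the tunnel")
    # base_url_portless means the public URL carries no port
    if base.port is not None:
        problems.append("BASE_URL must not contain a port (base_url_portless)")
    if webtrees.get("ssl", True):
        problems.append("ssl should be false; the tunnel provides TLS")
    if not webtrees.get("base_url_portless", False):
        problems.append("base_url_portless must be true")
    # The tunnel must route exactly the hostname used in BASE_URL
    hosts = cloudflared.get("additional_hosts", [])
    matches = [h for h in hosts if h.get("hostname", "").lower() == base.hostname]
    if not matches:
        problems.append("no additional_hosts entry matches the BASE_URL hostname")
    for host in matches:
        service = urlsplit(host.get("service", ""))
        # Inside the LAN the add-on is reached over plain http with its port
        if service.scheme != "http":
            problems.append("service must be plain http:// towards the add-on")
        if service.port is None:
            problems.append("service must include the add-on port (e.g. :9999)")
    return problems


if __name__ == "__main__":
    for problem in check_tunnel_config(WEBTREES_OK, CLOUDFLARED_OK) or ["OK"]:
        print(problem)
```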
