Smartthings Integration without making Home Assistant publicly accessible

Hi all,

I’d like to share how I added the Smartthings integration to my Home Assistant installation without making it publicly accessible (at least that’s what I think - let me know if I’m wrong :exploding_head:).

Overview:
I want to control my Samsung WiFi connected devices from home assistant but I do not want the potential security issue that a third (or is it fourth) party (i.e. Nabu Casa) could be. I’m generally not the trusting type so I prefer to avoid using cloud services where possible :face_with_monocle:.
Also, I don’t want to expose my home assistant installation to the internet, so the idea is to set up a reverse proxy that specifically only forwards to the Smartthings Webhook URL.

My setup:

Note: If you already have a publicly accessible reverse proxy set up for a different server, you don’t need a new domain. Instead you can just extend your existing proxy’s config to forward the webhook URL to your home assistant server. Make sure to set your existing reverse proxy’s address as home assistant’s external address.

Steps to make things work:

  1. Create a suitable sub domain, e.g. smartthings.example.com
  2. Use a DynDNS service to bind your local server’s public IP address to the sub domain.
    Note: if you already have a DynDNS service running, say for public.example.com, then you can just set the CNAME of your new sub domain to public.example.com
  3. Get an SSL certificate for your new sub domain.
    Note: I’m not 100% sure but I think you need to have a separate certificate (file) for each domain, so if you already have a certificate for public.example.com make sure you get a separate certificate. The init script from the article about Nginx and docker resulted in a single certificate for both domains. While this works, it seems to prevent Nginx’s SNI and it thus cannot distinguish between our server/proxy config for the existing public.example.com and the new smartthings.example.com reverse proxy.
  4. In your home assistant, set the external address to https://smartthings.example.com
    Note: you might have to reload the YAML config, not sure here (I did it just in case).
  5. Begin installing the Smartthings integration
    a) follow the steps in the documentation to obtain a personal access token
    b) on the integrations page (settings) click on the plus to add an integration and search for the Smartthings integration.
    Note: if you get an error message here, you most likely forgot to set the external address of your home assistant installation.
    c) on the dialog that comes up, copy the webhook URL. It has the form https://{EXTERNAL_URL}/api/webhook/{WEBHOOK_ID}
  6. Create a Nginx reverse proxy config for your subdomain based on the example config below.
    • This will make only your webhook URL publicly available and forward it to your home assistant server.
    • make sure
      • to check the path to your SSL certificate.
      • to have the ssl-dhparams there, too.
      • to double check whether the ciphers are OK (I took it from ssl - NGINX enable only TLS v1.2 - Server Fault)
      • to check whether the additional headers are needed (I suspect they’re not). I copied the config from my reverse proxy config and the headers were already there…
      • to proxy_pass to your actual home assistant server
      • that there is no trailing slash in the location
      • there’s no trailing slash in the proxy_pass
# Reverse proxy config for smartthings.example.com

server {
    listen 443 ssl;
    # Must match the subdomain the certificate below was issued for,
    # otherwise SNI cannot route requests to this server block.
    server_name smartthings.example.com;
    server_tokens off;

    ssl_certificate             /etc/letsencrypt/live/smartthings.example.com/fullchain.pem;
    ssl_certificate_key         /etc/letsencrypt/live/smartthings.example.com/privkey.pem;
    ssl_dhparam                 /etc/letsencrypt/ssl-dhparams.pem;

    ssl_session_cache shared:le_nginx_SSL:10m;
    ssl_session_timeout 1440m;
    ssl_session_tickets off;

    # TLS 1.2 only; cipher list taken from the Server Fault answer linked above
    ssl_protocols TLSv1.2;
    ssl_prefer_server_ciphers off;
    ssl_ciphers "EECDH+AESGCM,EDH+AESGCM";

    # Smartthings webhook: this is the only path this vhost forwards.
    # Replace WEBHOOK_ID with the id from the integration dialog; no trailing slash.
    location /api/webhook/WEBHOOK_ID {

      proxy_set_header Host $host;
      proxy_set_header X-Real-IP $remote_addr;
      proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
      proxy_ssl_name $host;

      # Your actual home assistant server; no trailing slash here either.
      proxy_pass https://192.168.1.2:443;
    }

}

# vim: syntax=nginx
  7. Continue with the installation of the Smartthings integration. You should be able to finish the installation process and find your Smartthings devices in home assistant :partying_face:.
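The checklist in step 6 is easy to get wrong by hand, so here is an added example (not code from the post) that parses an nginx vhost with a minimal hand-written parser and reports which checklist items fail: TLS 1.2/1.3 only, a certificate path that matches the server_name, a location that is exactly the webhook path, and a proxy_pass without a trailing path or slash. The sample vhost is a constructed copy of the one above and WEBHOOK_ID is a placeholder.

```python
import re  # added example: a checklist linter for the vhost above, not code from the post
def parse(text):
    """Parse nginx config text into (name, args, children) tuples; children is None for simple directives."""
    toks = re.findall(r'#[^\n]*|"[^"]*"|[^\s;{}]+|[;{}]', text)
    root, cur = [], []
    stack = [root]
    for t in toks:
        if t == ';':                     # end of a simple directive
            stack[-1].append((cur[0], [a.strip('"') for a in cur[1:]], None))
            cur = []
        elif t == '{':                   # open a block and descend into it
            node = (cur[0], cur[1:], [])
            stack[-1].append(node)
            stack.append(node[2])
            cur = []
        elif t == '}':
            stack.pop()
        elif not t.startswith('#'):      # comments are dropped
            cur.append(t)
    return root

def find(nodes, name):
    return [n for n in nodes if n[0] == name]

def audit(text, webhook_id):
    """Return findings for every server block; an empty list means the checklist passes."""
    issues, want = [], f'/api/webhook/{webhook_id}'
    for _, _, body in find(parse(text), 'server'):
        prot = find(body, 'ssl_protocols')
        if not prot or set(prot[0][1]) - {'TLSv1.2', 'TLSv1.3'}:
            issues.append('ssl_protocols should allow only TLSv1.2/TLSv1.3')
        name, cert = find(body, 'server_name')[0][1][0], find(body, 'ssl_certificate')[0][1][0]
        if name not in cert:             # the note on one certificate per domain
            issues.append(f'certificate {cert} is not the one issued for {name}')
        for _, args, inner in find(body, 'location'):
            if args[-1] != want:         # anything else exposes more than the webhook
                issues.append(f'location {args[-1]!r} is not exactly the webhook path')
            for _, pargs, _ in find(inner, 'proxy_pass'):
                if re.search(r'://[^/]+/', pargs[0]):
                    issues.append(f'proxy_pass {pargs[0]} must not carry a path or slash')
    return issues

# Constructed sample mirroring the vhost above (WEBHOOK_ID is a placeholder).
GOOD = """server {
    listen 443 ssl;
    server_name smartthings.example.com;
    ssl_certificate /etc/letsencrypt/live/smartthings.example.com/fullchain.pem;
    ssl_protocols TLSv1.2;
    location /api/webhook/WEBHOOK_ID { proxy_pass https://192.168.1.2:443; }
}"""
BAD = GOOD.replace('location /api/webhook/WEBHOOK_ID', 'location /').replace('TLSv1.2;', 'TLSv1 TLSv1.1 TLSv1.2;')
```

Run `audit(open('/etc/nginx/sites-enabled/smartthings.conf').read(), 'your-webhook-id')` against your real file; it should return an empty list.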

Hi, when I try to install the SmartThings Integration, I get the following error after input of a new valid token:

There are no available SmartThings Locations

How can I solve this problem?

Hi,

I would like to thank you for the idea and share what I did in my setup.

Given that I don’t like the idea of exposing the whole Home Assistant instance on the web, I’ve decided to run it locally on a Raspberry Pi 3B+ behind a Wireguard VPN (always hosted on the same device).
I did not configure the SmartThings integration because I should have exposed my Home Assistant… until I read this post!

Before starting, I’d like to highlight that I already had a DDNS and a port forward configured on my router to run my home Wireguard VPN properly. I also have a VPS and a domain.

The first step was to add the VPS as a peer (client) on the Wireguard VPN, then I configured a few docker images on it (using docker compose):

  • nginx-proxy: to handle the reverse proxy
  • Acme companion: to automatically handle the renewal of the HTTPS certificate, and an instance of nginx
  • nginx: to do the real proxy-pass using the Wireguard peer (server) IP

Here is the docker-compose.yaml sample

The configuration stub for nginx is here

As mentioned in both gists, remember to trust the proxy in Home Assistant!

Thanks again for the inspiration!

PS: to be honest Acme companion and the reverse proxy were already configured because I run another website, but they are included to provide a fully functional setup.