First of all I run Home Assistant behind a pfSense firewall. To control HA from a remote location I VPN into my network which works great.
I picked up an Echo Dot and thought it might be fun to add Alexa functions to Home Assistant however best I can tell I need to expose the Home Assistant Raspberry Pi port (8123) to the internet. Is that a correct assumption?
I’m working through the config and am stumped at Domain List, Scope, and Privacy Policy URL on the developer page. Can’t get a green check mark there and pretty sure I have to be internet facing. Not sure I want to do that.
I am facing the same dilemma. In order to have custom skills for Alexa, I need to open up my HA to the Internet. Without this, it will not work and I cannot any other way around this. I would love to know as well if there is any way to create custom skills for Alexa without exposing my HA to the Internet.
It’s a deal breaker for me at least at the moment. I’m dabbling around with various ESP8266 outlets, GE Switches, and wifi bulbs, not to mention multiple other IoT ESP8266 devices. I just don’t want to be internet facing. I’m on my primary network for now while I’m configuring all this and then I have to migrate over to my “guest” network.
I think I can have on and off functions with the emulated hue but not 100% sure about that. That will have to do for now. I’m not going internet facing.
It’s simply not possible for a custom skill to be available without being open to the internet because the AVS (Amazon Voice Service) needs to interpret what has been said and call the webhook. You could possibly create a proxy device which is open to the internet in your network tho. This way only this device would be “open” to the internet with port forwarding.
No point in getting Alexa if you don’t want anything to face the internet. All you can do is turn on and off lights (unless that’s all you want). I’m not even sure if that will work if the echo isn’t connected to the internet.
With emulated hue you can control the thermostat as well as lights over your network, but I still think the echo needs internet connection.
I could be wrong but i think Alexa skills need to connect over HTTPS (port 443). You would need to port foward 443 on your router to HASS-IP:8123 on your LAN.
As long as you are password protected on your front end i dont see any worry to expose port 443 to the internet.
I don’t know what the restrictions are if you are only emulating a Hue Bridge. In that case you aren’t hosting a web service for a skill (you’re just controlling a device), so you might have more flexibility with ports. Amazon still needs some way to send commands from the internet to your Pi, though…
This! Nothing runs locally except the echo and HA.
The actual intent and things doing the work for the echo run on Amazon servers and needs to be able to talk to your HA instance, hence it has to be open to the internet.
But as others have said, a strong password with SSL and there isn’t much to worry about.
Are you sure that is the case? I’ve enabled SSL on HA, and in order to use google tts I simply had to add a base url to my http section of configuration.yaml per the note on this page.
As far as I can see for both Alexa and google home api.ai the requested address is to /api so I’d suggest that you run home assistant on 8123 and expose to the internet an apache or nginx on port 443 which redirects locally to http://localhost:8123/api/…
This will expose only the api and not the management interface.
I haven’t tried this yet but let me know what you thing.
Thanks. I believe Google TTS doesn’t work only on self-signed certificate. All external certificate with CA will work fine. Anyway, Im using Let’s Encrypt now.
Back to the topic. I still uncomfortable using Alexa custom skill because I have to write in my http component password.
I can understand that and I only see one way to prevent that…that is adding AWS IPs to your whitelist network. You can figure out the IPs AWS is using via this: http://docs.aws.amazon.com/general/latest/gr/aws-ip-ranges.html although this opens your HA up for all aws services. So this is actually imho a lot unsecurer than just entering your password there were only Amazon can see it.
Also to note: Your HTTP password will never be visible to anyone else except you and amazon. If you are using SSL the URL parameters are encrypted as well.
Yeah. The problem is now whoever has my Amazon password will have access to my home and it is not uncommon for big corporations to lose their users passwords.
I personly don’t have a problem with that but I can see your concern. The only possible solutions for you I can see is using the hue_bridge which iirc operates locally but only works with original Echo devices, waiting for third party software echos to implement hue compatibilty or host your own local speech recognition service.
@PhyberApex I am running pfsense firewall and thanks to your reference link, have created an alias AWS_us_east_1 by importing the list of IPv4 address ranges from Get-AWSPublicIpAddressRange -region us-east-1 | where {$_.IpAddressFormat -eq "Ipv4"} | select IpPrefix and the Alexa Custom Skill can now access my HA devices and Alexa Actionable Notifications also works.
Thank you!