SSL configuration -- External vs Internal

Hi all,

Is there a way to set up SSL on the external URL only and leave the internal URL non-SSL?

My use case:

  • I have my own registered domain name
  • I have a Let’s Encrypt wildcard cert registered for it
  • I run my own DNS server on which I created a zone for my domain name with sub-domains corresponding to each service that I run, HA being one of them.
  • My HA instance is not exposed to the internet and I do not wish to do so
  • I want to be able to access my instance using https://ha.mydomain.com
  • I want HA to be able to cast TTS messages to my Google speakers, which requires SSL to be disabled since ha.mydomain.com cannot be resolved outside my network. It also requires setting the internal URL to my instance’s IP address on my network, as Google forces their speakers to use google.dns and not a DHCP-provided one.
  • I still require SSL internally because my teenage stepson actively tries to get my passwords. I let him try because ultimately it’s a good learning experience for the both of us and kind of a fun game between us, but I still want my passwords to remain secure.

Hope how I explained it makes sense. Let me know if I need to clarify anything.

Thanks!

What you need is an nginx proxy running somewhere.

Point your DNS entries to the nginx proxy and install the certs in the proxy. This is your SSL endpoint. The proxy then forwards the traffic to HASS on port 8123.

I run this on my Synology NAS (which in turn runs nginx), here's what that config looks like

Yeah I’ve seen that mentioned a couple times around this community but never really understood why people needed it. I’ll poke around it and see. Thanks!
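
The reverse-proxy arrangement suggested in the reply above, sketched as an added example (it is not the poster's Synology configuration, which is not shown on the page). The backend IP `192.0.2.10` and the certificate paths are placeholders; `ha.mydomain.com` and port 8123 are taken from the thread.

```nginx
# Added example; place inside the http {} context of nginx.conf.
# Placeholders: 192.0.2.10 (HA host on the LAN) and the certificate paths.

# Home Assistant's frontend uses WebSockets, so Upgrade requests must pass through.
map $http_upgrade $connection_upgrade {
    default upgrade;
    ''      close;
}

# TLS endpoint: internal DNS resolves ha.mydomain.com to this proxy.
server {
    listen 443 ssl;
    server_name ha.mydomain.com;

    # Wildcard certificate installed on the proxy, not on Home Assistant.
    ssl_certificate     /path/to/fullchain.pem;   # placeholder path
    ssl_certificate_key /path/to/privkey.pem;     # placeholder path
    ssl_protocols       TLSv1.2 TLSv1.3;

    location / {
        # HA itself keeps serving plain HTTP on 8123, which is what the
        # speakers fetch TTS audio from via the IP-based internal URL.
        proxy_pass http://192.0.2.10:8123;
        proxy_http_version 1.1;

        proxy_set_header Host              $host;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header Upgrade           $http_upgrade;
        proxy_set_header Connection        $connection_upgrade;
    }
}

# Redirect plain-HTTP requests for the hostname to HTTPS so a login
# typed without the scheme does not go out in clear text.
server {
    listen 80;
    server_name ha.mydomain.com;
    return 301 https://$host$request_uri;
}
```

With this layout the HTTP listener on 8123 is still reachable on the LAN, and the hop between proxy and Home Assistant is unencrypted unless both run on the same host, so passwords are only protected when logging in through `https://ha.mydomain.com`. Home Assistant also has to trust the proxy via `use_x_forwarded_for` and `trusted_proxies` under `http:` in its configuration.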