SSL Configuration

Thanks, I've tried, but my router doesn't offer that option, only port ranges. And I believe running HASS on a port below a certain number has to be done as sudo, and that's not recommended.

Since you have followed the Let's Encrypt tutorial, I'm guessing that you have a signed certificate for your external duckdns address.

Then you normally want to use SSL when you are using the duckdns address and NOT when you are using an internal address, since the certificate will be invalid then. (I take it that your local internal network is safe here.)

So the best option is to install a web server on the same machine as Hass with the following rules (how to implement them depends on the web server):
port 80, called from yourchosen.duckdns.org
redirect to port 443;

port 80 from your external IP address
deny;

port 80 from everything else
proxy to localhost:8123

port 443 from yourchosen.duckdns.org (or everything, will just get a warning)
include ssl;
proxy to localhost:8123

Hass should be password protected but not include SSL; that's done by the proxy above.

I am good with everything, the problem is that I cannot redirect port 443 to 8123 in my router. Is there anything I can do on the Raspberry to do this?
Maybe IP TABLES?

Hi Alvaro, what router do you have? I ask because every consumer router I’ve worked with has the ability to do port translation. My HaSS listens on port 8123 but my router redirects traffic inbound on port 443. AFAIK, the only other option you have would be to get HaSS to listen on a port other than 8123 and I haven’t come across any document on how to do that. If you let me know the router model you have, I can have a look at the docs and see if what you want to do is possible.

Thank you very much, I have an Xfinity router (if you google it, it's the only one that shows up in Google Images). By the way, to run HASS on another port just add server_port in the http component part of the configuration file, followed by the port you want to run it on. I believe below a certain port it has to be run as root, which is not preferable.

I don't understand why you don't do as I said. There is no problem installing nginx on a Raspberry and using it as a proxy from port 443 to port 8123. Example nginx config (for just that):

    server {
        # Update this line to be your domain (the same name used in the certificate paths below)
        server_name myaddress.duckdns.org;

        # Ensure these lines point to your SSL certificate and key
        ssl_certificate /etc/letsencrypt/live/myaddress.duckdns.org/fullchain.pem;
        ssl_certificate_key /etc/letsencrypt/live/myaddress.duckdns.org/privkey.pem;
        # Use these lines instead if you created a self-signed certificate
        # ssl_certificate /etc/nginx/ssl/cert.pem;
        # ssl_certificate_key /etc/nginx/ssl/key.pem;

        # Ensure this line points to your dhparams file
        #ssl_dhparam /etc/nginx/ssl/dhparams.pem;


        # These shouldn't need to be changed
        # "listen ... ssl" replaces the deprecated "ssl on;" directive
        listen 443 ssl default_server;
        add_header Strict-Transport-Security "max-age=31536000; includeSubdomains";
        # TLSv1 and TLSv1.1 are deprecated; on a current nginx/OpenSSL use "TLSv1.2 TLSv1.3"
        ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
        ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4";
        ssl_prefer_server_ciphers on;
        ssl_session_cache shared:SSL:10m;

        proxy_buffering off;

        location / {
            proxy_pass http://localhost:8123;
            proxy_set_header Host $host;
            proxy_redirect http://localhost:8123 https://myaddress.duckdns.org;
            # WebSocket pass-through; $connection_upgrade is defined by a "map" block outside server {}
            proxy_http_version 1.1;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header Upgrade $http_upgrade;
            proxy_set_header Connection $connection_upgrade;
        }
    }

I’ll have a look. I am running with port translation. Initially I wanted HaSS to listen on 443 because I do my own DNS internally and I like to use the same URL internally and externally. I couldn’t configure HaSS properly using server_port. I think this might have to do with the fact that HTTPS is in use instead of HTTP. I gave up and just went with port translation. Then I removed the internal forward lookup zone.

malx122 offers a good solution and if port translation isn’t something you can/want to do, I think it might be your best bet.

Possible solution - https://www.youtube.com/watch?v=5TRnX2RdPOQ

Here is another link of someone saying there is no port translation. So it might be Xfinity thing :frowning:

Appreciate all, thank you very much, ill definitely check it out.

I will give that a try as well. I didn't understand it at first but it seems straightforward, and my router has no port translation. Thank you.

Also what parameters should I change?

The host domain?

I missed that you need this in the config before everything (before server {):

    map $http_upgrade $connection_upgrade {
        default upgrade;
        ''      close;
    }

Yes, you change myaddress.duckdns.org to your address in every place it appears. Also change the paths in the ssl_certificate directives to the same address you have used. (Uncomment and use dhparams.pem if you have created that part as well.)

I haven’t read the entire thread, but SSL works fine without port mapping.

I run SSL on lots of ports besides 443. Just type https://example.com:8123 and you’ll use HTTPS over that port and the connection will work fine. 443 is just the default port.

If you want to drop the :8123 off of your web address then you have to get port mapping working.

As I wrote, the internal Hass SSL support works well if you ONLY want to access Hass with the external address, something that also requires you to have internet access all the time.

I access my Hass externally by using my external address “xxx.dyndns.tv” and then by SSL with a certificate for xxx.dyndns.tv. But internally, any device connected to my router can access Hass by just writing “ha.tv” in the web browser, then without SSL.

If I just use port forwarding to :8123 for both addresses and activate SSL support in Hass so everyone gets SSL, it would give warnings to internal devices since the certificate would be invalid for “ha.tv”.

The problem was that I needed access through the default port 443 and not 8123. What I ended up doing was iptables: two simple commands on the machine running Hass, and it seems to work. I tried nginx but was confused about the configuration. Thank you so much anyway!

Internal SSL still works fine. Just enable NAT Loopback or add a DNSMasq entry on your router so you use the same address for both (I use the DNSMasq option myself), or create your certificate so it has both domains (easiest of the options). All of those solutions would work for you without relying on a proxy to provide SSL.

I mean, I love NGINX (I use it for proxies and web hosting), but not everyone wants to learn another system and the HA SSL support is good enough. The big advantage of using a proxy is that you can set up other services more easily, like HTML5 push notifications, geolocation IP banning, etc.

I don’t think you can create a certificate for an all internal dns address or the internal ip number since it can’t be verified. But a DNSMasq might work.

You are right, I realize I was thinking of my two external domain names.

I personally use DNSMasq because it was easier to setup than NAT loopback. I access my HA server with the same domain internally and externally which allows me to set a single shortcut on my home screen and not worry about where I’m connecting from.

I want to make sure I understand the result you have here, because I think you’re doing the same thing I want to do.

If you’re away from your home, you can open a web browser and go to https://example.com and access your home assistant over the internet with SSL. But if you are on your local network and you go to https://example.com your router will redirect you over the local network to your home assistant. In both cases you use the same URL and in both cases you use SSL, but if you’re already on the local network it stays on the local network instead of going out over the internet. Is that correct?

I just set up SSL myself, but that messes up local connections to Home Assistant. HA will no longer let me use regular http connections since I’ve added SSL to the config file, and the browser complains if I go directly to the local IP with https because the SSL cert is tied to a domain name, not an IP. Does what you’ve done solve that problem?

Hi Alvaro (or anyone else who has this working),

Can you let me know the IPTABLES commands you used please? I’ve been trying to get port 443 redirected to 8123 for what seems like hours now and it’s still not working :sob:. The commands I have been using are:

    iptables -I INPUT 1 -p tcp --dport 8123 -j ACCEPT
    iptables -I INPUT 1 -p tcp --dport 443 -j ACCEPT
    iptables -t nat -A PREROUTING -p tcp --dport 443 -j REDIRECT --to-port 8123

Yet when I navigate to my URL on port 443 it doesn’t connect. It works perfectly on port 8123 and both ports 8123 and 443 are re-directed by my router to my Raspberry Pi. Unfortunately my router doesn’t support port translation :angry:.

Did you do something different?

Further to my post above. After some more hours I managed to get it working. In the end all I needed was this line:

    sudo iptables -t nat -A PREROUTING -p tcp --dport 443 -j REDIRECT --to-port 8123

The issue (as it turns out) was the port forwarding rule on my router :angry:.

Once that was resolved and after I added the iptables rule I installed a package called iptables-persistent which deals with making the rule persist after reboots.

    sudo apt-get install iptables-persistent

Hopefully this helps someone.
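An added example, not code from anyone in this thread: a small POSIX shell script that applies the same 443 to 8123 REDIRECT in a form that survives being re-run and covers one cause of the "it doesn't connect" symptom above. The nat PREROUTING chain is only traversed by packets arriving from the network; a test made on the Pi itself (curl or a browser on the Pi pointed at port 443) goes through the nat OUTPUT chain instead and is not redirected unless a rule is added there too. It assumes a Linux host with iptables, root privileges, and iptables-persistent installed (which restores /etc/iptables/rules.v4 at boot); the function and variable names are my own.

```sh
#!/bin/sh
# Added example (not code from the thread): apply the 443 -> 8123 REDIRECT
# idempotently, cover local testing, and persist the rules.
# Assumptions: Linux host running Home Assistant, iptables present, script run
# as root, iptables-persistent installed (it loads /etc/iptables/rules.v4 at boot).
# Function and variable names here are my own, not part of any tool.

LISTEN_PORT=443   # port the router forwards to this host
HASS_PORT=8123    # port Home Assistant actually listens on

# Append a rule to the nat table only if an identical rule is not already there.
# "iptables -C" exits 0 when the rule exists and non-zero when it does not, so
# a boot hook or a second run of this script never stacks duplicate rules.
ensure_nat_rule() {
    chain=$1
    shift
    if iptables -t nat -C "$chain" "$@" 2>/dev/null; then
        echo "already present: $chain $*"
        return 0
    fi
    iptables -t nat -A "$chain" "$@" && echo "added: $chain $*"
}

# PREROUTING is only traversed by packets that arrive from the network.
# Connections made on the host itself (curl https://localhost, a browser on
# the Pi) skip PREROUTING and go through the nat OUTPUT chain instead, so the
# same REDIRECT is installed there for loopback traffic. Without it, remote
# access works while a local test on port 443 "doesn't connect".
apply_redirect() {
    ensure_nat_rule PREROUTING -p tcp --dport "$LISTEN_PORT" -j REDIRECT --to-ports "$HASS_PORT"
    ensure_nat_rule OUTPUT -o lo -p tcp --dport "$LISTEN_PORT" -j REDIRECT --to-ports "$HASS_PORT"
}

# Number of REDIRECT rules in the nat table matching our ports: 2 after
# apply_redirect, and still 2 after running apply_redirect again.
redirect_rule_count() {
    iptables -t nat -S | grep -c -- "--dport $LISTEN_PORT -j REDIRECT --to-ports $HASS_PORT"
}

# Save the live rule set where iptables-persistent restores it from at boot.
persist_rules() {
    iptables-save > /etc/iptables/rules.v4
}

# Usage: sudo sh redirect443.sh apply
case "${1:-}" in
    apply) apply_redirect && persist_rules ;;
esac
```

Run it as root with the `apply` argument; running it a second time reports the rules as already present instead of adding duplicates. Note that REDIRECT only rewrites the destination port of packets that actually reach the host, so the router still has to forward inbound 443 to the Pi, which was the other half of the fix described above.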

This helped me.

I was having the same problem with my Sky hub. I tried this and it now works as it should, thanks!