Telegram Webhook without exposing Home Assistant?

Hi,

I am using WireGuard to connect to my HA when I am outside my network and ideally I would like to keep it that way. But what I would also like to do is to use a webhook to communicate with my Telegram bot. Is there a way? Like a reverse proxy maybe?

It would be great if the program/service that is exposed to the outside only allowed connections from Telegram, but I am not sure whether that’s at all possible.

Any ideas?

Thanks!

What I ended up doing was using nginx as a reverse proxy.

nginx site-config:

server {
  listen 1443 ssl http2;
  server_name SUBDOMAIN.DOMAIN.duckdns.org www.SUBDOMAIN.DOMAIN.duckdns.org;
  include /config/nginx/ssl.conf;
  root /usr/share/nginx/html;
  index index.html index.htm;

  location /api/telegram_webhooks {
    proxy_pass http://INTERNAL_IP/api/telegram_webhooks;
    proxy_set_header Host $http_host;
    proxy_redirect off;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Scheme $scheme;
    allow 192.168.178.1/32; # requests are routed by my well... router
    deny all;
  }
}

telegram.yaml:

- platform: webhooks
  url: https://SUBDOMAIN.DOMAIN.duckdns.org:8443
  api_key: !secret telegram_apikey
  parse_mode: html
  allowed_chat_ids:
    - ID1
    - ID2
    - ...
  trusted_networks:
    - 172.23.0.5/32 # IP of the Docker container running nginx

I didn’t have an external_url set in my configuration.yaml, so I had to set that too:

homeassistant:
  external_url: https://DOMAIN.duckdns.org

Without that, the setup of the component failed with:

homeassistant.helpers.network.NoURLAvailableError

Change the config in the places where I wrote in bold.

Hey guys, how much of this still applies today? Because I have a similar NGINX HTTPS setup in front of an HTTP HA… and I’ve followed all the instructions I can find, but I still don’t get my callbacks working.

The sad thing is that I don’t get errors in the logs either. My Telegram bot logs are set to DEBUG and yet everything seems ‘fine’.

That setup still works for me.

Nothing in the logs makes me think that you aren’t forwarding the incoming messages correctly from your router or that you have used setWebhook with the wrong parameters.

Seems to be an SSL issue with my NGINX. Apparently I am not using the correct SSL certificate that Telegram wants. I am using a plain Let’s Encrypt certificate, whereas according to several Google searches, Telegram requires that I use the full certificate chain.

Which I don’t even know how to… I created my “chain” (in quotes) certificate from stuff copied and pasted from several files that Let’s Encrypt provides (without being clear whether and how they are needed) and I replaced my plain certificate.

I can’t say if that worked (my NGINX accepted the new file); however, the webhook now returns a different, more vague error of 401 Unauthorized. Now, is it unauthorized because of my certificate? Is it unauthorized because of another configuration? Who can tell?

The vagueness is all around! :stuck_out_tongue:
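When the proxy and Home Assistant logs stay quiet, Telegram's own record of the failed deliveries is the place to look. The script below is an added example, not code from this thread or from Home Assistant: it calls the Bot API's getWebhookInfo method, whose `last_error_message` field carries the last delivery failure Telegram saw (a TLS verification failure, or an HTTP status such as the 401 above), and reduces the answer to a short troubleshooting summary. The bot token is read from an assumed `TELEGRAM_BOT_TOKEN` environment variable, the hostname is the thread's placeholder, and the sample payload is constructed. One caveat on the certificate question: certbot already writes the leaf plus intermediates as `fullchain.pem`, and that is the file nginx's `ssl_certificate` directive should point at, so no copy-and-paste assembly is needed.

```python
"""Diagnose a Telegram bot webhook from Telegram's side (added example).

getWebhookInfo reports the last error Telegram hit while delivering updates,
which is where TLS-chain problems and proxy/HA rejections show up even when
nothing is logged locally. Token, hostname and sample payload are constructed.
"""
import json
import os
import ssl
import urllib.request
from datetime import datetime, timezone
from typing import Optional

# Constructed sample of a getWebhookInfo answer for an endpoint that is
# rejecting deliveries; field names follow the Bot API documentation.
SAMPLE_WEBHOOK_INFO = {
    "ok": True,
    "result": {
        "url": "https://SUBDOMAIN.DOMAIN.duckdns.org:8443/api/telegram_webhooks",
        "has_custom_certificate": False,
        "pending_update_count": 7,
        "last_error_date": 1700000000,
        "last_error_message": "Wrong response from the webhook: 401 Unauthorized",
        "max_connections": 40,
    },
}


def fetch_webhook_info(bot_token: str, timeout: float = 10.0) -> dict:
    """Call getWebhookInfo over HTTPS; only used when a real token is given."""
    url = f"https://api.telegram.org/bot{bot_token}/getWebhookInfo"
    ctx = ssl.create_default_context()
    with urllib.request.urlopen(url, timeout=timeout, context=ctx) as resp:
        return json.load(resp)


def classify_error(message: Optional[str]) -> str:
    """Map Telegram's free-text delivery error to the layer to check first."""
    if not message:
        return "no error recorded"
    m = message.lower()
    if "ssl" in m or "certificate" in m:
        return ("TLS handshake failed: serve the full chain "
                "(Let's Encrypt fullchain.pem, not cert.pem)")
    if "401" in m or "403" in m:
        return ("proxy reached but request rejected: check the nginx allow/deny "
                "rules and the trusted_networks entry for the proxy's address")
    if "refused" in m or "timed out" in m or "connection" in m:
        return ("Telegram could not reach the endpoint: check the router port "
                "forward and the port in the webhook URL")
    if "wrong response" in m:
        return "endpoint answered with an unexpected status: check proxy_pass path and upstream port"
    return "unclassified; read the message"


def summarize_webhook_info(payload: dict) -> dict:
    """Reduce the getWebhookInfo answer to what a troubleshooter needs."""
    if not payload.get("ok"):
        raise ValueError(f"Bot API returned an error: {payload}")
    info = payload["result"]
    url = info.get("url", "")
    err = info.get("last_error_message")
    err_date = info.get("last_error_date")
    return {
        "webhook_set": bool(url),
        "url": url,
        "pending_updates": info.get("pending_update_count", 0),
        "last_error": err,
        # Telegram gives a Unix timestamp; render it as UTC ISO-8601.
        "last_error_at": (datetime.fromtimestamp(err_date, tz=timezone.utc).isoformat()
                          if err_date else None),
        "likely_cause": classify_error(err),
    }


if __name__ == "__main__":
    token = os.environ.get("TELEGRAM_BOT_TOKEN")  # assumed variable name
    payload = fetch_webhook_info(token) if token else SAMPLE_WEBHOOK_INFO
    for key, value in summarize_webhook_info(payload).items():
        print(f"{key:>16}: {value}")
```

Run it without a token to see the summary of the constructed sample; with `TELEGRAM_BOT_TOKEN` set it queries the live bot instead. A non-zero `pending_updates` together with a recorded error confirms that Telegram is trying and being turned away, which separates a port-forwarding problem from a proxy or Home Assistant rejection.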

Yeah, this definitely is something you can sink hours into.

I am using linuxserver’s SWAG container (I dockerized everything), so unless you want to do that I am not sure how much assistance I can be, but:

Maybe this helps?