To HTTPS or not HTTPS (within home network), that is the question

Hi.

I was wondering what everyone does to access their HA when they are in their home network.
So, a bit of background. Back in 2017 when I started with HA, I set up DuckDNS and port forwarding to allow external access to my HA.

I removed this a few years ago, as I was worried that port forwarding was a way for hackers to get into your network, so I use Nabu Casa to access it externally.

However, I still have the DuckDNS URL and certificates and access it on my home network. I do this by adding a manual DNS record for my HA so that https://xxxxx.duckdns.org:8123 goes to my internal IP (192.168.x.x).

I am thinking about whether I should either look at setting up Let's Encrypt and Cloudflare and use that certificate, or remove HTTPS completely from within my home network, which seems like a backward step considering how HTTPS is everywhere these days.

So, what do people here do when accessing their HA from within their home network? Is it URL or IP? Is it HTTP or HTTPS?

I use http because the likelihood of a bad actor on my local network is so low as to be negligible.

I’m physically remote enough that wifi hacking is exceedingly unlikely.

The very few uneducated criminals here would take one look at my security cameras and take their window smashing brick elsewhere.

And I have an excellent firewall in my router.

1 Like

I trust my own network, so everything is run on insecure ports. For external access into my network I place a reverse proxy that terminates an SSL connection. When it comes to any form of troubleshooting being able to run packet capture is very useful.

Using a reverse proxy also means I can hide all of the internal ports used, giving me an additional level of security.

Indeed it is. Mirror a port on my switch and everything is captured with Wireshark.

And yeah I use SSL for remote obvs.

1 Like

I started down the path of local HTTPS, mostly for ESPHome to do updates before the improvements were made that didn’t require it. I found it to be a PITA to set up and abandoned the idea. I have so many levels of protection from the outside world that the chance of hacking into my local network is infinitesimal.

I have a domain just for internal use and run https on that.
The annual price for a domain name here is less than a beer cost at a pub.
Having your own domain name and therefore being able to do wildcard certificates makes it a whole lot easier to use and maintain.

1 Like

Is there a tutorial you used to set this up? I Googled around and found a lot of things, but none of them seem to do the HTTPS/SSL part with your own domain name and give you the opportunity to not rely on the Nabu Casa paid subscription for external access.

You do not use HTTP for the challenge, but DNS instead.
You add the domain to a provider that supports the DNS challenge, like Cloudflare, and then just set up the Let’s Encrypt DNS challenge.
Cloudflare is free for DNS service and you just need that. I have one A host listed for my public IP with VPN access, but the certificate is a wildcard, so it will go for anything internally that uses the same domain name with another hostname.