Update seems to require port 80 open in firewall?

Lars_IH · August 9, 2022, 11:13am

So I had my pi4 running latest and greatest Home Assistant for a while now. Just works perfect.

Out of random reason I decided to put packet filtering ON in my firewall, and well I don’t seem to like port 80 (http) communication anymore, so I only allowed port 443 (https). Everything seems to work, except the upgrade process in Home Assistant. After some digging around I noticed that Home Assistant during the upgrade process seems to like to open port 80 against IP 104.26.4.238 (Cloudflare as far as I can tell). And port 443 of course…

So why do the upgrade process need port 80? Could this be changed to only use port 443? I can see no real reason to why port 80 is needed???

tmjpugh · August 9, 2022, 2:41pm

Possibly related to this?? Same cause I mean

EDIT:
Short answer from link (re:addons needing port 80 for update) seemed to be that network manager uses it…its standard practice…further discussion needed before consider changing

github.com/home-assistant/operating-system

Can't install add-ons if port 80 is blocked

opened 12:31AM - 21 Dec 21 UTC

mtdcr

bug

### Describe the issue you are experiencing There's a connectivity check in `…buildroot-external/rootfs-overlay/etc/NetworkManager/NetworkManager.conf` using `http://version.home-assistant.io/online.txt` as its target. If this check fails, because port 80 is firewalled, Cloudflare is down or nic.io has problems, Home Assistant will complain about being offline and won't allow installing any add-ons. Curiously, I was able to install one add-on on a fresh setup before this check became a problem. Supervisor was already modified to use HTTPS in June (https://github.com/home-assistant/supervisor/commit/bcef34012d6c93b05b547281eba20c152e39e505). With most services being available over HTTPS today, it doesn't seem appropriate to require HTTP for this check. A way to disable/override this test would be useful, as most machines running Home Assistant are probably on a permanent internet connection, and a check from the past doesn't say anything about connectivity now or in the near future. At least, the result of this check should not prevent people to operate Home Assistant normally. ### What operating system image do you use? ova (for Virtual Machines) ### What version of Home Assistant Operating System is installed? 7.0 ### Did you upgrade the Operating System. No ### Steps to reproduce the issue 1. Block outgoing traffic on port 80 2. Install haos 3. Try to install add-ons, wait a while, try again ### Anything in the Supervisor logs that might be useful for us? ```txt 21-12-21 00:55:17 WARNING (MainThread) [supervisor.jobs] 'AddonManager.install' blocked from execution, no host internet connection ``` ### Anything in the Host logs that might be useful for us? ```txt Sorry, can't choose any log provider in current /hassio/system, but I guess there's not much info needed anyway. ``` ### System Health information _No response_ ### Additional information _No response_

grey-trunk · August 9, 2022, 2:58pm

Not directly related to HA, but things like linux packages are often sent over http, so this isn’t unusual for HA to do something similar.

Lars_IH · August 10, 2022, 8:53pm

Yepp, that bug is the same for sure. It was a plugin at the two times I have encountered it so far.

Lars_IH · August 10, 2022, 8:54pm

Strange to call it standard practice, when it comes to security - MITM in all good and bad, but http (port 80) is a joke.