Using Cloudflare, Home Assistant Core and SSL

ExperiorGG · February 18, 2025, 10:40pm

I want to pre-face this all with, yes, I have searched and search and cannot seem to get an answer to what I am dealing with.

All referenced software/containers/etc. is running in UNRaid.
This is Home Assistant CORE, so no Add-On store.
I am not using cloudflare tunnels because Home Assistants needs to be Secure via HTTPS in order to do voice stuff and some casting, etc.
No, I will NOT pay for the Nabu Casa Cloud.

Here is what I have going on: I have a cloudflare domain > A record pointing to my homes IP address, proxied through cloudflare (same results on or off) > pointing to my NGINX Proxy Manager (NPM) > Which points internally to my HA IP.

No matter what I do, it cannot be accessed via my sub-domain. I have added the URL to Home Assistant, no dice. Added trusted proxies in the config file, also no dice (Yes, NPM is port-forwarded to allow HTTPS)

Additionally, when I attempt to add SSL certs to the config, I am greeted with HA being in recovery mode, and this message:

2025-02-18 14:39:38.665 WARNING (MainThread) [homeassistant.helpers.frame] Detected that integration ‘cloud’ attempted to create another Zeroconf instance. Please use the shared Zeroconf via await homeassistant.components.zeroconf.async_get_instance(hass) at homeassistant/components/cloud/init.py, line 263: websession = async_get_clientsession(hass). Please create a bug report at GitHub · Where software is built

I am at a loss for what to do. I don’t even neccessarily need this exact config to work, I just want to be able to access HA via outside my network on both computers and phones, with HTTPS, with my domain. Any and all suggestions and help is welcomed.

pedrobuenoxs · March 7, 2025, 4:48am

Hi everyone,

I’ve been troubleshooting the exact same issue from past 3~4 hours and just dropped on this post. This post made me signup on the community to enforce the thread. Why is that so difficult?

What i have until now:

configuration.yaml:

# Loads default set of integrations. Do not remove.
default_config:

# Load frontend themes from the themes folder
frontend:
  themes: !include_dir_merge_named themes

automation: !include automations.yaml
script: !include scripts.yaml
scene: !include scenes.yaml

http:
  use_x_forwarded_for: true
  trusted_proxies:
    - 192.168.15.44      # my localhost

I have a cloudflare tunnel active and healthy on my home server pointing to:
https://home.mydomain.dev/ → http://localhost:8123

reaching my subdomain i got:

502 Bad Gateway
Unable to reach the origin service. The service may be down or it may not be responding to traffic from cloudflared

We have something else to notest:
HTTP Integration Doc

It says:

Reverse proxies 
When using a reverse proxy, you will need to enable the use_x_forwarded_for and trusted_proxies options. Requests from reverse proxies will be blocked if these options are not set.

http:
  use_x_forwarded_for: true
  trusted_proxies:
    - 10.0.0.200      # Add the IP address of the proxy server
    - 172.30.33.0/24  # You may also provide the subnet mask

If i add the subnet mask will completely break HA docker deployment. No clues what to do next, any ideas would be awesome.

LiQuid_cOOled · March 7, 2025, 4:53am

Try without - 10.0.0.200

http:
  use_x_forwarded_for: true
  trusted_proxies:
     - 172.30.33.0/24

The proxy is most likely the issue. I run a Cloudflare tunnel using my own domain, but not with a proxy. I have no issues with casting or voice so I am little confused by this statement.

pedrobuenoxs · March 7, 2025, 5:04am

That snippet is from HA HTTP integration documentation.

This is my code:

http:
  use_x_forwarded_for: true
  trusted_proxies:
    - 192.168.15.44      # my localhost

Digging a little bit i just found a solution and it just fucking working. with https

on cloudflare tunnel i changed :http://localhost:8123 tohttp://192.168.15.44:8123

on my home server i ran the command
docker network inspect bridge and got the docker subnet mask.

i went to configuration.yaml file and updated from:

http:
  use_x_forwarded_for: true
  trusted_proxies:
    - 192.168.15.44      # my localhost

to:

http:
  use_x_forwarded_for: true
  trusted_proxies:
    - 192.168.15.44    # Your host's IP
    - 172.17.0.0/16    # Docker bridge network range

i cant believe it’s working i can sleep

LiQuid_cOOled · March 7, 2025, 5:06am

Glad you figured it out!

pedrobuenoxs · March 7, 2025, 4:41pm

well… Not always a bed of roses…

tuya devices cannot resolve dns throught cloudflare tunnel… they unusable from my home assistant core right now