Web_hook with alternate port

Hello all,

some external services are unable to send HTTP traffic to a web_hook which is different from ports 80 or 443, for example the withings notification platform.

When external_url includes a port number which is neither 80 nor 443 (let's say 9999), how can an integration create a web_hook pointing to the external URL but on port 443 instead of 9999?

You’re probably wondering: why not change external_url and have it pointed to port 443 simply?

I (and many others as far as I can tell) consider using an alternate port a security improvement. Very few bots will try all 65000 port numbers of an IP, it’s too expensive. Additionally, if a bot would attempt to do so, it would have to spread the attempts over time to avoid being blocked by fail2ban and similar protections.

It is also possible in firewall configuration to whitelist the source IPs the HTTP POST messages are sent from (Withings for example uses 89.30.121.0/24) so that only this specific IP range is allowed to access port 443 of external_url.

Hence the only missing piece here is the ability for an integration such as netatmo or withings to define a port different than what is configured in external_url. Is there a recommended way for such integrations to implement this?

Proxy, like NGinX or NAT.

Could you detail this?

The problem is at the moment that external_url=https://my-ha.domain.com:9999 and withings will throw an error when trying to set up a notification to webhook on port 9999.

I don’t understand how the proxy can help here?

A proxy and also NAT (like portforwarding) can take a connection from one port and redirect it to another and vice versa.

Thanks but the problem is that the integration is telling Withings cloud “please send notification to web_hook https://my-ha.domain.com:9999/api/webhook/12a0a84e515179979becf5e05369cb89ebe0e4bdced1abf41ab5e118fa73f941” and the Withings cloud responds with an error.

So what I want is for the withings extension to be able to ask Withings cloud to send notification to the same URL without the “9999” port.

I think though this is the wrong place to discuss this. In conversation with the withings integration developer it seemed like the issue was broader than just his integration’s code, rather that something the Home Assistant code needed changing for him to be able to use something different than external_url.

I do not know the withings protocol setup, but it sounds like 9999 is not the standard port for withings, which means the 9999 must come from your end somehow.
If it comes from your end, then you can probably change it with a proxy or NAT.

9999 is the port I use for external URL of Home Assistant, it’s the port number Withings would have to send data toward, it is not a port in Withings infra.

But I see which modification is required in the code now, all good.
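
The network side of the setup discussed in this thread (a listener on port 443 that only the Withings range may reach, forwarding webhook deliveries to Home Assistant), sketched as an added example that is not from any poster or from the Home Assistant project. The certificate paths and the upstream address `127.0.0.1:8123` are assumptions; the hostname and the 89.30.121.0/24 range are the ones quoted above. It does not change which URL the integration registers with Withings, which the thread concludes needs a code change.

```nginx
# Added example: reverse proxy exposing only the webhook path on 443.
server {
    listen 443 ssl;
    server_name my-ha.domain.com;                        # hostname from the thread

    ssl_certificate     /etc/ssl/example/fullchain.pem;  # placeholder path
    ssl_certificate_key /etc/ssl/example/privkey.pem;    # placeholder path

    # Webhook deliveries: accepted only from the source range quoted in the
    # thread for Withings; every other client gets 403 before proxying.
    location /api/webhook/ {
        allow 89.30.121.0/24;
        deny  all;

        # Assumption: Home Assistant listens locally on its default port.
        proxy_pass http://127.0.0.1:8123;
        proxy_set_header Host $host;
    }

    # Nothing else (UI, REST API, auth endpoints) is reachable on 443;
    # interactive access stays on the alternate port behind its own controls.
    location / {
        return 404;
    }
}
```

The `allow`/`deny` check uses the TCP source address nginx sees, so it only holds if no other NAT or proxy in front rewrites that address, and the allowed range has to be kept in step with whatever the provider currently publishes.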