Why the Heck does HA run on port 8123

A traditional approach for an app server is to use a basic front-end, such as Apache, nginx, etc., on port 80 and do a reverse proxy to your app server on the high-numbered ports. Typically, when you attach a process to 80 or 443, you want it to be pretty bullet-proof, and focused on managing HTTP, SSL, etc.

2 Likes

I mean 80 would be the first port on the list to scan…

1 Like

It is likely due to processes using ports below 1024 requiring root privileges on Linux-based systems. And running with root privileges presents a lot of security concerns. So it is easier to run on a non-standard port, usually 8080 or 8443 depending on protocol, but that is just a rule of thumb.

6 Likes

I’m just gonna throw this out there: if you can’t handle adding :8123 onto a url/ip address you have no business messing with HA. HA isn’t a Samsung SmartThings or Wink or . I’d put my tech acumen in the 90%+ range and it was, at times, maddening for me. I can tell you it isn’t something I’d recommend for any of my family and they aren’t luddites by any means. I set my parents up with a SmartThings hub because it is much more basic and intuitive and frankly they won’t need or do any of the advanced automations we can do with HA.

5 Likes

Exactly, security should be paramount. But having an option with disclaimers could be useful for some people.

What’s so useful about this? You’re taking security risks and a high probability of port conflicts just to not have to type :8123 at the end of a URL? People who are not able to edit a file and change the port AND are not willing to put :8123 at the end of a URL, should not be messing with HA at this point.

5 Likes

The one reason I could see using port 80/443 is if you need to traverse an overly strict corporate firewall or crummy public wifi that blocks certain port ranges. Port 8080 would be good second choice that isn’t blocked as much. If you really want port 443, use nginx as a reverse proxy. Use of unencrypted http:// over a WAN is not recommended.

Exposing port 80 or 443 or any other for other than letsencrypt is not a clever idea. That’s why we use a reverse proxy, if you want to be secured for external connection.
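The reverse-proxy setup the posts above recommend, as an added example that is not from any poster in this thread or from the Home Assistant project: nginx terminates TLS on 443 and forwards to Home Assistant on its unprivileged port. The hostname `ha.example.org`, the certificate paths and the assumption that Home Assistant listens on 127.0.0.1:8123 on the same host are placeholders.

```nginx
# Added example. Assumptions: hostname ha.example.org, certificate paths,
# and Home Assistant listening on 127.0.0.1:8123 on the same host.
# These blocks go inside the http { } context of nginx.conf.

# Home Assistant's frontend uses WebSockets, so the Upgrade header
# has to be passed through to the backend.
map $http_upgrade $connection_upgrade {
    default upgrade;
    ''      close;
}

# Port 80 serves no application content, only a redirect to HTTPS.
server {
    listen 80;
    server_name ha.example.org;
    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl;
    server_name ha.example.org;

    ssl_certificate     /etc/letsencrypt/live/ha.example.org/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/ha.example.org/privkey.pem;
    ssl_protocols       TLSv1.2 TLSv1.3;

    location / {
        proxy_pass http://127.0.0.1:8123;
        proxy_http_version 1.1;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection $connection_upgrade;
    }
}

# Matching Home Assistant side (configuration.yaml): bind to loopback only
# and accept the forwarded client address only from this proxy.
#   http:
#     server_host: 127.0.0.1
#     use_x_forwarded_for: true
#     trusted_proxies:
#       - 127.0.0.1
```

With `server_host` set to loopback, port 8123 is no longer reachable from the network directly, so the proxy is the only way in.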

I appreciate everyone’s input. From taking those comments it appears that if there was a container (on by default or not) that came with Home Assistant operating system running nginx providing a reverse proxy and encryption, it would both improve security and accessibility to the system.

1 Like

There are already add-ons for nginx and letsencrypt, if you are running supervisor. You just need to enable them. These addons are actually containers for HA.

How about there’s a configuration option in onboarding?

That’s not entirely true. If it runs in safe mode you can’t change it from what I recall. In that case you have to go in .storage and muck around.

Safe mode is only used when the system doesn’t start correctly, it doesn’t hinder you to change configuration.yaml. You don’t need to mess with .storage files to change the IP. All you need is this somewhere in configuration.yaml:

http:
  server_port: 1234

The time it takes to send TCP Syns to all the ports is: 65,536 / 1,488,000 = 44ms.
I’m not disagreeing with you, but security through obscurity blah blah blah…
It should be secure whether it is hard to find or not.

4 Likes

Of course! But having an open front door makes you an easy target. Security is multi-layered…

1 Like

“I’m just gonna throw this out there: if you can’t handle adding :8123 onto a url/ip address you have no business messing with HA. HA isn’t a Samsung SmartThings or Wink or . I’d put my tech acumen in the 90%+ range and it was, at times, maddening for me. I can tell you it isn’t something I’d recommend for any of my family and they aren’t luddites by any means. I set my parents up with a SmartThings hub because it is much more basic and intuitive and frankly they won’t need or do any of the advanced automations we can do with HA.”

I really do not understand this line of reasoning. For comparison I know how to rebuild a carburetor but I will never buy a daily driver that has one, I also would not recommend anyone else to buy a car just because it has a carburetor.

Good software design is not to make people jump through hoops or show off technical prowess, it is to get stuff done and enable as many people as possible to solve their problems with a minimal amount of friction.

Why should Home Assistant not be good enough for your parents? Why should what they want be considered “basic” compared to the work you do? Why don’t we work together to make this better for everyone who wants to get things done?

5 Likes

It should be and it’s also the goal of HA to make it accessible for everyone. However it’s not there yet and will take a lot of time and coding to reach this stage. It already has been an enormous development in this direction since I started around 3 years ago.
However, running HA per default on port 80 is not one of these things that makes it more accessible in my opinion. It only adds risks as multiple people explained already.

1 Like

Glad it’s not on 80. Some ISPs block 80. Cox is a major one. Also means I cannot use letsencrypt or have certs.

For letsencrypt, you can use domain validation instead of port 80.

No matter what it runs on internally, you can forward any non-blocked port above 1024 to 80 (or 8123 or 443 or whatever you want to run HA on) internally.

1 Like