Why the Heck does HA run on port 8123

Exactly, security should be paramount. But having an option with disclaimers could be useful for some people.

What’s so useful about this? You’re taking security risks and a high probability of port conflicts just to not have to type :8123 at the end of a URL? People who are not able to edit a file and change the port AND are not willing to put :8123 at the end of a URL should not be messing with HA at this point.

5 Likes

The one reason I could see using port 80/443 is if you need to traverse an overly strict corporate firewall or crummy public wifi that blocks certain port ranges. Port 8080 would be a good second choice that isn’t blocked as much. If you really want port 443, use nginx as a reverse proxy. Use of unencrypted http:// over a WAN is not recommended.

Exposing port 80 or 443 or any other port for anything other than Let’s Encrypt is not a clever idea. That’s why we use a reverse proxy, if you want to be secure for external connections.

I appreciate everyone’s input. Taking those comments together, it appears that if there were a container (on by default or not) that came with Home Assistant Operating System running nginx, providing a reverse proxy and encryption, it would improve both the security and the accessibility of the system.

1 Like

There are already add-ons for nginx and Let’s Encrypt, if you are running the supervisor. You just need to enable them. These add-ons are actually containers for HA.

How about there’s a configuration option in onboarding?

That’s not entirely true. If it runs in safe mode you can’t change it from what I recall. In that case you have to go in .storage and muck around.

Safe mode is only used when the system doesn’t start correctly; it doesn’t prevent you from changing configuration.yaml. You don’t need to mess with .storage files to change the IP. All you need is this somewhere in configuration.yaml:

http:
  server_port: 1234

The time it takes to send TCP SYNs to all the ports is: 65,536 / 1,488,000 = 44 ms.
I’m not disagreeing with you, but security through obscurity blah blah blah…
It should be secure whether it is hard to find or not.

4 Likes

Of course! But having an open front door makes you an easy target. Security is multi-layered…

1 Like

“I’m just gonna throw this out there: if you can’t handle adding :8123 onto a url/ip address you have no business messing with HA. HA isn’t a Samsung Smarthings or Wink or . I’d put my tech acumen in the 90%+ range and it was, at times, maddening for me. I can tell you it isn’t something I’d recommend for any of my family and they aren’t luddites by any means. I set my parents up with a Smarthings hub because it is much more basic and intuitive and frankly they won’t need or do any of the advanced automations we can do with HA.”

I really do not understand this line of reasoning. For comparison, I know how to rebuild a carburetor, but I will never buy a daily driver that has one, and I also would not recommend that anyone else buy a car just because it has a carburetor.

Good software design is not about making people jump through hoops or showing off technical prowess; it is about getting stuff done and enabling as many people as possible to solve their problems with a minimal amount of friction.

Why should Home Assistant not be good enough for your parents? Why should what they want be considered “basic” compared to the work you do? Why don’t we work together to make this better for everyone who wants to get things done?

5 Likes

It should be, and it’s also the goal of HA to make it accessible for everyone. However, it’s not there yet and will take a lot of time and coding to reach this stage. There has already been enormous development in this direction since I started around 3 years ago.
However, running HA by default on port 80 is not one of the things that makes it more accessible, in my opinion. It only adds risks, as multiple people have explained already.

1 Like

Glad it’s not on 80. Some ISPs block 80; Cox is a major one. It also means I cannot use Let’s Encrypt or have certs.

For Let’s Encrypt, you can use domain validation instead of port 80.

No matter what it runs on internally, you can forward any non-blocked port above 1024 to 80 (or 8123 or 443 or whatever you want to run HA on) internally.

1 Like

Hi Francis, can you please tell me what “Let’s Encrypt domain validation” is? I have googled and searched but do not yet fully understand. Following the name, I think it should be something like “getting a valid Let’s Encrypt cert without the need to have port 80 (or 443?) open to the requesting server?” Exactly what I need. Stop the hassle of temporarily forwarding port 80 to several devices…

It is explained here:

2 Likes

To reiterate, this does not allow you to access your services outside your network.

Pointless to me then.

I actually have a duckdns URL working, a noip.org URL and Nabu Casa. I can also just go straight to my ip:port, internally and externally.

… just no ssl.

I live on the edge. :smiley:

To reiterate, this does not allow you to access your services outside your network.

I just used that guide, and then forwarded in my router port 443 to the nginx on port 443. Everything is accessible from outside.

1 Like
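The reverse-proxy setup the posts above describe, written out as an added example: this is not the guide linked above and not the configuration of any Home Assistant add-on. It assumes nginx runs on the same host as Home Assistant (so HA is reached at 127.0.0.1:8123), the hostname ha.example.com, and a Let’s Encrypt certificate obtained with a DNS-01 (domain validation) challenge, e.g. `certbot certonly --manual --preferred-challenges dns -d ha.example.com`, so port 80 never has to be forwarded from the router at all.

```nginx
# Added example (not from the thread): nginx terminates TLS on 443 and
# proxies to Home Assistant on 127.0.0.1:8123. Hostname, certificate
# paths and the HA address are assumptions; adjust them to your setup.

# Translate the client's Upgrade header into the right Connection value;
# the HA frontend talks to the backend over a websocket.
map $http_upgrade $connection_upgrade {
    default upgrade;
    ''      close;
}

server {
    listen 80;
    server_name ha.example.com;
    # Plain HTTP only redirects; nothing is ever served over it, and the
    # router does not need to forward port 80 for this to work.
    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl;
    server_name ha.example.com;

    # Certificate from the DNS-01 challenge (certbot's default live path).
    ssl_certificate     /etc/letsencrypt/live/ha.example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/ha.example.com/privkey.pem;
    ssl_protocols       TLSv1.2 TLSv1.3;
    ssl_prefer_server_ciphers off;

    location / {
        proxy_pass http://127.0.0.1:8123;
        proxy_http_version 1.1;

        # Websocket upgrade for the HA frontend and API.
        proxy_set_header Upgrade    $http_upgrade;
        proxy_set_header Connection $connection_upgrade;

        # Pass the real client address and scheme through; HA uses these
        # for its login-attempt tracking and IP bans.
        proxy_set_header Host              $host;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}
```

Home Assistant has to be told that it sits behind a proxy, otherwise it rejects proxied requests: under the same `http:` key shown earlier for `server_port`, set `use_x_forwarded_for: true` and `trusted_proxies: ["127.0.0.1"]` (the proxy’s address). On the router, forward only 443 to the proxy host; 8123 stays unforwarded and is never reachable from outside. If the ISP blocks inbound 443 as well, forward an unblocked high port to 443 on the proxy instead, as suggested above, and put that port after the hostname in the URL.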