0x07 Exposing HomeAssistant to the Internet
Introduction
We’re having our first child soon and so I wanted a way to monitor the baby with a video feed that wasn’t one of those dodgy wifi baby cameras (they’re all dodgy, including VTECH). Easy peasy, add an RTSP camera to Home Assistant and expose it to the public internet so the wife doesn’t have to deal with VPNs and all the other bullshit I already put her through.
The Layout
graph TD
    ExternalUser[External User]
    InternalUser[Internal User]
    ExternalDNS[External DNS]
    InternalDNS[Internal DNS]
    SynologyProxy[Synology NAS Reverse Proxy - HTTPS]
    HomeAssistant[Home Assistant - HTTP]
    ExternalUser -->|Access https://ha.MINE.synology.me| ExternalDNS
    InternalUser -->|Access https://ha.MINE.synology.me| InternalDNS
    ExternalDNS -->|Resolves to Public IP| Router
    InternalDNS -->|Resolves to 192.168.1.LOCAL_NAS_IP| SynologyProxy
    Router -->|Port forwards 8123| SynologyProxy
    SynologyProxy -->|Forward to http://192.168.1.HA_IP:8123| HomeAssistant
This allows me to use the certificate from the Synology NAS (the reverse proxy only accepts HTTPS requests on port 8123) and then proxy to HomeAssistant (which still runs on HTTP).
Would it be more secure to have HTTPS on HomeAssistant? Probably. Am I going to do it? Probably not…
Home Assistant Config
http:
  use_x_forwarded_for: true
  trusted_proxies:
    - 192.168.1.LOCAL_NAS_IP
    - 127.0.0.1
  cors_allowed_origins:
    - https://ha.MINE.synology.me
  ip_ban_enabled: true
  login_attempts_threshold: 3
This is the current setup in my HomeAssistant configuration.yaml. It works well. You need both trusted_proxies and use_x_forwarded_for when you do a proxy setup. The cors_allowed_origins just helps protect my HA instance a little more.
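Why those two settings matter for ip_ban_enabled, as an added example (not code from this post and not Home Assistant's implementation): a simplified model of the usual trusted-proxy rule for X-Forwarded-For. 192.168.1.10 stands in for LOCAL_NAS_IP, the 203.0.113.x client address is constructed, and the reverse proxy is assumed to append the client address to the header.

```python
import ipaddress
from collections import Counter

# Constructed sample values: 192.168.1.10 stands in for LOCAL_NAS_IP.
TRUSTED_PROXIES = [ipaddress.ip_network("192.168.1.10/32"),
                   ipaddress.ip_network("127.0.0.1/32")]
LOGIN_ATTEMPTS_THRESHOLD = 3


def is_trusted(ip):
    """True if ip is one of the configured trusted proxies."""
    addr = ipaddress.ip_address(ip)  # raises ValueError on garbage
    return any(addr in net for net in TRUSTED_PROXIES)


def effective_client_ip(peer_ip, xff, use_x_forwarded_for=True):
    """Return the address that failed logins are counted against."""
    if not use_x_forwarded_for or not xff or not is_trusted(peer_ip):
        # Header ignored: honouring it from an arbitrary peer would let
        # any client pick the address that gets blamed (or banned).
        return peer_ip
    hops = [h.strip() for h in xff.split(",") if h.strip()]
    # Walk right to left: the rightmost entries were appended by our own
    # proxies, so the first untrusted hop is the real client. Anything
    # further left was supplied by that client and is not believed.
    for hop in reversed(hops):
        try:
            if not is_trusted(hop):
                return str(ipaddress.ip_address(hop))
        except ValueError:
            return peer_ip  # malformed header: fall back to the socket peer
    return peer_ip


def banned_after(requests, use_x_forwarded_for=True):
    """requests: (peer_ip, xff) tuples, each one a failed login."""
    failures = Counter(effective_client_ip(peer, xff, use_x_forwarded_for)
                       for peer, xff in requests)
    return sorted(ip for ip, n in failures.items()
                  if n >= LOGIN_ATTEMPTS_THRESHOLD)


# Constructed traffic: three failed logins from one external client,
# all arriving at Home Assistant from the NAS reverse proxy.
FAILED = [("192.168.1.10", "203.0.113.50")] * 3

if __name__ == "__main__":
    print("with proxy settings:   ", banned_after(FAILED))
    print("without proxy settings:", banned_after(FAILED, False))
```

In this model, leaving the forwarded header unused means the ban lands on the NAS address, which cuts off every user coming through the proxy instead of the one who failed to log in.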
Synology Config
This is what the Reverse Proxy Rule looks like:
Alas, we can log in but then we’re faced with a broken HomeAssistant!
The issue is that we can’t create websocket connections through the Synology Reverse Proxy… Or can we…? In the reverse proxy config for HomeAssistant, you can specify headers. Luckily Synology has a “Websocket headers” button that automatically adds what’s needed. It should look like this:
Bing bang boom! You’re done (don’t forget to enable 2FA on your HA instance!). Now to find a camera…