Locally and externally available Home Assistant

Warning issued: another tech-related niche post…

So you have set up Home Assistant and went with Duck DNS and Let’s Encrypt, which is the standard solution, but you are only 95 % happy since it is not great when you are accessing your instance locally. What to do: aim for 100 % and spend the time to find a better solution, or move on with your life? Since you have read this far, you are obviously going the extra mile…

You are not alone my friend, I walk with you. (OK, I will stop the cheesy writing style now and switch to dry technical writing…) So, we do not want to rely on the Duck DNS entry; we want to take control of things and use our own hosted domain name (ha.webbservern.se in my case) for the Home Assistant instance. At least for me, I did sometimes notice weird connection issues and finally got tired of it and decided to set up my own DNS entry (also using Let’s Encrypt btw, Let’s Encrypt is fantastic) and this Apache configuration (without fiddling with the currently almost working Duck DNS/Let’s Encrypt setup), which I think is the actual meat of this blog post:

<VirtualHost *:443>
    ServerName ha.webbservern.se
    ServerAlias ha.webbservern.se

    # TLS towards clients, using the Let's Encrypt certificate for this host name
    SSLEngine on
    Include /etc/letsencrypt/options-ssl-apache.conf
    SSLCertificateFile /etc/letsencrypt/live/yourdomain/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/yourdomain/privkey.pem

    # TLS towards the Home Assistant backend. Its certificate is issued for the
    # Duck DNS name, not for "homeassistant", so the peer checks are switched off.
    SSLProxyEngine on
    SSLProxyVerify none
    SSLProxyCheckPeerCN off
    SSLProxyCheckPeerName off
    SSLProxyCheckPeerExpire off
    ProxyPreserveHost On

    # WebSocket endpoint first, then everything else
    ProxyPass /api/websocket wss://homeassistant:8123/api/websocket
    ProxyPassReverse /api/websocket wss://homeassistant:8123/api/websocket
    ProxyPass / https://homeassistant:8123/
    ProxyPassReverse / https://homeassistant:8123/

    # Requests carrying "Upgrade: websocket" go to the wss:// backend, all others to https://
    RewriteEngine on
    RewriteCond %{HTTP:Upgrade} =websocket [NC]
    RewriteRule /(.*) wss://homeassistant:8123/$1 [P,L]
    RewriteCond %{HTTP:Upgrade} !=websocket [NC]
    RewriteRule /(.*) https://homeassistant:8123/$1 [P,L]

    CustomLog ${APACHE_LOG_DIR}/vhosts/ha.log combined
</VirtualHost>

I won’t say each and every line is correct or needed, but yes, it works great, also with the Android Companion app. It is indeed the result of a fair bit of trial and error, but I do think it could help others, if search engines help to index this, since I did see that people have similar issues in various forums when trying to set up a virtual host proxying an HTTPS-exposed backend with a certificate valid for the default Duck DNS/Let’s Encrypt setup. Nota bene: you might need to enable the Apache module proxy_wstunnel: sudo a2enmod proxy_wstunnel

Some people might be scared by the SSLProxy relaxations above, but in this kind of setup this is not a concern for me; we are talking about connections within the LAN and the attack vector is not significantly increased…
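To see which of the SSLProxyCheckPeerName and SSLProxyCheckPeerExpire relaxations a given backend certificate actually requires, here is an added example (not part of the original post) that models the name and validity checks in Python. The sample certificate and the name example.duckdns.org are constructed placeholders, and the matching logic is a simplified model, not Apache's own code; chain validation (SSLProxyVerify) is not covered.

```python
import ssl
from datetime import datetime, timezone

# Constructed sample in the shape returned by ssl.SSLSocket.getpeercert().
# "example.duckdns.org" is a placeholder for the Duck DNS name on the backend certificate.
SAMPLE_CERT = {
    "subject": ((("commonName", "example.duckdns.org"),),),
    "subjectAltName": (("DNS", "example.duckdns.org"),),
    "notBefore": "Jan  1 00:00:00 2024 GMT",
    "notAfter": "Mar 31 00:00:00 2024 GMT",
}


def _matches(pattern, host):
    """Exact match, or a '*.' wildcard covering exactly one left-most label."""
    pattern, host = pattern.lower(), host.lower()
    if pattern.startswith("*."):
        return "." in host and host.split(".", 1)[1] == pattern[2:]
    return pattern == host


def needed_relaxations(cert, proxy_host, now):
    """Return the SSLProxyCheck* directives that would fail for this backend.

    proxy_host is the host name used in ProxyPass ("homeassistant" in the post);
    now is a timezone-aware datetime.
    """
    needed = []
    names = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if not names:  # fall back to the CN only when the certificate has no SAN
        names = [v for rdn in cert.get("subject", ())
                 for k, v in rdn if k == "commonName"]
    if not any(_matches(n, proxy_host) for n in names):
        needed.append("SSLProxyCheckPeerName")
    not_before = ssl.cert_time_to_seconds(cert["notBefore"])
    not_after = ssl.cert_time_to_seconds(cert["notAfter"])
    if not (not_before <= now.timestamp() <= not_after):
        needed.append("SSLProxyCheckPeerExpire")
    return needed


if __name__ == "__main__":
    when = datetime(2024, 2, 1, tzinfo=timezone.utc)
    for host in ("homeassistant", "example.duckdns.org"):
        print(host, "->", needed_relaxations(SAMPLE_CERT, host, when) or "none")
```

Feed it the dictionary returned by `ssl.SSLSocket.getpeercert()` for a connection to the backend; any directive it does not list can be left at its default of on.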
