Home Assistant (HA)
Requirements
- You need to set up your own domain
- Point the domain's DNS servers to Cloudflare DNS (you can also register a new domain name at Cloudflare to make everything manageable in one web interface)
For secure HTTPS connections there are fixed port numbers you can use in Cloudflare; you can see the list here: https://developers.cloudflare.com/fundamentals/get-started/reference/network-ports/
The chosen port should not already be in use on your device.
If your Home Assistant is running on a public IP address, choose one of those ports for HA. To do so, go to File Editor and click the folder icon:
Open configuration.yaml
and add, under the http section, the setting server_port: {port number you chose}
HA must be restarted for the change to take effect.
If your HA is on a private network IP address, then no changes are needed. Just configure your router to forward the selected port to the internal address and port of HA.
Next, add a subdomain in Cloudflare and point it to your public IP.
Now the connection between the web browser and the Cloudflare proxy is encrypted:
But the connection from Cloudflare to your server is not yet encrypted. To ensure a fully secure connection, we first need to create an Origin certificate. Go to the SSL/TLS section, choose Origin Server and click the Create Certificate button.
The default settings are usually OK:
Click the Create button and the certificates are generated.
Copy down the private key and the certificate; both are needed. Do not share the private key with anyone! The private key cannot be downloaded again later.
The next step is installing the certificate and private key on the HA server. Open Terminal. If you do not have it, install the Terminal add-on and add it to the sidebar.
Verify that you are in the root folder; the command ls should show you, among others, the ssl directory.
Go to this directory using the command cd ssl. With the command ls you can see the content of this directory (in this screenshot the certificate files are already created).
Create a file for the public certificate with the command nano origin.pem
In the Nano editor, right-click (for me it takes clicking two times to avoid the nano popup menu from appearing) and paste the content of the Origin Certificate as plain text. Now hit Ctrl + X, then Y (Yes), and the file is saved. Finally, hit the Enter key and the Nano editor is closed.
Now create the private key file with the command nano cfprivatekey.pem, paste the private key content, then save and exit in the same manner as in the previous step. Verify with the ls command that the files are present.
Next, we need to add those files to the http configuration. Open File Editor and the configuration.yaml file again. Add ssl_certificate: /ssl/origin.pem and ssl_key: /ssl/cfprivatekey.pem under the http configuration.
The next step is to allow HA to work behind proxies by setting use_x_forwarded_for: true and listing all IP addresses Cloudflare uses.
The list of Cloudflare IPs can be found here: https://www.cloudflare.com/ips/
From the same page you can also get the list as text. Add this list under the trusted_proxies: section.
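The script below is an added example, not part of the original guide: it turns the pasted text list into the complete http: section and refuses entries that would make HA trust X-Forwarded-For from arbitrary clients. The port value 8443 and the sample ranges (documentation addresses standing in for the real Cloudflare list) are assumptions; the file paths are the ones used above.

```python
import ipaddress

# Constructed sample input: documentation ranges standing in for the text list
# copied from https://www.cloudflare.com/ips/ (paste the real list instead).
SAMPLE_LIST = """
192.0.2.0/24
198.51.100.0/24

2001:db8::/32
"""

def parse_proxy_list(text):
    """Return validated CIDR strings; raise ValueError on anything unsafe."""
    networks = []
    for line_no, raw in enumerate(text.splitlines(), 1):
        entry = raw.strip()
        if not entry or entry.startswith("#"):
            continue  # skip blank lines and comments
        try:
            # strict=True rejects entries with host bits set (e.g. 192.0.2.5/24)
            net = ipaddress.ip_network(entry, strict=True)
        except ValueError as exc:
            raise ValueError(f"line {line_no}: {entry!r} is not a valid CIDR") from exc
        # A catch-all range would let any client forge X-Forwarded-For.
        if net.prefixlen == 0:
            raise ValueError(f"line {line_no}: {entry!r} trusts every address")
        networks.append(str(net))
    if not networks:
        raise ValueError("proxy list is empty")
    return networks

def render_http_section(networks, port=8443):
    """Build the http: block; port 8443 is an assumed example value."""
    lines = [
        "http:",
        f"  server_port: {port}",
        "  ssl_certificate: /ssl/origin.pem",
        "  ssl_key: /ssl/cfprivatekey.pem",
        "  use_x_forwarded_for: true",
        "  trusted_proxies:",
    ]
    lines += [f"    - {net}" for net in networks]
    return "\n".join(lines) + "\n"

if __name__ == "__main__":
    print(render_http_section(parse_proxy_list(SAMPLE_LIST)))
```

Paste the printed block into configuration.yaml in place of any existing http: section, and omit server_port if you did not change the port.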
Now restart HA.
On Cloudflare, under SSL/TLS overview, set the encryption mode to Full (strict). Now the full path is secured and encrypted.
For full security, you should configure your router to allow only Cloudflare IP addresses to access the HA port.