10
Secure way to allow external access to Home Assistant (lemmy.ca)
submitted 1 year ago by sikhness@lemmy.ca to c/homeassistant@lemmy.world
26 comments fedilink hide all child comments

Hey all!

I'm fairly new to Home Assistant and have just created a few dashboards to be able to view my router statistics and be able to restart them via REST if need be. Love being able to do this seamlessly from one place.

It got me thinking however, that I can only really access the dashboard when I'm on my internal network. I know that there is a paid Home Assistant cloud that would enable me to view my dashboards and such publicly and securely, but I was wondering if this community has set it up themselves for free and securely.

Would anyone be able to guide me in the right direction?

you are viewing a single comment's thread
view the rest of the comments
[-] MystikIncarnate@lemmy.ca 3 points 1 year ago

I'm thinking to expose HA via a cloudflare tunnel; but I'm concerned as to what security implications this may have. I'm not sure what, if any, security issues the HA login page may have. I can easily put everything through a reverse proxy, which I already have set up for other reasons. I may migrate all my externally exposed webpages via cloudflare.

Have any lemmings used cloudflare for this? what is your experience with it?

[-] redcalcium@c.calciumlabs.com 3 points 1 year ago* (last edited 1 year ago)

Security is a rabbit hole and you can go very deep depending on your risk model (an ordinary middle class people has different cybersecurity risk than, say, a CEO of a major bank). Let's say you are an ordinary lemming that don't have to be worry about being specifically targeted by a hacker group or a nation state, you just don't want some botnets get into your network and take over your IoT stuff, I think the following is reasonable enough:

  • by deploying your HA instance using docker or VM, if it somehow got compromized by an automated botnets / malware, the infection will be contained and you can easily wipe it off and start again. Real hackers might be able to escape the sandbox but run of the mills botnets that always scan the internet for exploits usually don't.
  • setup OTP: https://www.home-assistant.io/docs/authentication/multi-factor-auth/
  • you can max out security level of HA login page (or the entire HA) using cloudflare's firewall rule: https://developers.cloudflare.com/firewall/cf-dashboard/create-edit-delete-rules/ . This should stop most bots from trying to bruteforce your login page.
  • assuming you're using cloudflare tunnel, you aren't actually exposing your entire machine to the internet, but just the homeassistant port. That being said, it'll be nice if you take some precaution and disable root ssh login and perhaps disallow password login too, just for peace of mind.
this post was submitted on 04 Jul 2023
10 points (91.7% liked)

homeassistant

11833 readers
14 users here now

Home Assistant is open source home automation that puts local control and privacy first. Powered by a worldwide community of tinkerers and DIY enthusiasts. Perfect to run on a Raspberry Pi or a local server. Available for free at home-assistant.io

founded 1 year ago
MODERATORS
GreatAlbatross@feddit.uk