Access Home Assistant through Apache Proxy

I have been securing my Home Assistant system using a certificate and a configuration that was entered directly into the configuration.yaml file. That has worked like a charm, and I could access my setup from outside the LAN using a secure SSL-encrypted connection. But recently I wanted to install an add-on to Home Assistant that did not deal very well with an https connection to Home Assistant, so I was looking for another way to configure access. I needed a LAN connection that was running unencrypted, but I still wanted my WAN connection encrypted.

The solution to this problem was to configure the Apache server that is my main web server to use its built-in proxy function. It is very well explained in this article in the Home Assistant documentation, but I just wanted to share my setup for others to copy. Find below a step-by-step guide:

  1. Edit your configuration.yaml file in the Home Assistant root folder, and make sure that the http section looks like this:
    http:
      api_password: your_secret_password
  2. If you changed anything, restart Home Assistant, and you can now access Home Assistant using: http://IP_ADDRESS:8123
  3. Now make sure you have the correct modules enabled so that Apache proxy can run. Log in to your server using SSH and type the following:
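    sudo a2enmod proxy
    sudo a2enmod proxy_http
    sudo a2enmod proxy_balancer
    sudo a2enmod lbmethod_byrequests
    sudo a2enmod rewrite
    # Needed for the ws:// targets used in step 4
    sudo a2enmod proxy_wstunnel
    # Needed for the SSL* directives used in step 4
    sudo a2enmod ssl
    # Restart your Apache server to activate the modules
    sudo systemctl restart apache2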
  4. Now we need to create a virtual host file that defines the external entry point. Create a .conf file in /etc/apache2/sites-available,
    for example /etc/apache2/sites-available/hass.conf, and enter the following in the file (remember to change the items in CAPITAL letters):

    <VirtualHost *:443>
        # TLS ends at Apache; traffic from Apache to Home Assistant is plain HTTP on the LAN
        SSLEngine On
        SSLCertificateFile /etc/ssl/certs/NAME_OF_CERTIFICATE.crt
        SSLCertificateKeyFile /etc/ssl/private/NAME_OF_CERTIFICATE.key
        SSLCertificateChainFile /etc/ssl/certs/NAME_OF_CERTIFICATE.ca-bundle

        ServerAdmin yourmail@example.com
        ServerName YOUR_EXTERNAL_DOMAIN_ADDRESS

        ProxyPreserveHost On
        # Reverse proxy only; never act as an open forward proxy
        ProxyRequests off
        # ProxyPass uses the first matching rule, so the more specific WebSocket path comes first
        ProxyPass /api/websocket ws://IP_OF_HASS:8123/api/websocket disablereuse=on
        ProxyPassReverse /api/websocket ws://IP_OF_HASS:8123/api/websocket
        ProxyPass / http://IP_OF_HASS:8123/ disablereuse=on
        ProxyPassReverse / http://IP_OF_HASS:8123/

        # Send WebSocket upgrade requests to ws://, everything else to http://
        RewriteEngine on
        RewriteCond %{HTTP:Upgrade} =websocket [NC]
        RewriteRule /(.*)  ws://IP_OF_HASS:8123/$1 [P,L]
        RewriteCond %{HTTP:Upgrade} !=websocket [NC]
        RewriteRule /(.*)  http://IP_OF_HASS:8123/$1 [P,L]

        ErrorLog /A_DIRECTORY_TO_STORE_LOG_FILE/error.log
        CustomLog /A_DIRECTORY_TO_STORE_LOG_FILE/access.log combined
    </VirtualHost>

    You can skip the first 4 lines starting with SSL if you don’t have an SSL certificate. Without them the virtual host serves unencrypted HTTP.

  5. Enable the new site by issuing the following command (using the filename you just created above):
    sudo a2ensite FILENAME.conf
  6. Restart Apache and you should be good to go:
    sudo systemctl restart apache2
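
A pre-flight check for steps 3 to 6, as an added example that is not part of the original post: it maps the directives in a virtual host file to the Apache modules they require and lists the ones absent from `apache2ctl -M` output. The function names and the sample data are constructed for illustration.

```sh
#!/bin/sh
# Added example, not from the original post. Function names are hypothetical.

# True if an active (non-comment) line of file $1 matches ERE $2, ignoring case.
active_has() { grep -v '^[[:space:]]*#' "$1" | grep -Eqi "$2"; }

# Print the a2enmod names the vhost file ($1) needs, one per line.
required_modules() {
    active_has "$1" '^[[:space:]]*SSLEngine[[:space:]]+on' && echo ssl
    active_has "$1" '^[[:space:]]*(ProxyPass|RewriteRule.*[[:space:]](https?|wss?)://)' && echo proxy
    active_has "$1" '^[[:space:]]*(ProxyPass|RewriteRule).*[[:space:]]https?://' && echo proxy_http
    active_has "$1" '^[[:space:]]*(ProxyPass|RewriteRule).*[[:space:]]wss?://' && echo proxy_wstunnel
    active_has "$1" '^[[:space:]]*RewriteEngine[[:space:]]+on' && echo rewrite
    return 0
}

# Print required modules that are absent from "apache2ctl -M" style output ($2).
missing_modules() {
    for mod in $(required_modules "$1"); do
        printf '%s\n' "$2" | grep -Eq "^[[:space:]]*${mod}_module[[:space:]]" || echo "$mod"
    done
}

# Constructed sample: a trimmed version of the virtual host from step 4.
sample_conf() {
    cat <<'EOF'
<VirtualHost *:443>
    SSLEngine On
    ProxyPass /api/websocket ws://IP_OF_HASS:8123/api/websocket disablereuse=on
    ProxyPass / http://IP_OF_HASS:8123/ disablereuse=on
    RewriteEngine on
    RewriteRule /(.*)  ws://IP_OF_HASS:8123/$1 [P,L]
</VirtualHost>
EOF
}
# Constructed "apache2ctl -M" output in which rewrite and proxy_wstunnel are not loaded.
sample_loaded() {
    cat <<'EOF'
Loaded Modules:
 core_module (static)
 ssl_module (shared)
 proxy_module (shared)
 proxy_http_module (shared)
EOF
}

tmp=$(mktemp); sample_conf > "$tmp"
missing_modules "$tmp" "$(sample_loaded)"
rm -f "$tmp"
```

On a real host, call it as `missing_modules /etc/apache2/sites-available/hass.conf "$(apache2ctl -M)"` and enable whatever it prints with `a2enmod` before restarting Apache.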

 
