Skip to content

Latest commit

 

History

History
362 lines (271 loc) · 13.7 KB

DOCS.md

File metadata and controls

362 lines (271 loc) · 13.7 KB
Raw

Home Assistant Add-on: Cloudflared

Cloudflared connects your Home Assistant Instance via a secure tunnel to a domain or subdomain at Cloudflare. This allows you to expose your Home Assistant instance and other services to the Internet without opening ports on your router. Additionally, you can utilize Cloudflare Zero Trust to further secure your connection.

Disclaimer

Please make sure you comply with the Cloudflare Self-Serve Subscription Agreement when using this add-on.

Initial setup

Prerequisites

  1. A domain name (e.g. example.com) using Cloudflare for DNS. If you don't have one see Domain name and Cloudflare set up. Please be aware that domains from Freenom do not work anymore, so you have to chose / migrate to another registrar.
  2. Decide between a local tunnel (managed by the add-on) or a remote tunnel (managed in Cloudflare's interface). Learn more.
  3. This add-on should be installed but not started yet.

After completing the prerequisites, proceed below based on the type of tunnel you chose.

Local tunnel add-on setup (recommended)

In the following steps a Cloudflare Tunnel will be automatically created by the add-on to expose your Home Assistant instance.

If you only want to expose other services, you can leave external_hostname empty and set additional_hosts as described below.

  1. Configure the http integration in your Home Assistant config as described below
  2. Set external_hostname add-on option to the domain/subdomain you want to use for remote access e.g. ha.example.com
  3. Start the add-on (this will overwrite any existing DNS entries matching external_hostname or additional_hosts)
  4. Paste the URL from the add-on logs in a new tab to authenticate with Cloudflare
  5. Access your Home Assistant via the remote URL without port e.g. https://ha.example.com/

A tunnel should now be listed in your Cloudflare Teams dashboard. Please review the additional configuration options below.

Remote tunnel add-on setup (advanced)

In the following steps you will manually create a Cloudflare Tunnel in the Zero Trust Dashboard and provide the token to the add-on.

  1. Configure the http integration in to your Home Assistant config as described below
  2. Create a Cloudflare Tunnel in the Cloudflare Teams dashboard following this how-to
  3. Set tunnel_token add-on option to your tunnel token (all other configuration will be ignored)
  4. Start the add-on, check the logs to confirm everything went as expected
  5. Access your Home Assistant via the remote URL without port e.g. https://ha.example.com/

Your tunnel should now be associated with the Cloudflared add-on. Any configuration changes should be made in the Cloudflare Teams dashboard.

Configuration

These configuration options only apply to the local tunnel setup. More advanced config can be achieved using the remote tunnel setup.

Overview: Add-on configuration

Note: Remember to restart the add-on when the configuration is changed.

Example add-on configuration:

external_hostname: ha.example.com
additional_hosts:
  - hostname: router.example.com
    service: http://192.168.1.1
  - hostname: website.example.com
    service: http://192.168.1.3:8080

Note: This is just an example, don't copy and paste it! Create your own!

Option: external_hostname

Set the external_hostname option to the domain name or subdomain that you want to use to access Home Assistant on.

This is optional, additional_hosts can be used instead to only expose other services.

Note: The tunnel name needs to be unique in your Cloudflare account.

external_hostname: ha.example.com

Option: additional_hosts

You can use the internal reverse proxy of Cloudflare Tunnel to define additional hosts next to Home Assistant. That way, you can use the tunnel to also access other systems like a diskstation, router or anything else.

Like the external_hostname option used for Home Assistant, DNS entries will be automatically created at Cloudflare.

Add the (optional) disableChunkedEncoding option to a hostname, to disable chunked transfer encoding. This is useful if you are running a WSGI server, like Proxmox for example. Visit Cloudflare Docs for further information.

Please find below an example entry for three additional hosts:

additional_hosts:
  - hostname: router.example.com
    service: http://192.168.1.1
  - hostname: diskstation.example.com
    service: https://192.168.1.2:5001
  - hostname: website.example.com
    service: http://192.168.1.3:8080
    disableChunkedEncoding: true

Note: If you delete a hostname from the list, it will not be served anymore. Nevertheless, you should also manually delete the DNS entry from Cloudflare since it can not be deleted by the add-on.

Option: tunnel_name

The tunnel_name option allows changing the tunnel name to something other than the default of homeassistant.

Note: The tunnel name needs to be unique in your Cloudflare account.

tunnel_name: myHomeAssistant

Option: catch_all_service

If you want to forward all requests from any hostnames not defined in the external_hostname or the additional_hosts, you can use this option and define a URL to forward to. For example, this can be used for reverse proxies.

Note: If you want to use the HA add-on Nginx Proxy Manager as reverse proxy, you should set the flag nginx_proxy_manager (see below) and not use this option.

catch_all_service: http://192.168.1.100

Note: This will still route your defined external_hostnameto Home Assistant as well as any potential additional_hosts to where you defined in the config. Any other incoming traffic will be routed to the defined service.

In order to route hostnames through the tunnel, you have to create individual CNAME records in Cloudflare for all of them, pointing to your external_hostname or directly to the tunnel URL that you can get from the CNAME entry of external_hostname.

Alternatively you can add a wildcard DNS record in Cloudflare by adding a CNAME record with * as name.

Option: nginx_proxy_manager

If you want to use Cloudflare Tunnel with the add-on Nginx Proxy Manager, you can do so by setting this option. It will automatically set the catch_all_service to the internal URL of Nginx Proxy Manager. You do not have to add the option catch_all_service to your config (if you add it anyways, it will be ignored).

nginx_proxy_manager: true

Note: As with catch_all_service, this will still route your defined external_hostnameto Home Assistant as well as any potential additional_hosts to where you defined in the config. Any other incoming traffic will be routed to Nginx Proxy Manager.

In order to route hostnames through the tunnel, you have to create individual CNAME records in Cloudflare for all of them, pointing to your external_hostname or directly to the tunnel URL that you can get from the CNAME entry of external_hostname.

Alternatively you can add a wildcard DNS record in Cloudflare by adding a CNAME record with * as name.

Finally, you have to set-up your proxy hosts in Nginx Proxy Manager and forward them to wherever you like.

Option: post_quantum

If you want Cloudflared to use post-quantum cryptography for the tunnel, set this flag.

Note: When post_quantum is set, cloudflared restricts itself to QUIC transport for the tunnel connection. This might lead to problems for some users. Also, it will only allow post-quantum hybrid key exchanges and not fall back to a non post-quantum connection.

post_quantum: true

Option: run_parameters

You can add additional run parameters to the cloudflared demon using this parameter. Check the Cloudflare documentation for all available parameters and their explanation.

Valid parameters to add are:

  • --​​edge-bind-address
  • --edge-ip-version
  • --grace-period
  • --logfile
  • --loglevel
  • --pidfile
  • --protocol
  • --region
  • --retries
  • --tag
  • --ha-connections

Note: These parameters are added to the by default present parameters "no-autoupdate", "metrics" and "loglevel". Additionally, for a locally managed tunnel "origincert" and "config" are added while "token" is added for remote managed tunnels. You cannot override these parameters with this option.

Note: If you are using an option that requires a path, you can use /config as root. This path can be accessed, for example, via the VS-code add-on via /addon_configs.

run_parameters:
  - "--region=us"
  - "--protocol=http2"
  - "--loglevel=debug"

Option: log_level

The log_level option controls the level of log output by the addon and can be changed to be more or less verbose, which might be useful when you are dealing with an unknown issue.

Note: If you want to change the log level of the tunnel itself you can use the run_parameters --loglevel option.

log_level: debug

Possible values are:

  • trace: Show every detail, like all called internal functions.
  • debug: Shows detailed debug information.
  • info: Normal (usually) interesting events.
  • warning: Exceptional occurrences that are not errors.
  • error: Runtime errors that do not require immediate action.
  • fatal: Something went terribly wrong. Add-on becomes unusable.

Please note that each level automatically includes log messages from a more severe level, e.g., debug also shows info messages. By default, the log_level is set to info, which is the recommended setting unless you are troubleshooting.

Home Assistant configuration

configuration.yaml

Since Home Assistant blocks requests from proxies/reverse proxies, you need to tell your instance to allow requests from the Cloudflared add-on. The add-on runs locally, so HA has to trust the docker network. In order to do so, add the following lines to your /config/configuration.yaml:

Note: There is no need to adapt anything in these lines since the IP range of the docker network is always the same.

http:
  use_x_forwarded_for: true
  trusted_proxies:
    - 172.30.33.0/24

Remember to restart Home Assistant when the configuration is changed.

If you need assistance changing the config, please follow the Advanced Configuration Tutorial.

Add-On Wiki

For more advance How-Tos and a Troubleshooting Section, please visit the Add-On Wiki on GitHub.

Authors & contributors

The original setup of this repository is by Tobias Brenner.

For a full list of all authors and contributors, check the contributor's page.

License

MIT License

Copyright (c) 2024 Tobias Brenner

Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions:

The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software.

THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.