Additionally secure home assistant cloudflared instance by password before entering home network.

[DarthSonic]

See: https://www.maxivanov.io/how-to-password-protect-your-website-with-cloudflare-workers/

Maybe this is an addition to your documentation how to further secure cloudflared home assistant instance. The WAF is fine but if you really want to secure your instance and home network to specific users, before the attacker enters the network, you need to configure client certificate - which can be difficult on some devices and limits access to device with this certificate installed - or you can add a worker to your custom domain that needs additional username and password (basis auth) BEFORE accessing your home network.

Should be alternate username and password. Different from the one used for HA ;-)

Worker is free for a limited amount of request (100,000 / day) and processing time (10 ms CPU time / invocation). Both should never be reached for this use case.

Maybe something for your documentation.

Regards,
Sven

[brenner-tobias]

Thanks a lot for pointing this out. To be honest, I think adding a Cloudflare application with another login method to even access HomeAssistant (for me, this is GitHub with 2FA enabled) is secure enough as we have linked in our Wiki.
Now reading the wiki there, it might be a good idea to extend this and also position it clearly in the general documentation, so I will look into this when changing documentation.

[DarthSonic]

I see your point, but with access to home assistant login, the attacker has the possibility to exploit possible vulnerabilities of home assistant and the OS even before authentication to home assistant. This is why I added the extra layer of security.

And when you add additional hosts, they could be exploited as well once the attacker has access to them (authenticated or not).

It is only a recommendation for extra security.

[brenner-tobias]

I agree and this is exactly what you are preventing if you are creating a Cloudflare Application with an additional identity provider:
Before the HA login is even showing, you have to identify agains the Cloudflare Reverse Proxy with whatever identity provider you are choosing, including 2FA. Only after you have identified (and also access with this specific account) you are forwarded to the HA login.
The same goes for the additional hosts, since you can configure individual applications in Cloudflare for that as well.

[DarthSonic]

Ah okay. Then I will inform me about that "Identity Provider" feature of Cloudflare. That should help. Sorry for bothering you. But that would really make a nice addition to you documentation ;-)

[rlause]

Securing access to Home Assistant with Cloudflares ZeroTrust is a simple way to achive more security.

I wonder how access by Google is possible after adding this. As when you want to use Google Assistant and Google Home, the Google cloud will need to have free access to your local Home Assistant installation...

[DarthSonic]

You could whitelist the API URL needed for that. You still have auth of HA and secure tunnel working but without additional identity provider.

But this use case was not in my mind when setting up a tunnel to access my HA instance from external. I keep all my devices and automations local currently.

I never used Google Home or Assistant with HA. Using Alexa is no problem with Node Red as it will provide a new device that can be triggered by voice then. Alexa does not require direct access to HA instance. Maybe this can be done with Google Home also.

For me I am using Client Certificate to authenticate at Cloudflare Access due to problems with Google Login. HA app does load within a webview and that is not permitted for Google Login.