Secure Remote Access with Home Assistant: Mastering Reverse Proxies and SSL

Why Secure Remote Access Matters

Accessing your Home Assistant instance when you're away from home is essential for true smart home control. While Home Assistant Cloud offers a convenient, subscription-based solution with built-in security and voice assistant integration, many users prefer a self-hosted, free alternative for accessing their instance securely over the internet.

Directly exposing your Home Assistant port (usually 8123) to the internet is highly discouraged: unless you also configure certificates inside Home Assistant, the connection is plain HTTP, and the application's login form and API become reachable by every scanner on the internet. This is where a reverse proxy comes in.

The Role of a Reverse Proxy

A reverse proxy sits between the internet and your Home Assistant instance. All incoming requests from the internet first go to the reverse proxy, which then forwards them to Home Assistant on your local network. This provides several key benefits:

  • Security: The reverse proxy is the only service bound to your forwarded ports, so Home Assistant's own web server never faces the internet directly. It does not hide Home Assistant's login page or API, though: every HTTP request is still forwarded, so the proxy reduces exposure (TLS, request filtering, one hardened entry point) but strong authentication on Home Assistant itself remains essential.
  • SSL/TLS Termination: It handles the encryption and decryption of traffic (HTTPS), ensuring your connection is secure. This is crucial for protecting your login credentials and data.
  • Single Entry Point: You only need to open standard web ports (80 for HTTP, 443 for HTTPS) on your router, simplifying firewall configuration.
  • Custom Domain Access: Allows you to access Home Assistant using a memorable domain name instead of an IP address.
  • Load Balancing (Advanced): While overkill for a single Home Assistant instance, reverse proxies are used in larger setups for distributing traffic.

Prerequisites for Self-Hosted Remote Access

Before you set up your reverse proxy, you'll need a few things:

  1. A Domain Name: You'll need to own a domain name (e.g., yourname.com) or choose a subdomain from a dynamic DNS provider.
  2. Dynamic DNS (DDNS): Most home internet connections have dynamic IP addresses that change periodically. A DDNS service maps your domain name to your dynamic public IP address, automatically updating when the IP changes. Many routers and network attached storage (NAS) devices have built-in DDNS clients, or you can run software on your network.
  3. Port Forwarding: You need to configure your router to forward incoming traffic on ports 80 (for certificate validation) and 443 (for HTTPS) from the internet to the internal IP address of the device running your reverse proxy.
  4. A Device for the Reverse Proxy: This can be the same machine running Home Assistant (e.g., via a Docker container or Add-on) or a separate machine on your network.

Choosing and Setting Up a Reverse Proxy

Several popular options exist, including Nginx, Apache, Caddy, and specialized tools like Nginx Proxy Manager. For Home Assistant users, Nginx Proxy Manager (NPM) is a popular choice due to its user-friendly web interface for managing proxy hosts and SSL certificates (using Let's Encrypt).

Setting up Nginx Proxy Manager (NPM) as a Home Assistant Add-on (for HA OS/Supervised)

  1. Go to Settings -> Add-ons -> Add-on Store.
  2. Search for "Nginx Proxy Manager" and install it. The add-on comes from the Home Assistant Community Add-ons repository and depends on the MariaDB add-on, so install and start MariaDB first.
  3. Start the add-on.
  4. Open the NPM Web UI. The default login is admin@example.com with password changeme. Change these immediately, before you forward any ports: until you do, anyone who can reach the admin UI controls your proxy.

Setting up Nginx Proxy Manager using Docker

If you run Home Assistant in Docker or on a separate server, you can run NPM in Docker:

docker network create <your_network_name>
docker run -d \
  --name nginx-proxy-manager \
  --restart unless-stopped \
  -p 80:80 \
  -p 443:443 \
  -p 127.0.0.1:81:81 \
  -e PUID=1000 \
  -e PGID=1000 \
  -v <your_data_dir>:/data \
  -v <your_letsencrypt_dir>:/etc/letsencrypt \
  --network <your_network_name> \
  jc21/nginx-proxy-manager:latest

Replace the placeholders with your preferred settings. Ports 80 and 443 are the only ones your router should forward to this host; port 81 is the admin UI and is bound to 127.0.0.1 here so that it is reachable only from the Docker host (use a LAN address instead if you manage it from another machine, but never forward it). The second volume persists the Let's Encrypt certificates and account across container upgrades. Connect both NPM and your Home Assistant container to the same Docker network; you can then use the Home Assistant container name as the forward hostname. If Home Assistant runs with --network host, as it commonly does, forward to the host's LAN IP instead.

Configuring Nginx Proxy Manager for Home Assistant

Once NPM is running and accessible (usually on port 81 internally), log in to the web UI:

  1. Go to Hosts -> Proxy Hosts.
  2. Click Add Proxy Host.
  3. In the Details tab:

    • Domain Names: Enter the domain name or subdomain you set up (e.g., ha.yourname.com).
    • Scheme: Choose http. NPM terminates HTTPS; the hop between NPM and Home Assistant stays on your LAN.
    • Forward Hostname / IP: Enter the local IP address of your Home Assistant instance (e.g., 192.168.1.100).
    • Forward Port: Enter the Home Assistant port (usually 8123).
    • Ensure Cache Assets, Block Common Exploits, and Websockets Support are enabled. Websocket support is crucial for the Home Assistant UI and features.
  4. In the SSL tab:

    • SSL Certificate: Choose Request a new SSL certificate.
    • Enable Force SSL.
    • Enter your email address.
    • Agree to the Let's Encrypt Terms of Service.
    • Enable Use HSTS (Strict Transport Security). This is an important security header that forces browsers to connect via HTTPS once they've visited your site.
  5. In the Advanced tab (Optional but Recommended):

    • You can add custom Nginx configuration directives here if needed, but the default settings are usually sufficient for Home Assistant.
  6. Click Save. NPM will attempt to obtain a Let's Encrypt certificate. This requires that your domain already resolves to your public IP and that port 80 is forwarded to the NPM instance (Let's Encrypt's HTTP-01 challenge connects on port 80); port 443 must be forwarded for the site itself.

If the certificate issuance is successful, you should now be able to access your Home Assistant instance securely using your custom domain name (e.g., https://ha.yourname.com).
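Before trusting the setup, verify from outside your LAN that the SSL tab's choices are actually enforced. The following script is an added example, not part of the original guide or of Nginx Proxy Manager: it parses HTTP response heads and reports whether the HTTPS response carries Strict-Transport-Security with a reasonable max-age, whether plain HTTP redirects to https:// (Force SSL), and whether the raw port 8123 is closed. The 180-day HSTS threshold and the sample responses are constructed assumptions; fetch_head and port_open need network access and must be run from outside your network (a phone hotspot works) against your own domain.

```python
"""Post-setup check for a Home Assistant reverse proxy (added example)."""
import http.client
import re
import socket
import ssl

MIN_HSTS_MAX_AGE = 15552000   # 180 days; assumed threshold for this check


def parse_response(raw: str):
    """Split a raw HTTP response head into (status_code, {lower-name: value})."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    status = int(lines[0].split()[1])
    headers = {}
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return status, headers


def audit_https(status, headers):
    """Findings for the HTTPS response; an empty list means it passed."""
    findings = []
    hsts = headers.get("strict-transport-security")
    if hsts is None:
        findings.append("HSTS header missing: enable 'Use HSTS' on the proxy host")
    else:
        m = re.search(r"max-age=(\d+)", hsts)
        if not m or int(m.group(1)) < MIN_HSTS_MAX_AGE:
            findings.append(f"HSTS max-age too short: {hsts!r}")
    server = headers.get("server", "")
    if re.search(r"/\d", server):          # e.g. "nginx/1.25.3" advertises a version
        findings.append(f"Server header leaks a version: {server!r}")
    return findings


def audit_http_redirect(status, headers):
    """Findings for the plain-HTTP response; Force SSL should redirect to https."""
    location = headers.get("location", "")
    if status in (301, 302, 307, 308) and location.lower().startswith("https://"):
        return []
    return [f"port 80 did not redirect to HTTPS (status {status}, Location {location!r})"]


def fetch_head(host, port, use_tls, path="/"):
    """Live HEAD request; returns (status, headers). Network access required."""
    if use_tls:
        conn = http.client.HTTPSConnection(host, port, timeout=10,
                                           context=ssl.create_default_context())
    else:
        conn = http.client.HTTPConnection(host, port, timeout=10)
    conn.request("HEAD", path, headers={"Host": host})
    resp = conn.getresponse()
    headers = {k.lower(): v for k, v in resp.getheaders()}
    conn.close()
    return resp.status, headers


def port_open(host, port, timeout=3.0):
    """True if a TCP connect succeeds; 8123 should be closed from the internet."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


# Constructed sample responses: a correct proxy and two misconfigured ones.
GOOD_HTTPS = ("HTTP/1.1 200 OK\r\nServer: openresty\r\n"
              "Strict-Transport-Security: max-age=63072000; includeSubDomains; preload\r\n"
              "Content-Type: text/html\r\n\r\n")
NO_HSTS = "HTTP/1.1 200 OK\r\nServer: nginx/1.25.3\r\nContent-Type: text/html\r\n\r\n"
GOOD_HTTP = "HTTP/1.1 301 Moved Permanently\r\nLocation: https://ha.yourname.com/\r\n\r\n"
BAD_HTTP = "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n"


def audit_samples():
    """Run both audits over the constructed samples; returns findings per sample."""
    return {
        "good_https": audit_https(*parse_response(GOOD_HTTPS)),
        "no_hsts": audit_https(*parse_response(NO_HSTS)),
        "good_http": audit_http_redirect(*parse_response(GOOD_HTTP)),
        "bad_http": audit_http_redirect(*parse_response(BAD_HTTP)),
    }


if __name__ == "__main__":
    for name, findings in audit_samples().items():
        print(name, "->", findings or "ok")
    # Live use, from outside your LAN (replace the hostname):
    # print(audit_https(*fetch_head("ha.yourname.com", 443, True)))
    # print(audit_http_redirect(*fetch_head("ha.yourname.com", 80, False)))
    # print("8123 exposed:", port_open("ha.yourname.com", 8123))
```

A passing run reports "ok" for the HTTPS and redirect checks and False for port 8123. If port_open returns True, a forwarding rule for 8123 is still in place and the proxy is being bypassed.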

Configuring Home Assistant for Reverse Proxy

You need to tell Home Assistant its external and internal URLs, and which addresses it may trust as a reverse proxy. Without this, Home Assistant answers requests that arrive with an X-Forwarded-For header with "400: Bad Request". Edit your Home Assistant configuration.yaml file:

homeassistant:
  # ... other configurations

  external_url: "https://ha.yourname.com/"
  internal_url: "http://<your_internal_ha_ip>:8123/" # Or https if using internal SSL

http:
  # ... other http configurations

  # Take the real client address from the X-Forwarded-For header that the proxy
  # adds, but only when the request comes from an address listed below.
  use_x_forwarded_for: true
  trusted_proxies:
    - 192.168.1.200 # Example: replace with the local IP of the machine running NPM
    # NPM as a Home Assistant add-on: requests arrive from the Supervisor's
    # add-on network, so trust that subnet instead of a single host:
    # - 172.30.33.0/24
    # NPM in Docker on the same host as Home Assistant: trust the NPM container's
    # address or the subnet of the shared Docker network (`docker network inspect`).
    # Only if the proxy runs on this host with host networking:
    # - 127.0.0.1
    # - ::1

Replace https://ha.yourname.com/ with your external domain and <your_internal_ha_ip> with Home Assistant's local IP, and list the address the proxy's requests actually come from in trusted_proxies. Keep that list as narrow as possible: Home Assistant uses the forwarded address for its login-attempt counter and IP bans, so an entry such as 0.0.0.0/0 lets any client choose which address gets banned, or none at all. Restart Home Assistant after modifying configuration.yaml.
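To see why the scope of trusted_proxies matters, here is an added illustration (not Home Assistant's own code; it approximates how a proxy-aware server should derive the client address from X-Forwarded-For): the header is honoured only when the connecting peer is a trusted proxy, and the chain is walked from the right, skipping trusted hops, so that values a client supplied itself are never believed. The addresses are constructed: 192.168.1.200 is the NPM host from the snippet above, 203.0.113.7 stands for an attacker on the internet, and 10.0.0.1 is the address the attacker tries to impersonate.

```python
from ipaddress import ip_address, ip_network

# Hypothetical model of proxy-aware client-IP resolution (added example,
# not Home Assistant's implementation). It demonstrates the effect of a
# narrow versus an over-broad trusted_proxies list.


def _is_trusted(addr, trusted_proxies):
    ip = ip_address(addr)
    return any(ip in ip_network(net, strict=False) for net in trusted_proxies)


def resolve_client_ip(peer_ip, x_forwarded_for, trusted_proxies):
    """Return the address the application should treat as 'the client'.

    peer_ip          -- the TCP peer that connected to the application
    x_forwarded_for  -- raw X-Forwarded-For header value, or None
    trusted_proxies  -- addresses / CIDRs allowed to set that header
    """
    # Header from an untrusted peer: ignore it completely and use the peer.
    if not x_forwarded_for or not _is_trusted(peer_ip, trusted_proxies):
        return peer_ip

    # Chain as the proxy saw it: [client-supplied..., real connecting ip];
    # the connecting peer itself is the final hop.
    hops = [h.strip() for h in x_forwarded_for.split(",")] + [peer_ip]
    # Walk from the right; the first hop that is not a trusted proxy is the
    # client. Everything left of it was supplied by that client.
    for hop in reversed(hops):
        if not _is_trusted(hop, trusted_proxies):
            return hop
    # Every hop is trusted (e.g. trusted_proxies is 0.0.0.0/0): there is no
    # trust boundary, so the leftmost, attacker-controlled value wins.
    return hops[0]


NPM_HOST = "192.168.1.200"   # reverse proxy from the configuration above
ATTACKER = "203.0.113.7"     # constructed: attacker's real public address
SPOOFED = "10.0.0.1"         # constructed: address the attacker claims to be

GOOD_CONFIG = [NPM_HOST]     # trusted_proxies as recommended
BAD_CONFIG = ["0.0.0.0/0"]   # "make the warning go away" configuration


def demo():
    """Four scenarios; returns the client address seen in each."""
    results = {}
    # 1. Honest request through NPM: nginx appends the real client address.
    results["via_proxy"] = resolve_client_ip(NPM_HOST, ATTACKER, GOOD_CONFIG)
    # 2. Attacker sends a forged header through NPM; nginx's
    #    $proxy_add_x_forwarded_for appends the real address after it.
    results["spoof_good"] = resolve_client_ip(
        NPM_HOST, f"{SPOOFED}, {ATTACKER}", GOOD_CONFIG)
    # 3. Same forged request, but trusted_proxies is 0.0.0.0/0: spoof succeeds.
    results["spoof_bad"] = resolve_client_ip(
        NPM_HOST, f"{SPOOFED}, {ATTACKER}", BAD_CONFIG)
    # 4. Attacker reaches 8123 directly (port forwarded by mistake) and sends
    #    the header: the peer is untrusted, so the header is ignored.
    results["direct"] = resolve_client_ip(ATTACKER, SPOOFED, GOOD_CONFIG)
    return results


if __name__ == "__main__":
    for name, ip in demo().items():
        print(f"{name:12s} -> client seen as {ip}")
```

Scenario 3 is the one to remember: with 0.0.0.0/0 in trusted_proxies the attacker is logged, rate-limited and banned as 10.0.0.1, an address they never used, so login-attempt counting and ip_ban protect nothing. With the proxy's single address trusted, the same forged header is discarded and the real 203.0.113.7 is recorded.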

Best Practices for a Reliable and Secure Setup

  • Keep Everything Updated: Regularly update Home Assistant, Nginx Proxy Manager (or your chosen reverse proxy software), and the underlying operating system.
  • Use Strong Passwords and MFA: Always use strong, unique passwords for Home Assistant and enable multi-factor authentication for all users.
  • Regular Backups: Implement a robust backup strategy for your Home Assistant configuration.
  • Monitor Logs: Periodically check the logs of Home Assistant and your reverse proxy for any suspicious activity or errors.
  • Firewall: Only forward the necessary ports (80 and 443) on your router, and only to the reverse proxy; never forward 8123 itself, or the proxy is bypassed. Keep the NPM admin UI (port 81) reachable from your LAN only. Consider adding firewall rules to restrict access based on geographic location if applicable.
  • Internal vs. External URL: Configuring both external_url and internal_url ensures that Home Assistant generates correct links depending on how you access it (locally or remotely), improving reliability and sometimes performance on the local network.
  • HSTS: Ensure HSTS is enabled on your reverse proxy. This forces modern browsers to only connect via HTTPS, mitigating man-in-the-middle attacks that try to downgrade your connection to HTTP.
  • Dynamic DNS Client: Verify your DDNS client is running correctly and updating your public IP address with the DDNS provider reliably.

Conclusion

Setting up secure remote access to Home Assistant using a reverse proxy and SSL is a powerful way to maintain control over your smart home data and security without relying on cloud services. While it requires a bit more initial setup than cloud alternatives, it provides flexibility, enhanced security, and keeps your sensitive smart home data within your own network boundaries. By following these steps and best practices, you can build a reliable and secure foundation for accessing your smart home from anywhere.

Written by: NGC 224