Post

Home Assistant Reverse Proxy with traefik

This post assumes traefik is up and running on the docker and Home Assistant is running on another host on a VM.

traefik

file config

traefik providers config should looks like this in traefik.yml

1
2
3
4
5
6
7
providers:
  docker:
    endpoint: "unix:///var/run/docker.sock"
    exposedByDefault: false
  file:
    directory: /config
    watch: true

docker-compose volumes

1
2
3
4
5
6
volumes:
    - /etc/localtime:/etc/localtime:ro
    - /var/run/docker.sock:/var/run/docker.sock:ro
    - /home/user/traefik/traefik.yml:/traefik.yml:ro
    - /home/user/traefik/data/acme.json:/acme.json
    - /home/user/traefik/data/config:/config:ro

traefik would watch any change of files in traefik/data/config (Mounted at /config directory inside the traefik container) and make changes accordingly.

Home Assistant

traefik config

Create a new file hass.yml at /home/user/traefik/data/config/ with the following

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
http:
  routers:
    ha-router:
      entryPoints:
        - "https"
      service: ha-service
      rule: "Host(`hass.example.net`)"
      tls: {}
      middlewares:
        - default-headers
        - https-redirect
  services:
    ha-service:
      loadBalancer:
        servers:
          - url: http://10.20.20.23:8123

  middlewares:
    https-redirect:
      redirectScheme:
        scheme: https
        permanent: true

    default-headers:
      headers:
        frameDeny: true
        sslRedirect: true
        browserXssFilter: true
        contentTypeNosniff: true
        forceSTSHeader: true
        stsIncludeSubdomains: true
        stsPreload: true
        stsSeconds: 15552000
        customFrameOptionsValue: SAMEORIGIN
        customRequestHeaders:
          X-Forwarded-Proto: https

    default-whitelist:
      ipWhiteList:
        sourceRange:
        - "10.0.0.0/8"
        - "192.168.0.0/16"
        - "172.16.0.0/12"
        - "100.64.0.0/10"

    secured:
      chain:
        middlewares:
        - default-headers

Make necessary changes such as url, ip of the Home Assistant and ipWhiteList according to your network. Headers are curtesy of Techno Tim.

home assistant will be available are the given url e.g. hass.example.net. But hass throws Bad Request error. Reason being it only allows reverse proxying from whitelisted ip ranges.

configuration

Add following http config to Home Assistant’s configuration.yaml

1
2
3
4
5
6
http:
  use_x_forwarded_for: true
  trusted_proxies:
    - 10.20.20.0/24
    - 192.168.0.0/24
    - 172.30.33.0/24

Please add required networks and docker network both to the trusted_proxies and restart the hass instance.

After few minutes Home Assistant will be available at https://hass.example.net.

Conclusion

Any queries, feel free to drop a comment. Au Revoir.

This post is licensed under MIT by the author.