Support multiple TLS/SSL configurations on the webserver

aiohttp already supports multiple `TCPSite`s for a single server

This allows Home Assistant to listen on multiple ports with different ssl configuration per port so that devices that need a less secure configuration can be isolated to a single port.

Motivation:
 - No need to downgrade the entire ssl configuration for a single device that needs a less secure configuration
 - Make external access require a client certificate but internal access allowed without it
 - Support an ONVIF camera that does not do SSL
 - Webhooks that do not work with SSL (i.e. Reolink)
J. Nick Koston 2023-05-19 14:21:39 -05:00
parent f631b6e5db
commit 745541b901

@ -31,28 +31,34 @@ http:
```
{% configuration %}
server_host:
description: "Only listen to incoming requests on specific IP/host. By default the `http` integration auto-detects IPv4/IPv6 and listens on all connections. Use `server_host: 0.0.0.0` if you want to only listen to IPv4 addresses. The default listed assumes support for IPv4 and IPv6."
required: false
type: [list, string]
default: "0.0.0.0, ::"
server_port:
description: Let you set a port to use.
required: false
type: integer
default: 8123
ssl_certificate:
description: Path to your TLS/SSL certificate to serve Home Assistant over a secure connection. If using the [Let's Encrypt add-on](https://github.com/home-assistant/addons/tree/master/letsencrypt) this will be at `/ssl/fullchain.pem`. We recommend to use the [NGINX add-on](https://github.com/home-assistant/addons/tree/master/nginx_proxy) instead of using this option.
required: false
type: string
ssl_peer_certificate:
description: Path to the client/peer TLS/SSL certificate to accept secure connections from.
required: false
type: string
ssl_key:
description: Path to your TLS/SSL key to serve Home Assistant over a secure connection. If using the [Let's Encrypt add-on](https://github.com/home-assistant/addons/tree/master/letsencrypt) this will be at `/ssl/privkey.pem`.
required: false
type: string
servers:
server_host:
description: "Only listen to incoming requests on specific IP/host. By default the `http` integration auto-detects IPv4/IPv6 and listens on all connections. Use `server_host: 0.0.0.0` if you want to only listen to IPv4 addresses. The default listed assumes support for IPv4 and IPv6."
required: false
type: [list, string]
default: "0.0.0.0, ::"
server_port:
description: Let you set a port to use.
required: false
type: integer
default: 8123
ssl_certificate:
description: Path to your TLS/SSL certificate to serve Home Assistant over a secure connection. If using the [Let's Encrypt add-on](https://github.com/home-assistant/addons/tree/master/letsencrypt) this will be at `/ssl/fullchain.pem`. We recommend to use the [NGINX add-on](https://github.com/home-assistant/addons/tree/master/nginx_proxy) instead of using this option.
required: false
type: string
ssl_peer_certificate:
description: Path to the client/peer TLS/SSL certificate to accept secure connections from.
required: false
type: string
ssl_key:
description: Path to your TLS/SSL key to serve Home Assistant over a secure connection. If using the [Let's Encrypt add-on](https://github.com/home-assistant/addons/tree/master/letsencrypt) this will be at `/ssl/privkey.pem`.
required: false
type: string
ssl_profile:
description: The [Mozilla SSL profile](https://wiki.mozilla.org/Security/Server_Side_TLS) to use. Only lower if you are experiencing integrations causing SSL handshake errors.
required: false
type: string
default: modern
cors_allowed_origins:
description: "A list of origin domain names to allow [CORS](https://en.wikipedia.org/wiki/Cross-origin_resource_sharing) requests from. Enabling this will set the `Access-Control-Allow-Origin` header to the Origin header if it is found in the list, and the `Access-Control-Allow-Headers` header to `Origin, Accept, X-Requested-With, Content-type, Authorization`. You must provide the exact Origin, i.e., `https://www.home-assistant.io` will allow requests from `https://www.home-assistant.io` but __not__ `http://www.home-assistant.io`."
required: false
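Review bot: the new `servers:` key that opens the nested block has no `description`, `required`, `type` or `default` of its own, while every sibling key in this `{% configuration %}` block carries all of them; add them (for example `description: A list of listeners, each with its own host, port and TLS/SSL settings.`, `required: false`, `type: list`) so readers learn that `servers` is a list and that the top-level `server_host`, `server_port`, `ssl_certificate`, `ssl_peer_certificate` and `ssl_key` keys removed in this hunk now live inside it. The per-server `ssl_peer_certificate` description should also state that setting it makes that listener require a client certificate, since the commit's stated use is making external access require one while internal access does not.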
@ -76,11 +82,6 @@ login_attempts_threshold:
required: false
type: integer
default: -1
ssl_profile:
description: The [Mozilla SSL profile](https://wiki.mozilla.org/Security/Server_Side_TLS) to use. Only lower if you are experiencing integrations causing SSL handshake errors.
required: false
type: string
default: modern
{% endconfiguration %}
The sample below shows a configuration entry with possible values:
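Review bot: dropping the top-level `ssl_profile` block (the five lines after `default: -1`) leaves the page silent on what happens to an existing `configuration.yaml` that still sets `ssl_profile`, `ssl_certificate`, `ssl_key` or `server_port` directly under `http:`; add a short migration note saying whether those keys are still accepted, deprecated or rejected, and that they now belong under `servers:`.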
@ -88,9 +89,11 @@ The sample below shows a configuration entry with possible values:
```yaml
# Example configuration.yaml entry
http:
server_port: 12345
ssl_certificate: /etc/letsencrypt/live/hass.example.com/fullchain.pem
ssl_key: /etc/letsencrypt/live/hass.example.com/privkey.pem
servers:
- server_port: 12345
ssl_certificate: /etc/letsencrypt/live/hass.example.com/fullchain.pem
ssl_key: /etc/letsencrypt/live/hass.example.com/privkey.pem
ssl_profile: modern
cors_allowed_origins:
- https://google.com
- https://www.home-assistant.io
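Review bot: the rewritten example mixes the two scopes this change introduces without saying so: `- server_port`, `ssl_certificate`, `ssl_key` and `ssl_profile` are per-listener and sit under `servers:`, while `cors_allowed_origins` stays a global `http:` key; a one-line comment above `servers:` (e.g. `# per-listener settings; keys under servers apply only to that port`) would make the split clear. Also, `ssl_profile: modern` repeats the documented default, so either drop it from the example or say it is shown only for illustration.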
@ -104,6 +107,29 @@ http:
The [Set up encryption using Let's Encrypt](/blog/2015/12/13/setup-encryption-using-lets-encrypt/) blog post gives you details about the encryption of your traffic using free certificates from [Let's Encrypt](https://letsencrypt.org/).
## TLS/SSL Configuration per port
The below sample will listen on multiple ports which can be useful for devices that use webhooks that do no work with SSL or use an older TLS/SSL standard.
8123 - TLS with the modern TLS/SSL profile
8124 - TLS with the intermediate TLS/SSL profile
8125 - No TLS/SSL
```yaml
# Example configuration.yaml entry
http:
servers:
- server_port: 8123
ssl_certificate: /etc/letsencrypt/live/hass.example.com/fullchain.pem
ssl_key: /etc/letsencrypt/live/hass.example.com/privkey.pem
ssl_profile: modern
- server_port: 8124
ssl_certificate: /etc/letsencrypt/live/hass.example.com/fullchain.pem
ssl_key: /etc/letsencrypt/live/hass.example.com/privkey.pem
ssl_profile: intermediate
- server_port: 8125
```
## Reverse proxies
When using a reverse proxy, you will need to enable the `use_x_forwarded_for` and `trusted_proxies` options. Requests from reverse proxies will be blocked if these options are not set.
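Review bot: the `- server_port: 8125` entry in the new example serves Home Assistant without TLS, and the prose only labels it "No TLS/SSL"; since the commit's goal is to isolate less secure configurations to a single port, add `server_host:` to that entry (the per-listener key this change introduces) so the plaintext listener binds only to the internal interface, and say in the text that everything sent to it, including authentication tokens, travels unencrypted. Two smaller points in the same section: "do no work with SSL" should read "do not work with SSL", and the three port lines (`8123 - ...`, `8124 - ...`, `8125 - ...`) should be rendered as a list so they do not run together in the rendered page.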