jeans/home-assistant.io
jeans/home-assistant.io
1
0
Fork 0
mirror of https://github.com/home-assistant/home-assistant.io.git synced 2025-07-28 03:37:06 +00:00
Code Issues Packages Projects Releases Wiki Activity

Support multiple TLS/SSL configurations on the webserver

Browse Source 
aiohttp already supports multiple `TCPSite`s for a single server

This allows Home Assistant to listen on multiple ports with different ssl configuration per port so that devices that need a less secure configuration can be isolated to a single port.

Motivation:
 - No need downgrade entire ssl configuration for a single device that needs a less secure configuration
 - Make external access require a client certificate but internal access allowed without it
 - Support an ONVIF camera that does not do SSL
 - Webhooks that do not work with SSL (ie Reolink)
This commit is contained in:
J. Nick Koston 2023-05-19 14:21:39 -05:00
parent f631b6e5db
commit 745541b901
No known key found for this signature in database
1 changed files with 56 additions and 30 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

86
source/_integrations/http.markdown
View File

@ -31,28 +31,34 @@ http:
``` ```
{% configuration %} {% configuration %}
server_host: servers:
description: "Only listen to incoming requests on specific IP/host. By default the `http` integration auto-detects IPv4/IPv6 and listens on all connections. Use `server_host: 0.0.0.0` if you want to only listen to IPv4 addresses. The default listed assumes support for IPv4 and IPv6." server_host:
required: false description: "Only listen to incoming requests on specific IP/host. By default the `http` integration auto-detects IPv4/IPv6 and listens on all connections. Use `server_host: 0.0.0.0` if you want to only listen to IPv4 addresses. The default listed assumes support for IPv4 and IPv6."
type: [list, string] required: false
default: "0.0.0.0, ::" type: [list, string]
server_port: default: "0.0.0.0, ::"
description: Let you set a port to use. server_port:
required: false description: Let you set a port to use.
type: integer required: false
default: 8123 type: integer
ssl_certificate: default: 8123
description: Path to your TLS/SSL certificate to serve Home Assistant over a secure connection. If using the [Let's Encrypt add-on](https://github.com/home-assistant/addons/tree/master/letsencrypt) this will be at `/ssl/fullchain.pem`. We recommend to use the [NGINX add-on](https://github.com/home-assistant/addons/tree/master/nginx_proxy) instead of using this option. ssl_certificate:
required: false description: Path to your TLS/SSL certificate to serve Home Assistant over a secure connection. If using the [Let's Encrypt add-on](https://github.com/home-assistant/addons/tree/master/letsencrypt) this will be at `/ssl/fullchain.pem`. We recommend to use the [NGINX add-on](https://github.com/home-assistant/addons/tree/master/nginx_proxy) instead of using this option.
type: string required: false
ssl_peer_certificate: type: string
description: Path to the client/peer TLS/SSL certificate to accept secure connections from. ssl_peer_certificate:
required: false description: Path to the client/peer TLS/SSL certificate to accept secure connections from.
type: string required: false
ssl_key: type: string
description: Path to your TLS/SSL key to serve Home Assistant over a secure connection. If using the [Let's Encrypt add-on](https://github.com/home-assistant/addons/tree/master/letsencrypt) this will be at `/ssl/privkey.pem`. ssl_key:
required: false description: Path to your TLS/SSL key to serve Home Assistant over a secure connection. If using the [Let's Encrypt add-on](https://github.com/home-assistant/addons/tree/master/letsencrypt) this will be at `/ssl/privkey.pem`.
type: string required: false
type: string
ssl_profile:
description: The [Mozilla SSL profile](https://wiki.mozilla.org/Security/Server_Side_TLS) to use. Only lower if you are experiencing integrations causing SSL handshake errors.
required: false
type: string
default: modern
cors_allowed_origins: cors_allowed_origins:
description: "A list of origin domain names to allow [CORS](https://en.wikipedia.org/wiki/Cross-origin_resource_sharing) requests from. Enabling this will set the `Access-Control-Allow-Origin` header to the Origin header if it is found in the list, and the `Access-Control-Allow-Headers` header to `Origin, Accept, X-Requested-With, Content-type, Authorization`. You must provide the exact Origin, i.e., `https://www.home-assistant.io` will allow requests from `https://www.home-assistant.io` but __not__ `http://www.home-assistant.io`." description: "A list of origin domain names to allow [CORS](https://en.wikipedia.org/wiki/Cross-origin_resource_sharing) requests from. Enabling this will set the `Access-Control-Allow-Origin` header to the Origin header if it is found in the list, and the `Access-Control-Allow-Headers` header to `Origin, Accept, X-Requested-With, Content-type, Authorization`. You must provide the exact Origin, i.e., `https://www.home-assistant.io` will allow requests from `https://www.home-assistant.io` but __not__ `http://www.home-assistant.io`."
required: false required: false
@ -76,11 +82,6 @@ login_attempts_threshold:
required: false required: false
type: integer type: integer
default: -1 default: -1
ssl_profile:
description: The [Mozilla SSL profile](https://wiki.mozilla.org/Security/Server_Side_TLS) to use. Only lower if you are experiencing integrations causing SSL handshake errors.
required: false
type: string
default: modern
{% endconfiguration %} {% endconfiguration %}
The sample below shows a configuration entry with possible values: The sample below shows a configuration entry with possible values:
@ -88,9 +89,11 @@ The sample below shows a configuration entry with possible values:
```yaml ```yaml
# Example configuration.yaml entry # Example configuration.yaml entry
http: http:
server_port: 12345 servers:
ssl_certificate: /etc/letsencrypt/live/hass.example.com/fullchain.pem - server_port: 12345
ssl_key: /etc/letsencrypt/live/hass.example.com/privkey.pem ssl_certificate: /etc/letsencrypt/live/hass.example.com/fullchain.pem
ssl_key: /etc/letsencrypt/live/hass.example.com/privkey.pem
ssl_profile: modern
cors_allowed_origins: cors_allowed_origins:
- https://google.com - https://google.com
- https://www.home-assistant.io - https://www.home-assistant.io
@ -104,6 +107,29 @@ http:
The [Set up encryption using Let's Encrypt](/blog/2015/12/13/setup-encryption-using-lets-encrypt/) blog post gives you details about the encryption of your traffic using free certificates from [Let's Encrypt](https://letsencrypt.org/). The [Set up encryption using Let's Encrypt](/blog/2015/12/13/setup-encryption-using-lets-encrypt/) blog post gives you details about the encryption of your traffic using free certificates from [Let's Encrypt](https://letsencrypt.org/).
## TLS/SSL Configuration per port
The below sample will listen on multiple ports which can be useful for devices that use webhooks that do no work with SSL or use an older TLS/SSL standard.
8123 - TLS with the modern TLS/SSL profile
8124 - TLS with the intermediate TLS/SSL profile
8125 - No TLS/SSL
```yaml
# Example configuration.yaml entry
http:
servers:
- server_port: 8123
ssl_certificate: /etc/letsencrypt/live/hass.example.com/fullchain.pem
ssl_key: /etc/letsencrypt/live/hass.example.com/privkey.pem
ssl_profile: modern
- server_port: 8124
ssl_certificate: /etc/letsencrypt/live/hass.example.com/fullchain.pem
ssl_key: /etc/letsencrypt/live/hass.example.com/privkey.pem
ssl_profile: intermediate
- server_port: 8125
```
## Reverse proxies ## Reverse proxies
When using a reverse proxy, you will need to enable the `use_x_forwarded_for` and `trusted_proxies` options. Requests from reverse proxies will be blocked if these options are not set. When using a reverse proxy, you will need to enable the `use_x_forwarded_for` and `trusted_proxies` options. Requests from reverse proxies will be blocked if these options are not set.