I spent some time getting the Apache httpd (Apache/2.4.57 (Red Hat Enterprise Linux)) reverse proxy config for HomeAssistant (2024.3.0) just right, so I thought I’d document it for future use.
httpd.conf
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
<VirtualHost *:80> (1)
ServerName homeassistant.your.domain
CustomLog /var/log/httpd/homeassistant_80_access.log combined
ErrorLog /var/log/httpd/homeassistant_80_error.log
Redirect permanent / https://homeassistant.your.domain
</VirtualHost>
<VirtualHost *:443> (2)
ServerName homeassistant.your.domain
SSLEngine on
SSLCertificateFile "/etc/letsencrypt/live.your.domain/fullchain.pem"
SSLCertificateKeyFile "/etc/letsencrypt/live.your.domain/privkey.pem"
SSLCipherSuite HIGH:!aNULL:!MD5
CustomLog /var/log/httpd/homeassistant_443_access.log combined
ErrorLog /var/log/httpd/homeassistant_443_error.log
<Location /api/webhook> (3)
</Location>
<Location /> (4)
<If "%{HTTP:X-Auth-Token} != 'some_arbitrary_password'"> (5)
#Allow specific User Agents to skip authentication (6)
BrowserMatchNoCase HomeAssistant noauth=1
BrowserMatchNoCase Home Assistant noauth=1
BrowserMatchNoCase Home%20Assistant noauth=1
BrowserMatchNoCase AppleWebKit noauth=1 (7)
#Allow Google PubSubHubbub to access /feed/webhook/v1 to push notifications (https://github.com/iv-org/homeassistant/blob/master/config/config.example.yml#L424)
SetEnvIf Request_URI "/api/webhook" noauth=1 (8)
Order Allow,Deny
Allow from env=noauth (9)
AuthType openid-connect
Require claim "email:allowed@email.address"
Require claim "email:another@allowed.email.address"
Satisfy any
</If>
</Location>
ProxyPass /api/websocket ws://127.0.0.1:8123/api/websocket (10)
ProxyPassReverse /api/websocket ws://127.0.0.1:8123/api/websocket
ProxyPass / http://127.0.0.1:8123/
ProxyPassReverse / http://127.0.0.1:8123/
RewriteEngine on
RewriteCond %{HTTP:Upgrade} =websocket [NC]
RewriteRule /(.*) ws://127.0.0.1:8123/$1 [P,L]
RewriteCond %{HTTP:Upgrade} !=websocket [NC]
RewriteRule /(.*) http://127.0.0.1:8123/$1 [P,L]
ProxyPreserveHost on
ProxyRequests off
</VirtualHost>
| 1 | Redirect all http traffic |
| 2 | Standard TLS stuff |
| 3 | Exclude /api/webhook from the default configuration |
| 4 | Put everything behind authentication, with some exceptions |
| 5 | Bypass all authentication if the correct X-Auth-Token header is set (useful for internal clients) |
| 6 | The HomeAssistant app doesn’t support openid-connect authentication, so we just bypass all proxy authentication for these clients |
| 7 | Unfortunately, the iOS app uses webkit for logins, so we’ll have to allowlist all webkit clients as well. |
| 8 | Enable access to webhooks (for push notifications etc.) |
| 9 | If any of the exceptions above are satisfied, we allow access. Otherwise, require openid-connect |
| 10 | HomeAssistant requires specific websocket config, as included here. |