
Homeassistant Apache Httpd Proxy Configuration

 |  400 words — 2 minutes  |  homeassistant apache httpd

I spent some time getting the Apache httpd (Apache/2.4.57 (Red Hat Enterprise Linux)) reverse proxy config for HomeAssistant (2024.3.0) just right, so I thought I’d document it for future use.

httpd.conf
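# Plain-HTTP listener: it serves no content and only redirects to the HTTPS vhost.
# The trailing "(n)" markers appear to be the article's callout numbers, not
# httpd syntax; strip them before loading this file.
<VirtualHost *:80> (1)
    ServerName homeassistant.your.domain
    # Port-80 traffic gets its own access and error logs.
    CustomLog /var/log/httpd/homeassistant_80_access.log combined
    ErrorLog /var/log/httpd/homeassistant_80_error.log
    # Redirect appends whatever follows the matched prefix to the target, so the
    # target must end in "/". Without it, a request for /some/path is sent to
    # https://homeassistant.your.domainsome/path.
    Redirect permanent / https://homeassistant.your.domain/
</VirtualHost>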

# HTTPS listener: terminates TLS, applies the access rules in <Location />, and
# proxies everything to the backend on 127.0.0.1:8123.
# The trailing "(n)" markers appear to be the article's callout numbers, not
# httpd syntax; strip them before loading this file.
<VirtualHost *:443> (2)
    ServerName homeassistant.your.domain
    SSLEngine on
    # Certificate chain and private key; the paths contain placeholder domain parts.
    SSLCertificateFile "/etc/letsencrypt/live.your.domain/fullchain.pem"
    SSLCertificateKeyFile "/etc/letsencrypt/live.your.domain/privkey.pem"
    # Restricts cipher suites only. No SSLProtocol is set in this vhost, so the
    # accepted TLS versions come from the server-wide defaults.
    # NOTE(review): confirm those defaults or pin SSLProtocol here.
    SSLCipherSuite HIGH:!aNULL:!MD5
    CustomLog /var/log/httpd/homeassistant_443_access.log combined
    ErrorLog /var/log/httpd/homeassistant_443_error.log

    # This section contains no directives, so it adds no rules of its own.
    <Location /api/webhook> (3)
    </Location>

    # Access control for every path on this vhost.
    <Location /> (4)
        # The block below applies only when the X-Auth-Token request header differs
        # from this literal. A request carrying the matching header skips every
        # access rule in the block. The literal is therefore a credential stored in
        # clear text: use a long random value and keep this file readable by root only.
        <If "%{HTTP:X-Auth-Token} != 'some_arbitrary_password'"> (5)
            # BrowserMatchNoCase sets noauth=1 when the User-Agent header matches the
            # given regex, case-insensitively. User-Agent is chosen by the client, so
            # it identifies nothing. Combined with "Allow from env=noauth" and
            # "Satisfy any" below, any client sending a matching string passes this
            # proxy without OpenID Connect.
            # NOTE(review): with these lines in place, the backend's own login is the
            # only remaining gate for such clients. Confirm that is intended.
            #Allow specific User Agents to skip authentication (6)
            BrowserMatchNoCase HomeAssistant noauth=1
            # NOTE(review): the pattern is unquoted, so httpd reads "Home" as the regex
            # and "Assistant" as a second variable to set. Any User-Agent containing
            # "home" then matches. Quote the pattern if "Home Assistant" was meant.
            BrowserMatchNoCase Home Assistant noauth=1
            BrowserMatchNoCase Home%20Assistant noauth=1
            # NOTE(review): "AppleWebKit" appears in the User-Agent of most mainstream
            # browsers, so this line exempts ordinary browser traffic from the OIDC check.
            BrowserMatchNoCase AppleWebKit noauth=1 (7)
            # NOTE(review): the next comment names /feed/webhook/v1 and another
            # project's config, while the directive after it matches /api/webhook.
            # The comment may have been carried over from a different setup.
            #Allow Google PubSubHubbub to access /feed/webhook/v1 to push notifications  (https://github.com/iv-org/homeassistant/blob/master/config/config.example.yml#L424)
            # The regex is unanchored, so it matches any path that contains
            # "/api/webhook", not only paths that start with it.
            # NOTE(review): consider anchoring it with a leading "^".
            SetEnvIf Request_URI "/api/webhook" noauth=1 (8)
            # Legacy mod_access_compat directives: allow by environment variable only.
            # NOTE(review): the httpd documentation discourages mixing Order/Allow/Satisfy
            # with Require. The rule could be expressed with Require alone.
            Order Allow,Deny
            Allow from env=noauth (9)

            # OpenID Connect login (mod_auth_openidc). Either of the two listed e-mail
            # claims is sufficient.
            AuthType openid-connect
            Require claim "email:allowed@email.address"
            Require claim "email:another@allowed.email.address"

            # Access is granted if EITHER the Allow rule (noauth set) OR the Require
            # claims succeed.
            Satisfy any
        </If>
    </Location>
    # The websocket mapping is listed first because ProxyPass rules are checked in
    # configuration order and "/" would otherwise match first. The backend is plain
    # HTTP/WS on loopback.
    ProxyPass /api/websocket ws://127.0.0.1:8123/api/websocket (10)
    ProxyPassReverse /api/websocket ws://127.0.0.1:8123/api/websocket
    ProxyPass / http://127.0.0.1:8123/
    ProxyPassReverse / http://127.0.0.1:8123/

    # Proxies ([P]) to the same backend, choosing ws:// or http:// by the Upgrade
    # request header.
    # NOTE(review): these rules overlap with the ProxyPass lines above. Confirm both
    # sets are needed.
    RewriteEngine on
    RewriteCond %{HTTP:Upgrade} =websocket [NC]
    RewriteRule /(.*)  ws://127.0.0.1:8123/$1 [P,L]
    RewriteCond %{HTTP:Upgrade} !=websocket [NC]
    RewriteRule /(.*)  http://127.0.0.1:8123/$1 [P,L]

    # Forward the client's original Host header to the backend.
    ProxyPreserveHost on
    # Reverse proxy only: forward-proxy requests are disabled.
    ProxyRequests off
</VirtualHost>