Protected web interface?

Of course, the reverse proxy has to take care of authentication/authorization as well - I took that for granted.

The most simple method would be to use HTTP authentication (basic, digest, NTLM, Kerberos).

Personally, I use Cloudflare Access, which is quite simple to set up and allows authentication with your Google/Facebook/Github account (for which you can enable 2FA). It's free for up to 5 users.

Mmm, interesting offering, I may give it a try... I like Cloudflare as a company and their products, their DNS resolver is quite good.

1 Like

@janwerner Thank you! So you already have to run your hubitat behind a reverse proxy for that to work? I've tried that but cannot edit code. Do you have any issues with that? My reverse proxy is Apache 2.

I deleted my post by accident, but was able to recover it - so here it is :slight_smile:

Argo Tunnel is not required for Cloudflare Access - it's just more convenient because you don't have to take care of DynDNS, port forwardings etc.

  • You need a static public IP or some form of DynDNS (I do DNS updates via Cloudflare's API using a script called cfupdater)
  • forward (IPv4)/allow access to (IPv6) ports 80 and 443 on your reverse proxy (caddy, nginx, traefik, etc.)
  • set up the reverse proxy to use Cloudflare's Origin Certificates
  • restrict access to Cloudflare's IP ranges
  • optionally: enable Authenticated Origin Pulls to prevent unauthorized access in case someone should be able to spoof their IP address
  • optionally: set up JWT token validation (this is somewhat difficult, I haven't been able to get this working yet, but the setup should be sufficiently secure without it if you use Authenticated Origin Pulls. If you can get it working, feel free to share your progress :slight_smile: )

One thing that is nice about proxying traffic through Cloudflare is that your site will be reachable via IPv4 and IPv6, but it's enough to have either IPv4 or IPv6 connectivity on your end. So even if your ISP only offers IPv4, your site will also be reachable via IPv6.

If you do have IPv6 connectivity, you will be able to publish more than one server by only exposing the reverse proxy via IPv6, because IPv6 restores end-to-end connectivity, i.e. every device on your network has its own public IP address and there's no NAT in between.

That's how I do it:

My Cloudflare Crypto settings (screenshot).

Cheers,
Jan

1 Like
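For the optional JWT validation step in the list above, here is an added example of the claim checks an origin should run on the token Cloudflare Access sends in the `Cf-Access-Jwt-Assertion` header (also present as the `CF_Authorization` cookie). It is written for this thread and is not Cloudflare's code or anything from the posts above. The team domain and the application AUD tag are assumed placeholders, and because real Access tokens are RS256-signed with keys published at `https://<team>.cloudflareaccess.com/cdn-cgi/access/certs`, which this offline example cannot fetch, signature verification is a pluggable callable and a constructed HS256 verifier stands in for the RS256/JWKS check; the claim checks (pinned algorithm, issuer, audience, expiry, not-before with leeway) are the same either way.

```python
import base64
import hashlib
import hmac
import json
import time

# Assumed values: a made-up Access team domain and a placeholder application AUD tag.
TEAM_ISSUER = "https://example-team.cloudflareaccess.com"
APP_AUD = "PLACEHOLDER-APP-AUD-TAG"


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def _b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()


def validate_access_jwt(token, verify_signature, expected_alg, issuer, audience,
                        now=None, leeway=60):
    """Return the claims of a valid token, or raise ValueError naming the failed check.

    verify_signature(kid, signing_input, signature) -> bool is the pluggable
    signature check; for real Access tokens it must verify RS256 against the
    team's JWKS (/cdn-cgi/access/certs), selecting the key by the header's kid.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    try:
        header = json.loads(_b64url_decode(header_b64))
        claims = json.loads(_b64url_decode(payload_b64))
        signature = _b64url_decode(sig_b64)
    except ValueError:  # covers bad base64 (binascii.Error) and bad JSON
        raise ValueError("malformed token")
    if not isinstance(header, dict) or not isinstance(claims, dict):
        raise ValueError("malformed token")
    # Pin the algorithm server-side; the token must never choose it (e.g. "none").
    if header.get("alg") != expected_alg:
        raise ValueError("unexpected alg")
    signing_input = f"{header_b64}.{payload_b64}".encode()
    if not verify_signature(header.get("kid"), signing_input, signature):
        raise ValueError("bad signature")
    # Only tokens minted by this team's Access instance for this application count.
    if claims.get("iss") != issuer:
        raise ValueError("wrong issuer")
    aud = claims.get("aud")
    if audience not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("wrong audience")
    now = time.time() if now is None else now
    if "exp" not in claims or now > claims["exp"] + leeway:
        raise ValueError("expired")
    if now + leeway < claims.get("nbf", 0):
        raise ValueError("not yet valid")
    return claims


# --- Constructed stand-in for the RS256/JWKS check, so the example runs offline ---
DEMO_KEYS = {"demo-kid": b"constructed-secret-for-this-example"}  # kid -> HMAC key


def hs256_verifier(kid, signing_input, signature):
    key = DEMO_KEYS.get(kid)
    if key is None:
        return False  # unknown kid: not a key we have published
    expected = hmac.new(key, signing_input, hashlib.sha256).digest()
    return hmac.compare_digest(expected, signature)


def mint_demo_token(claims, kid="demo-kid", alg="HS256"):
    """Mint a demo token (always HMAC-signed; Access itself mints RS256 tokens).

    The alg parameter only changes what the header claims, which lets the demo
    show that a header announcing another algorithm is rejected.
    """
    header = _b64url_encode(json.dumps({"alg": alg, "typ": "JWT", "kid": kid}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(DEMO_KEYS[kid], f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(sig)}"


def check(token, now):
    """Convenience wrapper: the authenticated email, or 'rejected: <reason>'."""
    try:
        claims = validate_access_jwt(token, hs256_verifier, "HS256", TEAM_ISSUER, APP_AUD, now=now)
        return claims.get("email", "")
    except ValueError as e:
        return f"rejected: {e}"


if __name__ == "__main__":
    now = 1_700_000_000
    token = mint_demo_token({"iss": TEAM_ISSUER, "aud": [APP_AUD], "email": "user@example.com",
                             "iat": now, "exp": now + 600})
    print(check(token, now))        # user@example.com
    print(check(token, now + 700))  # rejected: expired
```

In a real deployment this check sits in front of the Hubitat upstream on the reverse proxy, for example as the target of an nginx `auth_request` subrequest, and the returned claims (the `email` claim in particular) give you an audit trail of who reached the hub. Note that validation is the last layer, not a replacement for the earlier ones: the IP-range restriction and Authenticated Origin Pulls are what stop requests that never passed through Cloudflare at all.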