t0bst4r / home-assistant-matter-hub

Publish your Home-Assistant Instance using Matter.
Apache License 2.0

[Enhancement] Support https:// on Configuration web page #98

Open lone-baggie opened 2 weeks ago

lone-baggie commented 2 weeks ago

My HA uses an SSL certificate. I get an error when trying to link from Open WebUI:

This site can’t be reached

Nothing major, I can use the local IP, I just get a "not secure" warning. Would be nice if the configuration web page could use the existing certificate.

DJBenson commented 2 weeks ago

This would be fixed by #36.

myevit commented 1 week ago

waiting as well

tam481 commented 1 day ago

@t0bst4r please include this in the next update. You were able to quickly add it to the original project.

t0bst4r commented 1 day ago

I need to implement ingress support anyway - then Home Assistant takes care of SSL. And for people running Docker, I'd recommend using a reverse proxy anyway which takes care of certificate renewal etc. I'll add an option to limit HTTP access to a specific IP (range) in order to block all traffic which is not the proxy.

What do you think? Would that be sufficient? Or is in-app SSL required?

tam481 commented 3 hours ago

Sorry @t0bst4r I think I may have misunderstood the request. My Home Assistant is behind a reverse-proxy (Traefik) which is configured to redirect http to https. I am unable to connect to HASS on https://domain.name

I can do that with the current Matterbridge but not this new one (Matterhub)

p.s. Traefik is taking care of the certificate renewal.

myevit commented 2 hours ago

Same for me. When I open the web UI by link it goes to -> https://myowndomain.com:8482. It should be the port - it should be ingress, like for example the hass google backup addon. Alternatively you can always open the web UI in a new page using http + IP address + port.

DJBenson commented 2 hours ago

> Sorry @t0bst4r I think I may have misunderstood the request.
>
> My Home Assistant is behind a reverse-proxy (Traefik) which is configured to redirect http to https.
>
> I am unable to connect to HASS on https://domain.name
>
> I can do that with the current Matterbridge but not this new one (Matterhub)
>
> p.s. Traefik is taking care of the certificate renewal.

How are you accessing HA then? The reverse proxy just puts everything web facing behind it but you still access it via a domain name? Ingress support would negate the need to expose the 84xx port as it would sit "inside" Home Assistant like other addons do (like zigbee2mqtt, frigate etc.)

DJBenson commented 1 hour ago

> same for me. when I open web ui by link it goes to -> https://myowndomain.com:8482
>
> it should be the port - it should be ingress. like for example hass google backup addon
>
> alternative you can always open web ui in new page using http+ip-address+port

Yeah as per my other reply, ingress would negate the need to expose port 8482 at all, it would just sit as a directory under your main HA domain. If people then have a reverse proxy in front of HA it would work the same.

I use Cloudflare Tunnels and my HA domain (and all the addons which support ingress) all work natively.

tam481 commented 1 hour ago

My Home Assistant is on https://hass.mydomain.co.uk internally

That's the current URL for Home Assistant. Traefik reverse-proxies the connections to the Home Assistant container on port 8123

If I configure Matterhub with "homeAssistantUrl": "https://hass.mydomain.co.uk" I get

```
[ ERROR ] [ Matter / Logger ]: Unhandled error detected: Unable to connect to home assistant: SyntaxError: Invalid URL: ws://x.x.x.x:yyyy/api/websocket
    at _HomeAssistantClient.parseError (file:///usr/local/lib/node_modules/home-assistant-matter-hub/dist/backend/cli.js:727:14)
    at file:///usr/local/lib/node_modules/home-assistant-matter-hub/dist/backend/cli.js:711:18
    at async _HomeAssistantClient.initialize (file:///usr/local/lib/node_modules/home-assistant-matter-hub/dist/backend/cli.js:705:23)
file:///usr/local/lib/node_modules/home-assistant-matter-hub/dist/backend/cli.js:727
    return new Error(Unable to connect to home assistant: ${reason});
```

myevit commented 1 hour ago

As ingress controller (for my in-house use) I use Nginx Proxy Manager, for external access Cloudflare Tunnel. In both cases hass is exposed just as https://mydomain.com. This is the same as mydomain.com:443, so you can't add a custom port as it will make the ingress controller reject your request and the browser will complain. To bypass this, hass has its own "ingress path" https://mydomain.com/hassio/ingress/cebe7a76_hassio_google_drive_backup that will be patched through the reverse proxy, with SSL termination, and then hass will patch it to the addon/docker container port. Essentially it's an addon/hass feature.

tam481 commented 1 hour ago

Isn't Traefik or any other reverse proxy the ingress controller? I just need Matterhub to be able to connect to Home Assistant via Traefik in the same way that the current Matterbridge can.

DJBenson commented 1 hour ago

> Isn't Traefik or any other reverse proxy the ingress controller?
>
> I just need Matterhub to be able to connect to Home Assistant via Traefik in the same way that the current Matterbridge can.

Ingress is how Home Assistant embeds addons so they use HA authentication and are proxied under HA's root domain/port or IP/port. Putting another proxy on top is fine but the two are not the same thing.

The hub does not communicate with Home Assistant via a proxy, it uses internal Docker networking so far as I know, so getting the two to "talk" is nothing to do with proxies. Being able to access the hub's web interface IS where a proxy comes in handy, as you can have the whole lot under one domain.

For a totally local install, no proxy is required to allow HA and HAMH to work.

DJBenson commented 1 hour ago

> Isn't Traefik or any other reverse proxy the ingress controller?
>
> I just need Matterhub to be able to connect to Home Assistant via Traefik in the same way that the current Matterbridge can.

Are you running HA and HAMH on the same host? Using the addon?

DJBenson commented 1 hour ago

> I need to implement ingress support anyway - then Home Assistant takes care of SSL. And for people running Docker, I'd recommend using a reverse proxy anyway which takes care of certificate renewal etc. I'll add an option to limit HTTP access to a specific IP (range) in order to block all traffic which is not the proxy.
>
> What do you think? Would that be sufficient? Or is in-app SSL required?

For what it's worth I don't think you should be adding SSL into the app itself. Most other addons offload this to a dedicated proxy.