A small Home Assistant integration to optionally proxy select web traffic through a Home Assistant instance.
Typical usecases are Lovelace cards (e.g. Frigate Card) that cannot directly access resources required (either because the browser may not be on the same network as the backend resources, or because the browser may not allow Mixed Content).
There are two main styles of proxying:
- Statically proxying a set of URL patterns (e.g. Accessing
https://$HA_INSTANCE/api/hass_web_proxy/v0/?url=http%3A%2F%2Fcam-back-yard.mydomain.iowill result in a request tohttp://cam-back-yard.mydomain.io). - Accept Home Assistant
actioncalls to selectively allow proxying, for use in automations orhass-web-proxy-integrationaware Lovelace cards that dynamically select what to proxy.
Add this repository as a custom repository for HACS:
- Navigate
HACS -> Integrations -> [Three dots menu] -> Custom repositories - Repository:
https://github.com/dermotduffy/hass-web-proxy-integration/ - Category:
Integration - Click
ADD
Download the integration via HACS as normal:
- Click
+ EXPLORE & DOWNLOAD REPOSITORIES - Search for
Home Assistant Web Proxy - Click
DOWNLOAD
Install the integration to your Home Assistant instance:
- Navigate
Settings -> Devices & Services - Click
+ Add INTEGRATION - Search and install
Home Assistant Web Proxy - Click
FINISH
The integration does not proxy anything by default. There are two methods to actually proxy:
With this method, the user manually configures static URL patterns to allow proxying for.
Visit the options configuration for the integration:
- Navigate
Settings -> Devices & Services - Click through
Home Assistant Web Proxyin the list of installed integrations - Click
CONFIGURE - Click
+ ADDto add a URL pattern that should be allowed proxy through the integration (e.g.https://cam-*.mydomain.ioto allow proxying any hostname that starts withcam-in themydomain.iodomain) - Click
SUBMIT
Result:
- If the example target to proxy is
http://cam-back-yard.mydomain.io, first URL encode it tohttp%3A%2F%2Fcam-back-yard.mydomain.io - Visiting
https://$HA_INSTANCE/api/hass_web_proxy/v0/?url=http%3A%2F%2Fcam-back-yard.mydomain.iowill proxy through Home Assistant for authenticated Home Assistant users.
With this method, the user, Home Assistant automation or Lovelace cards, can dynamically request a URL be proxied:
- Call the
hass_web_proxy.create_proxied_urlaction:
action: hass_web_proxy.create_proxied_url
data:
url_pattern: https://cam-*.mydomain.io
url_id: id-that-can-optionally-be-used-to-delete-laterResult:
- If the example target to proxy is
http://cam-back-yard.mydomain.io, first URL encode it tohttp%3A%2F%2Fcam-back-yard.mydomain.io - Visiting
https://$HA_INSTANCE/api/hass_web_proxy/v0/?url=http%3A%2F%2Fcam-back-yard.mydomain.iowill proxy through Home Assistant for authenticated Home Assistant users. - The service call will return a dictionary with a
url_idparameter referring to the created proxied URL.
To delete the proxied URL:
- Call the
hass_web_proxy.delete_proxied_urlaction:
action: hass_web_proxy.delete_proxied_url
data:
url_id: id-that-can-optionally-be-used-to-delete-later| Name | Default | Description |
|---|---|---|
dynamic_urls |
true |
Whether to allow to creation and deletion of dynamic proxy URL targets via the hass_web_proxy.create_proxied_url and hass_web_proxy.delete_proxied_url calls respectively. |
ssl_verification |
true |
Whether SSL certifications/hostnames should be verified on the proxy URL targets. |
ssl_ciphers |
default |
Whether to use default, modern, intermediate, or insecure ciphers. Older devices may not support default or modern ciphers. |
url_patterns |
[] |
An optional list of static URL patterns to allow proxying for, e.g. [ http://cam-*.mydomain.io ] |
action: hass_web_proxy.create_proxied_url
data: [...]| Name | Default | Description |
|---|---|---|
open_limit |
An optional number of times a URL pattern may be proxied to before it is automatically removed as a proxied URL. | |
ssl_verification |
true |
Whether SSL certifications/hostnames should be verified on the proxy URL targets. |
ssl_ciphers |
default |
Whether to use default, modern, intermediate, or insecure ciphers. Older devices may not support default or modern ciphers. |
ttl |
An optional number of seconds to allow proxying of this URL pattern. | |
url_pattern |
An required URL pattern to allow proxying for, e.g. http://cam-*.mydomain.io. |
|
url_id |
[UUID] | An optional ID that can be used to refer to that proxied URL later (e.g. to delete it with the hass_web_proxy.delete_proxied_url action). A UUID is automatically used if this parameter is not specified. |
allow_unauthenticated |
false |
If false, or unset, unauthenticated HA users will not be allowed to access the proxied URL. If true, they will. See below. |
action: hass_web_proxy.delete_proxied_url
data: [...]| Name | Default | Description |
|---|---|---|
url_id |
An id of a URL pattern to delete, that was previously created using the hass_web_proxy.create_proxied_url call. |
No URLs are proxied by default.
However, any user, automation or Javascript with authenticated access to the
Home Assistant instance could call hass_web_proxy.create_proxied_url to create
a dynamically proxied URL, thus exposing arbitrary resources "behind" Home
Assistant to anything/anyone that can access Home Assistant itself.
Depending on the setup, this may present an access escalation beyond what would
usually be accessible. In particular, wide exposure could occur if the user,
automation or Javascript set allow_unauthenticated in the dynamically proxied
URL request, which would allow arbitrary internet traffic to be proxied via the
Home Assistant instance regardless of whether or not they have valid user
credentials on the HA instance.
All proxying is done by the integration which runs as part of the Home Assistant process itself. As such, this proxy is not expected to be particularly performant and excessive usage could slow Home Assistant itself down. This is unlikely to be noticeable in practice for casual usage.