Feature Request: Custom Request Headers

[keatontaylor]

I'd like the ability in the connection page of 2.0 to be able to define custom additional headers that can be added to the webhook and other calls to HA. I understand this likely isn't possible to append these headers for the webview, but that isn't an issue in the case I have in mind.

Essentially my HA install is behind a CloudFlare proxy utilizing cloudflare access. This allows for apps to request a verification step, usually via email before allowing a request to the real site. This works fine for a web view since the captive portal is displayed and the user can input the correct info.

However, it does not work for the webhook messages back to HA that do not include the cloudflare header and so I'd be nice to be able to add these headers manually such that things like actions, push notification actions, and location updates work as intended.

https://developers.cloudflare.com/access/setting-up-access/securing-applications/

Above is a link for more info on CloudFlare access.

[dejanzelic]

+1 for this. I too am in the same boat

[jtscott]

+1 would like to use cloudflare access tokens for this as well

[nirhalfon]

+1 would like to use cloudflare access tokens for this as well

+1

[MyKEms]

+1 same use case 👍

[dejanzelic]

I have found that if enter my email into the cloudflare form and enter the authorization code, I'm able to login to Home Assistant. I set the expiration to the longest I can on cloudflare. However, It would be much nicer to use a header so I don't have to enter the code regularly.

[MyKEms]

I have found that if enter my email into the cloudflare form and enter the authorization code, I'm able to login to Home Assistant. I set the expiration to the longest I can on cloudflare. However, It would be much nicer to use a header so I don't have to enter the code regularly.

I solved it same way, extend Auth lifecycle to 1 month. However I can imagine situation that you could expect critical notification which you won't receive because of expiration even you have 1 month. You need manually check app if it expired or not yet.

JWT token is better because of 1 year validity and you can extend it with single click and you know when exactly it expire.

[MyKEms]

Update: It seems notifications still works even cloudflare asks for authentication after expiration in HA app.

[Savjee]

+1 for this!

[geekscrapy]

+1
I would have thought that this was quite a large usecase given the accessibility cloudflare now provide.

[wienans]

Yes i wanted to use it as well and I got the UI running on the app via the email auth. But the services/sensor updates don’t work as they don’t have the auth.
I think the usecase is defiantly there and many people already made videos showing how to use it. Surely it is a competitor product to HA Cloud, but the wide spread of the now free to use Tunnel shouldn’t be overlooked because it would maybe post security concerns to the HA instances which are available like this and aren’t secured with this tokens

[heyevwebody]

@wienans

Try bypassing the full webhook URI of your client w/in an access policy. You can grab the webhook URI from the dashboard events log (site > security > events). This will let your phone send sensor updates, but if someone browses to the exposed URL they'll still need to authenticate.

The long term solution is to implement this feature request and allow us to set custom headers.

[wienans]

Hey @heyevwebody thanks for the suggestion. But do this events only pop up if they got blocked? Because my log is empty (currently I removed authentication) or do I need to change the filter settings?

[heyevwebody]

My bad, do you have any WAF allow rules? They log on my allow rules as well. If you have a free rule available you could probably create a temporary allow rule that would match your HA traffic. Just something with allowing the country or hostname should work.

[heyevwebody]

+1

[wienans]

To help future readers until this Feature Request is accepted.
For Cloudflare Tunnels which are protected by Application Access Rules which require a authentication for example email. Sensors will not update in homeassistant as the webhook will be blocked even if you Authenticate within the App and have access to your homeassistant.

1. create a WAF (page > security > WAF) access rule wich allows access for example your country. With this you will get Logs about your accesses to your instance
2. open the app an go to Settings > Mobile App > Sensors Update to 20 seconds so that we get quick updates in the logs.
3. disable Wi-Fi so that your app tries to use the external url
4. Go to cloudflare page > security > events
5. now you should see some log entries open one and under path you should see the URI of your webhook starting with /api/webhook and a long id after it, copy the full path
6. Go to your zero trust tunnel application and create a application for the webhook address. your main url and as optional path past the full webhook path
7. Now add a bypass rule for „Everyone“ so now only your webhook is exposed instead of the full instance.
   you could also change it to bypass some countries or what ever you want.
8. now you can remove the WAF again

Credits to @heyevwebody for this.

[avol-io]

@heyevwebody I take a look with permanent log in network tab in firefox and no the first call it's not redirect by ha but by Cloudflare.
if I go to the same webhook with internal access I receive a page with "405: Method Not Allowed" not a redirect to some login page.

But what happen if you go with browser in anonymous session to webhook?

[heyevwebody]

It goes through without triggering the auth. Do you have this going through a tunnel also? Check the order of the tunnel hostnames (i.e., if you have a generic one for your HASS URL, and another for your webhook path, make sure the webhook one is higher up), and that the one you have for the webhook path has the correct access setting.

[avol-io]

I found my error. I choose the wrong type of rules "access" and not "bypass" kind. thank for support

[jamesgreeley]

Hi Thanks for the workaround, I've now got phone data going into Home Assistant again! However, I think ive broken something. the Cloudflare one time password is no longer sending me a code, do you think it could be related to now having two applications for the same URL. I have one for ha.domain.com and one for ha.domain.com/api/webhook/xxx

[lechuorzech]

I got to point 5 and stuck, sorry.
Could you write in detail what rules to create in zero trust, and where to add bypass for everyone, please.

[geekbleek]

This is a much desired feature! I implemented Beacons and the WARP client to access my zero trust tunnels. Not fully flushed out yet, but appears it could be pretty solid - just need a little more time. Details here: https://github.com/geekbleek/cloudflare-beacon

Never need to auth (web, HA, etc.), can use WARP & Zero Trust + Beacons to seamlessly switch from internal to external DNS/IPs (assuming you have split DNS), and can provide access to rest of your network or self-hosted applications. No need to open external network ports to the entirety of the world.

Having a token auth appended by HA client would be much simpler to setup, but also require re-auth to Cloudflare Access pretty regularly. I think the real winner will be when Cloudflare enables device attestation tokens (iOS etc) on Access, which will enable remote local network access entirely without the WARP client, at which point the token auth appended by HA client would be key.

[DrSpaldo]

@geekbleek I've only just come across this thread. I like the sound of it so far, but just am not understanding the implementation on say the iOS device itself. Currently the HA app pops up an authentication page and for wife issues, it is not friendly. Would this overcome having to enter a code every 30 days on the app? How did you implement that client side of this?

[MacieGx]

+1

[DavidMikeSimon]

I would love to have this feature as well, though for a slightly different use case.

I'm running HA behind Traefik with Authelia. I'm using the lovely https://github.com/BeryJu/hass-auth-header custom component to let Authelia act as the sole source of truth for authentication, which works great for the web UI. However, for the mobile apps, this is not reliable; it does not seem to consistently hold on to the cookies from Authelia. There does not seem to be a consistent workaround for this that doesn't involve opening unauthenticated holes in Authelia, but I'd really prefer not to expose HA as an attack surface.

With the requested feature, I could easily configure Traefik to let mobile traffic bypass Authelia, by setting a header with a pre-defined secure key.

[daroga0002]

+1

[skyw33]

+1

[baylanger]

For my case, iOS + cloudflare the proposed solution in this guide works flawlessly:

https://usher.dev/posts/exposing-home-assistant-using-cloudflare-tunnel/

[DaAwesomeP]

There was a PR to add this, but it was rejected: #2596

This is somewhat frustrating since this is one of the most voted feature requests on GitHub Discussions.

[wienans]

Especially as it was community provided… so frustrating also for the person who provided the feature.

[ideasman69]

why was this rejected?

[supperka]

+1

[RosensRauk]

So I have secured my home network by utilizing, as many in this thread, cloudflares network services. Maybe a header option doesn't comply with top Home Assistant goals and there's the Nabu Casa option too. I'm happy I got the cast dashboard function to work with an extra WAF rule. Thank you heyevwebody!

[threesquared]

It feels like there is real a resistance from maintainers to this or any similar idea as it would provide an alternative to HA Cloud. Such a shame that a feature that increases end user security is being blocked like this.

[Mathpro]

+1

[lukasj1106]

+1

[alejandro5x]

+1

[Coleslav]

+1