Proxies for Home Assistant: Secure Remote Access to Your Smart Home Without Getting Hacked

An open Home Assistant port is a security vulnerability for your smart home. We explain how to set up secure remote access through a proxy and avoid becoming a hacking victim.

📅June 12, 2026

You have installed Home Assistant, connected smart plugs, a thermostat, and cameras — and you want to control all of this from your smartphone from anywhere in the world. However, open internet access without protection turns your smart home into an easy target for hackers. In this article, we will discuss how to properly organize remote access to Home Assistant via a proxy and secure your home network.

Why Direct Access to Home Assistant is Dangerous

Home Assistant is a powerful open-source smart home automation platform. Millions of users around the world manage lighting, climate, locks, cameras, and dozens of other devices through it. However, this popularity makes Home Assistant an attractive target for malicious actors.

When you forward port 8123 (the standard port for Home Assistant) directly through your router to the internet, you are literally hanging a "welcome" sign for automated scanners. These scanners go through the entire range of IP addresses and look for open ports of known services. According to Shodan (a search engine for devices on the internet), tens of thousands of Home Assistant instances are constantly available to the public.

What happens after your Home Assistant is discovered by a malicious actor:

  • Password Brute Force — automated scripts try thousands of login/password combinations. If you have a weak password, hacking is just a matter of minutes.
  • Exploitation of Vulnerabilities — critical holes are periodically found in older versions of Home Assistant that allow access without any password at all.
  • Surveillance through Cameras — once they gain access to HA, an attacker can see the live feed from all connected cameras.
  • Control of Locks and Alarms — if you have a smart lock connected, a hacker can remotely unlock your front door.
  • Theft of Automation Data — from HA's history, one can learn when you are home, when you leave, sleep mode, and other private data.

⚠️ Real Case

In 2023, security researchers discovered vulnerability CVE-2023-27482 in Home Assistant, which allowed authentication to be bypassed without any credentials. All instances with open access to the internet were vulnerable until a patch was released. Those who used a proxy layer or VPN were automatically protected.

How a Proxy Protects Your Smart Home: The Principle of Operation

In the context of Home Assistant, a proxy acts as an intermediary between the internet and your server. Instead of your Home Assistant being directly visible from the network, only the proxy server is visible from the outside — and it forwards requests internally, applying additional checks.

The operation scheme looks like this:

Your smartphone (internet)
        ↓
  Proxy server
  (filtering, encryption, authorization)
        ↓
  Home network (closed)
        ↓
  Home Assistant (192.168.1.X:8123)
  

What this additional layer provides:

  • Hiding Real IP — scanners see the proxy's IP, not your home address. Even if the proxy is hacked, they won't gain direct access to the home network.
  • SSL/TLS Encryption — the proxy can terminate the HTTPS connection and issue a valid certificate, protecting the traffic from interception.
  • Additional Authentication — you can set up Basic Auth or two-factor authentication directly at the proxy level before Home Assistant.
  • Rate Limiting — limiting the number of requests from a single IP blocks brute-force attacks before they reach Home Assistant.
  • Geo-blocking — access can be allowed only from certain countries or IP ranges.
  • Logging — all access attempts are recorded, which helps identify suspicious activity.

It is important to understand the difference between two types of proxies used in this scenario: a reverse proxy is installed on your server or router and accepts incoming connections, while an external proxy is an intermediary server in the cloud through which your traffic is tunneled. Both approaches have their advantages, and we will discuss each.

What Types of Proxies are Suitable for Home Assistant

Before choosing a solution, it is important to understand that the tasks of Home Assistant and, for example, an arbitrage trader or SMM specialist are fundamentally different. For a smart home, we need not an anonymous proxy to bypass blocks, but a secure tunnel for remote control. Let's break down the options:

| Type of Solution | How It Works | Pros | Cons | Complexity |
|---|---|---|---|---|
| Reverse Proxy (Nginx/Caddy) | Accepts HTTPS requests from the outside and forwards them to HA internally | Free, full control, SSL | Requires a public IP or DDNS, open port 443 | Medium |
| Cloudflare Tunnel | Tunnel from HA to Cloudflare servers, no ports needed | Free, no public IP needed, DDoS protection | Traffic goes through Cloudflare, requires a domain | Low |
| VPS + Proxy | Rent a VPS, tunnel traffic through it | Your own IP, maximum control | Paid, requires setup | High |
| Nabu Casa (official) | Cloud service from the HA developers | Extremely simple, supports Alexa/Google | Paid subscription ~$6.50/month | Very low |
| Residential Proxy | Routing outgoing traffic through a real home IP | Real IP, not blocked by services | Suitable for outgoing traffic, not for incoming | Low |

For most Home Assistant users, the optimal choice will be Cloudflare Tunnel (free, no public IP needed) or a reverse proxy on Nginx/Caddy (if you have a public IP or dynamic DNS). Nabu Casa is suitable for those who do not want to deal with settings at all. Let's break down each option in detail.

Reverse Proxy (Nginx, Caddy): Step-by-Step Setup

A reverse proxy is the classic and most flexible way to organize secure access to Home Assistant. It is installed on the same device as HA (for example, on a Raspberry Pi or Home Assistant OS) or on a separate server in the home network.

Option 1: Caddy (recommended for beginners)

Caddy is a modern web server that automatically obtains and renews SSL certificates through Let's Encrypt. No manual certbot setup is needed.

Step 1: What You Will Need

  • A domain name (can be free on DuckDNS or No-IP)
  • Port 443 forwarded on your router to the IP of your Home Assistant
  • Installed Home Assistant (any version)

Step 2: Install Caddy as an Add-on in Home Assistant OS

If you are using Home Assistant OS (HAOS), go to Settings → Add-ons → Add-on Store and find the Caddy 2 add-on. Install it and proceed to configuration.

Step 3: Basic Caddyfile Configuration

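your-domain.duckdns.org {
    reverse_proxy localhost:8123
    
    # Additional protection: Basic Auth before HA
    # basicauth {
    #     admin $2a$14$hashed_password
    # }
    
    # Rate limiting: no more than 10 requests per second
    # Note: rate_limit is not part of stock Caddy. It comes from the
    # third-party caddy-ratelimit plugin, so the Caddy binary must be built
    # with it, and the directive must be given a position with the global
    # "order" option or be wrapped in a route block.
    rate_limit {
        zone static_zone {
            key    {remote_host}
            events 10
            window 1s
        }
    }
    
    # Security headers
    header {
        X-Frame-Options DENY
        X-Content-Type-Options nosniff
        Referrer-Policy no-referrer
    }
}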
  

Step 4: Configure Home Assistant to Work Behind a Proxy

Open the configuration.yaml file and add the following lines. This is mandatory — otherwise, HA will reject requests from the proxy:

http:
  use_x_forwarded_for: true
  trusted_proxies:
    - 127.0.0.1
    - ::1
  

After saving, restart Home Assistant. Now access it at https://your-domain.duckdns.org — the connection will be encrypted, and the real IP of your router will be hidden behind the domain.
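Why the trusted_proxies list in Step 4 matters, shown as an added example that is not Home Assistant's own code: a simplified model of how a backend behind a reverse proxy decides which client address to log and rate-limit on. The function name and the sample addresses are assumptions made for the illustration.

```python
import ipaddress

TRUSTED_PROXIES = ["127.0.0.1", "::1"]  # the values from configuration.yaml above


def resolve_client_ip(peer_ip, x_forwarded_for, trusted_proxies=TRUSTED_PROXIES):
    """Pick the address to log and ban on, or raise to reject the request.

    Simplified model (an assumption, not Home Assistant's implementation).
    """
    nets = [ipaddress.ip_network(p) for p in trusted_proxies]

    def is_trusted(ip):
        addr = ipaddress.ip_address(ip)
        return any(addr in net for net in nets)

    if x_forwarded_for is None:
        return peer_ip  # direct connection, there is no header to interpret
    if not is_trusted(peer_ip):
        # Any client can send this header; only a listed proxy may vouch for one.
        raise PermissionError(f"X-Forwarded-For from untrusted peer {peer_ip}")
    try:
        hops = [str(ipaddress.ip_address(h.strip()))
                for h in x_forwarded_for.split(",")]
    except ValueError:
        raise PermissionError("malformed X-Forwarded-For") from None
    # Each proxy appends the address it saw, so read right to left and stop at
    # the first hop that is not one of our own proxies. Entries further left
    # were supplied by the client and cannot be trusted.
    for hop in reversed(hops):
        if not is_trusted(hop):
            return hop
    return hops[0]


if __name__ == "__main__":
    # Constructed requests using documentation address ranges.
    print(resolve_client_ip("127.0.0.1", "203.0.113.7"))
    print(resolve_client_ip("127.0.0.1", "192.168.1.10, 198.51.100.23"))
    try:
        resolve_client_ip("198.51.100.23", "127.0.0.1")
    except PermissionError as exc:
        print("rejected:", exc)
```

The second call shows a client that put a LAN address into the header itself: the value appended by the proxy wins, so bans and log entries still point at the real source.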

Option 2: Cloudflare Tunnel (without a public IP)

If you do not have a public IP (most home providers assign private addresses behind NAT), Cloudflare Tunnel is the perfect solution. You install a small agent, cloudflared, on the device running Home Assistant, and it creates an encrypted tunnel to Cloudflare's servers by itself. No open ports on the router!

Step-by-step setup:

  1. Register at cloudflare.com and add your domain (or use a free subdomain).
  2. In the Cloudflare dashboard, go to Zero Trust → Networks → Tunnels.
  3. Click Create a tunnel, give the tunnel a name (e.g., home-assistant).
  4. Copy the installation command and execute it on the device with HA (or install the Cloudflared add-on from the HAOS store).
  5. In the Public Hostname section, specify:
    — Subdomain: ha
    — Domain: your domain
    — Service: http://localhost:8123
  6. Add trusted Cloudflare proxies to configuration.yaml (IP ranges can be found at cloudflare.com/ips).
  7. Optionally: enable Zero Trust Access — an additional level of authentication via email or Google account before logging into HA.

💡 Tip

Cloudflare Tunnel is completely free for personal use. The only limitation is that traffic passes through Cloudflare servers. For managing a smart home, this is absolutely acceptable, and protection against DDoS and bots comes included.

External Proxy Server: When It's Needed and How to Connect

An external proxy server is an intermediary node in the cloud through which your traffic is routed. In the context of Home Assistant, it is used in several specific scenarios that are not covered by a reverse proxy.

Scenario 1: Accessing Home Assistant from a Corporate Network

Many corporate networks block non-standard ports and VPN connections. If you want to manage your smart home from a work computer where most connections are blocked, traffic through a residential proxy looks like regular HTTPS traffic from a home user and does not raise suspicions with the corporate firewall.

Scenario 2: Integrations with Geo-Restricted Services

Home Assistant can integrate with thousands of external services: weather APIs, smart speakers, streaming platforms. Some of them are only available in certain countries. For example, integration with Amazon Alexa or Google Assistant requires that the server be accessible from the USA or Europe. In this case, outgoing traffic from HA can be routed through a data center proxy in the required region.

Scenario 3: Anonymizing Outgoing HA Requests

Home Assistant regularly makes requests to external APIs: checking the weather, getting traffic data, synchronizing with cloud services. All these requests leave from your home IP, revealing your location to third-party services. Setting up an outgoing proxy in the HA system settings allows you to hide the real IP.

How to Set Up an Outgoing Proxy in Home Assistant:

In Home Assistant OS, go to Settings → System → Network. Here you can specify an HTTP/HTTPS proxy for all outgoing connections. Enter the proxy details in the format:

HTTP Proxy:  http://user:password@proxy-server:port
HTTPS Proxy: http://user:password@proxy-server:port
  

Alternatively, if you are running HA in Docker, you can set the environment variables HTTP_PROXY and HTTPS_PROXY in the docker-compose.yml file:

version: '3'
services:
  homeassistant:
    image: ghcr.io/home-assistant/home-assistant:stable
    environment:
      - HTTP_PROXY=http://user:pass@proxy-server:port
      - HTTPS_PROXY=http://user:pass@proxy-server:port
      - NO_PROXY=localhost,127.0.0.1,192.168.0.0/16
    volumes:
      - ./config:/config
    network_mode: host
    restart: unless-stopped
  

Pay attention to the NO_PROXY variable — it excludes local addresses from proxying so that HA can communicate with devices in your home network directly.

Nabu Casa vs Self-Hosted Proxy: What to Choose

Nabu Casa is the official cloud service from the Home Assistant team. It solves the remote access problem with one click: no DNS settings, SSL, or open ports. You simply subscribe and get a ready-made URL like https://your-id.ui.nabu.casa.

| Criterion | Nabu Casa | Cloudflare Tunnel | Nginx/Caddy |
|---|---|---|---|
| Cost | ~$6.50/month | Free | Free |
| Setup Complexity | ⭐ Very easy | ⭐⭐ Easy | ⭐⭐⭐ Medium |
| Public IP Required | No | No | Yes (or DDNS) |
| Own Domain | No | Yes | Yes |
| Alexa / Google Home | ✅ Built-in | Manual setup | Manual setup |
| Privacy | Traffic through Nabu Casa servers | Traffic through Cloudflare | Full control |
| Support from HA Developers | ✅ Yes | No | No |

Conclusion: If you are just starting and want minimal hassle — go for Nabu Casa. If you want a free solution without a public IP — use Cloudflare Tunnel. If full control and your own domain name are important — set up Nginx or Caddy.

Security Checklist: 10 Rules for Protecting Home Assistant

A proxy is an important but not the only element of protection. Here is a complete checklist that will close most attack vectors on your smart home:

✅ Home Assistant Security Checklist

  1. Set up a proxy layer (Caddy, Nginx, or Cloudflare Tunnel) — never open port 8123 directly.
  2. Enable HTTPS — only encrypted connections. Caddy does this automatically.
  3. Use a strong password — at least 16 characters, including numbers and special characters. Better still, use a password manager.
  4. Enable two-factor authentication in Home Assistant: Settings → Users → Enable 2FA (TOTP via Google Authenticator or Authy).
  5. Disable account creation through the UI (onboarding) after the initial setup.
  6. Set up rate limiting on the proxy — no more than 5-10 login attempts per minute from a single IP.
  7. Enable fail2ban or similar — automatic blocking of IPs after several failed login attempts.
  8. Regularly update Home Assistant — most critical vulnerabilities are closed within 24-48 hours after discovery.
  9. Isolate smart home devices in a separate VLAN or guest Wi-Fi network — if one device is hacked, the rest of the network remains secure.
  10. Disable unnecessary integrations and add-ons — each active component expands the attack surface.

Additionally: Setting Up fail2ban for Home Assistant

If you are using a Linux system (for example, Home Assistant Supervised on Debian), install fail2ban for automatic blocking of attacking IPs:

# Install fail2ban
sudo apt install fail2ban

# Create the file /etc/fail2ban/filter.d/hass.conf
[INCLUDES]
# common.conf defines __prefix_line, which the failregex below relies on
before = common.conf

[Definition]
failregex = ^%(__prefix_line)s.*Login attempt or request with invalid authentication from <HOST>.*$
ignoreregex =

# Create a rule in /etc/fail2ban/jail.d/hass.conf
[hass]
enabled  = true
filter   = hass
logpath  = /config/home-assistant.log
maxretry = 5
bantime  = 3600
findtime = 600
  

This rule blocks the IP for 1 hour after 5 failed login attempts within 10 minutes. You can tighten the parameters: increase bantime to 86400 (24 hours) or decrease maxretry to 3.
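To see how maxretry, findtime and bantime interact, here is an added example (not part of fail2ban or Home Assistant) that replays the jail's logic over a constructed log. The timestamp and logger prefix of the sample lines are an assumed layout; only the message text comes from the failregex above.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Message text is the one the failregex above matches; the timestamp and
# logger prefix are an assumed log layout.
FAIL_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\S* .*"
    r"Login attempt or request with invalid authentication from "
    r"(?P<host>[0-9A-Fa-f:.]+)"
)


def find_bans(lines, maxretry=5, findtime=600, bantime=3600):
    """Return {ip: (ban_start, ban_end)} using the jail's thresholds."""
    recent = defaultdict(deque)  # ip -> failure times inside the findtime window
    bans = {}
    for line in lines:
        m = FAIL_RE.match(line)
        if not m:
            continue  # not an authentication failure
        ip = m["host"]
        ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
        if ip in bans and ts < bans[ip][1]:
            continue  # already banned, the firewall would drop this request
        window = recent[ip]
        window.append(ts)
        while (ts - window[0]).total_seconds() > findtime:
            window.popleft()  # forget failures older than findtime
        if len(window) >= maxretry:
            bans[ip] = (ts, ts + timedelta(seconds=bantime))
            window.clear()
    return bans


# Constructed sample log (documentation address ranges), not real data.
LINE = ("{ts}.000 WARNING (MainThread) [homeassistant.components.http.ban] "
        "Login attempt or request with invalid authentication from {ip} ({ip}).")
SAMPLE_LOG = (
    # burst: five failures within about half a minute
    [LINE.format(ts=f"2026-06-12 03:00:{s:02d}", ip="203.0.113.7") for s in (1, 9, 17, 25, 33)]
    # spread out: five failures, one per hour, never five inside findtime
    + [LINE.format(ts=f"2026-06-12 0{h}:30:00", ip="198.51.100.23") for h in range(3, 8)]
    + ["2026-06-12 03:05:00.000 INFO (MainThread) [homeassistant.core] Starting Home Assistant"]
)

if __name__ == "__main__":
    for ip, (start, end) in find_bans(SAMPLE_LOG).items():
        print(f"ban {ip} from {start} until {end}")
```

Only the burst source is banned with the default thresholds, which is why the checklist pairs fail2ban with a strong password and two-factor authentication.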

Monitoring Suspicious Activity

Home Assistant has a built-in authentication log. Check it regularly through Settings → System → Logs. Look for lines with Login attempt and invalid authentication. If you see attempts from unfamiliar IPs, it is a signal that your HA has been discovered by scanners.

You can also set up automatic notifications in Telegram for failed login attempts. Create an automation in Home Assistant:

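# Requires "fire_event: true" under system_log: in configuration.yaml,
# otherwise the system_log_event event is never fired
alias: Failed Login Notification
trigger:
  - platform: event
    event_type: system_log_event
    event_data:
      level: WARNING
condition:
  - condition: template
    # "| string" makes the test work whether message is a string or a list of strings
    value_template: "{{ 'Login attempt' in (trigger.event.data.message | string) }}"
action:
  - service: notify.telegram
    data:
      message: "⚠️ Attempt to log in to Home Assistant: {{ trigger.event.data.message }}"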
  

Conclusion

Secure remote access to Home Assistant is not an optional "feature," but a mandatory condition for anyone wanting to manage their smart home from the internet. An open port without a protective layer is not a question of "if it will be hacked," but "when it will be hacked." A proxy layer (reverse proxy or tunnel) radically changes the picture: attackers only see the proxy, not your real server and home network.

A brief summary of solution choices:

  • Beginner, want it simple and fast → Nabu Casa or Cloudflare Tunnel
  • Have a public IP, want control → Caddy or Nginx as a reverse proxy
  • No public IP, want it free → Cloudflare Tunnel + DuckDNS
  • Maximum privacy → VPS + WireGuard tunnel + reverse proxy

Remember that a proxy is the first line of defense. Complement it with two-factor authentication, regular updates, and log monitoring. A smart home should be smart in security matters as well.

If, in addition to protecting incoming traffic, you need to hide outgoing requests from Home Assistant to external APIs or gain access to geo-restricted integrations, we recommend considering residential proxies — they provide real home IP addresses that are not blocked by cloud services and API providers.
