Traefik configuration file for proxying Home Assistant running on a LAN IP within a TrueNAS Scale VM. This configuration allows Traefik to handle HTTPS requests and route them to the Home Assistant service, ensuring secure access to your smart home environment.

Traefik Proxy for Home Assistant on LAN IP

This guide explains how to set up Traefik as a reverse proxy for Home Assistant running on a local network IP. It includes creating a dataset for Traefik configs, setting up a Docker Compose file, creating the necessary Docker volume and network, and configuring Home Assistant to trust the proxy.

1. Create a Docker Network

Before running the Traefik stack, create a Docker network that Traefik will use:

docker network create traefik_proxy

2. Create a Docker Volume

Create a Docker volume to store Let's Encrypt certificates securely:

docker volume create traefik_letsencrypt

3. Create a Dataset for Traefik Configs

Create a dataset (from the TrueNAS SCALE Storage UI or with zfs create) or a plain directory on your Docker host for the Traefik configuration files. Note that mkdir on a pool path creates an ordinary directory inside the parent dataset, not a new ZFS dataset; either works for this guide, but a dedicated dataset lets you snapshot the configs and set their permissions separately:

mkdir -p /mnt/Phantom/Applications/TraefikConfigs

4. Docker Compose File

Create a file named docker-compose.yml in the /mnt/Phantom/Applications/TraefikConfigs directory with the following content. Two things differ from a typical copy-paste setup: the image is pinned, because traefik:latest moved from v2 to v3 and v3 no longer understands the HostRegexp(`{host:.+}`) catch-all rule (it is treated as a literal string and silently matches nothing), and the HTTP-to-HTTPS redirect is therefore configured on the entrypoint instead, which works on both versions. The obsolete version key is omitted since Compose v2 ignores it.

services:
  traefik:
    image: traefik:v3.1                       # Pin a release; `latest` changed router rule syntax between v2 and v3
    container_name: traefik
    restart: always
    command:
      - --log.level=INFO                        # Set log level to INFO
      - --accesslog=true                        # Enable access logging
      - --api.dashboard=true                    # Required, or the api@internal service used by the dashboard router does not exist
      - --entrypoints.web.address=:80           # HTTP entrypoint (only serves the ACME HTTP-01 challenge and the redirect)
      - --entrypoints.web.http.redirections.entrypoint.to=websecure   # Redirect all plain HTTP to HTTPS
      - --entrypoints.web.http.redirections.entrypoint.scheme=https
      - --entrypoints.web.http.redirections.entrypoint.permanent=true
      - --entrypoints.websecure.address=:443    # HTTPS entrypoint
      - --providers.docker=true                 # Enable Docker provider
      - --providers.docker.exposedbydefault=false # Only expose containers with traefik.enable=true
      - --providers.file.filename=/etc/traefik/home_assistant_proxy_config.yml  # Load dynamic config for the LAN-side Home Assistant
      - --certificatesresolvers.letsencrypt.acme.email=your-email@example.com
      - --certificatesresolvers.letsencrypt.acme.storage=/letsencrypt/acme.json
      - --certificatesresolvers.letsencrypt.acme.httpchallenge=true
      - --certificatesresolvers.letsencrypt.acme.httpchallenge.entrypoint=web   # Port 80 must be reachable from the internet for HTTP-01
    ports:
      - 80:80
      - 443:443
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock:ro   # Read-only still grants the full Docker API (root-equivalent on the host); keep this container trusted
      - traefik_letsencrypt:/letsencrypt
      - /mnt/Phantom/Applications/TraefikConfigs/home_assistant_proxy_config.yml:/etc/traefik/home_assistant_proxy_config.yml  # Must exist as a file before `docker compose up`, or Docker creates an empty directory at this path
    networks:
      - traefik_proxy
    labels:
      - traefik.enable=true
      # Dashboard is served on HTTPS only and behind basic auth. Generate the hash with `htpasswd -nB <USER>`
      # and double every `$` as `$$` so Compose does not treat it as variable interpolation.
      - traefik.http.middlewares.dashboard-auth.basicauth.users=<USER>:<BCRYPT_HASH>
      - traefik.http.routers.traefik.rule=Host(`your-traefik-domain.com`)
      - traefik.http.routers.traefik.entrypoints=websecure
      - traefik.http.routers.traefik.service=api@internal
      - traefik.http.routers.traefik.middlewares=dashboard-auth
      - traefik.http.routers.traefik.tls=true
      - traefik.http.routers.traefik.tls.certresolver=letsencrypt

networks:
  traefik_proxy:
    external: true

volumes:
  traefik_letsencrypt:
    external: true

5. Dynamic Configuration File for Traefik

Create a file named home_assistant_proxy_config.yml in the same directory with the following content:

http:
  routers:
    ha-router:
      rule: "Host(`your-home-assistant-domain.com`)"
      entryPoints:
        - websecure
      service: ha-service
      tls:
        certResolver: letsencrypt

  services:
    ha-service:
      loadBalancer:
        servers:
          - url: "http://<YOUR_HOME_ASSISTANT_LAN_IP>:8123"

Why is the Dynamic Configuration Required?

Traefik's Docker provider only discovers services from labels on containers it can see through the Docker socket. Home Assistant here is not a container but a VM with its own LAN IP, so nothing on the Docker side advertises it. The file provider fills that gap: it lets you define a router and a service whose backend is an arbitrary URL, and the file can be edited and reloaded without touching the Compose stack.
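Before the first `docker compose up`, it is worth checking the config directory for the mistakes that bite this setup: a dynamic config that the bind mount turned into a directory because the file did not exist yet, placeholders left in place, an unpinned image, Traefik v2 HostRegexp syntax, a dashboard router pointing at api@internal without the API enabled, and an acme.json that is readable by others. The following pre-flight script is an added example, not part of the gist; it assumes the file names and paths used in this guide and uses only the Python standard library. The two Compose snippets embedded in it are constructed for the self-test and are not meant to be deployed.

```python
"""Pre-flight checks for the Traefik config directory used in this guide.

Added example; not the gist's or Traefik's own code. Assumes docker-compose.yml
and home_assistant_proxy_config.yml live in the directory passed on the command
line, as in the guide.
"""
from __future__ import annotations

import re
import stat
import sys
from pathlib import Path

# Literal placeholders the gist ships with; leaving any of them in means the stack
# comes up pointing at example hosts or fails ACME account registration.
PLACEHOLDERS = (
    "your-email@example.com",
    "your-traefik-domain.com",
    "your-home-assistant-domain.com",
)
ANGLE_PLACEHOLDER = re.compile(r"<[A-Z][A-Z_]*>")          # e.g. <YOUR_HOME_ASSISTANT_LAN_IP>
V2_REGEXP_RULE = re.compile(r"HostRegexp\(`\{[^}]*\}`\)")  # v2 `{name:regexp}` syntax, a no-op literal in v3


def lint_text(name: str, text: str) -> list[str]:
    """Content checks that apply to either file. Returns a list of problems."""
    problems: list[str] = []
    for token in PLACEHOLDERS:
        if token in text:
            problems.append(f"{name} still contains placeholder {token!r}")
    for match in ANGLE_PLACEHOLDER.findall(text):
        problems.append(f"{name} still contains placeholder {match!r}")
    if "image: traefik:latest" in text:
        problems.append(f"{name} uses traefik:latest; pin a release so rule syntax does not change under you")
    if V2_REGEXP_RULE.search(text):
        problems.append(f"{name} uses v2 HostRegexp `{{name:regexp}}` syntax, which Traefik v3 does not support")
    if "api@internal" in text and "--api.dashboard=true" not in text and "--api=true" not in text:
        problems.append(f"{name} routes to api@internal but never enables the API (--api.dashboard=true)")
    if "docker.sock:/var/run/docker.sock" in text and "docker.sock:ro" not in text:
        problems.append(f"{name} mounts the Docker socket read-write")
    return problems


def check_config_dir(config_dir: Path) -> list[str]:
    """Filesystem checks plus lint_text over both files."""
    problems: list[str] = []
    compose = config_dir / "docker-compose.yml"
    dynamic = config_dir / "home_assistant_proxy_config.yml"
    if not compose.is_file():
        problems.append(f"{compose} is missing")
    # Bind-mounting a path that does not exist makes Docker create a directory there,
    # after which the file provider loads nothing and the HA router never appears.
    if dynamic.is_dir():
        problems.append(f"{dynamic} is a directory (bind mount ran before the file existed?)")
    elif not dynamic.is_file():
        problems.append(f"{dynamic} is missing; create it before `docker compose up`")
    for path in (compose, dynamic):
        if path.is_file():
            problems.extend(lint_text(path.name, path.read_text(encoding="utf-8")))
    return problems


def check_acme_storage(acme_json: Path) -> list[str]:
    """acme.json holds the ACME account key and the certificate private keys; it must be 0600."""
    if not acme_json.exists():
        return []  # Traefik creates it with mode 0600 on first run
    mode = stat.S_IMODE(acme_json.stat().st_mode)
    return [f"{acme_json} has mode {mode:04o}; expected 0600"] if mode & 0o077 else []


# Constructed samples for the self-test: the first reproduces the pitfalls discussed above,
# the second is a minimal fragment with them fixed. Neither is a complete stack.
SAMPLE_BROKEN_COMPOSE = """\
services:
  traefik:
    image: traefik:latest
    command:
      - --certificatesresolvers.letsencrypt.acme.email=your-email@example.com
    labels:
      - traefik.http.routers.http-catchall.rule=HostRegexp(`{host:.+}`)
      - traefik.http.routers.traefik.service=api@internal
"""
SAMPLE_FIXED_COMPOSE = """\
services:
  traefik:
    image: traefik:v3.1
    command:
      - --api.dashboard=true
      - --certificatesresolvers.letsencrypt.acme.email=admin@smarthome.internal
    labels:
      - traefik.http.routers.traefik.service=api@internal
"""

if __name__ == "__main__":
    directory = Path(sys.argv[1] if len(sys.argv) > 1 else ".")
    found = check_config_dir(directory)
    print("\n".join(found) if found else f"{directory}: no problems found")
    sys.exit(1 if found else 0)
```

Run it as `python3 traefik_preflight.py /mnt/Phantom/Applications/TraefikConfigs`; a non-zero exit means something above needs fixing. check_acme_storage takes the path of acme.json inside the named volume (`docker volume inspect traefik_letsencrypt` shows the mountpoint) and is kept separate because that path is only readable as root.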

6. Update Home Assistant Configuration

Home Assistant refuses proxied requests (HTTP 400) unless the address the proxy connects from is listed in trusted_proxies, and it only honours X-Forwarded-For from those addresses. Add the block below to configuration.yaml, through the UI or via SSH. Keep trusted_proxies as narrow as you can: Traefik's connections normally reach the VM from the LAN IP of the Docker host (the container's traffic is masqueraded behind it), so that single address is the right entry. Listing a whole /16 means any device on the LAN that talks to port 8123 directly can forge X-Forwarded-For and, for example, sidestep an IP ban by rotating the forged address.

http:
  use_x_forwarded_for: true
  trusted_proxies:
    - <DOCKER_HOST_LAN_IP>/32   # LAN IP of the TrueNAS host running Traefik; prefer a single address over 192.168.0.0/16
    # - 172.16.0.0/12           # Only needed if Home Assistant itself ran in Docker on the same host, which is not this setup
  ip_ban_enabled: true         # Optional: ban an IP after repeated failed logins
  login_attempts_threshold: 5  # Optional: failed logins before an IP is banned

Option 1: Edit through the UI

  1. Install the File Editor add-on from the Home Assistant add-on store.
  2. Once installed, open the File Editor and open configuration.yaml.
  3. Add the http: block above.
  4. Save the changes and restart Home Assistant.

Option 2: Edit via SSH

If you prefer command-line access, follow these steps:

  1. Open a shell on the Home Assistant VM, for example through the VM console in the TrueNAS SCALE UI or with the Home Assistant SSH add-on.
  2. Open configuration.yaml with your preferred text editor. Inside the SSH add-on the file is /config/configuration.yaml; on the Home Assistant OS host it is:
nano /mnt/data/supervisor/homeassistant/configuration.yaml
  3. Add the http: block above.
  4. Save the changes (in nano, press CTRL + O, then Enter to save, and CTRL + X to exit).
  5. Restart Home Assistant.
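To see why the width of trusted_proxies matters, here is a small model of the documented rule: a request carrying X-Forwarded-For is rejected unless the TCP peer is in trusted_proxies, and when it is accepted the first address in the header becomes the client address that login throttling and IP bans key on. This is an added example, not Home Assistant's own code; the addresses (a Docker host at 192.168.1.10, a LAN attacker at 192.168.1.77, public clients in 203.0.113.0/24) are constructed, and brute_force_outcome is a hypothetical helper that plays an attacker rotating forged headers against port 8123 directly.

```python
"""Model of Home Assistant's trusted_proxies / X-Forwarded-For decision.

Added example; not Home Assistant's implementation. Encodes only the documented
behaviour: forwarded headers are honoured solely from peers in trusted_proxies,
the first X-Forwarded-For entry is the client, and untrusted forwarded requests
are rejected. All addresses are constructed for illustration.
"""
from __future__ import annotations

import ipaddress
from typing import Optional

DOCKER_HOST = "192.168.1.10"   # constructed: where Traefik's connections appear to come from
LAN_ATTACKER = "192.168.1.77"  # constructed: another device on the same LAN


def parse_trusted(entries: list[str]) -> list:
    """Bare addresses become /32 (or /128) networks, matching how the YAML is read."""
    return [ipaddress.ip_network(e, strict=False) for e in entries]


def effective_client_ip(remote: str, xff: Optional[str], trusted: list[str],
                        use_xff: bool = True) -> Optional[str]:
    """Return the client address the app would act on, or None if the request is rejected.

    remote: address of the TCP peer (the proxy, or a client connecting directly)
    xff:    value of the X-Forwarded-For header, if the request carries one
    """
    peer = ipaddress.ip_address(remote)
    if xff is None:
        return remote  # no forwarding header: the peer is the client
    if not use_xff:
        return None    # forwarding header but proxies not enabled: rejected
    if not any(peer in net for net in parse_trusted(trusted)):
        return None    # forwarding header from a peer that is not a trusted proxy: rejected
    first = xff.split(",")[0].strip()
    return str(ipaddress.ip_address(first))


def brute_force_outcome(trusted: list[str], attempts: int = 20, threshold: int = 5) -> str:
    """Hypothetical attacker on the LAN hits port 8123 directly, forging a fresh
    X-Forwarded-For on every failed login. Returns how the ban logic ends up:
    'rejected' (400 before login), 'banned' (threshold reached for one address),
    or 'never banned' (each attempt was attributed to a different forged address).
    """
    failures: dict[str, int] = {}
    for i in range(attempts):
        seen = effective_client_ip(LAN_ATTACKER, f"203.0.113.{i + 1}", trusted)
        if seen is None:
            return "rejected"
        failures[seen] = failures.get(seen, 0) + 1
        if failures[seen] >= threshold:
            return "banned"
    return "never banned"


if __name__ == "__main__":
    for label, trusted in (("broad", ["192.168.0.0/16"]), ("narrow", [f"{DOCKER_HOST}/32"])):
        legit = effective_client_ip(DOCKER_HOST, "203.0.113.5", trusted)
        print(f"{label:6} trusted_proxies={trusted}: via Traefik -> {legit}, "
              f"forged from LAN -> {brute_force_outcome(trusted)}")
```

With the broad range the forged requests are accepted and each one is attributed to a different address, so the threshold is never reached; with the /32 they are rejected outright. The attacker can of course drop the header and be seen as 192.168.1.77, but then the ban applies to their real address, which is the point.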

Summary

By following these steps, you will successfully set up Traefik as a reverse proxy for Home Assistant on your local network, ensuring secure and flexible access through HTTPS.
