Traefik and a remote Home Assistant

2 minute read

I’ve been playing with Traefik lately, for remote access for various things in my Docker stack, and I decided to see if it was possible to also use it for Home Assistant, despite that being on a remote host.

The answer is (otherwise I wouldn’t have written this) yes - and I can continue my practice of limiting access to only parts of the API I want to expose. I used this guide to get myself going.

There’s nothing special about the core of my Traefik configuration. I’m using ZeroSSL here, instead of LetsEncrypt, purely because I’m already using LetsEncrypt for my existing proxy and didn’t want to hit rate limits while experimenting.

I’m using the file provider to define the connection to Home Assistant, and that configuration too is pretty simple. The key is the loadBalancer setting, that directs Traefik to the remote host.

Step by step

Set up your file (or in this case folder) provider, eg:

    exposedByDefault: false  
    directory: /config  
    watch: true

Any configuration files that are dropped in that folder will be automatically loaded since watch is set to true. The same goes for any changes to existing files.

Next set up the router - in this case I’m using http.yml in the folder mapped as /config:

        - "websecure"  
      rule: "Host(``) && ( PathPrefix(`/api/webhook`) || PathPrefix(`/api/websocket`) || PathPrefix(`/api/telegram_webhooks`) || PathPrefix(`/api/frigate`) || PathPrefix(`/api/tts_proxy/`) || PathPrefix(`/auth/token`) )"  
        certResolver: zerossl  
          - main: ""  
      service: homeassistant

The key things to note here are:

  • I’m limiting access to only parts of the API that I want to have remote access to. That is:
    • Webhooks for things like GPSLogger and the official Home Assistant Android app
    • Telegram bot
    • Frigate notifications 
  • I’ve explicitly named the hostname for the certificate. This apparently isn’t needed, though for some reason it wouldn’t generate a certificate request until I did this.

I didn’t initially appreciate that Traefik uses backticks, not normal quotes, in the config file, which did cause me a bit of wasted time.

The service goes in the same file:

          - url: ""  
        passHostHeader: true

Now all you have to do is restart Traefik to load the file provider config, whichthen loads everything else. If it all went well you’ll have a new working HTTP Router and Service entry in your Traefik dashboard, with a TLS domain, it not it’s time to check the logs to see what went wrong.