The Home Assistant companion app can’t handle Cloudflare Access reauthentication gracefully because it doesn’t support the interactive login flow. Possible solutions:

Client Certificates (mTLS)

This is the most secure and reliable solution. You create a separate Access application for the companion app that uses client certificates instead of interactive authentication.

Steps:

  1. Generate a client certificate in Cloudflare: go to SSL/TLS → Client Certificates → Create Certificate, then download the certificate (cf.pem) and the private key (cf.key).
  2. Convert it to a mobile-compatible PKCS#12 format:

    openssl pkcs12 -export -out cf.pfx -inkey cf.key -in cf.pem

    (Some phones may need the -legacy flag.)
  3. Install it on your phone:

    • Transfer the .pfx file securely
    • Android: Settings → Security → Credential Storage → Install from storage
    • iOS: Similar process through Settings
    • Windows: Import the cert by double-clicking the .pfx file (default settings everywhere). In the Edge browser, disable the experimental QUIC protocol via edge://flags to allow certificate selection.
  4. Create a WAF mTLS rule:

    • Go to SSL/TLS → Client Certificates → Create mTLS Rule
    • This blocks requests without a valid certificate
  5. Create a second Access application for the app:

    • Create an Access Group with the selector “Valid Certificate”
    • Set the policy action to Service Auth (not Bypass!)
    • This allows certificate-authenticated requests without the login prompt
  6. Configure the companion app to use the certificate-protected URL
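The certificate bundling in step 2 and a check that the mTLS rule from step 4 is really enforcing, as an added shell example that is not from the original post or from Cloudflare. It assumes openssl and curl are installed; the file names (cf.key, cf.pem, cf.pfx), the export password and the hostname are placeholders. It goes slightly beyond the post's one-liner: it refuses to bundle a key that does not belong to the certificate, locks down the output file's permissions, and verifies the resulting .pfx opens with the password before you copy it to a phone.

```shell
#!/bin/sh
# Added example (not from the original post): bundle the Cloudflare-issued
# client certificate and key into a PKCS#12 file for a phone, verify the
# bundle, and optionally confirm from a desktop that the WAF mTLS rule blocks
# certificate-less requests. File names, password and hostname are
# placeholders chosen for this example.

set -eu

# Bundle cert + key into a password-protected .pfx.
# Usage: make_client_pfx cf.key cf.pem cf.pfx 'export-password' [legacy]
# Pass "legacy" as the 5th argument for phones that only accept the older
# PKCS#12 encryption (OpenSSL 3's -legacy, the flag mentioned in the post).
make_client_pfx() {
    key=$1; cert=$2; out=$3; pass=$4; mode=${5:-modern}
    [ -r "$key" ] || { echo "missing key: $key" >&2; return 1; }
    [ -r "$cert" ] || { echo "missing cert: $cert" >&2; return 1; }
    # Refuse to bundle a private key that does not match the certificate:
    # compare the SHA-256 of the DER public key derived from each side.
    key_pub=$(openssl pkey -in "$key" -pubout -outform DER 2>/dev/null | openssl sha256)
    cert_pub=$(openssl x509 -in "$cert" -pubkey -noout \
        | openssl pkey -pubin -pubout -outform DER 2>/dev/null | openssl sha256)
    [ "$key_pub" = "$cert_pub" ] || { echo "key does not match certificate" >&2; return 1; }
    if [ "$mode" = legacy ]; then
        openssl pkcs12 -export -legacy -out "$out" -inkey "$key" -in "$cert" -passout "pass:$pass"
    else
        openssl pkcs12 -export -out "$out" -inkey "$key" -in "$cert" -passout "pass:$pass"
    fi
    # The .pfx contains the private key; keep it readable by you only.
    chmod 600 "$out"
}

# Check that the bundle opens with the password and holds exactly one
# client certificate. Usage: verify_pfx cf.pfx 'export-password'
verify_pfx() {
    n=$(openssl pkcs12 -in "$1" -passin "pass:$2" -nokeys -clcerts 2>/dev/null \
        | grep -c 'BEGIN CERTIFICATE' || true)
    [ "$n" -eq 1 ]
}

# Network check to run by hand from a desktop (not part of automated tests):
# the same URL must answer differently with and without the certificate.
# Without it, the WAF mTLS rule should block the request; with it, the
# request should reach Home Assistant (which still demands its own token).
# Usage: check_mtls_enforced https://ha.example.com/api/ cf.pem cf.key
check_mtls_enforced() {
    url=$1; cert=$2; key=$3
    without=$(curl -s -o /dev/null -w '%{http_code}' "$url")
    with=$(curl -s -o /dev/null -w '%{http_code}' --cert "$cert" --key "$key" "$url")
    echo "without cert: $without, with cert: $with"
    [ "$without" != "$with" ]
}
```

Run `make_client_pfx cf.key cf.pem cf.pfx 'your-password'` followed by `verify_pfx cf.pfx 'your-password'` before transferring the file; if a phone rejects the bundle, repeat with `legacy` as the fifth argument. `check_mtls_enforced` is the quick way to confirm step 4 took effect: if both status codes come back identical, the rule is not matching the hostname or path you expect.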

Cloudflare WARP Client

Use the WARP client on your mobile device to establish a trusted connection. This is free with Zero Trust and doesn’t require certificates, but you need WARP running:

  • Enable WARP in your Zero Trust dashboard
  • Install WARP (1.1.1.1 app) on your phone
  • Enroll the device in your Zero Trust organization
  • When WARP is connected, your device is trusted and bypasses Access

Bypass the /api Path

A simpler but less secure option: create a bypass policy specifically for /api/*.

  1. Create a new Access application for yourdomain.com/api/*
  2. Set the action to Bypass
  3. Your web interface still requires authentication, but API calls pass through

Security Hint

This exposes your API to anyone who knows the URL (though HA’s own authentication still applies).