Ecowitt Integration - HTTPS requirements non functional

[JohnMcLear]

The problem

Duplicate of garbled1/homeassistant_ecowitt#154

I'm running HA Blue hardware w/ HASS and want to use HTTPS to make Ecowitt plugin (core) work.

Since the plugin went into core HA the TLS/SSL was dropped and the requirement is to use NGINX to reverse proxy HTTPS > HTTP.

Before I had port 4199 > 4199 forwarded(at the router) to the HA Blue box and it was working fine (using custom plugin). I modified the new path to match the path specified by the plugin at time of installation/configuration and I have no data coming through and no errors in the logs.

Given that I expose https for core without a plugin what are my options here?

Related to garbled1/homeassistant_ecowitt#149 but I wanted to create a new issue to remove the noise

What version of Home Assistant Core has the issue?

core-2023.5.2

What was the last working version of Home Assistant Core?

n/a

What type of installation are you running?

Home Assistant OS

Integration causing the issue

Ecowitt

Link to integration documentation on our website

https://www.home-assistant.io/integrations/ecowitt/

Diagnostics information

No response

Example YAML snippet

No response

Anything in the logs that might be useful for us?

No response

Additional information

No response

[home-assistant]

Hey there @pvizeli, mind taking a look at this issue as it has been labeled with an integration (ecowitt) you are listed as a code owner for? Thanks!

Code owner commands

Code owners of ecowitt can trigger bot actions by commenting:

• @home-assistant close Closes the issue.
• @home-assistant rename Awesome new title Renames the issue.
• @home-assistant reopen Reopen the issue.
• @home-assistant unassign ecowitt Removes the current integration label and assignees on the issue, add the integration domain after the command.

_{^{(message by CodeOwnersMention)}}

---

ecowitt documentation
ecowitt source
_{^{(message by IssueLinks)}}

[veilofsecurity]

The requirement to use NGINX proxy is a step backward and a security issue. The custom integration was able to expose a specific port for a specific purpose and not expose 8123 over HTTP. Even local I do not consider exposing my entire HA instance over HTTP acceptable.

This integration should be reworked to support HTTP without exposing all of HA via HTTP like the HACS version did.

[JohnMcLear]

This integration should be reworked to support HTTP without exposing all of HA via HTTP like the HACS version did.

Is this accurate @veilofsecurity - It doesn't change your point but I think the above statement includes mistakes? I think it's meant to say

1. "This integration should be reworked to support HTTP for a specific purpose without the requirement to expose all of HA".

and/or (and this is for my use case).

2. "This integration should be reworked to support ecowitt where HA is exposed via core HTTPS handlers and not require Nginx reverse proxying.

They are two separate approaches. You'd of thought 2) would be supported "out of the box" given that it was implemented for hass.io.

[veilofsecurity]

My wording about HACS was definitely ambiguous and your 1 clarifies the meaning. Your 2 wont work because the Ecowitt gateways only support HTTP and I doubt they will be updated anytime soon, if ever.

There are 3 options:

1. Best - Ecowitt updates to support HTTPS and we use the native integration as is.
2. Better - HA makes the integration expose an HTTP port whose only function is to ingest from Ecowitt. This is what HACS did and doesnt make all of HA available via HTTP which is unacceptable in my opinion.
3. Not great - Expose HA via HTTP allowing Ecowitt to send to the integration. Use NGINX Rev Proxy to enable HTTPS for HA for your everyday use, mobile apps, etc.

For now I am continuing to use the HACS integration with the line 21 code fix but I dont expect that integration to work forever as it seems to now be unmaintained. I would like to see option 2 implemented in the official integration or I am open to othet ideas if I've missed something.

[adynis]

Where could I vote for option "1. Best" from previous post from @veilofsecurity ? :-)

[JohnMcLear]

For now I am continuing to use the HACS integration with the line 21 code fix

Given the situation I might be forced to do the same ;( Can you please link to the line 21 code fix?

[adynis]

I suppose it's this one: garbled1/homeassistant_ecowitt#149 (comment)

[Cellivar]

Skimming through the code it looks like the port for the webhook could be made configurable?

core/homeassistant/components/ecowitt/config_flow.py

Line 46 in 3fbc026

"port": str(base_url.port),

My GW1000 seems to support adding different ports, just not using HTTPS over whatever port is selected.

[Entropy512]

Given that option 1 is extremely unlikely to happen (since that would require ecowitt to add the function and this does not seem likely), option 2 would make most sense. It also is the easiest for existing ecowitt users to migrate to.

Funny thing is that when installing the new Ecowitt integration after deleting all of the old HACS-originated stuff, it talks about finding an open port and even suggest 4199 which is what the old HACS ecowitt integration used - but it obviously does not actually support listening on 4199...

[raucao]

Just ran into this issue with a new weather station. Option 2 seems the most reasonable to me as well, because I also don't want to expose the rest of HA on HTTP. And option 1 is out of our control.

[andcastellani]

Is it not possible meanwhile a workaround, like writing a different port number in a config file?
Or, for instance, can core/homeassistant/components/ecowitt/config_flow.py code file be edited for this type of "hacking"?

[kbx81]

Just ran into this issue with a new weather station.

Add me to the list 🙃

Option 2 seems the most reasonable to me as well, because I also don't want to expose the rest of HA on HTTP. And option 1 is out of our control.

Solid agree. 😄

[del13r]

I also recently struggled with setting up simultaneous:

• HTTPS secure web browser access via NGINX proxy
• HTTP webhook access direct to home assistant

I made a guide on how I solved my issue if anyone else is currently lost:
https://community.home-assistant.io/t/nginx-tls-proxy-add-on-config-to-allow-simultaneous-https-and-http-access-required-by-ecowitt-integration/589276