HTTPS support for web displays

I want to incorporate a roon web display into my home assistant dashboard, but this requires HTTPS support. Is there a way to enable HTTPS for the web displays, or is it a feature that the team would consider adding in an update?

1 Like

Don’t know if this is relevant

The certificate issue that I mentioned in that github link @ged_hickman1 posted still stands.

You can set something up using ngrok or one of the many similar solutions. I have a similar problem with a few things, not just Roon. One nasty side effect of the world going HTTPS is that certificate authorities are still a public thing because they are hard coded into products.

You could possibly get away with Tailscale + magic DNS, but unsure how your network is set up.

There is not a good solution for this problem.

Unless you were specifically after the Roon branding / look & feel, you can achieve similar functionality (control & show what’s playing on a HA dashboard) using the Roon integration along with the Mini Media Player (*) with background imagery enabled.

(*) the easiest way go to install the Mini Media Player is to first install HACS from within your HA UI.

@danny certainly has a point.

I have a bunch of internal services running that are not exposed from the internet (nas, nucleus, …).

I do have https setup for those, but the only way to achieve that is if you have a public dns server running under your control.

I have certbot running on the local network that fetches let’s encrypt certificates. To prove that I’m the owner of the domain, I have a certbot plug-in that temporarily creates a txt dns record on my public server containing a dns challenge response.

The room branding and lyrics are nice but this should work just as well.

Do you think something similar could be achieved by using Nginx as a reverse proxy? Getting the SSL certificate isn’t an issue for me as home assistant already handles that.

You absolutely can, and that’s exactly how I do it for my nucleus web admin console.

I have a device running an nginx reverse proxy, which proxies a certain url to my nucleus. That same device also handles the certificate retrieval / renewal.

Note that the whole thing is rather pointless though. You encrypt traffic from a device on the local network to your reverse proxy, after which it goes unencrypted on the same local network to my nucleus… for the sole purpose of getting that ssl certificate. There’s no added security here. Only added value here is that you can use whatever domain name to access the nucleus rather than nucleus.local or its ip address.

It might make more sense to do this kind of approach if your reverse proxy is reachable from the internet, but exposing the nucleus on the internet is yet another bad idea. So please don’t do that :slight_smile:

The only reason for it is so that I can embed it into a home assistant dashboard. When you use SSL with home assistant, it requires any embeds to use SSL as well.

I would also like to have my Roon Display added to Home Assistant, but even with a reverse proxy I’m getting WS to WSS errors and it won’t work :frowning:

1 Like

Apologies if this is out of date, but back when I needed local certs I set up my own CA and added it to the trusted certs DBs on the machines involved. I then used it to authorize my local certs. Does that no longer work, or does Home Assistant make it difficult?

No idea if that still works or not, I never tried it, but setting up your own CA kind of defeats the whole purpose. There’s nothing trustworthy about having to set up your own CA :slight_smile:

I do something similar.

I don’t know about Home Assistant because I had to use their duckdns w/Let’s Encrypt solution since my HA is linked to Amazon for voice support, but all my other devices (Synology NAS, router, VPN router, UI controller, etc. all have certs that I created using my own CA. That CA then gets imported into my iPhone, Macbook, any other client so HTTPS works properly (although some clients my bark once initially about the CA not being legit).

I would assume that a setup like this would work but my only Roon display is a Chromecast.

Don’t think it would help, in any case. Aren’t the Web displays served up by the Roon core? So wouldn’t you also have to convince it to do that on port 443, and to use the cert you generated? How would that happen?

I think using the nginx reverse proxy still seems like the most reasonable approach.

Has anyone managed to get this working? I’ve attempted to configure HAProxy to forward to the Roon display instance, to terminate SSL… but also seeing the lack of secure websocket messages in developer tools:

display_ui.js:26733 Mixed Content: The page at '' was loaded over HTTPS, but attempted to connect to the insecure WebSocket endpoint 'ws://'. This request has been blocked; this endpoint must be available over WSS.

if anyone else comes looking, the interim problem is that roon puts http and ws (the insecure websocket scheme) in the source, so you’ll get mixed content errors.

If you wanna do something a bit sketch, it works to rewrite the URLs.
I wrote this, mostly as a proof-of-concept/thought-experiment-gone-wrong, but it works: GitHub - DirectXMan12/cursed-roon-rewriter: Serve Roon's Display page over HTTPS to do the trick (don’t mind the readme, i’m a bit sleep-deprived rn). in theory you could run this on your core box, although I played around with running it on my gateway/router instead.

ideally, roon folks just makes this an option or something even with self-signed certs so we can at least get the right URLs to avoid mix-security content, but in the mean time, the rewriting works enough (or at least, i didn’t notice any bugs across a few songs)

1 Like