🔐 Security discussion: tokens, access control & remote access

Environment

  • Sanytron Remote: Astrion
  • Sanytron Firmware: 1.0.38 / 2025111416
  • Home Assistant: Running with HTTPS enabled (via reverse proxy)
  • Network: Enterprise network with security policies

Issue Summary

I’m unable to configure the Sanytron remote to connect to my Home Assistant instance. The remote appears to have two separate issues with URL handling.

What I’ve Tried

1. Using Domain Name URL

URL entered: https://homeassistant.example.com/api/
Result: INVALID_URL_FORMAT error

The remote rejects any URL containing a domain name. Only IP addresses appear to be accepted.

2. Using IP Address with HTTPS

URL entered: https://[REDACTED_INTERNAL_IP]/api/
Result: Connection fails (TLS certificate error)

This fails because the SSL certificate is issued for the domain name, not the IP address. This is expected behaviour for properly configured HTTPS.

3. Using IP Address with HTTP

Not possible - Home Assistant server only accepts HTTPS connections (as it should for security).

The Problem

The remote creates an impossible situation:

| URL Type    | Protocol | Result                         |
|-------------|----------|--------------------------------|
| Domain name | HTTPS    | ❌ INVALID_URL_FORMAT          |
| IP address  | HTTPS    | ❌ TLS certificate mismatch    |
| IP address  | HTTP     | ❌ Server doesn’t support HTTP |

Note on redacted information: Internal IP addresses and domain names have been redacted for security. These are valid, correctly formatted addresses - the redaction is not masking malformed input.

Network Context

Our network implements standard enterprise security practices, including:

  • Blocking outbound connections to known telemetry/tracking services (“phone home” blocking)
  • DNS filtering for IoT devices
  • HTTPS-only internal services

The remote can reach internal services (we’ve verified network connectivity), but the URL parsing/TLS handling prevents successful connection to Home Assistant.

Questions

  1. Is there a firmware update that adds support for domain names in URLs?
  2. Are there alternative integration methods (local API, different URL format)?

Device Information

The remote broadcasts itself as an Android device via mDNS. If helpful for diagnostics, I can provide additional network-level information about what the device is attempting to connect to.
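
The TLS failure in attempt 2 above follows from how clients match a URL host against a certificate's subjectAltName entries. The sketch below is an added example, not part of the original post and not Sanytron or Home Assistant code; the SAN list and the address 192.0.2.10 are constructed, and the wildcard rule is a simplified RFC 6125 reading.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed sample: SAN entries of a certificate issued for the domain only,
# in the (kind, value) form that Python's ssl.getpeercert() returns.
SAMPLE_SAN = [("DNS", "homeassistant.example.com")]

def _dns_match(pattern, host):
    """Compare label by label; '*' is honoured only as the whole left-most label."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        # Refuse wildcards that would span a whole top-level domain ("*.com").
        return len(p) > 2 and p[1:] == h[1:]
    return p == h

def host_matches_cert(url, san):
    """Return (ok, reason): is the URL's host covered by the SAN list?"""
    parts = urlsplit(url)
    if parts.scheme != "https" or not parts.hostname:
        return False, "not an https URL with a host"
    host = parts.hostname
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        ip = None
    if ip is not None:
        # IP literals are checked only against iPAddress entries, never dNSName.
        ok = any(kind == "IP Address" and ipaddress.ip_address(value) == ip
                 for kind, value in san)
        return ok, "iPAddress SAN match" if ok else "no iPAddress SAN for this IP"
    ok = any(kind == "DNS" and _dns_match(value, host) for kind, value in san)
    return ok, "dNSName SAN match" if ok else "no dNSName SAN for this host"

if __name__ == "__main__":
    for url in ("https://homeassistant.example.com/api/",
                "https://192.0.2.10/api/"):
        print(url, host_matches_cert(url, SAMPLE_SAN))
```

A certificate that also carried an iPAddress entry for the server's address would pass the second check without weakening validation.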