Proposed change

I'm running HA in a Docker container on Linux with a reverse proxy setup through Apache that takes care of outside connectivity. Binding HA to 127.0.0.1 works in not having the instance directly accessible from outside the machine, but it will still be accessible from the machine itself bypassing the proxy. I'm personally moving as many localhost-only services as possible to UNIX sockets so they won't need a port and can be locked down to only the relevant users/groups having access to them. As a bonus there's usually a little bit of a performance improvement as well, as the network stack isn't used and the packets don't need to traverse the firewall either, however this impact will be negligible on most/all HA instances I believe.

Type of change

• Dependency upgrade
• Bugfix (non-breaking change which fixes an issue)
• New integration (thank you!)
• New feature (which adds functionality to an existing integration)
• Deprecation (breaking change to happen in the future)
• Breaking change (fix/feature causing existing functionality to break)
• Code quality improvements to existing code or addition of tests

Additional information

Aiohttp already supports this easily by using a UnixSite instead of a TCPSite. That is exactly what I've done. Since the socket creation is affected by the active umask, it generally results in a socket with 755 permissions allowing effectively only the user to connect, which could be undesirable depending on the setup (e.g. shared group between HA and the proxy), so the effective permissions after creation are configurable.

I have no idea what tests to make for this, if any. It looks like the TCP client isn't tested either. The aiohttp.test_utils.TestClient doesn't take into account any possible HA configuration changes in terms of bound interfaces and port but talks more or less directly to the app, seemingly bypassing most of the network stack. Tests still pass if I block traffic to the port configured in the respective tests, and in the socket case even if I set the socket permissions to 000 so I don't think it's easy to test this in the same style as the rest. I have at least verified that this is working for me.

A sample configuration would be:

http:
  server_host: unix:/run/homeassistant.sock
  #socket_user: someone
  socket_group: web
  socket_permissions: 0660
  use_x_forwarded_for: true
  trusted_proxies:
    - 127.0.0.1

For me, a more natural configuration would be

http:
  server_host: unix:/run/homeassistant.sock
  socket:
    #user: someone
    group: web
    permissions: 0660
  use_x_forwarded_for: true
  trusted_proxies:
    - 127.0.0.1

however so far I haven't really found this extra nesting level being used for things other than defining multiple similar entities, so I left it as a flat structure for now. That seems to be the preferred way.

• Link to documentation pull request: Add documentation for UNIX socket listener home-assistant.io#32484

Checklist

• The code change is tested and works locally.
• Local tests pass. Your PR cannot be merged unless tests pass
• There is no commented out code in this PR.
• I have followed the development checklist
• I have followed the perfect PR recommendations
• The code has been formatted using Ruff (ruff format homeassistant tests)
• Tests have been added to verify that the new code works.

If user exposed functionality or configuration variables are added/changed:

• Documentation added/updated for www.home-assistant.io

If the code communicates with devices, web services, or third-party tools:

• The manifest file has all fields filled out correctly.
  Updated and included derived files by running: python3 -m script.hassfest.
• New or updated dependencies have been added to requirements_all.txt.
  Updated by running python3 -m script.gen_requirements_all.
• For the updated dependencies - a link to the changelog, or at minimum a diff between library versions is added to the PR description.
• Untested files have been added to .coveragerc.

To help with the load of incoming pull requests:

• I have reviewed two other open pull requests in this repository.