Accessing your openHAB instance from outside your network

I’ve read a few posts recently about people concerned that their openHAB instance has been accessed without their consent, so I thought I’d write a post to explain how I have gone about setting up my solution.

For me, I wanted to keep things as simple as possible. My wife, like many others, isn’t interested in using openHAB, or technology for that matter. So having multiple ways of accessing my setup was a no-no from the start.

The solution I have in place uses three components: LetsEncrypt, NGINX and openHAB. On my firewall I have both ports 80 (http) and 443 (https) open and forwarding to my server running NGINX. Not only does this give me an additional point between the internet and openHAB, but it also allows me to host other websites/functions. Using LetsEncrypt and certbot I obtain a valid SSL certificate to add further protection; additionally, I have the NGINX configuration requesting a username and password.

The NGINX configuration then manipulates the incoming requests and transfers them to my openHAB instance. Using DNS on my network I point all my internal traffic at the same configuration, so no matter whether I’m at home or away, I just open the openHAB app on the phone and have the same access with no configuration changes needed.

NGINX Config

# HTTPS front end: terminates TLS, asks for a username/password, then proxies to openHAB.
server {

    access_log /var/log/nginx/openhab.access.log;
    error_log  /var/log/nginx/openhab.error.log;

    server_name            openhab;
    client_max_body_size   0;    # no request body size limit
    underscores_in_headers on;

    location / {
        proxy_headers_hash_max_size    512;
        proxy_headers_hash_bucket_size 64;

        # Note: add_header sets a header on the RESPONSE to the client; it is not sent to openHAB.
        add_header Front-End-Https on;

        # Forward to openHAB on the internal network, preserving the original host,
        # client IP and scheme so openHAB sees the real request details.
        proxy_pass                            http://172.16.10.1:8080;
        proxy_set_header Host                 $http_host;
        proxy_set_header X-Real-IP            $remote_addr;
        proxy_set_header X-Forwarded-For      $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto    $scheme;

        # Require credentials from the htpasswd file (created e.g. with the htpasswd tool).
        auth_basic                            "Username and Password Required";
        auth_basic_user_file                  /etc/nginx/conf.d/.htpasswd;
        # "satisfy any" only has an effect when allow/deny rules are also present;
        # with auth_basic alone, as here, credentials are always required.
        satisfy any;
    }

    listen 443 ssl; # managed by Certbot
    ssl_certificate /etc/letsencrypt/live/openhab/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/openhab/privkey.pem; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot

}

# Plain-HTTP listener: redirect the openHAB hostname to HTTPS, answer 404 to anything else.
server {
    if ($host = openhab) {
        return 301 https://$host$request_uri;
    } # managed by Certbot

    listen 192.168.10.1;    # no port given, so this listens on port 80 on that address

    server_name      openhab;
    return 404; # managed by Certbot

}

Hopefully this proves to be helpful; if you’d like further details, then please let me know.
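An added example, not part of the original post: a small curl-based audit that checks from outside the LAN that the proxy behaves as described above (HTTP redirects to HTTPS, the proxied location answers 401 without credentials and 200 with them). It assumes curl is installed, that the hostname given is the public name NGINX serves (the post's `openhab` server_name), and that the user:password pair is one from the .htpasswd file.

```shell
#!/bin/sh
# Audit the reverse-proxy controls in front of openHAB (added example, not the post's code).
# Usage: sh audit_proxy.sh <public-hostname> <user:password>

# Fetch only the HTTP status code for a URL; extra curl args (e.g. -u user:pass)
# are passed through. Kept in one function so it can be swapped out when testing.
http_code() {
    curl -s -o /dev/null -w '%{http_code}' --max-time 10 "$@"
}

# The plain-HTTP listener must redirect (the Certbot "return 301" block),
# never serve openHAB itself over cleartext.
check_redirect() {
    code=$(http_code "http://$1/")
    case "$code" in 301|308) echo "OK  http://$1 redirects ($code)"; return 0 ;; esac
    echo "BAD http://$1 answered $code instead of a redirect"
    return 1
}

# Without credentials the auth_basic location must answer 401, not 200.
check_auth_required() {
    code=$(http_code "https://$1/")
    [ "$code" = "401" ] && { echo "OK  https://$1 demands credentials"; return 0; }
    echo "BAD https://$1 answered $code without credentials"
    return 1
}

# With a valid .htpasswd entry the proxied UI should be reachable (200).
check_auth_works() {
    code=$(http_code -u "$2" "https://$1/")
    [ "$code" = "200" ] && { echo "OK  valid credentials accepted"; return 0; }
    echo "BAD valid credentials got $code"
    return 1
}

# Run all checks; the exit status is the number of failed checks (0 = all good).
audit_proxy() {
    fails=0
    check_redirect "$1"        || fails=$((fails + 1))
    check_auth_required "$1"   || fails=$((fails + 1))
    check_auth_works "$1" "$2" || fails=$((fails + 1))
    return "$fails"
}

if [ $# -eq 2 ]; then
    audit_proxy "$1" "$2"
fi
```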

At a quick look, isn’t that similar to the official documentation for a reverse proxy? That is what I based mine on.

Well there you go, it’s already been documented. Phew, saves me answering a load of questions now. Happy days.
At least now if someone searches in the future they’ll be directed to the documentation.


On mine I added a separate reverse proxy for the frontail log viewer. I did this mainly so I could access OH from work. Since I have been working from home, that is no longer needed.

I wondered about trying my own instance of the cloud server locally, port forwarding as needed, but I have not tried that.

I like to be able to access everything from anywhere, if at all possible, and always try to make it as seamless as possible. That way the wife will use things. By having NGINX in place I’ve been able to get all sorts of applications working via it.


A ready to use NGINX is also part of openHABian.
BTW you need some modifications to run OH3 because of its builtin auth.
