I’ve read a few posts recently from people concerned that their openHAB instance has been accessed without their consent, so I thought I’d write a post explaining how I went about setting up my solution.
For me, I wanted to keep things as simple as possible. My wife, like many others, isn’t interested in openHAB, or technology for that matter, so having multiple ways of accessing my setup was a no-no from the start.
The solution I have in place uses three components: Let’s Encrypt, NGINX and openHAB. On my firewall I have both ports 80 (HTTP) and 443 (HTTPS) open and forwarded to my server running NGINX. Not only does this put an additional hop between the internet and openHAB, it also lets me host other websites and services behind the same entry point. The one check that matters here is that openHAB’s own port (8080) is not forwarded as well; otherwise the password prompt can be bypassed by connecting to openHAB directly. Using Let’s Encrypt and certbot I obtain a valid TLS (SSL) certificate so that the traffic is encrypted, and the NGINX configuration additionally requires a username and password before anything is passed through to openHAB.
NGINX then rewrites the incoming requests and proxies them on to my openHAB instance. Using DNS on my internal network I point the same hostname at the NGINX server, so whether I’m at home or away I just open the openHAB app on my phone and get the same access with no configuration changes needed.
NGINX Config
server {
    access_log /var/log/nginx/openhab.access.log;
    error_log  /var/log/nginx/openhab.error.log;
    server_name openhab;              # hostname as given in the post; the certificate below is issued for it

    client_max_body_size 0;           # no request body size limit (openHAB UI/config uploads)
    underscores_in_headers on;

    location / {
        proxy_headers_hash_max_size 512;
        proxy_headers_hash_bucket_size 64;
        add_header Front-End-Https on;        # a response header to the client; openHAB never sees it
        proxy_pass http://172.16.10.1:8080;   # openHAB on the internal network, plain HTTP behind the proxy
        proxy_set_header Host $http_host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;

        # HTTP Basic auth: the credentials travel base64-encoded on every request,
        # so this location must only ever be served from the TLS listener below.
        auth_basic "Username and Password Required";
        auth_basic_user_file /etc/nginx/conf.d/.htpasswd;

        # With no allow/deny rules in this location "satisfy any" has no effect and the
        # password is always required. Adding an "allow" line here (e.g. for the LAN)
        # would let those addresses skip the password entirely, so add one deliberately.
        satisfy any;
    }

    listen 443 ssl; # managed by Certbot
    ssl_certificate /etc/letsencrypt/live/openhab/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/openhab/privkey.pem; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
}

# Plain-HTTP listener: it only redirects requests for the openHAB hostname to HTTPS
# and answers anything else with 404, so nothing is ever proxied without TLS.
server {
    if ($host = openhab) {
        return 301 https://$host$request_uri;
    } # managed by Certbot

    listen 192.168.10.1;              # port 80 on the internal interface address
    server_name openhab;
    return 404; # managed by Certbot
}
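To show what the auth_basic lines above actually rely on, here is an added example of my own (not part of the original post, openHAB or nginx) that models offline what nginx does with the file named in auth_basic_user_file: it writes an entry in the Apache apr1 format that `htpasswd -m` and `openssl passwd -apr1` produce (salted MD5, 1000 rounds), decodes the Authorization: Basic header the openHAB app sends on every request, and verifies the credentials against the file. The {SHA} scheme nginx also accepts is included only for contrast: it is unsalted, so identical passwords hash identically and precomputed tables apply. The user names, passwords and salts are constructed for the example; bcrypt entries from `htpasswd -B`, which nginx accepts where the system crypt() supports them, are not modelled here.

```python
"""Offline model of nginx auth_basic against an htpasswd file (added example,
not nginx or openHAB code; all sample credentials are made up)."""
import base64
import binascii
import hashlib
import hmac
import secrets

# Alphabet crypt-style encoders use for both the salt and the hash text.
ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"


def _to64(value: int, count: int) -> str:
    """Encode the low 6*count bits of value, least significant group first."""
    return "".join(ITOA64[(value >> (6 * k)) & 0x3F] for k in range(count))


def apr1_crypt(password: str, salt: str) -> str:
    """Apache apr1 hash ($apr1$salt$hash): the format of `htpasswd -m`."""
    pw = password.encode("utf-8")
    salt = salt[:8]                        # apr1 uses at most 8 salt characters
    sb = salt.encode("ascii")
    ctx = hashlib.md5(pw + b"$apr1$" + sb)
    alt = hashlib.md5(pw + sb + pw).digest()
    remaining = len(pw)
    while remaining > 0:                   # mix in len(pw) bytes of the alternate sum
        ctx.update(alt[:min(16, remaining)])
        remaining -= 16
    bit = len(pw)
    while bit:                             # one byte per bit of the password length
        ctx.update(b"\x00" if bit & 1 else pw[:1])
        bit >>= 1
    final = ctx.digest()
    for i in range(1000):                  # key-stretching rounds
        rnd = hashlib.md5(pw if i & 1 else final)
        if i % 3:
            rnd.update(sb)
        if i % 7:
            rnd.update(pw)
        rnd.update(final if i & 1 else pw)
        final = rnd.digest()
    f = final                              # fixed byte permutation before encoding
    text = (_to64((f[0] << 16) | (f[6] << 8) | f[12], 4)
            + _to64((f[1] << 16) | (f[7] << 8) | f[13], 4)
            + _to64((f[2] << 16) | (f[8] << 8) | f[14], 4)
            + _to64((f[3] << 16) | (f[9] << 8) | f[15], 4)
            + _to64((f[4] << 16) | (f[10] << 8) | f[5], 4)
            + _to64(f[11], 2))
    return f"$apr1${salt}${text}"


def sha1_entry(password: str) -> str:
    """The weak {SHA} scheme: unsalted SHA-1, base64. Shown for contrast only."""
    digest = hashlib.sha1(password.encode("utf-8")).digest()
    return "{SHA}" + base64.b64encode(digest).decode("ascii")


def verify_password(stored: str, password: str) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    if stored.startswith("$apr1$"):
        parts = stored.split("$")          # ['', 'apr1', salt, hash]
        if len(parts) != 4:
            return False
        candidate = apr1_crypt(password, parts[2])
    elif stored.startswith("{SHA}"):
        candidate = sha1_entry(password)
    else:
        return False                       # bcrypt / SHA-512 crypt() forms need libcrypt
    return hmac.compare_digest(candidate.encode(), stored.encode())


def new_htpasswd_line(user: str, password: str) -> str:
    """One auth_basic_user_file line with a fresh random 8-character salt."""
    salt = "".join(secrets.choice(ITOA64) for _ in range(8))
    return f"{user}:{apr1_crypt(password, salt)}"


def basic_header(user: str, password: str) -> str:
    """What the client sends: base64(user:password) on every request, which is
    why the location must only be reachable over TLS."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode("utf-8")).decode("ascii")


def parse_basic_authorization(header: str):
    """(user, password) from an Authorization header value, or None if malformed."""
    scheme, _, token = header.strip().partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        decoded = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    if ":" not in decoded:
        return None
    user, _, password = decoded.partition(":")
    return user, password


def authenticate(header: str, htpasswd_text: str):
    """Authenticated user name for this request, or None (nginx would send 401)."""
    creds = parse_basic_authorization(header)
    if creds is None:
        return None
    user, password = creds
    for line in htpasswd_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):  # blank and comment lines are skipped
            continue
        fields = line.split(":", 2)           # name:hash[:comment]
        if len(fields) < 2 or fields[0] != user:
            continue
        return user if verify_password(fields[1], password) else None
    return None
```

Running `authenticate(basic_header("alice", pw), open("/etc/nginx/conf.d/.htpasswd").read())` against the real file is a quick way to confirm a freshly generated line before reloading nginx. Note that nginx reads the file on every request, so the file should be owned by root and readable only by the nginx worker user; the hash protects the password if the file leaks, but the base64 header does not protect it on the wire, which is the whole reason the location lives only in the 443 server block.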
Hopefully this proves helpful; if you’d like further details, please let me know.