All outgoing web traffic should go over a proxy to filter the data

  • Platform information: openHABian
    • Hardware: Raspberry Pi 3B
      openHAB architecture:
      WAN gateway (Fritzbox) -> Raspberry Pi with radiation module (for Homematic) -> hardware components like shutters, lights and so on

Hello all, I want all web traffic which is coming from openHAB to pass a proxy before it goes to the WAN (cloud).
The target is, for example, if a device which is connected to openHAB wants to make an update of the firmware or something else, I want to know that.
I installed the nginx proxy on the openHAB server and the way from the client to the openHAB web portal is working over the proxy. Now I need to know, if the openHAB application initiates a web request, that the only way to go out of my house is to use a proxy.

I hope you can help me.
Regards Markus

Though this is a very valid concern, I doubt that is feasible with openHAB.
Each binding can connect in their specific ways, not controlled by the OH framework, hence there is no setting that would ensure your goal is possible.

I think that what you want is only achievable if you route all traffic through some transparent proxy by means of the network setup rather than by OH configuration.

Have a look at e.g. https://pi-hole.net

Hello Marce, thanks for your answer. I want to build a secure environment for my smart home and control the outgoing traffic. Allow or block outgoing traffic. For sure, devices which are not connected to the radio module on the Raspberry must be linked to an extra proxy. But I wanted to start with devices which take the way over the radio module through the openHAB application.
Do you have another good idea for an architecture for this target?
Regards Markus

Thanks Wolfgang, I looked it up. Looks like for adverts it is a good solution. Do you think it could help to protect against not allowed traffic from smart home components? Is there a solution in connection with IP filter?
Or does it make sense to create an own subnet and put all smart home components in?
Regards Markus

Your solution is going to be completely outside of openHAB. You need to get smart and knowledgeable about how to set up and use a firewall. And then all network traffic on your LAN must go through that firewall to reach the internet. I use and am happy with pfSense.

Be aware that this is itself a relatively large project to set up and it will require a great deal of research on your part to learn how to do it properly. But it’s also completely outside the scope of openHAB so you will not find a whole lot of advice or guidance on this forum to help you.

Hello Rich, thanks for the hint. I am new in this topic. I have used openHAB for 3 years now, but with the background of security. Now I am thinking to make it secure. What is your architecture? I plan to have a WAN gateway (my standard router), where normal clients are connected. A second device (like a Raspberry as WiFi access point, as router with firewall) should serve IP addresses for smart home components. Is your architecture similar? The firewall could be pfSense.

Regards Markus

I have my cable modem that is plugged into my pfSense machine. My wifi access point and all other computers are connected through pfSense.

Nothing can reach the Internet nor be reached from the Internet except by going through pfSense.

But that’s the easy part. The hard part is how you configure pfSense. What traffic do you allow and what do you block? What services do you want to run on the firewall (Snort, Squid, HAProxy, pfBlockerNG, etc.) and what do you want them to do? Do you want to have virtual LANs to segregate your IoT devices from the rest of your devices?

Only you can answer those questions and each one will take a great deal of research and experimentation to figure out how to achieve what you want to achieve.
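
As an added illustration of the "network setup rather than OH configuration" approach discussed in this thread (not code from any of the posters), the nftables ruleset below restricts only the traffic that the openHAB process itself originates on the Pi. Everything specific in it is an assumption: the service user name `openhab`, the LAN range `192.168.178.0/24`, and an intercepting HTTP proxy listening locally on port 3129 and running under a different user. Other devices on the LAN are not covered by it; those need the gateway firewall described above.

```nft
#!/usr/sbin/nft -f
# Added example. Assumed values, adjust to your network:
#   openhab           system user the openHAB service runs as
#   192.168.178.0/24  home LAN (devices the bindings need to reach)
#   3129              local intercepting HTTP proxy, run as another user
define LAN_NET = 192.168.178.0/24

# Idempotent reload: make sure the table exists, drop it, define it afresh.
table inet openhab_egress
delete table inet openhab_egress

table inet openhab_egress {
    chain nat_out {
        type nat hook output priority -100; policy accept;
        # Plain HTTP from openHAB to anything outside the LAN is sent
        # to the local proxy instead of straight to the Internet.
        meta skuid openhab ip daddr != { 127.0.0.0/8, $LAN_NET } tcp dport 80 redirect to :3129
    }

    chain filter_out {
        type filter hook output priority 0; policy accept;
        # Only the openHAB user is restricted; the proxy and the OS are not.
        meta skuid != openhab accept
        # Loopback (including redirected HTTP), LAN devices, and
        # multicast used by bindings for local discovery.
        ip daddr { 127.0.0.0/8, 224.0.0.0/4, $LAN_NET } accept
        ip6 daddr ::1 accept
        # Anything else is a direct outbound attempt (HTTPS, MQTT to a
        # cloud broker, ...): record it in the kernel log and refuse it.
        log prefix "openhab-egress-denied: " counter reject
    }
}
```

Refused connections appear in the kernel log with the `openhab-egress-denied: ` prefix, and proxied HTTP requests appear in the proxy's own access log, which together show which bindings try to reach the Internet.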