Apache 2.4 reverse proxy with OH1

Hi,

I would like to enable remote access by using my Apache server. I have ssl to the Apache and external access to it already working. An AJP reverse proxy is already running fine.

However, the standard way to setup an reverse proxy does not seem to work for OH1.
Does anyone have a working configuration? Maybe a rewrite rule is needed?

My simple setup:
< VirtualHost default:443>

ProxyPass /openhab/ http://10.10.7.14:8080/
ProxyPassReverse /openhab/ http://10.10.7.14.:8080/

< /VirtualHost>

The calling URL I use is: https://[…].dyndns.org/openhab/openhab.app?sitemap=haus

Best regards,
Tobias

Hi,

Here is my working apache configuration I use to restrict access to habmin to local network only (as I was unable to make authentification works).
I hope it can help you.

I don’t remember why, but I had no choice to keep openhab in https if my RP is in https.

<VirtualHost *:443>

    ProxyPreserveHost on
    ProxyRequests off
    SSLProxyEngine on

    <Location /habmin>
            Order deny,allow
            Deny from all
            Allow from 192.168.0.0/24
            ProxyPass https://localhost:8443/habmin
            ProxyPassReverse https://localhost:8443/habmin
    </Location>
    <Location /habmin2>
            Order deny,allow
            Deny from all
            Allow from 192.168.0.0/24
            ProxyPass https://localhost:8443/habmin2
            ProxyPassReverse https://localhost:8443/habmin2
    </Location>

    ProxyPass / https://localhost:8443/
    ProxyPassReverse / https://localhost:8443/

Thank you for the configuration!

I think I may have a solution for your authentication issue for habmin… You can enable a certificate authentication.

Here’s my final configuration:

<VirtualHost *:443>
ServerName my.domain.com

ProxyPreserveHost on
ProxyRequests off
SSLProxyEngine on
SSLProxyCheckPeerCN off
SSLProxyCheckPeerName off

SSLCACertificateFile /etc/ssl/ca/certs/privateToolsCA.crt
SSLProtocol -all +TLSv1 +SSLv3
SSLCipherSuite HIGH:MEDIUM:!aNULL:+SHA1:+MD5:+HIGH:+MEDIUM

<Proxy *>
    Require all granted
</Proxy>
<Location /habmin>
        SSLVerifyClient require
        ProxyPass https://192.168.1.102:8443/habmin
        ProxyPassReverse https://192.168.1.102:8443/habmin
</Location>
<Location /habmin2>
        SSLVerifyClient require 
        ProxyPass https://192.168.1.102:8443/habmin2
        ProxyPassReverse https://192.168.1.102:8443/habmin2
</Location>

ProxyPass / https://192.168.1.102:8443/
ProxyPassReverse / https://192.168.1.102:8443/

    SSLEngine On

    SSLCertificatekeyFile /etc/letsencrypt/live/my.domain.com/privkey.pem
    SSLCertificateFile /etc/letsencrypt/live/my.domain.com/cert.pem
    SSLCertificateChainFile /etc/letsencrypt/live/my.domain.com/chain.pem

    SetEnvIf Remote_Addr "127\.0\.0\.1" dontlog
    SetEnvIf Remote_Addr "::1" dontlog
    SetEnvIf User-Agent ".*internal dummy connection.*" dontlog

    CustomLog /var/log/apache2/my.domain.com-access.log combined env=!dontlog
    ErrorLog /var/log/apache2/my.domain.com-error.log
    LogLevel warn

As a result, when you try to navigate to https://my.domain.com, you have a free pass and when you try to navigate to https://my.domain.com/habmin you will be prompted for a certificate