openHAB2 + Apache2 reverse-proxy + LDAP authentication + HTTPS + URL-path-prefix
This tutorial describes how to get openHAB2 running with
- URL-path-prefix (e.g. “https://myserver/openhab/” instead of directly “https://myserver/”)
using an Apache2 reverse-proxy (to be precise, my system is: Apache 2.4.7 on Ubuntu-server 14.04.5).
According to this forum thread it is not possible to configure a path-prefix with NGINX. With Apache2, however, I succeeded in doing so.
You can see in /etc/apache2/mods-enabled/ which modules are already enabled. To see what’s installed, look into
To install a module, you should use your OS package manager – in case of Debian/Ubuntu and the like, that’s apt-get. I’m sorry, but I can’t tell you for sure what packages you need to install, but based on dpkg -S xxx, I think all you need is:
apt-get install apache2 libldap-2.4-2
If you follow this tutorial with a vanilla installation from scratch, please provide feedback on whether this is fine or whether you need more.
To enable a module, which is already installed, use:
Here’s the content of my /etc/apache2/mods-enabled/ (created with
- authz_svn.load (not needed)
- dav.load (not needed)
- dav_svn.conf (not needed)
- dav_svn.load (not needed)
- php5.conf (not needed)
- php5.load (not needed)
My Apache2 is used for other stuff, too, hence there are modules that you probably do not need to run openHAB. Because I have no time to disable them and test whether openHAB still runs, I have simply listed all my modules above and marked those that I believe to be unnecessary.
Apache2 config file
I assume you already configured /etc/apache2/sites-enabled/default-ssl.conf properly and are able to access “https://yourserver/” with a browser. If not, please consult other docs on how to set up HTTPS.
IMHO the easiest editor is mcedit – if you don’t have it, install it:
apt-get install mc
Then edit the configuration file:
At the end, before </VirtualHost>, you add one Include:

    # ... lots of other stuff ... leave this unchanged!
    Include /etc/apache2/openhab/openhab-ssl.conf
    </VirtualHost>
    </IfModule>
Apache2 config file
The include-file needs to be created by you. First create the directory:
Then create the file:
…and put the following content:
You must adapt all the stuff between ## BEGIN LDAP and ## END LDAP to your local environment. Please consult mod_authnz_ldap for details. Btw. I’m using the Apache Directory Server (not allowed to link it) listening on
setcap 'cap_net_bind_service=+ep' /usr/lib/jvm/java-8-oracle/jre/bin/java).
Additionally, you must either change your openHAB2 server to listen on localhost:10080 (see below) or change the port 10080 to the default 8080.
You probably do not need to change anything else. However, I left a few comments from my experiments to give a bit more background info.
We need the rewrite-rule RewriteRule "/openhab/openhab/(.*)" "/openhab/$1" [R,L], because some URLs are sent relative and then resolve to a duplicate “openhab/openhab/”. This rule sends the browser a redirect to the proper (non-duplicate) path.
RewriteRule "/openhab/?(.*)" "http://localhost:10080/$1" [P,L] replaces the simple ProxyPass directive. As you can see, this is the 2nd rule. If we use the easier ProxyPass instead (which I first did), then the rewrite-engine only gets to see proxied URLs, because the proxying happens first. However, our deduplication-rewrite-rule (see above) must come first, before any proxying is done. That’s why we do not use ProxyPass and instead “manually” configure the proxying using this “RewriteRule” directive.
We still keep the ProxyPassReverse, though. It rewrites URLs in the opposite direction – e.g. if the openHAB server responds with an HTTP redirect, this makes sure our client does not get the internal URL, but the correct, external one.
I’m not sure whether the ProxyHTMLEnable On is still needed or whether the SUBSTITUTE would be sufficient. This directive causes links in HTML documents to be rewritten. It currently works this way and I have no time to experiment with it being omitted. Please feel free to test and give feedback!
RequestHeader unset Accept-Encoding suppresses compression. Without it, openHAB would return gzipped data and our SUBSTITUTE would not work (because its rules don’t match the compressed content).
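The ordering of the two RewriteRule directives described above can be checked offline with a small model of the rules. This is an added example, not part of the original tutorial; it assumes the rules sit in virtual-host context, where the pattern is searched anywhere in the URL path and the substitution replaces the whole URL, and it also shows what anchoring the patterns with ^ changes. The names `rewrite`, `TUTORIAL_RULES` and `ANCHORED_RULES` are hypothetical.

```python
import re

# (pattern, substitution, action): "R" = external redirect, "P" = proxy.
# Patterns and targets are the two rules quoted in the tutorial, in its order;
# Apache's $1 back-reference is written as \1 for Python.
TUTORIAL_RULES = [
    (r"/openhab/openhab/(.*)", r"/openhab/\1", "R"),
    (r"/openhab/?(.*)", r"http://localhost:10080/\1", "P"),
]
# Same rules with the patterns anchored to the start of the path (assumption:
# only paths that begin with /openhab should ever reach the backend).
ANCHORED_RULES = [("^" + pat, sub, act) for pat, sub, act in TUTORIAL_RULES]


def rewrite(path, rules):
    """Simplified model: the first matching rule wins (both rules carry [L])."""
    for pattern, substitution, action in rules:
        match = re.search(pattern, path)  # unanchored unless the pattern has ^
        if match:
            return action, match.expand(substitution)
    return None, path  # no rule matched; the path is left untouched


if __name__ == "__main__":
    swapped = list(reversed(TUTORIAL_RULES))
    for label, rules, path in [
        ("tutorial order", TUTORIAL_RULES, "/openhab/openhab/rest/items"),
        ("tutorial order", TUTORIAL_RULES, "/openhab/rest/items"),
        ("proxy rule first", swapped, "/openhab/openhab/rest/items"),
        ("unanchored", TUTORIAL_RULES, "/other/openhab/rest/items"),
        ("anchored", ANCHORED_RULES, "/other/openhab/rest/items"),
    ]:
        print(f"{label:17} {path:30} -> {rewrite(path, rules)}")
```

With the proxy rule first, the duplicated path is forwarded to the backend unchanged instead of being redirected. In the Apache configuration, the anchored variant corresponds to a leading ^ in both RewriteRule patterns.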
It seriously sucks that openHAB does not support configuring a URL-path-prefix or at least use a hard-coded one. Writing string-replacement-rules that replace one single path-prefix by another one (e.g. to map “openhab/” to “oh/”) would be far easier and more reliable than dealing with all the paths individually (“/basicui/”, “/rest”, “/icon/” etc.). But this is the way it currently is, and the list of replacement-rules seems pretty complete. This might easily break with the next openHAB-release, though.
Make openHAB2 listen on localhost:10080 only
By default, openHAB2 listens on all network interfaces on the ports 8080 (HTTP) and 8443 (HTTPS). In order to make it listen only on localhost (more secure!) and on another port (to prevent collisions with other services) you do the following:
Create the file openhab/conf/services/org.ops4j.pax.web.cfg and put the following content:

    ## See: https://ops4j1.jira.com/wiki/display/paxweb/Basic+Configuration
    ## We listen on localhost only, because we use the Apache2 as a facade proxy.
    ## This way, we can use Apache's LDAP authentication and Apache's HTTPS.
    org.ops4j.pax.web.listening.addresses=127.0.0.1

    ## We disable SSL, because our facade-proxy (Apache) is doing SSL with the proper cert.
    org.osgi.service.http.secure.enabled=false

    ## We listen on port 10080 internally (on localhost), while the facade proxy does
    ## HTTPS on 443 and HTTP for the intellihouse-OpenPGP-encrypted stuff on 80.
    org.osgi.service.http.port=10080

After restarting openHAB2, it should listen on port 10080 on IP 127.0.0.1 (localhost), only. You can check this with
It is important that the port configured here matches the reverse-proxy-configuration of your
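One way to confirm the localhost-only binding described above is to inspect the listening sockets, for example as printed by `ss -ltn`. The following added example (not part of the original tutorial) parses such output and reports openHAB ports that are still bound to a non-loopback address; the sample output is constructed and the function names are hypothetical.

```python
import ipaddress

# Constructed sample of `ss -ltn` output (not captured from a real host):
# the new 127.0.0.1:10080 listener plus the openHAB defaults still bound widely.
SAMPLE_SS_OUTPUT = """\
State   Recv-Q Send-Q  Local Address:Port   Peer Address:Port
LISTEN  0      50          127.0.0.1:10080       0.0.0.0:*
LISTEN  0      128           0.0.0.0:443         0.0.0.0:*
LISTEN  0      50                  *:8080              *:*
LISTEN  0      50               [::]:8443           [::]:*
"""

# Ports named in the tutorial: the new internal port and the two defaults.
OPENHAB_PORTS = {10080, 8080, 8443}


def parse_listeners(ss_output):
    """Return (address, port) for every LISTEN line of `ss -ltn` output."""
    listeners = []
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[0] != "LISTEN":
            continue  # header or unrelated line
        address, _, port = fields[3].rpartition(":")
        listeners.append((address.strip("[]"), int(port)))
    return listeners


def is_loopback(address):
    """True for 127.0.0.0/8, ::1 and IPv4-mapped loopback; '*' is a wildcard."""
    if address == "*":
        return False
    ip = ipaddress.ip_address(address)
    mapped = getattr(ip, "ipv4_mapped", None)  # e.g. ::ffff:127.0.0.1
    return (mapped or ip).is_loopback


def non_local_listeners(ss_output, ports=OPENHAB_PORTS):
    """Listeners on the given ports that are bound to a non-loopback address."""
    return [(addr, port) for addr, port in parse_listeners(ss_output)
            if port in ports and not is_loopback(addr)]


if __name__ == "__main__":
    for addr, port in non_local_listeners(SAMPLE_SS_OUTPUT):
        print(f"port {port} is bound to {addr}, not to localhost only")
```

An empty result means every openHAB port found is bound to a loopback address.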
When your configuration is complete, you must restart the server:
service apache2 restart
That’s it. If there are no errors and your openHAB2 server is running, you should now be able to access it with your browser.
I hope this tutorial is helpful!