Basic HTTP(S) Authentication for OpenHab 2

This is a very basic setup using Apache Webserver and Reverse Proxy to enable basic authentication for your OpenHab 2 deployment.

1. Install Apache

sudo apt-get update
sudo apt-get install apache2 apache2-utils

2. Create the Password File

sudo htpasswd -c /etc/apache2/.htpasswd openhab

Enter the password for the user when prompted.
If you want to add more users, leave out the -c argument (sudo htpasswd /etc/apache2/.htpasswd another_user)

3. Configure the Apache default Virtual Host

sudo nano /etc/apache2/sites-enabled/000-default.conf

Replace all text in the file with the following:

<VirtualHost *:80>

ProxyPass / http://127.0.0.1:8080/
ProxyPassReverse / http://127.0.0.1:8080/

<Location />
	AuthType Basic
	AuthName "OpenHab2 Restricted"	
	AuthUserFile /etc/apache2/.htpasswd
	Require valid-user
</Location>
</VirtualHost>

Save and close the 000-default.conf file.

4. Enable the necessary apache mods

sudo a2enmod proxy proxy_http proxy_ajp rewrite deflate headers proxy_balancer proxy_connect proxy_html xml2enc

5. Restart Apache

sudo service apache2 restart

6. Confirm the Password Authentication
Try to access your OpenHab installation by using the default http port (http://<url_or_ip_of_OH2_host>) instead of (http://<url_or_ip_of_OH2_host>:8080).
You will be presented with a username and password prompt.

For your mobile App (iOS and/or Android): Set the Username and the password in the application settings and remember to use http://<url_or_ip_of_OH2_host> without the 8080 port.

7. Enable HTTPS for Apache
(Optional but highly recommended!)

7.1 Install the crypto packages using apt-get

sudo apt-get install openssl ssl-cert

Package ssl-cert will automatically create a self-signed certificate using the hostname currently configured on your computer. The certificate will be stored in /etc/ssl/certs/.

7.2 Enable mod_ssl in apache

sudo a2enmod ssl

7.3 Configure the HTTPS Virtual Host
Add the following text to your /etc/apache2/sites-enabled/000-default.conf file, right after the HTTP section listed in step 3 above:

<VirtualHost *:443>
        SSLEngine on
        SSLCertificateFile      /etc/ssl/certs/ssl-cert-snakeoil.pem
        SSLCertificateKeyFile /etc/ssl/private/ssl-cert-snakeoil.key
        ProxyPass / http://127.0.0.1:8080/
        ProxyPassReverse / http://127.0.0.1:8080/
        RequestHeader set X-Forwarded-Proto "https" env=HTTPS
        <Location />
                AuthType Basic
                AuthName "OpenHab2 Restricted"
                AuthUserFile /etc/apache2/.htpasswd
                Require valid-user
        </Location>
</VirtualHost>

7.4 Restart Apache and test the HTTPS connection

sudo service apache2 restart

Now, fire up a browser and go to https://<url_or_ip_of_OH2_host>. It should establish an HTTPS connection to your apache web server which in turn will proxy the local OpenHab web interface (and of course, it should ask you for your username and password as defined in step 2 above).

From your mobile: Set the Username and the password in the application settings and remember to use https://<url_or_ip_of_OH2_host>.

Best Regards,
Dimitris

8 Likes
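Added example, not part of the original tutorial: Basic authentication only base64-encodes the username and password, so the port 80 virtual host from step 3 carries them unencrypted while the port 443 one from step 7.3 does not. This Python sketch flags that condition in a vhost file; the function name, the finding labels and the abbreviated sample config are assumptions made for illustration.

```python
# Constructed sample: the :80 and :443 virtual hosts from the tutorial, abbreviated.
SAMPLE_CONF = """
<VirtualHost *:80>
ProxyPass / http://127.0.0.1:8080/
<Location />
    AuthType Basic
    Require valid-user
</Location>
</VirtualHost>
<VirtualHost *:443>
    SSLEngine on
    ProxyPass / http://127.0.0.1:8080/
    <Location />
        AuthType Basic
        Require valid-user
    </Location>
</VirtualHost>
"""

def audit_vhosts(conf_text):
    """Return [(vhost address, [finding, ...]), ...] in file order."""
    results, seen, addr = [], set(), None
    for raw in conf_text.splitlines():
        line = raw.strip()
        low = line.lower()
        if not line or line.startswith("#"):
            continue
        if low.startswith("<virtualhost"):
            addr, seen = line[len("<VirtualHost"):].rstrip(">").strip(), set()
        elif addr is None:
            continue  # directive outside any <VirtualHost> block
        elif low.startswith("</virtualhost"):
            findings = []
            # Basic credentials are encoded, not encrypted: they need a TLS vhost.
            if "authtype basic" in seen and "sslengine on" not in seen:
                findings.append("basic-auth-over-plaintext")
            # Any Require line counts here; "Require all granted" is not told apart.
            if "proxypass" in seen and "require" not in seen:
                findings.append("proxy-without-auth")
            results.append((addr, findings))
            addr = None
        else:
            words = low.split()
            seen.add(words[0])             # directive name
            seen.add(" ".join(words[:2]))  # directive plus first argument
    return results

if __name__ == "__main__":
    print(audit_vhosts(SAMPLE_CONF))
```

On a real host, pass the contents of /etc/apache2/sites-enabled/000-default.conf to `audit_vhosts` instead of the sample.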

Hey @Dim,
that’s a nice straight tutorial on authentication! :clap:
I guess you know the similar tutorial by @Benjy utilizing nginx? It also already found its way into the OH2 docs: http://docs.openhab.org/configuration/nginx.html

You also promised https. It’s great to have both major webservers covered for these important topics. If you or @Benjy can think of a way to merge the two articles into one, that would be truly amazing :wink:

I’m all for alternatives! I believe Apache has a larger memory footprint and will run slower than an NGINX reverse proxy in general, but there may be many customisations and use cases for Apache that you can’t do with NGINX.

@ThomDietrich Do you think it would be wise to have their own page? You could have a main “Reverse Proxy” page and offer alternative instructions for Apache, NGINX and HAProxy.

@Dim How does an Apache based proxy handle live events? Because up until recently I didn’t know it could. That is to say, if you change the state of an item from one machine does it instantly update on BasicUI on the other?

Hi both @ThomDietrich & @Benjy !

I didn’t know that a NGINX tutorial existed when I wrote (fast) the Apache one :slight_smile:

The NGINX tutorial is very, very good! I will improve the Apache one also and add info on https also.

Since Benjy’s tutorial is much more comprehensive than mine, I believe that it would be best if Benjy incorporates selected info from this Apache tutorial in his version so that it becomes a main Reverse Proxy with Auth, Security Options (subnets, etc) and HTTPs options.

I agree with @Benjy that Apache is much “heavier” and I would recommend NGINX also for a Raspberry Pi user.

Anyway, I assume that some of these features (HTTPs & Auth) will find themselves inside the OH2 package at a later date and be configurable from the Paper UI… correct? :wink:

Apache & Live events: So far, it has been very fast with the updates.

Example: I have a chrome browser open on my PC running my HABPanel (love it) and turning on/off switches or moving roller-shutters around (all KNX devices) and status updates are immediate on my android app on my phone and the Classic UI on another PC which both are connected via the Apache reverse proxy to OH2.

I haven’t performed many tests on https yet to check stability and performance but so far all is looking good.
All web interfaces that I tested on http work without any hiccups (Classic UI, Basic UI, Rest API, Paper UI, HABAdmin & HABPanel). So far, so good… more testing is on the way.

Important Note: My config is very simple (only 30 devices) and I haven’t setup yet advanced rules, configs, bindings etc… I am building up now my OpenHab 2 deployment. I don’t know yet how Apache’s Reverse Proxy will handle more “advanced” live events/updates… more news soon as I develop my setup.

I would love to know how to implement the Apache option under a WIN7 environment.

Hi @MikeD,

I will add some info on Win installation also :slight_smile:

For now (quick reply): you can follow some online guides on how to install Apache2 on Windows from here: https://www.apachelounge.com/download/.
Take a look at http://httpd.apache.org/docs/2.4/platform/windows.html also for more info.

Afterwards, configure your C:\Apache24\conf\httpd.conf file and un-comment (remove the # from) the following lines:

ServerName localhost:80
Include conf/extra/httpd-vhosts.conf
LoadModule headers_module modules/mod_headers.so
LoadModule proxy_module modules/mod_proxy.so
LoadModule proxy_ajp_module modules/mod_proxy_ajp.so
LoadModule proxy_connect_module modules/mod_proxy_connect.so
LoadModule proxy_html_module modules/mod_proxy_html.so
LoadModule proxy_http_module modules/mod_proxy_http.so
LoadModule rewrite_module modules/mod_rewrite.so
LoadModule slotmem_shm_module modules/mod_slotmem_shm.so
LoadModule xml2enc_module modules/mod_xml2enc.so

Run C:\Apache24\bin\htpasswd.exe -c C:\Apache24\conf\.htpasswd openhab

And finally, edit your C:\Apache24\conf\extra\httpd-vhosts.conf and put the following info:

<VirtualHost *:80>

ProxyPass / http://127.0.0.1:8080/
ProxyPassReverse / http://127.0.0.1:8080/

<Location />
	AuthType Basic
	AuthName "OpenHab2 Restricted"	
	AuthUserFile C:\Apache24\conf\.htpasswd
	Require valid-user
</Location>
</VirtualHost>

Start up Apache by running C:\Apache24\bin\httpd.exe, open a browser on your Win7 PC on http://localhost and good luck! :slight_smile: (it should proxy the OH start page, assuming that OH is running on your local PC and listening to port 8080).

BR,
Dim

1 Like

Hi @Dim

Awesome, thanks for the reply. I will have a good look at this tomorrow and see how it goes.

Cheers,
Mike

p.s. I am also keen on the HTTPS setup when you are ready :wink:

1 Like

Quick question (hopefully) - where do I set up user and password info for valid users?

Cheers,
Mike

It will prompt you to introduce (twice) the password for the user (openhab in this example… you can change the username also). This command will create a new file in your C:\Apache24\conf directory named .htpasswd that will include the credentials (username & password combo)

If you want to add more users, leave out the -c argument (Run C:\Apache24\bin\htpasswd.exe C:\Apache24\conf\.htpasswd another_user)

BR,
Dim

Thanks, I now have another project for tomorrow :slight_smile:

Cheers,
Mike

1 Like

@ThomDietrich & @Benjy

Hi, I added steps 7.1-7.4 on how to setup (quick and dirty) HTTPS on Apache and use the reverse proxy with basic auth. I wanted to keep it short and simple on purpose.

I will now work on a more enhanced version of the tutorial with more explanations and images to be on par with the nginx version :slight_smile:

Regarding status refresh & Apache RP… No issues so far. Basic UI + Classic UI + HABPanel +HABDroid refresh the status immediately when using the Reverse Proxy. I haven’t tested HABAdmin yet but I think that there is an issue with the headers and it won’t work.

More news soon

BR,
Dim

Nice one @Dim, although there may be a potential problem with that setup:

What happens when you go to https:\\server\rest\sitemaps? Do the URLs come through as http? This will cause problems with some interfaces.

I believe the appropriate setting in apache would be:

RequestHeader set X-Forwarded-Proto "https" env=HTTPS

You need to enable the mod_headers mod for this setting.

True @Benjy. They do come up as http

example: “https://server/rest/sitemaps” gives me:

[{"name":"HomeR","label":"HomeR","link":"http://server/rest/sitemaps/HomeR","homepage":{"link":"http://server/rest/sitemaps/HomeR/homer","leaf":false,"widgets":[]}}]

with RequestHeader set X-Forwarded-Proto "https" env=HTTPS the result is:

[{"name":"HomeR","label":"HomeR","link":"https://server/rest/sitemaps/HomeR","homepage":{"link":"https://server/rest/sitemaps/HomeR/homer","leaf":false,"widgets":[]}}]

Thanx :slight_smile:
I updated the tutorial above

BR,
Dim

1 Like
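Added example, not part of the original posts: a Python check for the scheme downgrade discussed above, run against the two REST responses quoted in the thread. The function names are assumptions made for illustration; it reports same-host http:// URLs inside a body that was requested over https, which is what appears when X-Forwarded-Proto is not set by the proxy.

```python
import json
from urllib.parse import urlsplit

# Responses quoted in the thread for https://server/rest/sitemaps,
# before and after adding the RequestHeader directive.
BEFORE = ('[{"name":"HomeR","label":"HomeR",'
          '"link":"http://server/rest/sitemaps/HomeR",'
          '"homepage":{"link":"http://server/rest/sitemaps/HomeR/homer",'
          '"leaf":false,"widgets":[]}}]')
AFTER = BEFORE.replace("http://", "https://")

def _strings(node):
    """Yield every string value in a decoded JSON document, at any depth."""
    if isinstance(node, str):
        yield node
    elif isinstance(node, dict):
        for value in node.values():
            yield from _strings(value)
    elif isinstance(node, list):
        for item in node:
            yield from _strings(item)

def downgraded_links(requested_url, body):
    """Return same-host http:// URLs found in a body fetched over https."""
    request = urlsplit(requested_url)
    if request.scheme != "https":
        return []  # nothing to downgrade from
    hits = []
    for text in _strings(json.loads(body)):
        try:
            url = urlsplit(text)
        except ValueError:
            continue  # not a parseable URL, so not a link
        if url.scheme == "http" and url.hostname == request.hostname:
            hits.append(text)
    return hits

if __name__ == "__main__":
    print("before:", downgraded_links("https://server/rest/sitemaps", BEFORE))
    print("after: ", downgraded_links("https://server/rest/sitemaps", AFTER))
```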

@Dim , can you tell me what changes to make to the /etc/apache2/sites-enabled/000-default.conf file if I already have existing virtual directories hosted under the Apache2 server? I would need to have a https://servername/oh2 or something similar for openhab. Can this be done?

Edit: It’s more complex than I originally thought…
You could do it but it requires more advanced configuration. See here: Using NGINX Reverse Proxy (Authentication and HTTPS) - #37 by nlmarco & Apache2 reverse-proxy with LDAP-authentication, HTTPS and URL-path-prefix

It’s probably easier to just use a different port…

1 Like

“It’s probably easier to just use a different port…”

Indeed, but not how I wanted to deploy it. It is very difficult in my situation to change the ports that are open inbound. And I definitely don’t want to deploy LDAP.

When I go to the https site, it shows a not secure error.

tutorial uses self-signed certificates

Thanks.