Basic HTTP(S) Authentication for OpenHab 2

Thanks, I now have another project for tomorrow :slight_smile:

Cheers,
Mike

1 Like

@ThomDietrich & @Benjy

Hi, I added steps 7.1-7.4 on how to setup (quick and dirty) HTTPS on Apache and use the reverse proxy with basic auth. I wanted to keep it short and simple on purpose.

I will now work on a more enhanced version of the tutorial with more explanations and images to be in par with the nginx version :slight_smile:

Regarding status refresh & Apache RP… No issues so far. Basic UI + Classic UI + HABPanel +HABDroid refresh the status immediately when using the Reverse Proxy. I haven’t tested HABAdmin yet but I think that there is an issue with the headers and it won’t work.

More news soon

BR,
Dim

Nice one @Dim, although there may be a potential problem with that setup:

What happens when you go to https:\\server\rest\sitemaps? Do the URLs come through as http? This will cause problems with some interfaces.

I believe the appropriate setting in apache would be:

RequestHeader set X-Forwarded-Proto "https" env=HTTPS

You need to enable the mod_headers mod for this setting.

True @Benjy. They do come up as http

example: “https://server/rest/sitemaps” gives me:

[{"name":"HomeR","label":"HomeR","link":"http://server/rest/sitemaps/HomeR","homepage":{"link":"http://server/rest/sitemaps/HomeR/homer","leaf":false,"widgets":[]}}]

with RequestHeader set X-Forwarded-Proto "https" env=HTTPS the result is:

[{"name":"HomeR","label":"HomeR","link":"https://server/rest/sitemaps/HomeR","homepage":{"link":"https://server/rest/sitemaps/HomeR/homer","leaf":false,"widgets":[]}}]

Thanx :slight_smile:
I updated the tutorial above

BR,
Dim

1 Like

@Dim , can you tell me what changes to make to the /etc/apache2/sites-enabled/000-default.conf file if I already have existing virtual directories hosted under the Apache2 server? I would need to have a https://servername/oh2 or something similar for openhab. Can this be done?

Edit: It’s more complex that I originally thought…
You could do it but it requires more advanced configuration. See here: Using NGINX Reverse Proxy (Authentication and HTTPS) & Apache2 reverse-proxy with LDAP-authentication, HTTPS and URL-path-prefix

It’s probably easier to just use a different port…

1 Like

“It’s probably easier to just use a different port…”

Indeed, but not how I wanted to deploy it. It is very difficult in my situation to change the ports that are open inbound. And I defnitely dont want to deploy LDAP.

When I go to the https site, It shows a not secure error.

tutorial uses self-signed certificates

Thanks.

Hi,
i have done the config and it worked great in a webbrowser. But the app on iOS is not able to connect to remote host. Do someone have an idea why it is not possible to connect from the app? I copy and paste your config.

I’ve tried this solution but I’m curious if there is any way in which I can protect my server on port 8080 as I can currently bypass the password protection altogether by adding :8080 to my hostname.

you mean from the internet?
if yes: simply don’t allow port nat on 8080 (on your Internet Gateway (aka Router)).
Only allow port 80 from the outside world, that will hit the Apache web server and Apache will do the reverse proxying to the internal port 8080

Thanks!
I actually meant on my home network, I’ve already blocked access from the Internet.

(in theory) you could modify the jetty web service to listen only to localhost requests (can’t find now the link to the howto)
If I remember well, it’s something like org.ops4j.pax.web.listening.addresses (defaults to 0.0.0.0 … you will need to change this to 127.0.0.1)
Apache should be running on the same host to be allowed to access the 8080 port.

Hi @Dim,

Thanks for this helpful tutorial.

I just have a small problem after I made all steps, I still can access openhab from port 8080 without requesting username and password. how i can fix this problem?

you can’t :slight_smile:
port 8080 is from the embedded jetty web server and it doesn’t support auth

Okay.

Is there is a way to stop jetty and working from apache only?

no, jetty is the main web server that OH2 is using. also apache is reversing the requests to jetty
what you could do is make jetty listen only to localhost