Binding only to specific network interface

Kwave · January 2, 2017, 12:09am

Hi,

how to configure OH2 to bind only to a specific network interface? I want the openhab webinterface to only be available on 127.0.0.1.

Thanks,
Michael

ThomDietrich · January 16, 2017, 4:11pm

Hello @Kwave,
that’s imho not supported at the moment. You can change the serving port or block the port via firewall if that is an option. Certainly we should look into a solution. I’ll investigate. Ping me in a few days

ThomDietrich · January 16, 2017, 5:32pm

Please add the following line to /etc/default/openhab2 (expecting you to be on a linux apt setup):

EXTRA_JAVA_OPTS="-Dorg.apache.felix.http.host=127.0.0.1"

Untested Update: doesn’t seem to work. @Kai I’ve probably chosen the wrong option?

Kai · January 16, 2017, 9:42pm

The VERY wrong option - we are running Jetty through Pax-Web, not Felix HTTP service
So better go and search somewhere here: https://ops4j1.jira.com/wiki/display/paxweb/Configuration

Kai · January 16, 2017, 9:46pm

org.ops4j.pax.web.listening.addresses seems to be the setting, which would have to go into etc/org.ops4j.pax.web.cfg.

ThomDietrich · January 16, 2017, 9:55pm

I’ve never bothered with these parts of openHAB and don’t want to My suggestion was a between-the-doors hunch based on this: https://www.google.de/search?q=org.osgi.service.http.port
Thanks for your help. We should provide this option (inside setenv and) as a variable just like the HTTP(S) Ports.

@Kwave @mashborn please test

Kai · January 17, 2017, 4:15pm

FTR: I have successfully tested this setting. Using 127.0.0.1 made openHAB only answer on the loopback interface.

mashborn · January 18, 2017, 9:07am

So I have to create the file?

sudo nano /etc/org.ops4j.pax.web.cfg
to create a new file?

org.ops4j.pax.web.listening.addresses=127.0.0.1
as single line in that file?

Dim · January 18, 2017, 9:18am

See here also:

No, the file that you need to modify is already located at: $OPENHAB_USERDATA/etc/org.ops4j.pax.web.cfg
(/var/lib/openhab2/etc/org.ops4j.pax.web.cfg)

edit the default value (from 0.0.0.0 to 127.0.0.1) to allow only localhost to access the OH2 web services.

#
# Listening addresses. This should match host in the sslconnector/name attribute in jetty.xml
#
org.ops4j.pax.web.listening.addresses = 0.0.0.0

http://docs.openhab.org/installation/security.html

0xMUHAHA · January 18, 2017, 9:20am

On debian-based setups this file can be found in
/var/lib/openhabs/etc/org.ops4j.pax.web.cfg

Benjy · January 18, 2017, 9:21am

You should be able to put in a comma separated list of allowed addresses.

https://ops4j1.jira.com/wiki/plugins/servlet/mobile?contentId=12059275#content/view/12059275

Dim · January 18, 2017, 9:38am

Correct. Comma separated IP Addresses can be configured in the org.ops4j.pax.web.listening.addresses parameter

btw, I tried to add a subnet (172.16.13.0/24) and I get an error:

2017-01-18 11:25:49.230 [ERROR] [.service.internal.HttpServiceStarted] - Could not start the servlet context for context path []
java.net.SocketException: Unresolved address

So, this is only for local IPs of the host running OH2.

mashborn · January 18, 2017, 10:45am

If I’m using 127.0.0.1 it works.

But comma-separated lists don’t work…

I tried it with (oh-server is 192.168.5.4):
127.0.0.1,192.168.5.0
127.0.0.1,192.168.5.0/24
127.0.0.1,192.168.5.*
127.0.0.1,192.168.5.2

I have connected two networks by vpn. My openhab should only be available in the 5er-subnet…

Dim · January 18, 2017, 11:55am

You can’t specify IP Subnets there. This parameter is for binding the web services (http & https) to local interface(s) (using hostname or IP)

Only local host IPs

In your case, it would be:
127.0.0.1, 192.168.5.4

(or the default 0.0.0.0 to do the same… bind to both local IPs :))

mashborn · January 18, 2017, 8:09pm

Now It works kind of:
Port 8080 is only available over 127.0.0.1
Port 80 via nginx is open to my subnet
Everything works - except Hueemulation and Echo.

Maybe theres a hardcoded 8080 in the hueemulation?!?

breti · June 25, 2017, 2:07pm

Be careful: This setting affects HTTP on port 8080, but not HTTPS on port 8443!

One should bind OpenHAB to 127.0.0.1 and disable HTTPS support in OpenHAB when using a reverse proxy.

If HTTPS is needed, it should be activated in the reverse proxy configuration.

org.osgi.service.http.secure.enabled = false
org.ops4j.pax.web.listening.addresses = 127.0.0.1

sipvoip · May 12, 2018, 3:59pm

Does this still work in 2.3? I have it set to localhost,10.88.64.4 but now with 2.3 I am seeing:

2018-05-12 11:57:07.517 [WARN ] [g.eclipse.smarthome.core.net.NetUtil] - Found multiple local interfaces - ignoring 10.88.64.4
2018-05-12 11:57:07.541 [INFO ] [.dashboard.internal.DashboardService] - Started Dashboard at http://50.246.121.172:8080
2018-05-12 11:57:07.541 [INFO ] [.dashboard.internal.DashboardService] - Started Dashboard at https://50.246.121.172:8443

That is my public IP, however netstat shows:

[root@lisa smarthome]# netstat -nl |grep 8080
tcp        0      0 10.88.64.4:8080         0.0.0.0:*               LISTEN     
tcp        0      0 127.0.0.1:8080          0.0.0.0:*               LISTEN

Dim · May 12, 2018, 8:00pm

try to set in /etc/openhab2/services/runtime.cfg

org.eclipse.smarthome.network:primaryAddress = 10.88.64.4/24
org.eclipse.smarthome.network:broadcastAddress = 10.88.64.255
org.eclipse.smarthome.core.net.NetUtil:primaryAddress = 10.88.64.0/24

to see if this helps