Disclaimer: If you find any private information (IP address, domain name, etc.), I encourage you to inform me immediately so that I can delete this information. Thank you!
Hi @Malspherus and welcome to the openHAB community,
I’m using a similar setup to yours, with one exception: I don’t automatically add the authentication to the connection for logging into openHAB (if this is your use case). My second NGINX uses standard username and password methods to authenticate a user and give her/him access to the openHAB instance. To get into the administration panel of the openHAB frontend the user has to log in with the appropriate credentials.
My setup consists of two NGINX servers. The Main-Proxy has a static IP address which is publicly reachable. This Main-Proxy is connected via VPN to my local server. On this server I have my Local-Proxy to manage my local setup, which consists of different services (databases, experiments, openHAB, etc.), and also to provide the basic username/password functionality.
I use SSL for the connections. You will notice this in my setup files.
As you said, you have problems getting the item state. I had a similar problem with the connection between the frontend in the web browser and the openHAB instance behind two NGINX proxies. In the NGINX log files I found `net::ERR_INCOMPLETE_CHUNKED_ENCODING 200 (OK)`. I was able to solve this problem with the following setting (it is also included in the Main-Proxy settings):
```nginx
# NGINX SSE error
# net::ERR_INCOMPLETE_CHUNKED_ENCODING 200 (OK)
# https://waglerocks.com/issues-and-fixes/solvedneterr_incomplete_chunked_encoding-200-ok/?__cf_chl_jschl_tk__=pmd_f1d9c9e2b7e2b71e8973056e40d25da61ff332e3-1626816675-0-gqNtZGzNAiKjcnBszQii
# prevent it with:
proxy_buffering off;
```
I changed my private settings to placeholders. For example: >>XXXX<< is your domain address, like wikipedia.com (don’t forget the top-level domain!). >>MY-PRIVATE-IPADDRESS<< is my private IP address of the Local-Proxy in the VPN network. >>LOCAL_IP_ADDRESS<< is my private IP address of the openHAB instance in my local network setup.
In the code below there are a lot of `/` characters, and these little things are easily overlooked! Please look closely, because they have a big impact on NGINX location settings. I sometimes had problems with them just by forgetting to write them. For example, in the >>Local-Proxy<< part there is the location setting:
```nginx
proxy_pass http://LOCAL_IP_ADDRESS/;
```
Don’t overlook the `/` after you have replaced >>LOCAL_IP_ADDRESS<< with your valid IP address.
Main-Proxy
```nginx
#
###### Configuration file for Main Proxy #######
#
###########################################
# Some variables
upstream projectServer {
    # Serial number:
    server MY-PRIVATE-IPADDRESS;
}
################################################################################
#################### Normal http server ##################
################################################################################
server {
    listen 80;
    listen [::]:80;
    root /var/www/XXXXX_V1/public_html;
    index index.html;
    server_name XXXX www.XXXXX;
    access_log /var/log/nginx/XXXX_V1.access.log;
    error_log /var/log/nginx/XXXX_V1.error.log;

    # Server Test Connection
    location /connection_test {
        return 200 'Gangnam style! Your project controller is online!';
        add_header Content-Type text/plain;
    }

    # Redirect to https!
    location / {
        if ($scheme != "https") {
            return 301 https://$host$request_uri;
        }
    }
}
################################### Secure Server
server {
    listen 443 ssl;
    listen [::]:443 ssl;
    root /var/www/XXXX_V1/public_html;
    index index_Secure.html;
    server_name XXXX www.XXXX;
    access_log /var/log/nginx/XXXX_V1.access.log;
    error_log /var/log/nginx/XXXX_V1.error.log;
    ssl_certificate "/etc/letsencrypt/live/XXXX/fullchain.pem";
    ssl_certificate_key "/etc/letsencrypt/live/XXXX/privkey.pem";
    # It is *strongly* recommended to generate unique DH parameters
    # Generate them with: openssl dhparam -out /etc/pki/nginx/dhparams.pem 2048
    #ssl_dhparam "/etc/pki/nginx/dhparams.pem";
    ssl_session_cache shared:SSL:1m;
    ssl_session_timeout 10m;
    # TLS 1.0 and 1.1 are deprecated (RFC 8996), so only 1.2 and 1.3 are enabled.
    # TLSv1.3 needs nginx 1.13.0+ built against OpenSSL 1.1.1+.
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers HIGH:SEED:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!RSAPSK:!aDH:!aECDH:!EDH-DSS-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA:!SRP;
    ssl_prefer_server_ciphers on;
    # Load configuration files for the default server block.
    # include /etc/nginx/default.d/*.conf;

    # Server Test Connection
    location /connection_test {
        return 200 'SECURE gangnam style! Your project controller is securely online!';
        add_header Content-Type text/plain;
    }

    location / {
        # Forward everything to the Local-Proxy over the VPN (note the trailing /).
        proxy_pass http://projectServer/;
        proxy_redirect off;
        proxy_set_header Host $http_host;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        # NGINX SSE error
        # net::ERR_INCOMPLETE_CHUNKED_ENCODING 200 (OK)
        # https://waglerocks.com/issues-and-fixes/solvedneterr_incomplete_chunked_encoding-200-ok/?__cf_chl_jschl_tk__=pmd_f1d9c9e2b7e2b71e8973056e40d25da61ff332e3-1626816675-0-gqNtZGzNAiKjcnBszQii
        # prevent it with:
        proxy_buffering off;
        # Cross-Origin Resource Sharing.
        # Note: browsers reject credentialed cross-origin requests when
        # Allow-Origin is '*'; name the exact origin if credentials are needed.
        add_header 'Access-Control-Allow-Origin' '*' always;
        add_header 'Access-Control-Allow-Credentials' 'true' always;
        add_header 'Access-Control-Allow-Headers' 'Authorization,Accept,Origin,DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Content-Range,Range' always;
        add_header 'Access-Control-Allow-Methods' 'GET,POST,OPTIONS,PUT,DELETE,PATCH' always;
        # openHAB 3 api authentication
        add_header Set-Cookie X-OPENHAB-AUTH-HEADER=1;
    }
}
```
Local-Proxy
```nginx
server {
    server_name localhost;
    listen 80;
    listen [::]:80;
    root /usr/share/nginx/html;
    index index.html;

    # Endpoint for Testing
    location /abc {
        return 200 'Gangnam style!';
        add_header Content-Type text/plain;
    }

    location / {
        # Forward to the openHAB instance (note the trailing /).
        proxy_pass http://LOCAL_IP_ADDRESS/;
        proxy_redirect off;
        proxy_set_header Host $http_host;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        # Do not pass the basic-auth credentials on to openHAB.
        proxy_set_header Authorization "";
        auth_basic "Username and Password Required";
        auth_basic_user_file /etc/nginx/.htpasswd;
        # NGINX SSE error
        # net::ERR_INCOMPLETE_CHUNKED_ENCODING 200 (OK)
        # https://waglerocks.com/issues-and-fixes/solvedneterr_incomplete_chunked_encoding-200-ok/?__cf_chl_jschl_tk__=pmd_f1d9c9e2b7e2b71e8973056e40d25da61ff332e3-1626816675-0-gqNtZGzNAiKjcnBszQii
        # prevent it with:
        proxy_buffering off;
        # Cross-Origin Resource Sharing.
        # Note: browsers reject credentialed cross-origin requests when
        # Allow-Origin is '*'; name the exact origin if credentials are needed.
        add_header 'Access-Control-Allow-Origin' '*' always;
        add_header 'Access-Control-Allow-Credentials' 'true' always;
        add_header 'Access-Control-Allow-Headers' 'Authorization,Accept,Origin,DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Content-Range,Range' always;
        add_header 'Access-Control-Allow-Methods' 'GET,POST,OPTIONS,PUT,DELETE,PATCH' always;
        # openHAB 3 api authentication
        add_header Set-Cookie X-OPENHAB-AUTH-HEADER=1;
    }
}
```
I hope my presented information can help you to solve your problem!
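
Added example, not part of the original post: a short Python audit for the TLS and CORS directives that a reverse-proxy configuration like the one above relies on. The sample fragment, the `audit` function and the finding codes are constructed for illustration; the check looks at the whole text rather than at each `server`/`location` block separately.

```python
import re
import shlex

# Constructed sample (not a real deployment): settings worth re-checking.
SAMPLE = """\
server {
    listen 443 ssl;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    location / {
        proxy_pass http://LOCAL_IP_ADDRESS/;
        add_header 'Access-Control-Allow-Origin' '*' always;
        add_header 'Access-Control-Allow_Credentials' 'true' always;
    }
}
"""

DIRECTIVE = re.compile(r"^\s*([a-z_]+)\s+(.+?);\s*$")
OLD_TLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}  # TLS 1.0/1.1: RFC 8996
CORS = {"access-control-allow-" + s
        for s in ("origin", "credentials", "headers", "methods")}

def audit(conf):
    """Return sorted (line_no, code) findings; scope is the whole text,
    not per server/location block (a simplification)."""
    found, seen = [], {}
    for no, raw in enumerate(conf.splitlines(), 1):
        m = DIRECTIVE.match(raw.split("#", 1)[0])  # naive comment strip
        if not m:
            continue
        name, args = m.group(1), shlex.split(m.group(2))
        if name == "ssl_protocols" and OLD_TLS & set(args):
            found.append((no, "deprecated-tls"))
        if name == "add_header" and len(args) >= 2:
            header = args[0].lower()
            fixed = header.replace("_", "-")
            if fixed in CORS and fixed != header:
                # Browsers ignore header names they do not recognise.
                found.append((no, "misspelled-cors-header"))
            if fixed in CORS:
                seen[fixed] = (no, args[1])
    origin = seen.get("access-control-allow-origin")
    creds = seen.get("access-control-allow-credentials")
    if origin and creds and origin[1] == "*" and creds[1].lower() == "true":
        # Browsers refuse credentialed CORS responses with a wildcard origin.
        found.append((origin[0], "wildcard-origin-with-credentials"))
    return sorted(found)

if __name__ == "__main__":
    for line_no, code in audit(SAMPLE):
        print(f"line {line_no}: {code}")
```

The wildcard finding is reported even when the credentials header is misspelled, because the combination takes effect as soon as the spelling is corrected.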