Expose only basicui to the internet

weberjn · August 22, 2021, 7:29pm

I’d like to access my home openHAB instance via the internet from my smartphone.

[Securing Communication and Access | openHAB] shows how to set up a reverse proxy.

This exposes the the whole openHAB instance to the internet. I’d like to have ony basicui accessible from the internet.

This would need a common path prefix that would be proxied. But if I look at the traffic of basicui, there is no common prefix.

One would need something like

/basicui/fonts
/basicui/rest

Has anybody worked on something like this?

Or is VPN the better option?

Thanks,
Juergen

hmerk · August 22, 2021, 8:25pm

VPN is definitely the better option, or use myopenHAB and the official apps…

HaKuNa · August 22, 2021, 8:39pm

have a look here.

rlkoshak · August 23, 2021, 3:23pm

Keep in mind that BasicUI has to be able to access the generic openHAB REST API and since BasicUI runs in the browser it means the REST API needs to be exposed as well. There isn’t a /basicui/rest because BasicUI doesn’t have it’s own REST API endpoint.

In this case it’s pretty much all or nothing.

As mentioned, VPN or myopenhab.org will be better options, though even with myopenhab.org. Having recently set up Tailscale I highly recommend it and I think openHABian has an option to set that up.

weberjn · August 23, 2021, 3:42pm

/basicui/rest could be another facade to the Java code behind /rest

And with the /basicui prefix access could be controlled by the Apache/Nginx before it, and basic auth with SSL could be enforced (or oauth2 if bigger guns are needed)

weberjn · August 23, 2021, 5:35pm

Anyway, guess most easy and secure access is an SSH tunnel, e.g. with ConnectBot.

This also works with openHAB app.