I’ve made good progress on this using the current version of nginx light, but am hung up on an issue that is possibly just nginx-related, but perhaps it may involve OpenHAB as well so I’m putting it out here.
System config: OH 1.8.3 / Ubuntu 16.0.4 LTS, default apache2 conf, everything working smoothly without nginx.
Installed nginx-light 1.10.0 via apt-get, set up config file to listen on port 7090 & reverse proxy for the OpenHAB server on the same server (i.e. localhost:8080.) With a wide-open nginx configuration (no access restrictions attempted, just straight-thru reverse proxying all requests,) everything is hunky-dory and access to OH sitemaps works normally on any device pointed to the alternate :7090 nginx listening port. (ipad, android, web browser.)
When I use an nginx location { } directive to attempt to block access to a specific sitemap (and only that sitemap), I can successfully block access by IP (or whatever other Nginx allow/deny method I wish.) So, access-denial is working fine as well:
From /var/log/nginx/error.log:
2017/01/17 13:00:12 [error] 8486#0: *4 access forbidden by rule, client: 192.168.1.143, server: 127.0.0.1, request: "GET /rest/sitemaps/bach2dop/bach2dop HTTP/1.1", host: "192.168.1.122:7090"
The problem I’m having is that, when the location { } directive is enabled (i.e. defined in the nginx default conf file), and a host is ALLOWED access to the location, nginx spits back the following error:
From /var/log/nginx/error.log:
2017/01/17 13:00:31 [error] 8565#0: *1 open() "/rest/sitemaps/bach2dop/bach2dop" failed (2: No such file or directory), client: 192.168.1.143, server: 127.0.0.1, request: "GET /rest/sitemaps/bach2dop/bach2dop HTTP/1.1", host: "192.168.1.122:7090"
Here’s the relevant section of the nginx conf file I’m using:
    ## nginx/1.10.0 (Ubuntu) reverse-proxy configuration to filter requests sent to OpenHAB.
    server {
        listen 7090;
        server_name mydomain_or_myip;

        location / {
            proxy_pass http://localhost:8080/;
            proxy_buffering off;
            proxy_set_header Host $http_host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Proto $scheme;
        }

        ### This specific sitemap ("bach2dop.sitemap") I want to DENY to all IP addresses on the LAN,
        ### EXCEPT for one authorized IP address:
        location ~ /rest\/sitemaps\/bach2dop*.* {
            satisfy any;
            allow 192.168.1.143;
            deny all;
            proxy_buffering off;
            proxy_set_header Host $http_host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Proto $scheme;
        }
    }
I have tried many different variations of the location ~ regexp match and there is no difference in behavior; I think I’m missing some other nginx config option, or possibly I need to tweak something outside of nginx, i.e. in OpenHAB??
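
An added example, not part of the original post: the restricted location in the config above has no `proxy_pass` of its own, so an allowed request is handed to nginx's static file handler, which matches the `open()` error in the log. The variant below keeps the post's port, upstream and allowed IP; the anchored regex and the move of the shared proxy settings to server level are assumptions made for the example.

```nginx
# Added example, not the poster's configuration.
server {
    listen 7090;
    server_name mydomain_or_myip;

    # Set once at server level; both locations inherit these because
    # neither one defines proxy_set_header itself.
    proxy_buffering off;
    proxy_set_header Host $http_host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto $scheme;

    location / {
        proxy_pass http://localhost:8080/;
    }

    # A matching regex location takes precedence over the "/" prefix
    # location, and proxy_pass is not inherited from a sibling location.
    # Without proxy_pass here, an allowed request is looked up on disk.
    # Assumption: the regex is anchored so it matches only this sitemap's
    # REST path, not any URI that merely contains the string.
    location ~ ^/rest/sitemaps/bach2dop(/|$) {
        allow 192.168.1.143;
        deny all;

        # Inside a regex location proxy_pass must not carry a URI part
        # (no trailing slash); the original request URI is forwarded.
        proxy_pass http://localhost:8080;
    }
}
```

This rule only covers the REST path shown in the log; any other URL that serves the same sitemap needs its own restriction, and port 8080 must not be reachable from the LAN directly or the proxy rule is bypassed.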