Limiting access to certain UIs
There is some discussion online about restricting access to parts of OpenHAB.
After working through “Securing access to OpenHAB” I thought that nginx could be used to restrict access to any of the user interfaces.
In the end I was able to set things up so that browsing to the OpenHAB IP from any machine other than those that I whitelisted would result in the basicui page being displayed.
My “default” file in /etc/nginx/sites-enabled looks as follows:
server {
    listen 443 ssl;
    server_name 192.168.1.25;
    #pages that are blocked by the configuration below are redirected to the basicui page
    error_page 403 https://192.168.1.25/basicui/app;
    root /var/www/html;
    index index.html index.htm index.nginx-debian.html;
    ssl_certificate /etc/ssl/openhab.crt;
    ssl_certificate_key /etc/ssl/openhab.key;
    location / {
        include shared_2.conf;
    }
    location /basicui/ {
        include shared_1.conf;
    }
    location /icon/ {
        include shared_1.conf;
    }
    location /rest/ {
        include shared_1.conf;
    }
}
And the include files, which are in /etc/nginx, are as follows:
shared_1.conf:
    proxy_pass http://localhost:8080;
    proxy_set_header Host $http_host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto $scheme;
    auth_basic "Username and Password Required";
    auth_basic_user_file /etc/nginx/.htpasswd;
shared_2.conf:
    proxy_pass http://localhost:8080;
    proxy_set_header Host $http_host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto $scheme;
    #ips that require access to everything.
    allow 192.168.1.51;
    deny all;
    auth_basic "Username and Password Required";
    auth_basic_user_file /etc/nginx/.htpasswd;
Notes:
- Apparently /rest/ is meant to catch anything that is not defined and, because of shared_1.conf, allow access. In practice I noticed that images would not display until I added the /icon/ option, so I am not sure if /rest/ was working.
- Initially I battled to get the above to work because the initial setup notes that I followed had a trailing ‘/’ after 8080. When I removed that, everything worked as it should.
Disclaimer: I only discovered nginx a few days ago and am therefore by no means skilled in its use, nor do I understand its inner workings. As such there might be much easier or better ways to achieve this.
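The routing in the configuration above can be checked without a running server. The following is an added example (not from the original post, and not nginx or OpenHAB code) that re-implements two documented nginx rules for the posted config: longest-prefix `location` matching, and first-match `allow`/`deny` combined with `auth_basic` under the default `satisfy all`. It also models the prefix replacement that a URI part (such as a trailing slash) on `proxy_pass` causes. The client address 192.168.1.99 and the request paths are constructed sample inputs.

```python
"""Model of how nginx routes requests under the posted OpenHAB config.

Added example, not part of the original post and not nginx/OpenHAB code.
Two documented nginx rules are re-implemented so the effect of the config
can be checked offline:

  1. prefix `location` blocks: the longest matching prefix wins (the posted
     config uses only plain prefixes, no `=` or regex locations);
  2. access phase: `allow`/`deny` is decided by the first matching rule, and
     with the default `satisfy all` the client must ALSO pass basic auth.

A `proxy_pass` with a URI part (e.g. a trailing "/") makes nginx replace the
matched location prefix with that URI part before forwarding.
"""
from dataclasses import dataclass
from typing import List, Tuple

# From shared_2.conf: allow 192.168.1.51; deny all;
ALL_ACCESS_IPS = {"192.168.1.51"}
# From the server block: error_page 403 https://192.168.1.25/basicui/app;
FORBIDDEN_REDIRECT = "https://192.168.1.25/basicui/app"


@dataclass
class Location:
    prefix: str
    restricted: bool  # True = shared_2.conf (IP whitelist + auth); False = shared_1.conf (auth only)
    proxy_pass: str = "http://localhost:8080"


# The four locations exactly as posted, and the state before /icon/ was added.
POSTED = [
    Location("/", restricted=True),
    Location("/basicui/", restricted=False),
    Location("/icon/", restricted=False),
    Location("/rest/", restricted=False),
]
BEFORE_ICON = [loc for loc in POSTED if loc.prefix != "/icon/"]


def match_location(locations: List[Location], uri: str) -> Location:
    """nginx prefix matching: among prefixes the URI starts with, the longest wins."""
    candidates = [loc for loc in locations if uri.startswith(loc.prefix)]
    return max(candidates, key=lambda loc: len(loc.prefix))


def upstream_target(loc: Location, uri: str) -> str:
    """URL the request is forwarded to.

    Without a URI part on proxy_pass the request URI is passed unchanged.
    With one (e.g. "http://localhost:8080/"), the matched prefix is replaced
    by that URI part, so /basicui/app under location /basicui/ becomes /app.
    """
    scheme_end = loc.proxy_pass.index("://") + 3
    slash = loc.proxy_pass.find("/", scheme_end)
    if slash == -1:
        return loc.proxy_pass + uri
    host, replacement = loc.proxy_pass[:slash], loc.proxy_pass[slash:]
    return host + replacement + uri[len(loc.prefix):]


def decide(locations: List[Location], uri: str, client_ip: str,
           has_valid_credentials: bool) -> Tuple[int, str]:
    """Return (status, detail) as the posted configuration would answer."""
    loc = match_location(locations, uri)
    if loc.restricted and client_ip not in ALL_ACCESS_IPS:
        # `deny all` -> 403; `error_page 403 <URL>` turns that into a 302 redirect
        return (302, FORBIDDEN_REDIRECT)
    if not has_valid_credentials:
        # `satisfy all` (default): even a whitelisted IP still needs the password
        return (401, "auth_basic challenge")
    return (200, "proxied to " + upstream_target(loc, uri))


if __name__ == "__main__":
    outsider = "192.168.1.99"  # constructed: a LAN host that is NOT whitelisted
    for uri in ("/basicui/app", "/icon/light.png", "/paperui/index.html"):
        print(f"before /icon/ {uri:22} -> {decide(BEFORE_ICON, uri, outsider, True)}")
        print(f"posted        {uri:22} -> {decide(POSTED, uri, outsider, True)}")
    print("whitelisted, no password ->", decide(POSTED, "/paperui/index.html", "192.168.1.51", False))
    slash = Location("/basicui/", False, "http://localhost:8080/")
    print("trailing slash forwards /basicui/app as", upstream_target(slash, "/basicui/app"))
```

Running it shows why the /icon/ location was needed: before it was added, a request for /icon/... matched only location /, whose `deny all` sent non-whitelisted clients to the 403 redirect, so the Basic UI page itself loaded but its icons did not. It also shows that with `proxy_pass http://localhost:8080/;` a request for /basicui/app reaches OpenHAB as /app, which is the trailing-slash problem in the second note. One further point the model makes visible: under nginx's default `satisfy all`, the whitelisted 192.168.1.51 still has to present a password for the restricted locations; `satisfy any;` would make either the IP check or the password sufficient.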