How to limit access to parts of OpenHAB (one option)


Limiting access to certain UIs

There is some discussion online about restricting access to parts of OpenHAB.

After working through “Securing access to OpenHAB” I thought that nginx could be used to restrict access to any of the user interfaces.

In the end I was able to set things up so that browsing to the OpenHAB IP from any machine other than those that I whitelisted would result in the basicui page being displayed.

My “default” file in /etc/nginx/sites-enabled looks as follows:

server {
  listen 443 ssl;
  server_name 192.168.1.25;

  # pages that are blocked by the configuration below are redirected to the basicui page
  error_page 403 https://192.168.1.25/basicui/app;

  root /var/www/html;

  index index.html index.htm index.nginx-debian.html;

  ssl_certificate     /etc/ssl/openhab.crt;
  ssl_certificate_key /etc/ssl/openhab.key;

  location / {
    include shared_2.conf;
  }

  location /basicui/ {
    include shared_1.conf;
  }

  location /icon/ {
    include shared_1.conf;
  }

  location /rest/ {
    include shared_1.conf;
  }
}

And the include files, which are in /etc/nginx, are as follows:

shared_1.conf:

proxy_pass                            http://localhost:8080;
proxy_set_header Host                 $http_host;
proxy_set_header X-Real-IP            $remote_addr;
proxy_set_header X-Forwarded-For      $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto    $scheme;

auth_basic                            "Username and Password Required";
auth_basic_user_file                  /etc/nginx/.htpasswd;

shared_2.conf:

proxy_pass                            http://localhost:8080;
proxy_set_header Host                 $http_host;
proxy_set_header X-Real-IP            $remote_addr;
proxy_set_header X-Forwarded-For      $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto    $scheme;

#ips that require access to everything.
allow 192.168.1.51;
deny all;

auth_basic                            "Username and Password Required";
auth_basic_user_file                  /etc/nginx/.htpasswd;

Notes:

  • Apparently /rest/ is meant to catch anything that is not defined and, because of shared_1.conf, allow access. In practice I noticed that images were not displaying until I added the /icon/ option, so I am not sure if /rest/ was working.
  • Initially I battled to get the above to work because the initial setup notes that I followed had a trailing ‘/’ after 8080. When I removed that, everything worked as it should.

Disclaimer: I only discovered nginx a few days ago and am therefore by no means skilled in its use, nor do I understand its inner workings. As such there might be much easier or better ways to achieve this.

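An added example (not from the original post or from OpenHAB): a small Python model of the access policy that the nginx configuration above expresses. It reproduces the two nginx rules that decide what a client can reach, the longest matching prefix location wins, and with the default "satisfy all" a request must pass both the location's allow/deny list and its basic auth. Running it against a few constructed requests makes the shape of the policy visible: only "/" (shared_2.conf) carries the IP whitelist, so /basicui/, /icon/ and /rest/ remain reachable from any address that presents a valid password, and the strength of the .htpasswd entries is what protects them. The client addresses, paths and credential flags below are constructed for illustration.

```python
# Added example, not part of the original post: a model of the access policy
# in /etc/nginx/sites-enabled/default plus shared_1.conf / shared_2.conf.
from ipaddress import ip_address, ip_network
from typing import NamedTuple, Tuple


class Location(NamedTuple):
    prefix: str
    allow: Tuple          # networks permitted by "allow"; only used if deny_all
    deny_all: bool        # True if the location carries "deny all;"
    auth_required: bool   # True if the location carries "auth_basic"


# Only "/" (shared_2.conf) has the whitelist and "deny all"; the other three
# prefixes (shared_1.conf) rely on basic auth alone.
WHITELIST = (ip_network("192.168.1.51/32"),)
LOCATIONS = (
    Location("/",         WHITELIST, True,  True),
    Location("/basicui/", (),        False, True),
    Location("/icon/",    (),        False, True),
    Location("/rest/",    (),        False, True),
)
ERROR_PAGE_403 = "https://192.168.1.25/basicui/app"   # error_page 403 target
BACKEND = "http://localhost:8080"                      # proxy_pass target


def pick_location(path: str) -> Location:
    """nginx prefix matching: among the prefixes the path starts with, the
    longest one is selected, so /basicui/app goes to /basicui/, not to /."""
    matches = [loc for loc in LOCATIONS if path.startswith(loc.prefix)]
    return max(matches, key=lambda loc: len(loc.prefix))


def ip_permitted(loc: Location, client_ip: str) -> bool:
    """allow/deny evaluation: with "deny all" only the listed networks pass."""
    if not loc.deny_all:
        return True
    addr = ip_address(client_ip)
    return any(addr in net for net in loc.allow)


def decide(client_ip: str, path: str, valid_credentials: bool) -> Tuple[int, str]:
    """Return the (status, detail) this configuration produces for a request.

    The IP list is evaluated before basic auth; a denied address gets a 403,
    which "error_page 403 <URL>" turns into a 302 redirect to the basicui page.
    """
    loc = pick_location(path)
    if not ip_permitted(loc, client_ip):
        return 302, ERROR_PAGE_403
    if loc.auth_required and not valid_credentials:
        return 401, "WWW-Authenticate: Basic"
    return 200, BACKEND + path


def reachable_without_whitelist() -> Tuple[str, ...]:
    """Prefixes a client outside the whitelist can still reach with a valid
    password: everything that is not behind shared_2.conf."""
    return tuple(loc.prefix for loc in LOCATIONS if not loc.deny_all)


if __name__ == "__main__":
    # Constructed sample requests: the whitelisted host and another LAN host.
    for ip, path, creds in [
        ("192.168.1.51", "/paperui/index.html", True),
        ("192.168.1.77", "/paperui/index.html", True),
        ("192.168.1.77", "/basicui/app", False),
        ("192.168.1.77", "/basicui/app", True),
        ("192.168.1.77", "/rest/items", True),
    ]:
        print(f"{ip:14} {path:22} creds={creds!s:5} -> {decide(ip, path, creds)}")
    print("reachable from any IP with a password:", reachable_without_whitelist())
```

If you later move a prefix between the two include files, update the LOCATIONS table to match and re-run: the table is a quick way to confirm that the locations you expect to be whitelist-only really are, before testing against the live server with a browser from a non-whitelisted machine.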

Thanks for posting! I’ve moved the post to the Tutorials & Examples category where it should be easier to find.