How to limit access to parts of OpenHAB (one option)

Limiting access to certain UIs

There is some discussion online about restricting access to parts of OpenHAB.

After working through “Securing access to OpenHAB” I thought that nginx could be used to restrict access to any of the user interfaces.

In the end I was able to set things up so that browsing to the OpenHAB IP from any machine other than those that I whitelisted, would result in the basicui page being displayed.

My “default” file in /etc/nginx/sites-enabled looks as follows:

server {
  listen 443 ssl;
  server_name 192.168.1.25;

  # pages that are blocked by the configuration below are redirected to the basicui page
  error_page 403 https://192.168.1.25/basicui/app;

  root /var/www/html;

  index index.html index.htm index.nginx-debian.html;

  ssl_certificate     /etc/ssl/openhab.crt;
  ssl_certificate_key /etc/ssl/openhab.key;

  # everything not matched below: IP-restricted plus password (shared_2.conf)
  location / {
    include shared_2.conf;
  }

  # password only (shared_1.conf)
  location /basicui/ {
    include shared_1.conf;
  }

  location /icon/ {
    include shared_1.conf;
  }

  location /rest/ {
    include shared_1.conf;
  }
}

And the include files, which are in /etc/nginx, are as follows:

shared_1.conf:

proxy_pass                            http://localhost:8080;
proxy_set_header Host                 $http_host;
proxy_set_header X-Real-IP            $remote_addr;
proxy_set_header X-Forwarded-For      $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto    $scheme;

auth_basic                            "Username and Password Required";
auth_basic_user_file                  /etc/nginx/.htpasswd;

shared_2.conf:

proxy_pass                            http://localhost:8080;
proxy_set_header Host                 $http_host;
proxy_set_header X-Real-IP            $remote_addr;
proxy_set_header X-Forwarded-For      $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto    $scheme;

# ips that require access to everything.
allow 192.168.1.51;
deny all;

auth_basic                            "Username and Password Required";
auth_basic_user_file                  /etc/nginx/.htpasswd;

Notes:

  • Apparently /rest/ is meant to catch anything that is not defined and, because of shared_1.conf, allow access. In practice I noticed that images would not display until I added the /icon/ option, so I am not sure if /rest/ was working.
  • Initially I battled to get the above to work because the initial setup notes that I followed had a trailing ‘/’ after 8080. When I removed that, everything worked as it should.

Disclaimer: I only discovered nginx a few days ago and am therefore by no means skilled in its use, nor do I understand its inner workings. As such there might be much easier or better ways to achieve this.

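As an added check that is not part of the original post, the script below probes each location of the configuration above from the machine it runs on and reports whether the proxy served the page, redirected it to Basic UI (the error_page rewrite of the 403) or asked for credentials. It assumes the proxy address 192.168.1.25 from the post and a placeholder .htpasswd user, both overridable through OH_HOST and OH_AUTH; /paperui/ is only an example of a path that falls under location /.

```shell
#!/bin/sh
# Probe the access matrix of the nginx reverse proxy described in the post.
# Assumptions (not from the original post): proxy reachable at $OH_HOST,
# credentials in $OH_AUTH as user:password, self-signed cert accepted via -k.
OH_HOST="${OH_HOST:-192.168.1.25}"
OH_AUTH="${OH_AUTH:-user:password}"   # placeholder, replace with your .htpasswd user

# Return only the HTTP status code for one path. Redirects are not followed,
# so the 403 -> 302 rewrite done by error_page stays visible.
http_status() {
    curl -k -s --connect-timeout 5 -o /dev/null -w '%{http_code}' \
        -u "$OH_AUTH" "https://$OH_HOST$1"
}

# Map a status code to what the location blocks in the post would produce:
# 200 served, 302 denied by IP and redirected to basicui, 401 credentials rejected.
classify() {
    case "$1" in
        200) echo served ;;
        302) echo redirected-to-basicui ;;
        401) echo auth-required ;;
        403) echo denied ;;
        *)   echo "unexpected($1)" ;;
    esac
}

# Probe one path and print a one-line verdict.
probe() {
    status=$(http_status "$1")
    printf '%-16s %s %s\n' "$1" "$status" "$(classify "$status")"
}

# Paths the post treats differently: /basicui/, /icon/ and /rest/ need only a
# password (shared_1.conf); / and anything else, e.g. /paperui/, are also
# IP-restricted (shared_2.conf). From a non-whitelisted host the last two
# should come back as redirected-to-basicui, never as served.
run_matrix() {
    for p in /basicui/app /icon/ /rest/ / /paperui/; do
        probe "$p"
    done
}

# Run the probes only when executed directly as check_openhab_proxy.sh,
# not when the functions are sourced elsewhere.
if [ "${0##*/}" = "check_openhab_proxy.sh" ]; then
    run_matrix
fi
```

Run it once from a whitelisted machine and once from any other one; the two outputs should differ only in the / and /paperui/ rows.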

Thanks for posting! I’ve moved the post to the Tutorials & Examples category where it should be easier to find.

@abasel
Hello Andre,

I have been using your approach successfully to restrict access to sitemaps via the Android app.
Now I would like to use a similar approach to restrict access to Main UI pages, also via the Android app. Do you happen to know how to set up the location for checking Main UI pages via the app?
Thanks