How to run OpenHAB behind an internet proxy?

  • Platform information:

    • Hardware: virtual Machine on ESX Server
    • OS: Suse Linux Enterprise Server 15
    • Java Runtime Environment: zulu8.33.0.1-jdk8.0.192
    • openHAB version: 2.4.0
  • Issue of the topic: OpenHAB extensions (OpenHABCloud, Telegram) can’t connect to their servers

  • Please post configurations:

    • Services configuration related to the issue
      /etc/default/openhab2 has EXTRA_JAVA_OPTIONS set to this:
      EXTRA_JAVA_OPTS="-Djava.net.useSystemProxies=true -Dhttp.proxyHost=[my proxy IP] -Dhttp.proxyPort=8080 -Dhttp.nonProxyHosts='localhost|127.0.0.1|.local'"
  • If logs were generated please post these here using code fences:

 # systemctl status openhab2.service
● openhab2.service - openHAB 2 - empowering the smart home
   Loaded: loaded (/usr/lib/systemd/system/openhab2.service; enabled; vendor preset: disabled)
   Active: active (running) since Tue 2019-12-10 09:19:47 CET; 26s ago
     Docs: https://www.openhab.org/docs/
           https://community.openhab.org
  Process: 15107 ExecStop=/usr/share/openhab2/runtime/bin/karaf stop (code=exited, status=0/SUCCESS)
 Main PID: 15361 (java)
    Tasks: 165 (limit: 4915)
   Memory: 420.3M
      CPU: 32.714s
   CGroup: /system.slice/openhab2.service
           └─15361 /usr/bin/java -Dopenhab.home=/usr/share/openhab2 -Dopenhab.conf=/etc/openhab2 -Dopenhab.runtime=/usr/share/openhab2/runtime -Dopenhab.userdata=/var/lib/openhab2 -Dopenhab.logdir=/var/log/openhab2 -Dfelix.cm.dir=/var/lib/openhab2/config -Djava.library.path=/var/lib/openhab2/tmp/lib -Djetty.host=0.0.0.0 -Djetty.http.compliance=RFC2616 -Dorg.ops4j.pax.web.listening.addresses=0.0.0.0 -Dorg.osgi.service.http.port=8080 -Dorg.osgi.service.http.port.secure=8084 -Djava.awt.headless=true -XX:+UseG1GC -Djava.net.useSystemProxies=true -Dhttp.proxyHost=[my proxy IP] -Dhttp.proxyPort=8080 -Dhttp.nonProxyHosts='localhost|127.0.0.1|.local' -Djava.endorsed.dirs=/usr/lib/jvm/zulu-8/jre/lib/endorsed:/usr/lib/jvm/zulu-8/lib/endorsed:/usr/share/openhab2/runtime/lib/endorsed -Djava.ext.dirs=/usr/lib/jvm/zulu-8/jre/lib/ext:/usr/lib/jvm/zulu-8/lib/ext:/usr/share/openhab2/runtime/lib/ext -Dkaraf.instances=/var/lib/openhab2/tmp/instances -Dkaraf.home=/usr/share/openhab2/runtime -Dkaraf.base=/var/lib/openhab2 -Dkaraf.data=/var/lib/openhab2 -Dkaraf.etc=/var/lib/openhab2/etc -Dkaraf.logs=/var/log/openhab2 -Dkaraf.restart.jvm.supported=true -Djava.io.tmpdir=/var/lib/openhab2/tmp -Djava.util.logging.config.file=/var/lib/openhab2/etc/java.util.logging.properties -Dkaraf.startLocalConsole=false -Dkaraf.startRemoteShell=true -classpath /usr/share/openhab2/runtime/lib/boot/activation-1.1.1.jar:/usr/share/openhab2/runtime/lib/boot/jaxb-api-2.3.0.jar:/usr/share/openhab2/runtime/lib/boot/jaxb-core-2.2.11.jar:/usr/share/openhab2/runtime/lib/boot/jaxb-impl-2.2.11.jar:/usr/share/openhab2/runtime/lib/boot/org.apache.karaf.diagnostic.boot-4.2.1.jar:/usr/share/openhab2/runtime/lib/boot/org.apache.karaf.jaas.boot-4.2.1.jar:/usr/share/openhab2/runtime/lib/boot/org.apache.karaf.main-4.2.1.jar:/usr/share/openhab2/runtime/lib/boot/org.osgi.core-6.0.0.jar org.apache.karaf.main.Main

Dec 10 09:19:47 systemd[1]: Started openHAB 2 - empowering the smart home.

OpenHAB Log shows this:

==> /log/openhab2/openhab.log <==
2019-12-10 09:21:09.324 [INFO ] [e.smarthome.model.script.debug.rules] - Sending Telegram message...
2019-12-10 09:29:52.416 [WARN ] [ab.action.telegram.internal.Telegram] - Transport error: {}
java.net.ConnectException: Connection timed out (Connection timed out)
	at java.net.PlainSocketImpl.socketConnect(Native Method) ~[?:?]
	at java.net.AbstractPlainSocketImpl.doConnect(AbstractPlainSocketImpl.java:350) ~[?:?]
	at java.net.AbstractPlainSocketImpl.connectToAddress(AbstractPlainSocketImpl.java:206) ~[?:?]
	at java.net.AbstractPlainSocketImpl.connect(AbstractPlainSocketImpl.java:188) ~[?:?]
	at java.net.SocksSocketImpl.connect(SocksSocketImpl.java:392) ~[?:?]
	at java.net.Socket.connect(Socket.java:589) ~[?:?]
	at sun.security.ssl.SSLSocketImpl.connect(SSLSocketImpl.java:666) ~[?:?]
	at sun.security.ssl.SSLSocketImpl.<init>(SSLSocketImpl.java:471) ~[?:?]
	at sun.security.ssl.SSLSocketFactoryImpl.createSocket(SSLSocketFactoryImpl.java:153) ~[?:?]
	at org.apache.commons.httpclient.protocol.SSLProtocolSocketFactory.createSocket(SSLProtocolSocketFactory.java:82) ~[?:?]
	at org.apache.commons.httpclient.protocol.SSLProtocolSocketFactory.createSocket(SSLProtocolSocketFactory.java:127) ~[?:?]
	at org.apache.commons.httpclient.HttpConnection.open(HttpConnection.java:707) ~[?:?]
	at org.apache.commons.httpclient.HttpMethodDirector.executeWithRetry(HttpMethodDirector.java:387) ~[?:?]
	at org.apache.commons.httpclient.HttpMethodDirector.executeMethod(HttpMethodDirector.java:171) ~[?:?]
	at org.apache.commons.httpclient.HttpClient.executeMethod(HttpClient.java:397) ~[?:?]
	at org.apache.commons.httpclient.HttpClient.executeMethod(HttpClient.java:323) ~[?:?]
	at org.openhab.action.telegram.internal.Telegram.sendTelegram(Telegram.java:100) ~[?:?]
	at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) ~[?:?]
	at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62) ~[?:?]
	at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) ~[?:?]
	at java.lang.reflect.Method.invoke(Method.java:498) ~[?:?]
	at org.eclipse.xtext.xbase.interpreter.impl.XbaseInterpreter.invokeOperation(XbaseInterpreter.java:1086) ~[?:?]
	at org.eclipse.xtext.xbase.interpreter.impl.XbaseInterpreter.invokeOperation(XbaseInterpreter.java:1061) ~[?:?]
	at org.eclipse.xtext.xbase.interpreter.impl.XbaseInterpreter._invokeFeature(XbaseInterpreter.java:1047) ~[?:?]
	at org.eclipse.xtext.xbase.interpreter.impl.XbaseInterpreter.invokeFeature(XbaseInterpreter.java:992) ~[?:?]
	at org.eclipse.smarthome.model.script.interpreter.ScriptInterpreter.invokeFeature(ScriptInterpreter.java:151) ~[?:?]
	at org.eclipse.xtext.xbase.interpreter.impl.XbaseInterpreter._doEvaluate(XbaseInterpreter.java:902) ~[?:?]
	at org.eclipse.xtext.xbase.interpreter.impl.XbaseInterpreter._doEvaluate(XbaseInterpreter.java:865) ~[?:?]
	at org.eclipse.xtext.xbase.interpreter.impl.XbaseInterpreter.doEvaluate(XbaseInterpreter.java:224) ~[?:?]
	at org.eclipse.smarthome.model.script.interpreter.ScriptInterpreter.doEvaluate(ScriptInterpreter.java:226) ~[?:?]
	at org.eclipse.xtext.xbase.interpreter.impl.XbaseInterpreter.internalEvaluate(XbaseInterpreter.java:204) ~[?:?]
	at org.eclipse.xtext.xbase.interpreter.impl.XbaseInterpreter._doEvaluate(XbaseInterpreter.java:447) ~[?:?]
	at org.eclipse.xtext.xbase.interpreter.impl.XbaseInterpreter.doEvaluate(XbaseInterpreter.java:228) ~[?:?]
	at org.eclipse.smarthome.model.script.interpreter.ScriptInterpreter.doEvaluate(ScriptInterpreter.java:226) ~[?:?]
	at org.eclipse.xtext.xbase.interpreter.impl.XbaseInterpreter.internalEvaluate(XbaseInterpreter.java:204) ~[?:?]
	at org.eclipse.xtext.xbase.interpreter.impl.XbaseInterpreter.evaluate(XbaseInterpreter.java:190) ~[?:?]
	at org.eclipse.smarthome.model.script.runtime.internal.engine.ScriptImpl.execute(ScriptImpl.java:82) ~[?:?]
	at org.eclipse.smarthome.model.rule.runtime.internal.engine.RuleEngineImpl.lambda$2(RuleEngineImpl.java:341) ~[?:?]
	at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511) [?:?]
	at java.util.concurrent.FutureTask.run(FutureTask.java:266) [?:?]
	at java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.access$201(ScheduledThreadPoolExecutor.java:180) [?:?]
	at java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.run(ScheduledThreadPoolExecutor.java:293) [?:?]
	at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149) [?:?]
	at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624) [?:?]
	at java.lang.Thread.run(Thread.java:748) [?:?]

What am I doing wrong?

OH is not meant to be run behind a (non-transparent) Inet proxy.
Dunno what -Dhttp.proxyPort=8080 is supposed to do. At least it’s no intentional/supported function.
And even if it did work it applies to HTTP. Your error is from a Telegram outbound connect which I think is not HTTP.
So that construction of yours won’t work in general. Get a transparent proxy (NAT, that is) to work like that in your Inet router.

I have set up a reverse proxy as detailed in the official documentation. You may wish to read the whole security document.

OP’s problem is outbound connections.

Oh okay, didn’t know that. Thought it is HTTP(S) as stacktrace says that org.apache.commons.httpclient.HttpClient and further is in there.

By the way, do you know how openhabcloud service connects? Will I have the same problem there? This currently doesn’t work either.

That’s the standard way of Java to configure a proxy: java - How do I set the proxy to be used by the JVM - Stack Overflow

That’s what we had before and what IT department decided to not offer anymore :frowning:

Thanks, that’s what I already did (for adding SSL and planned future authentication), that’s not the problem. I know that document, I even contributed to details of it, see [SOLVED] [BUG] OpenHAB with nginx redirects HTTPS to HTTP

You’re running OH in a corporate environment ?? And your IT doesn’t want to support you (if so, they would continue providing NAT, wouldn’t they) ?
That sure OH is not built for (means: even if you did get this here to work you’ll likely encounter more issues, many of which you cannot work around using HTTP only).

Most likely. I don’t know what protocol it uses, but the Cloud Connector add-on initiates an outbound connection to myopenhab.org. If you have a proxy in the way it likely will block that connection.

Ultimately, this is a non-standard setup and one few if any on this forum will have encountered. Many of us have a proxy on our home networks (e.g. pihole) but it’s set up to be transparent. You will need to do the research and experimentation for how to make this work using other resources than this forum I suspect. If you do figure it out a tutorial might be useful to some though.

So regarding the Telegram API I dug into the sources:

openhab2-addons/bundles/org.openhab.binding.telegram/src/main/java/org/openhab/binding/telegram/internal/TelegramHandler.java:144

botLibClient = new OkHttpClient.Builder().connectTimeout(75, TimeUnit.SECONDS).readTimeout(75, TimeUnit.SECONDS)
        .build();
updateStatus(ThingStatus.ONLINE);
TelegramBot localBot = bot = new TelegramBot.Builder(botToken).okHttpClient(botLibClient).build();

So TelegramBot is instantiated with a reference to okHttpClient(). It is based on com.pengrad.telegrambot.TelegramBot

The sources there say:
pengrad/java-telegram-bot-api/library/src/main/java/com/pengrad/telegrambot/TelegramBot.java:81

public static final class Builder {

    static final String API_URL = "https://api.telegram.org/bot";

    [...]

    public Builder(String botToken) {
        this.botToken = botToken;
        api = new TelegramBotClient(client(null), gson(), apiUrl(API_URL, botToken));

So everything here looks like HTTP/HTTPS.

Even Telegram states: Telegram APIs

So I’m quite sure that communication to Telegram servers is done with HTTPS - and should also be possible through HTTPS proxy. But how to do it?
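As an added example (not code from the thread, openHAB or the Telegram library), the following Java program asks the JVM's default `ProxySelector` how it would route HTTP and HTTPS URLs, first with only the `http.*` proxy properties set and then with `https.proxyHost` and `https.proxyPort` added. The proxy host name is a placeholder and the test URLs other than the two hosts named in the thread are constructed.

```java
import java.net.Proxy;
import java.net.ProxySelector;
import java.net.URI;
import java.util.List;

public class ProxyRouteCheck {
    // Placeholder proxy address (assumption); substitute the real proxy.
    static final String PROXY_HOST = "proxy.example.invalid";
    static final String PROXY_PORT = "8080";

    // Ask the JVM's default ProxySelector how it would route a URI.
    // The proxy address is kept unresolved, so no network access happens.
    static List<Proxy> route(String uri) {
        return ProxySelector.getDefault().select(URI.create(uri));
    }

    static void report(String label) {
        System.out.println(label);
        for (String uri : new String[] {
                "http://example.invalid/",
                "https://api.telegram.org/",
                "https://myopenhab.org/",
                "https://localhost:8443/" }) {
            System.out.println("  " + uri + " -> " + route(uri));
        }
    }

    public static void main(String[] args) {
        // Modelled on the EXTRA_JAVA_OPTS in the thread: http.* keys only.
        System.setProperty("http.proxyHost", PROXY_HOST);
        System.setProperty("http.proxyPort", PROXY_PORT);
        System.setProperty("http.nonProxyHosts", "localhost|127.0.0.1|*.local");
        report("http.* only:");

        // The https scheme has its own host/port keys; the exclusion list
        // http.nonProxyHosts is shared by both schemes.
        System.setProperty("https.proxyHost", PROXY_HOST);
        System.setProperty("https.proxyPort", PROXY_PORT);
        report("http.* and https.*:");
    }
}
```

These properties only affect clients that consult the default `ProxySelector`, such as `HttpURLConnection` and OkHttp with its default settings. A library that opens its sockets itself, as the `org.apache.commons.httpclient` frames in the stack trace above do, needs the proxy set in its own configuration.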

Okay, so I now have a solution - but it’s not an answer to my question here:
I finally got port 443 opened in firewall for connecting to api.telegram.org and myopenhab.org so both work again for my case.

And yeah as mentioned in other topics, I will have to apt-get install openhab2-addons for having the addons work :slight_smile: