Then in /usr/share/openhab2/runtime/karaf/etc/org.ops4j.pax.web.cfg comment the last line:
# Listening addresses. This should match host in the sslconnector/name attribute in jetty.xml
# org.ops4j.pax.web.listening.addresses = 0.0.0.0
This is needed, or the setting in /etc/defaults/openhab2 will have no effect.
So yes, it seems to be possible to change the listening address somehow, but it’s not very straight forward. I’d expect to setting jetty.host to be enough (as works fine for https). If there is no way to also use jetty.host but any other variable, it should be possible to override any configuration shipped with the package itself.
Should I open a bug report about this? For now, I can live with it, but it really complicates the setup. Once this works fine, I’d be happy to extend the reverse proxy setup documentation, because in such situations the internal server should not listen on global addresses but on localhost by default so the only way in from the outside world would be the proxy.