"http.secure.enabled = false" -> "listening.addresses" is not working

After migrating from version 3.x to 4.x, “http.secure.enabled = false” no longer works.

# openhab-cli info

Version:     4.1.1 (Build)
# cat config/org/ops4j/pax/web.config

:org.apache.felix.configadmin.revision:=L"5"
felix.fileinstall.filename="file:/var/lib/openhab/etc/org.ops4j.pax.web.cfg"
org.ops4j.pax.web.config.file="/usr/share/openhab/runtime/etc/jetty.xml"
org.ops4j.pax.web.listening.addresses="127.0.0.1"
org.ops4j.pax.web.server.idleTimeout="300000"
org.ops4j.pax.web.server.maxThreads="50"
org.ops4j.pax.web.server.minThreads="2"
org.ops4j.pax.web.session.timeout="10"
org.ops4j.pax.web.ssl.clientauthneeded="false"
org.ops4j.pax.web.ssl.clientauthwanted="false"
org.osgi.service.http.port="18080"
org.osgi.service.http.secure.enabled="false"
org.osgi.service.http.useNIO="true"
service.bundleLocation="?"
service.pid="org.ops4j.pax.web"
# cat etc/org.ops4j.pax.web.cfg
[..]
org.osgi.service.http.secure.enabled = false
org.osgi.service.http.port = 18080
#org.osgi.service.http.port.secure = 8443
org.ops4j.pax.web.listening.addresses = 127.0.0.1
# netstat -nap | grep LIST | grep java
tcp6       0      0 172.19.0.1:9123         :::*                    LISTEN      1969091/java
tcp6       0      0 127.0.0.1:8101          :::*                    LISTEN      1969091/java
tcp6       0      0 :::5007                 :::*                    LISTEN      1969091/java
tcp6       0      0 :::8443                 :::*                    LISTEN      1969091/java
tcp6       0      0 127.0.0.1:33119         :::*                    LISTEN      1969091/java
tcp6       0      0 127.0.0.1:18080         :::*                    LISTEN      1969091/java

As you can see HTTP binding is working (127.0.0.1), but HTTPS binding is to 0.0.0.0.
Tested also without #org.osgi.service.http.port.secure = 8443

I have to protect my openHAB installation with a reverse proxy and I don’t have to publish web services directly.

Is this a bug?
Thanks

Can you double check your jetty.xml? I’ve checked pax-web sources and it still seems to honor the org.osgi.service.http.secure.enabled setting. If you find in your jetty configuration something similar to this:

<New class="org.eclipse.jetty.server.ServerConnector">

It means that port allocation is done through jetty configuration, and not pax-web. I’ve checked the OH distro and it seems to be the case:

@splatch I found two files:

/var/lib/openhab/etc/jetty.xml

<Configure id="Server" class="org.eclipse.jetty.server.Server">

    <!-- =========================================================== -->
    <!-- Set connectors -->
    <!-- =========================================================== -->
    <!-- One of each type! -->
    <!-- =========================================================== -->

    <!-- Use this connector for many frequently idle connections and for
        threadless continuations. -->
        <New id="httpConfig" class="org.eclipse.jetty.server.HttpConfiguration">
                <Set name="secureScheme">https</Set>
                <Set name="securePort">
                        <Property name="jetty.secure.port" default="8443" />
                </Set>
                <Set name="outputBufferSize">32768</Set>
                <Set name="requestHeaderSize">8192</Set>
                <Set name="responseHeaderSize">8192</Set>
                <Set name="sendServerVersion">true</Set>
                <Set name="sendDateHeader">false</Set>
                <Set name="headerCacheSize">512</Set>
        </New>

and

/usr/share/openhab/runtime/etc/jetty.xml

        <Call name="addConnector">
                <Arg>
                        <New class="org.eclipse.jetty.server.ServerConnector" id="sslConnectorId">
                                <Arg name="server">
                                        <Ref refid="Server" />
                                </Arg>
                                <Arg name="factories">
                                        <Array type="org.eclipse.jetty.server.ConnectionFactory">
                                                <Item>
                                                        <New class="org.eclipse.jetty.server.SslConnectionFactory">
                                                                <Arg name="next">http/1.1</Arg>
                                                                <Arg name="sslContextFactory">
                                                                        <Ref refid="sslContextFactory" />
                                                                </Arg>
                                                        </New>
                                                </Item>
                                                <Item>
                                                        <New class="org.eclipse.jetty.server.HttpConnectionFactory">
                                                                <Arg name="config">
                                                                        <Ref refid="httpConfig" />
                                                                </Arg>
                                                        </New>
                                                </Item>
                                        </Array>
                                </Arg>
                                <Set name="name">
                                        <SystemProperty name="jetty.host" default="127.0.0.1" />:<SystemProperty name="org.osgi.service.http.port.secure" default="8443" />
                                </Set>
                                <Set name="host">
                                        <SystemProperty name="jetty.host" />
                                </Set>
                                <Set name="port">
                                        <SystemProperty name="org.osgi.service.http.port.secure" default="8443" />
                                </Set>
                                <Set name="idleTimeout">
                                        <SystemProperty name="https.timeout" default="30000" />
                                </Set>
                        </New>
                </Arg>
        </Call>
        <Call name="setAttribute">
                <Arg>org.eclipse.jetty.server.Request.maxFormContentSize</Arg>
                <Arg>300000</Arg>
        </Call>

As you can see I changed:

<SystemProperty name="jetty.host" default="127.0.0.1" />:<SystemProperty name="org.osgi.service.http.port.secure" default="8443" />

And tested this too:

                                <Set name="name">
                                        <SystemProperty name="jetty.host" default="127.0.0.1" />:<SystemProperty name="org.osgi.service.http.port.secure" default="8443" />
                                </Set>
                                <Set name="host">
                                        <SystemProperty name="jetty.host" default="127.0.0.1" />
                                </Set>
                                <Set name="port">

But the result is always the same:

# netstat -nap | grep LIST | grep java
tcp6       0      0 127.0.0.1:8101          :::*                    LISTEN      2372570/java
tcp6       0      0 127.0.0.1:44787         :::*                    LISTEN      2372570/java
tcp6       0      0 :::8443                 :::*                    LISTEN      2372570/java
tcp6       0      0 127.0.0.1:18080         :::*                    LISTEN      2372570/java

Can this be a solution?

/etc/systemd/system/multi-user.target.wants/openhab.service

[Unit]
Description=openHAB - empowering the smart home
Documentation=https://www.openhab.org/docs/
Documentation=https://community.openhab.org
Wants=network-online.target
After=network-online.target

[Service]
Environment=OPENHAB_HOME=/usr/share/openhab
Environment=OPENHAB_CONF=/etc/openhab
Environment=OPENHAB_RUNTIME=/usr/share/openhab/runtime
Environment=OPENHAB_USERDATA=/var/lib/openhab
Environment=OPENHAB_LOGDIR=/var/log/openhab
Environment=OPENHAB_STARTMODE=daemon
# ADDED THIS:
Environment=OPENHAB_HTTP_ADDRESS=127.0.0.1
EnvironmentFile=-/etc/default/openhab

And now:

# netstat -nap | grep LIST | grep java
tcp6       0      0 172.19.0.1:9123         :::*                    LISTEN      2379996/java
tcp6       0      0 127.0.0.1:8101          :::*                    LISTEN      2379996/java
tcp6       0      0 127.0.0.1:40905         :::*                    LISTEN      2379996/java
tcp6       0      0 :::5007                 :::*                    LISTEN      2379996/java
tcp6       0      0 127.0.0.1:18080         :::*                    LISTEN      2379996/java

I was expecting to see:

tcp6       0      0 127.0.0.1:8443 

…instead it disappeared.

It’s fine in my case too, but I don’t understand if it’s normal :thinking:

Yes, OPENHAB_HTTP_ADDRESS is a predefined variable which gets pulled in and overrides the value from the config file. See: https://github.com/openhab/openhab-distro/blob/main/distributions/openhab/src/main/resources/bin/setenv#67 and https://github.com/openhab/openhab-distro/blob/main/distributions/openhab/src/main/resources/bin/setenv#110.

Thank you!
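
The netstat comparison done by hand throughout this thread can be scripted so that a wildcard bind such as `:::8443` is caught after every upgrade or config change. This is an added example, not code from any poster or from openHAB; the function names and the sample lines are constructed for illustration.

```shell
#!/bin/sh
# Added example: reads `netstat -nap`-style lines on stdin and prints
# "<local address> <pid/program>" for each LISTEN socket owned by the
# named program whose local address is not a loopback address.
non_loopback_listeners() {
    prog="${1:-java}"
    awk -v prog="$prog" '
        # Columns: proto recv-q send-q local foreign state pid/program
        $6 == "LISTEN" && $7 ~ ("/" prog "$") {
            host = $4
            sub(/:[0-9]+$/, "", host)          # strip the trailing :port
            if (host ~ /^127\./ || host == "::1" || host ~ /^::ffff:127\./)
                next                           # loopback only: not exposed
            print $4, $7
        }'
}

# Returns 1 (and prints the offending sockets) if anything is exposed,
# so the check can gate a deployment step or a cron alert.
check_listeners() {
    out=$(non_loopback_listeners "$1")
    [ -z "$out" ] && return 0
    printf '%s\n' "$out"
    return 1
}

# Constructed sample in the same shape as the output posted in the thread.
sample_netstat() {
    cat <<'EOF'
tcp6       0      0 127.0.0.1:8101          :::*                    LISTEN      1000/java
tcp6       0      0 :::8443                 :::*                    LISTEN      1000/java
tcp6       0      0 127.0.0.1:18080         :::*                    LISTEN      1000/java
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      700/sshd
EOF
}

# On a live host: netstat -nap | check_listeners java
sample_netstat | check_listeners java || echo "non-loopback listeners present" >&2
```

Ports that are meant to be reachable from other hosts will also be reported, so review the output against the set of listeners you expect rather than treating every line as a fault.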