iOS app through Nginx Reverse Proxy using Basic Auth [kind of solved]

I access my system while away from home through an Nginx reverse proxy that uses Let’s Encrypt certs and forwards to the internal server on 8080.

This proxy also forces users to authenticate with basic auth.

While on internet, I can get to the system web site just fine through my iOS web browser after authenticating.

The iOS app though fails to connect.

I see a user/pw in the app settings and an “always send credentials” flag. I can’t seem to find a combination that works.

Any advice?

Isn’t that auth on your proxy, which means it’s probably before the openHAB app knows about it. I.e. if you used Safari you’d probably get your username/password prompt.

I myself, I use a VPN to access my openHAB…or for another option use Cloudflare in front which can set up VPN rules and/or access. Though unsure if access would have the same issue, in that the openHAB iOS app wouldn’t figure out it needs to authenticate.

1 Like

Yes, auth is being checked by the proxy before forwarding the traffic on to the OH server.

From what I can tell, the locally hosted version doesn’t have a user/pw so the only choice is to use the proxy to provide that.

When I hit the same URL with the web browser on the phone, I get prompted for credentials, then after entering the correct credentials I get to the OH web page.

That’s what I said would happen. I don’t know if the app knows about authentication, especially since it’s external to openHAB.

There were some options in my first reply, or you could try an authentication certificate.

The app is designed to communicate without authentication on your local network or to the openHAB cloud connector.

You need to configure your vpn outside of the openHAB app to use the way you are asking currently. Unless you can embed the authentication in the url somehow.
If you want anything different submit a request for the app on GitHub and see if you can have a feature added.

This should work. uses Basic Auth I believe so the app should be able to connect through the reverse proxy with basic auth as well. I know it used to work. I suspect that the forum would be full of complaints if it stopped working with

Unfortunately I don’t have any Apple products so can’t offer much more than it should work. Maybe double check that you have defined the remote URL correctly in the app. Once you have confirmed that it can’t possibly be a misconfiguration on your part I recommend filing an issue on the iOS app.

This should work and I can confirm that it does work on the Android app.

From the app’s perspective it’s exactly the same whether it’s connecting through or some other reverse proxy. In both cases it has a base URL that it uses and it authenticates using basic auth. From that point on it accesses the REST API through the proxy.

1 Like

Thanks for the clarification, Rick. I didn’t have this information. Good to know!

I’m not using the cloud version but a locally hosted instance.

Sounds like the iOS app (and maybe the Android one) are expecting that user/pw setting to only be used on the cloud instance.

Maybe I’ll try using a client cert for auth. I have switched my reverse proxy to use client certs rather than basic auth. I installed the client cert using the Apply-Hack-Method (for some reason the only way to install certs is to mail them to yourself in a mail account that the iOS mail reader has access to).

Now my iOS Safari Browser is using the client cert on my proxy and granting me through to my OH2 instance.

Trying to figure out how to get my cert into the iOS app now.

I see a setting for Client Certs, but can’t figure out how to add it… hmmmmm.

OK, here are my findings…

  • The user/pw iOS app settings are NOT useful for logging into a reverse proxy protected local instance. You can surely protect your OH2 local install behind a reverse proxy with Basic Auth. This will allow you to get to the site using your iOS browser of choice using user/pw credentials but the App will not work.

  • The App WILL work if you set up your reverse proxy to use client certificates. You then need to take your client certificate generated on your reverse proxy (we’ll call it jimmy.p12) and rename it from jimmy.p12 to jimmy.ohp12 and email both the jimmy.p12 and the jimmy.ohp12 to yourself or whoever you are trying to grant access to. In your iOS mail app (it has to be the iOS mail app and not the Gmail app) if you download and then tap the jimmy.p12 file you can then go to Setting-General-Profiles and install it. This will allow the Safari browser to access your site using the client cert but you can’t get that cert into the OH iOS App. This is where the jimmy.ohp12 file comes in. Download and tap that file and select Copy-to-OpenHab App as the action. This will put it into the OH iOS app where you can then see it in the App Settings Client Certs setting.

1 Like
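
The client-certificate procedure from the last post, as an added example that is not from the thread or from the openHAB project: it creates a private CA, issues a client certificate, exports `NAME.p12` and makes the `NAME.ohp12` copy the post describes. It assumes the OpenSSL command-line tool is installed; the function names, CA subject, output directory and password are hypothetical or constructed values.

```bash
#!/usr/bin/env bash
# Added example: issue a client certificate for an nginx reverse proxy and
# package it as NAME.p12 plus a NAME.ohp12 copy, as described in the thread.
# The CA subject, output directory and password are constructed values.
#
# nginx side, in place of auth_basic (the path is a placeholder):
#   ssl_client_certificate /path/to/ca.crt;   # CA that signed the client certs
#   ssl_verify_client on;                     # reject clients without a valid cert

make_client_bundle() {   # usage: make_client_bundle NAME OUTDIR PASSWORD
  local name="$1" out="$2" pass="$3"
  mkdir -p "$out" && chmod 700 "$out" || return 1
  # 1. Private CA used only for signing client certificates.
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
    -subj "/CN=Example openHAB client CA" \
    -keyout "$out/ca.key" -out "$out/ca.crt" 2>/dev/null || return 1
  # 2. Client key and certificate signing request.
  openssl req -newkey rsa:2048 -nodes -subj "/CN=$name" \
    -keyout "$out/$name.key" -out "$out/$name.csr" 2>/dev/null || return 1
  # 3. Sign the request with the CA.
  openssl x509 -req -in "$out/$name.csr" -CA "$out/ca.crt" -CAkey "$out/ca.key" \
    -CAcreateserial -days 365 -out "$out/$name.crt" 2>/dev/null || return 1
  # 4. PKCS#12 bundle. It contains the private key, so the export password is
  #    its only protection while the file sits in a mailbox.
  openssl pkcs12 -export -inkey "$out/$name.key" -in "$out/$name.crt" \
    -certfile "$out/ca.crt" -name "$name" -passout "pass:$pass" \
    -out "$out/$name.p12" || return 1
  # 5. Same bytes under the .ohp12 name, the copy that is opened in the app.
  cp "$out/$name.p12" "$out/$name.ohp12"
}

verify_client_bundle() {   # usage: verify_client_bundle NAME OUTDIR PASSWORD
  local name="$1" out="$2" pass="$3"
  # The client certificate must chain to the CA that nginx is told to trust.
  openssl verify -CAfile "$out/ca.crt" "$out/$name.crt" >/dev/null 2>&1 || return 1
  # The .ohp12 file must be byte-identical to the .p12 ...
  cmp -s "$out/$name.p12" "$out/$name.ohp12" || return 1
  # ... and must open with the export password.
  openssl pkcs12 -in "$out/$name.ohp12" -passin "pass:$pass" -nokeys >/dev/null 2>&1
}

# Run as: ./script.sh NAME OUTDIR PASSWORD
if [ "$#" -eq 3 ]; then
  make_client_bundle "$@" && verify_client_bundle "$@"
fi
```

Keep `ca.key` off the proxy's web-served paths and delete the mailed `.p12`/`.ohp12` messages once the certificate is installed, since anyone with the file and its password can authenticate to the proxy.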