I’ve been using MOH for some time now, but as I learn about network security I have some questions; I hope this is information that is publicly available.
MyOpenHab sounds to me like a reverse proxy, is that so?
Since the authentication is based on user/pass, it might raise a security issue if that’s the case.
I’m trying to put together a list of pros/cons between the MOH approach and having CloudFlare protect my deployment, with port forwarding at the router level.
It depends on how technical you want to get with your definition of “reverse proxy.” In general layman’s terms yes, myopenhab.org is a reverse proxy. But it only reverse proxies the openHAB web server. Period. You can’t get to any other network services on your network through myopenhab.org.
With OH 3, even then all that someone can access are your Items unless they authenticate with your OH instance as an admin user.
The way it works is your openHAB instance initiates the connection to myopenhab.org, encrypted using standard TLS. The UUID you entered when registering for myopenhab.org is used to associate that connection with your login. The secret is used to authenticate your openHAB instance, kind of like the private key in a PKI.
- all communications are encrypted using standard end-to-end techniques
- there is authentication between your openHAB instance and the cloud server
- there is authentication between your browser and the cloud server
- the only thing that can be accessed through myopenhab.org is stuff that is served up by openHAB itself, nothing else from your LAN is available, and even then only if an attacker manages to crack your username and password
- without logging in to the OH instance, the only thing that can be accessed are Items
From an attack surface perspective, using myopenhab.org is going to be way safer than opening ports on your router for almost all users. Pretty much the only vulnerable point is that username and password.
Another safer approach includes setting up a VPN (I like Tailscale since it doesn’t require opening a port on your firewall and it’s dead simple to set up).
You could host your own instance of myopenhab.org on a VPS out on the cloud somewhere and set up additional forms of authentication (if that’s what you are worried about), but you will lose Alexa, Google Assistant, and push notifications I think. But if you do that you need to make sure that you monitor and mitigate attacks. No one, not even Cloudflare, is going to do that for you.
Opening your LAN up to the Internet would be the least safe approach and I strongly recommend against it, even with what protections CloudFlare may provide (which is mostly DDoS protection unless you’re going to pay for the pro or business level). When the service is attacked you don’t want that to be anywhere near your LAN. Therefore, even if the attack is successful, they can’t get to your network.
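The connection model the answer describes (instance dials out to the cloud and authenticates with a UUID and secret; the browser authenticates to the cloud with a username and password; the cloud bridges a logged-in session only to that user's instance, and the instance serves nothing but openHAB) can be illustrated with a small simulation. This is an added example written for this thread, not openhab-cloud's code or wire protocol: the `CloudRelay` class, the PBKDF2 storage of secrets, the `openhab_instance` stand-in and the rule that every non-Items path needs an openHAB admin token are all constructed assumptions chosen to mirror the points made above.

```python
"""Simplified model of the myopenhab.org connection pattern (constructed example).

Not the openhab-cloud implementation. Assumptions made here for illustration:
 - the cloud stores only a salted PBKDF2 hash of each instance secret and user password
 - the instance sends uuid + secret over the outbound TLS connection; the cloud never dials in
 - a browser session is bound to exactly one uuid after a user/pass login
 - the stand-in openHAB serves Items openly and requires an admin token for everything else
"""
import hashlib
import hmac
import secrets


class CloudRelay:
    """Simulated cloud relay: instances attach outbound, browsers log in, requests are bridged."""

    def __init__(self):
        self.instances = {}  # uuid -> (salt, secret_hash), created at registration
        self.accounts = {}   # username -> (salt, pw_hash, uuid)
        self.tunnels = {}    # uuid -> handler supplied by the *attached* instance
        self.sessions = {}   # session token -> uuid

    @staticmethod
    def _kdf(salt, value):
        return hashlib.pbkdf2_hmac("sha256", value.encode(), salt, 100_000)

    def register(self, username, password, uuid, secret):
        """What the owner does on the signup page: account + instance pairing."""
        salt_s, salt_p = secrets.token_bytes(16), secrets.token_bytes(16)
        self.instances[uuid] = (salt_s, self._kdf(salt_s, secret))
        self.accounts[username] = (salt_p, self._kdf(salt_p, password), uuid)

    def attach_instance(self, uuid, secret, handler):
        """Instance-initiated connection. Without the matching secret, no tunnel is created."""
        rec = self.instances.get(uuid)
        if rec is None:
            return False
        salt, stored = rec
        if not hmac.compare_digest(stored, self._kdf(salt, secret)):
            return False
        self.tunnels[uuid] = handler
        return True

    def login(self, username, password):
        """Browser -> cloud authentication; returns a session token bound to the user's uuid."""
        rec = self.accounts.get(username)
        if rec is None:
            return None
        salt, stored, uuid = rec
        if not hmac.compare_digest(stored, self._kdf(salt, password)):
            return None
        token = secrets.token_urlsafe(32)
        self.sessions[token] = uuid
        return token

    def proxy(self, token, path, oh_auth=None):
        """Bridge a browser request to the instance tied to this session, and nothing else."""
        uuid = self.sessions.get(token)
        if uuid is None:
            return 401, "not logged in to the cloud"
        handler = self.tunnels.get(uuid)
        if handler is None:
            return 503, "instance not connected"
        return handler(path, oh_auth)  # only what the instance itself serves is reachable


def openhab_instance(path, oh_auth=None):
    """Stand-in for the openHAB web server on the LAN side of the tunnel (constructed)."""
    if path.startswith("/rest/items"):
        return 200, "items"
    if oh_auth == "admin-token":  # placeholder credential, not a real openHAB token
        return 200, "admin"
    return 401, "openHAB admin login required"


def scenario():
    """Walk through the cases discussed in the thread and collect the outcomes."""
    cloud = CloudRelay()
    cloud.register("alice", "correct horse", "uuid-1234", "s3cret")  # constructed values
    r = {}
    # someone who knows the uuid but not the secret cannot impersonate the instance
    r["forged_attach"] = cloud.attach_instance("uuid-1234", "guess", openhab_instance)
    r["real_attach"] = cloud.attach_instance("uuid-1234", "s3cret", openhab_instance)
    # username/password is the one thing an attacker can still go after
    r["bad_login"] = cloud.login("alice", "wrong")
    tok = cloud.login("alice", "correct horse")
    r["no_session"] = cloud.proxy("bogus-token", "/rest/items")
    r["items"] = cloud.proxy(tok, "/rest/items")
    r["admin_no_auth"] = cloud.proxy(tok, "/rest/things")
    r["admin"] = cloud.proxy(tok, "/rest/things", oh_auth="admin-token")
    # there is no "other host" concept: the relay only hands paths to the attached instance
    r["other_host"] = cloud.proxy(tok, "http://192.168.1.1/router-admin")
    return r


if __name__ == "__main__":
    for name, outcome in scenario().items():
        print(f"{name:15} -> {outcome}")
```

The point the simulation makes is structural: the cloud holds no route into the LAN, only a handler the instance volunteered when it dialed out, so a compromised cloud session reaches at most what openHAB itself serves, and a guessed UUID is worthless without the secret. Contrast this with a router port-forward, where the listener is on your LAN and every request, authenticated or not, is already inside the perimeter when it is evaluated.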