Is there a way to stop the webpage from appearing that gives you the dashboard, or prevent access using an ACL (much like you can to the Karaf console) other than using a firewall? This is for LAN users. I don't want users to go into PaperUI etc.
If you set up an Nginx reverse proxy on the same server you could change the default OH page to be local only and serve the pages from the Nginx server.
You can even add an https certificate if you wish.
Thanks Bruce, sure, but a bit complex. I was hoping for something similar to:
Bind Console to All Interfaces
The network interface configuration is defined in the file org.apache.karaf.shell.cfg, located in the etc directory as mentioned above. As this file may get overwritten when upgrading openHAB, you can change this parameter in the runtime.cfg file which can be found in the $OPENHAB_CONF/services directory, e.g. /etc/openhab2/services/runtime.cfg.
The sshHost entry controls the interface address to bind to. sshHost = 127.0.0.1 (localhost) is the default due to obvious security reasons. If you are on a local network or you are fully aware of all risks of exposing your system to the public, you can change the bind address. Replace the sshHost IP 127.0.0.1 by 0.0.0.0 to bind to all available network interfaces. Please be aware that the console will now be accessible from all devices in your subnet and is only secured by the password defined in users.properties (same path). You should thereby change the password. Depending on your network configuration the console may also be exposed to the public internet, so check your routing and firewall configuration.
To enable binding to all interfaces, uncomment the line
Well, you would lock down the OH web server like that and use the reverse proxy so you can access select OH2 parts as desired.
I use a reverse proxy to add https & a basic login to my OH so I can access it over the Internet.
Hi Bruce, can you show me your ‘basic’ login configuration for nginx? I assume you’re saying you’ve put a basic user/password on OH2:8080 when anyone tries to access
Thanks, but that won't do it. I want any address, just want to password access to the nginx site and the :8080 site or just remove access to :8080 entirely.
Password access works to :80 now, but you can just type :8080 on your LAN and away you go, straight back in. So not entirely sure what the purpose of NGINX is, if you can't remove the access
I figured out what to do. In the file /etc/default/openhab2 there is a line #OPENHAB_HTTP_ADDRESS=0.0.0.0
Remove the # from the line and change 0.0.0.0 to 127.0.0.1 and save the changes.
When you restart openHAB it will be restricted.
Hey Bruce, realised a major flaw - this actually locks access to Habpanel, because it's normally accessible via the URL http://localip/habpanel so I had to revert it.
Not really. It is working as designed. Needing direct access for HabPanel was not mentioned initially. That will take some additional configuration work. Perhaps provide access through nginx on a different port.
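The setup this thread converges on, written out as an added example (not a configuration posted by anyone in the thread): openHAB bound to loopback, nginx as the only LAN-facing listener with a password on port 80, and HABPanel offered on a second port under an address ACL. The second port number, the htpasswd path, the panel's IP address and the list of paths HABPanel needs are assumptions.

```nginx
# Added example; ports, paths and addresses marked "assumed" are not from the thread.
# Prerequisite from the thread: OPENHAB_HTTP_ADDRESS=127.0.0.1 in /etc/default/openhab2,
# so openHAB's :8080 listens on loopback only and nginx is the only LAN-facing listener.

# Port 80: every openHAB UI (dashboard, Paper UI, HABPanel, REST) behind a password.
server {
    listen 80;
    server_name _;

    auth_basic           "openHAB";
    auth_basic_user_file /etc/nginx/.htpasswd;    # assumed path, created with htpasswd

    location / {
        proxy_pass         http://127.0.0.1:8080;
        proxy_set_header   Host              $http_host;
        proxy_set_header   X-Real-IP         $remote_addr;
        proxy_set_header   X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header   X-Forwarded-Proto $scheme;
    }
}

# Port 8081 (assumed): HABPanel only, no password, limited by source address.
server {
    listen 8081;
    server_name _;

    allow 192.168.1.50;    # assumed address of a wall-mounted panel
    deny  all;

    # Paths HABPanel is assumed to request: its own files, the REST API, item icons.
    location ~ ^/(habpanel|rest|icon)/ {
        proxy_pass         http://127.0.0.1:8080;
        proxy_set_header   Host $http_host;
        proxy_buffering    off;    # the REST event stream is server-sent events
    }

    # Everything else (dashboard, Paper UI, ...) is refused on this port.
    location / {
        return 403;
    }
}
```

The REST API on the second port can still change item states, which is why that listener is restricted to known panel addresses rather than left open to the whole LAN. Basic auth on port 80 sends credentials in clear text unless the HTTPS certificate mentioned earlier in the thread is added.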