Lock access down to http://oh2:8080

Hi Guys,

Is there a way to stop the webpage from appearing that gives you the dashboard? or prevent access using an ACL (much like you can to the karaf console) other than using a firewall? This is for lan users. I dont want users to go into PaperUI etc.

Thanks!

If you setup a Nginx reverse proxy on the same server you could change the default OH page to be local only and server the pages from the Nginx server.
You can even add an https certificate if you wish.

Thanks Bruce, sure but a bit complex . I was hoping for something similiar to:

Bind Console to All Interfaces

The network interface configuration is defined in the file org.apache.karaf.shell.cfg , located in the etc directory as mentioned above. As this file may get overwritten when upgrading openHAB, you can change this parameter in the runtime.cfg file which can be found in the $OPENHAB_CONF/services directory, e.g. /etc/openhab2/services/runtime.cfg .

The sshHost entry controls the interface address to bind to. sshHost = 127.0.0.1 (localhost) is the default due to obvious security reasons. If you are on a local network or you are fully aware of all risks of exposing your system to the public, you can change the bind address. Replace the sshHost IP 127.0.0.1 by 0.0.0.0 to bind to all available network interfaces. Please be aware, that the console will now be accessible from all devices in your subnet and is only secured by the password defined in users.properties (same path). You should thereby change the password. Depending on your network configuration the console may also be exposed to the public internet, so check your routing and firewall configuration.

To enable binding to all interfaces, uncomment the line

#org.apache.karaf.shell:sshHost = 0.0.0.0

in services/runtime.cfg

Well you would lockdown the OH web server like that an use the reverse proxy so you can access select OH2 parts as desired.
I use a reverse proxy to add https & a basic login to my OH so I can access it over the Internet.

Hi Bruce, can you show me your ‘basic’ login configuration for nginx? I assume you’re saying youve put a basic user/password on OH2:8080 when anyone tries to access

cheers

I actually use https… It could also work for http://OH2. There should be no need for the non-standard port.

I basically started by following the document here. You do not need to do the domain & ssl, etc.

1 Like

Thanks Bruce, thats all working. However, I can still get to the direct URL:8080 even once NGINX with Password auth is running…

Assuming I need a redirect? I basically want to redirect 8080 to 80 i guess

I just checked & I did not actually lock access down, but this is the part for that. I need to figure out how best to do that.

Thanks but that wont do it, i want any address, just want to password access to the nginx site and the :8080 site or just remove access to :8080 entirely.

Password access works to :80 now, but you can just type :8080 on your LAN and away you go, straight back in. So not entirely sure what the purpose of NGINX is, if you cant remove the access

That would restrict access to 8080 so the nginx proxy could access openhab. You then control access with the nginx server.

I figured out what to do. In the file /etc/default/openhab2 there is a line
#OPENHAB_HTTP_ADDRESS=0.0.0.0
Remove the # from the line and change 0.0.0.0 to 127.0.0.1 and save the changes.
When you restart openhab it will be restricted.

1 Like

Thanks Bruce, ill give it a whirl!

1 Like

So, its blocked 8080, that’s good.

And it gives me a password to login to the server on the port 80, but I get a 502 bad gateway now :frowning:

my file is:

server {
    listen                                    80;
    server_name                               192.168.1.3;

    location / {
        proxy_pass                            http://192.168.1.3:8080/;
        proxy_set_header Host                 $http_host;
        proxy_set_header X-Real-IP            $remote_addr;
        proxy_set_header X-Forwarded-For      $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto    $scheme;
        auth_basic                            "Username and Password Required";
        auth_basic_user_file                  /etc/nginx/.htpasswd;
    }
}

Fixed. changed 192.168.1.3 iun the proxy_pass to 127.0.0.1

Replace the ip address here with wither localhost or 127.0.0.1. You likely need to restart nginx then.

1 Like

Thanks Bruce! Works :smiley:
Great work mate

1 Like