Nginx redirect to port 80

I was using openHAB in a VM for some time and it worked great. I now have a spare RPi and decided to move it from the VM to the RPi to reduce the load on my server, which led me to try out OH2. I followed the guide for setting up nginx and SSL. However…

I use port 80 for a different web service. I cannot easily move what’s using port 80 to a different port.

So, when I log in to https://mydomain.com I’m redirected to http://mydomain.com/start/index after I’m successfully authenticated.

Is there a way to change this behavior? If it simply redirected to https://mydomain.com/start/index I wouldn’t have any problems.

This doesn’t sound like an openHAB issue, so you may get more help from the nginx community. However, to me that sounds backwards to what it should be. Can I see your full nginx configuration?

server {
        listen                          80;
        server_name                     thedomain.com;
        return 301                      https://$server_name$request_uri;
}

server {
        listen                          443 ssl ;
        server_name                     thedomain.com;

        ssl_certificate                 /etc/letsencrypt/live/thedomain.com$
        ssl_certificate_key             /etc/letsencrypt/live/thedomain.com$
        add_header                      Strict-Transport-Security "max-age=3153$

        location / {
                proxy_pass                            http://localhost:8080/;
                proxy_set_header Host                 $http_host;
                proxy_set_header X-Real-IP            $remote_addr;
                proxy_set_header X-Forwarded-For      $proxy_add_x_forwarded_fo$
                proxy_set_header X-Forwarded-Proto    $scheme;

                auth_basic              "Username and Password Required";
                auth_basic_user_file    /etc/nginx/.htpasswd;
        }

        location /.well-known/acme-challenge/ {
                root                            /var/www/thedomain;
        }
}

So, this is strange. Now that I’m using my laptop, the problem has stopped. Perhaps my PC at work had a cached value or something? So far I cannot reproduce it at home. My work PC has some terrible Group Policies applied to it, so it may be related to some sort of web filtering. I will try again from work tomorrow and see if I still have the same issue.

Thanks for the quick reply and the help!

No problem! Glad it’s partially sorted. If you never want to connect through http, you can get rid of that top part so that port 80 won’t redirect to https.

So, testing from work in both IE and Firefox (the only available installed browsers), I still get the same results. Interestingly, IE reproduces the error every time, but with Firefox, it works when I leave off “www.” but redirects to port 80 when it is included.

Actually, this is an OH 2 issue. I have the same problem with both Apache and NGINX. The problem is that OH2 is ignoring the X-Forwarded-Proto header and is incorrectly sending a 302 redirect to http://host/start/index

$ wget --no-check-certificate https://localhost/
--2017-02-10 12:21:41--  https://localhost/
Resolving localhost (localhost)... ::1, 127.0.0.1
Connecting to localhost (localhost)|::1|:443... connected.
WARNING: The certificate of ‘localhost’ is not trusted.
WARNING: The certificate of ‘localhost’ hasn't got a known issuer.
HTTP request sent, awaiting response... 401 Unauthorized
Reusing existing connection to [localhost]:443.
HTTP request sent, awaiting response... 302 Found
Location: http://localhost/start/index [following]
--2017-02-10 12:21:41--  http://localhost/start/index
Connecting to localhost (localhost)|::1|:80... failed: Connection refused.
Connecting to localhost (localhost)|127.0.0.1|:80... failed: Connection refused.
Resolving localhost (localhost)... ::1, 127.0.0.1
Connecting to localhost (localhost)|::1|:80... failed: Connection refused.
Connecting to localhost (localhost)|127.0.0.1|:80... failed: Connection refused.

A workaround is to add the following for the server block that listens on 443:

rewrite ^(/)$ https://$http_host/start/index;

With this in place, you should see something similar to:

$ wget --no-check-certificate https://localhost/
--2017-02-10 12:26:19--  https://localhost/
Resolving localhost (localhost)... ::1, 127.0.0.1
Connecting to localhost (localhost)|::1|:443... connected.
WARNING: The certificate of ‘localhost’ is not trusted.
WARNING: The certificate of ‘localhost’ hasn't got a known issuer.
HTTP request sent, awaiting response... 302 Moved Temporarily
Location: https://localhost/start/index [following]
--2017-02-10 12:26:19--  https://localhost/start/index
Reusing existing connection to [localhost]:443.
HTTP request sent, awaiting response... 401 Unauthorized
Reusing existing connection to [localhost]:443.
HTTP request sent, awaiting response... 200 OK
Length: 3667 (3.6K) [text/html]
Saving to: ‘index.html’

index.html                                100%[====================================================================================>]   3.58K  --.-KB/s   in 0s

2017-02-10 12:26:20 (13.9 MB/s) - ‘index.html’ saved [3667/3667]

Here’s my working configuration which only uses port 443:

server {
        listen 443 ssl default_server;
        listen [::]:443 ssl default_server;

        ssl_certificate     /etc/ssl/openhab.crt;
        ssl_certificate_key /etc/ssl/openhab.key;
        add_header          Strict-Transport-Security "max-age=31536000";

        rewrite ^(/)$ https://$http_host/start/index;

        location / {
                proxy_pass                            http://localhost:8080/;
                proxy_set_header Host                 $http_host;
                proxy_set_header X-Real-IP            $remote_addr;
                proxy_set_header X-Forwarded-For      $proxy_add_x_forwarded_for;
                proxy_set_header X-Forwarded-Proto    $scheme;
                auth_basic                            "Go Away!";
                auth_basic_user_file                  /etc/nginx/htpasswd;
        }
}
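An alternative to the single-path rewrite in the post above, as an added example that is not from the thread or from openHAB's documentation: nginx's proxy_redirect directive rewrites the Location header of every redirect the backend returns, so a scheme downgrade is corrected for all paths rather than only for "/". It assumes the backend builds its redirect from the forwarded Host header with an http scheme, as the wget trace (Location: http://localhost/start/index) shows; certificate and htpasswd paths are copied from the configuration above.

```nginx
server {
        listen 443 ssl default_server;
        listen [::]:443 ssl default_server;

        ssl_certificate     /etc/ssl/openhab.crt;
        ssl_certificate_key /etc/ssl/openhab.key;
        add_header          Strict-Transport-Security "max-age=31536000";

        location / {
                proxy_pass                            http://localhost:8080/;
                proxy_set_header Host                 $http_host;
                proxy_set_header X-Real-IP            $remote_addr;
                proxy_set_header X-Forwarded-For      $proxy_add_x_forwarded_for;
                proxy_set_header X-Forwarded-Proto    $scheme;

                # Assumption: the backend answers with
                #   Location: http://<Host header>/...
                # because it ignores X-Forwarded-Proto. Rewrite that prefix
                # in the Location (and Refresh) response headers so the
                # client is never sent from https to http.
                # An explicit proxy_redirect replaces the default mapping
                # that nginx derives from proxy_pass.
                proxy_redirect http://$http_host/ https://$http_host/;

                auth_basic                            "Go Away!";
                auth_basic_user_file                  /etc/nginx/htpasswd;
        }
}
```

With this in place and under the stated assumption, the 302 in the first wget trace would carry Location: https://localhost/start/index instead of the http:// URL.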

If it is indeed an openHAB fault, then you may need to make an issue about it on the Eclipse Smarthome Git repo.

Does changing proxy_set_header Host to $proxy_host; work for you?

Issue https://github.com/openhab/openhab-distro/issues/423 created.