Nginx redirect to port 80

William_Hedrick · November 15, 2016, 8:57pm

I was using openHAB in a VM for some time and it worked great. I now have a spare RPi and decided to move it from the VM to the RPi to reduce the load on my server, which led me to try out OH2. I followed the guide for setting up nginx and SSL. However…

I use port 80 for a different web service. I cannot easily move what’s using port 80 to a different port.

So, when I log in to https://mydomain.com I’m redirected to http://mydomain.com/start/index after I’m successfully authenticated.

Is there a way to change this behavior? If it simply redirected to https://mydomain.com/start/index I wouldn’t have any problems.

Benjy · November 15, 2016, 11:08pm

This doesn’t sound like an openHAB issue so you may get more help from the nginx community, however to me that sounds backwards to what it should be, can I see your full nginx configuration?

William_Hedrick · November 16, 2016, 3:23am

server {
        listen                          80;
        server_name                     thedomain.com;
        return 301                      https://$server_name$request_uri;
}

server {
        listen                          443 ssl ;
        server_name                     thedomain.com;

        ssl_certificate                 /etc/letsencrypt/live/thedomain.com$
        ssl_certificate_key             /etc/letsencrypt/live/thedomain.com$
        add_header                      Strict-Transport-Security "max-age=3153$

        location / {
                proxy_pass                            http://localhost:8080/;
                proxy_set_header Host                 $http_host;
                proxy_set_header X-Real-IP            $remote_addr;
                proxy_set_header X-Forwarded-For      $proxy_add_x_forwarded_fo$
                proxy_set_header X-Forwarded-Proto    $scheme;

                auth_basic              "Username and Password Required";
                auth_basic_user_file    /etc/nginx/.htpasswd;
        }

        location /.well-known/acme-challenge/ {
                root                            /var/www/thedomain;
        }
}

So, this is strange. Now that I’m using my laptop, the problem has stopped. Perhaps my PC at work had a cached value or something? So far I cannot reproduce it at home. My work PC has some terrible Group Policies applied to it, so it may be related to some sort of web filtering. I will try again from work tomorrow and see if I still have the same issue.

Thanks for the quick reply and the help!

Benjy · November 16, 2016, 9:28am

No problem! Glad it’s partially sorted. If you never want to connect through http, you can get rid of that top part so that port 80 won’t redirect to https.

William_Hedrick · November 16, 2016, 4:45pm

So, testing from work in both IE and Firefox (the only available installed browsers), I still get the same results. Interestingly, IE reproduces the error every time, but with Firefox, it works when I leave off “www.” but redirects to port 80 when it is included.

ranielsen · February 10, 2017, 6:40pm

Actually this is an OH 2 issue. I have the same problem with both Apache and NGINX. The problem is OH2 is ignoring X-Forwarded-Proto header and is incorrectly sending a 302 redirect to http://host/start/index

$ wget --no-check-certificate https://localhost/
--2017-02-10 12:21:41--  https://localhost/
Resolving localhost (localhost)... ::1, 127.0.0.1
Connecting to localhost (localhost)|::1|:443... connected.
WARNING: The certificate of ‘localhost’ is not trusted.
WARNING: The certificate of ‘localhost’ hasn't got a known issuer.
HTTP request sent, awaiting response... 401 Unauthorized
Reusing existing connection to [localhost]:443.
HTTP request sent, awaiting response... 302 Found
Location: http://localhost/start/index [following]
--2017-02-10 12:21:41--  http://localhost/start/index
Connecting to localhost (localhost)|::1|:80... failed: Connection refused.
Connecting to localhost (localhost)|127.0.0.1|:80... failed: Connection refused.
Resolving localhost (localhost)... ::1, 127.0.0.1
Connecting to localhost (localhost)|::1|:80... failed: Connection refused.
Connecting to localhost (localhost)|127.0.0.1|:80... failed: Connection refused.

A workaround is to add the following for the server block that listens on 443:

rewrite ^(/)$ https://$http_host/start/index;

With this in place, you should see something similar to:

$ wget --no-check-certificate https://localhost/
--2017-02-10 12:26:19--  https://localhost/
Resolving localhost (localhost)... ::1, 127.0.0.1
Connecting to localhost (localhost)|::1|:443... connected.
WARNING: The certificate of ‘localhost’ is not trusted.
WARNING: The certificate of ‘localhost’ hasn't got a known issuer.
HTTP request sent, awaiting response... 302 Moved Temporarily
Location: https://localhost/start/index [following]
--2017-02-10 12:26:19--  https://localhost/start/index
Reusing existing connection to [localhost]:443.
HTTP request sent, awaiting response... 401 Unauthorized
Reusing existing connection to [localhost]:443.
HTTP request sent, awaiting response... 200 OK
Length: 3667 (3.6K) [text/html]
Saving to: ‘index.html’

index.html                                100%[====================================================================================>]   3.58K  --.-KB/s   in 0s

2017-02-10 12:26:20 (13.9 MB/s) - ‘index.html’ saved [3667/3667]

Here’s my working configuration which only uses port 443:

server {
        listen 443 ssl default_server;
        listen [::]:443 ssl default_server;

        ssl_certificate     /etc/ssl/openhab.crt;
        ssl_certificate_key /etc/ssl/openhab.key;
        add_header          Strict-Transport-Security "max-age=31536000";

        rewrite ^(/)$ https://$http_host/start/index;

        location / {
                proxy_pass                            http://localhost:8080/;
                proxy_set_header Host                 $http_host;
                proxy_set_header X-Real-IP            $remote_addr;
                proxy_set_header X-Forwarded-For      $proxy_add_x_forwarded_for;
                proxy_set_header X-Forwarded-Proto    $scheme;
                auth_basic                            "Go Away!";
                auth_basic_user_file                  /etc/nginx/htpasswd;
        }
}

Benjy · February 13, 2017, 4:36pm

If it is indeed an openHAB fault, then you may need to make an issue about it on the Eclipse Smarthome Git repo.

Does changing proxy_set_header Host to $proxy_host; work for you?

ranielsen · February 15, 2017, 8:06pm

Issue Wrong redirection when behind a reverse proxy server · Issue #423 · openhab/openhab-distro · GitHub created.