Nginx Reverse Proxy Authentication

I am trying to force authentication on any user that attempts to access OpenHAB. Basically, I want to do the following:

access openhab (localhost:8080 or :8080) → redirect to nginx authentication page → redirect back to openhab

So far I have this in the conf file for nginx:

  server {
      listen                          81;
      server_name                     localhost;   # terminating ';' was missing; nginx refuses to start without it
      return 301                      http://$server_name$request_uri;
  }
  server {
      listen                          80;
      server_name                     mydomain_or_myip;

      # Cross-Origin Resource Sharing.
      add_header 'Access-Control-Allow-Origin' '*' always;
      # Header name fixed (was 'Allow_Credentials'). Browsers reject a credentialed
      # response whose Allow-Origin is '*'; use an explicit origin if credentials are needed.
      add_header 'Access-Control-Allow-Credentials' 'true' always;
      add_header 'Access-Control-Allow-Headers' 'Authorization,Accept,Origin,DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Content-Range,Range' always;
      add_header 'Access-Control-Allow-Methods' 'GET,POST,OPTIONS,PUT,DELETE,PATCH' always;

      # openHAB 3 api authentication
      add_header Set-Cookie X-OPENHAB-AUTH-HEADER=1;
      add_header                      Strict-Transport-Security "max-age=31536000"; # Remove if using self-signed and are having trouble.

      location / {
          auth_basic                              "Username and Password Required";
          auth_basic_user_file                    C:/nginx/conf/.htpasswd;
          proxy_pass                              http://localhost:8080/;
          # proxy_set_header Host                   $http_host;
          # proxy_set_header X-Real-IP              $remote_addr;
          # proxy_set_header X-Forwarded-For        $proxy_add_x_forwarded_for;
          # proxy_set_header X-Forwarded-Proto      $scheme;
          # proxy_set_header Upgrade                $http_upgrade;
          # An add_header at this level stops the server-level add_header lines
          # above from being inherited into this location; repeat them here if needed.
          add_header Cache-Control no-store;
          # proxy_set_header Connection             "Upgrade";
          # proxy_set_header Authorization          "";
          # satisfy                                 any;
          # allow                                   192.168.0.0/24;
          # allow                                   127.0.0.1;
          # deny                                    all;
      }
  }

But the only way I can authenticate is if I access localhost:81/authentication, and I can go directly to localhost:8080 (which is openhab) without authentication. This is why I want to be able to redirect to /authentication even if I accessed localhost:8080 directly.

That’s not how reverse proxies work. What you want is to set up firewall rules to prevent all access to the openHAB server and port except by NGINX. Then the only way to access OH is through NGINX. You can’t do this with redirects.

Also, it’s probably a bad idea to block access to OH on localhost. It doesn’t add much security anyway as if someone is already on localhost, they can change the firewall rules anyway. Usually you want to prevent access from other machines.

Also, don’t ignore the option to turn off the implicit user role (Settings → API Security). That will not let anyone do anything with OH without logging in first. Though this doesn’t work with the older UIs like BasicUI.

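One way to carry out the firewall approach described in the reply above, as an added example that is not part of the thread. It assumes openHAB listens on TCP 8080 and that NGINX runs on the same Windows host (the C:/nginx path in the question suggests Windows), and it relies on Windows Defender Firewall leaving loopback traffic unfiltered, which is its default behaviour; the rule name and the <openhab-host-ip> placeholder are made up for the example.

```powershell
# Added example, not from the thread: restrict openHAB's HTTP port so that only
# NGINX on the same host (via loopback) can reach it. Assumptions: openHAB
# listens on TCP 8080, NGINX runs on the same Windows machine, and Windows
# Defender Firewall is active for the profile in use.
# Run from an elevated (Administrator) PowerShell session.

$OpenHabPort = 8080
$RuleName    = 'openHAB 8080 - block remote clients'   # constructed name

# Remove an earlier copy of the rule so the script can be re-run safely.
Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue |
    Remove-NetFirewallRule

# Block inbound TCP to the openHAB port from every remote address. Windows
# Defender Firewall leaves loopback traffic unfiltered, so NGINX's
# proxy_pass to http://localhost:8080 keeps working while other machines are
# refused. Block rules take precedence over any existing Allow rule for 8080.
New-NetFirewallRule -DisplayName $RuleName `
    -Direction Inbound -Protocol TCP -LocalPort $OpenHabPort `
    -RemoteAddress Any -Action Block -Profile Any -Enabled True | Out-Null

# Show the resulting rule and its port filter so the change can be audited.
Get-NetFirewallRule -DisplayName $RuleName |
    Select-Object DisplayName, Enabled, Direction, Action, Profile
Get-NetFirewallRule -DisplayName $RuleName | Get-NetFirewallPortFilter |
    Select-Object Protocol, LocalPort, RemotePort

# Local sanity check: the port must still answer on loopback, otherwise NGINX
# would start returning 502s. Connections from this host to its own LAN
# address are also local, so the remote check has to run on another machine.
$viaLoopback = (Test-NetConnection -ComputerName 'localhost' -Port $OpenHabPort `
    -WarningAction SilentlyContinue).TcpTestSucceeded
"openHAB reachable on loopback: $viaLoopback (expected True)"

# From ANOTHER machine on the LAN, replace <openhab-host-ip> and confirm that
# TcpTestSucceeded is False for 8080 while port 80 (NGINX) is still True:
#   Test-NetConnection -ComputerName <openhab-host-ip> -Port 8080
#   Test-NetConnection -ComputerName <openhab-host-ip> -Port 80
```

Once the rule is in place, every remote browser has to come through NGINX on port 80 and therefore through auth_basic; the firewall, not a redirect, is what closes the direct :8080 path the question describes. On a Linux host the same idea is a rule that drops inbound 8080 on every interface except lo.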

I already tried turning on implicit user mode; the issue with it is that it doesn't work with Basic UI, as you mentioned (Error 401 unauthorized). This is why I am trying to find an alternative other than the flag. I want to force logging in for any user that accesses OpenHAB, or any other part of it, regardless.

I couldn’t find an easier way in OpenHAB itself to allow any user who accesses OpenHAB to always authenticate other than the implicit user role flag.