Nginx reverse proxy help

I am trying to set up nginx to do a basic reverse proxy. I have been following some of the other posts on this topic. I’m making some progress, but if OpenHAB asks you to auth already, what is the point of adding auth in nginx, other than extra security? I’m not exposing this to the internet. But I can’t seem to make the reverse proxy work without it. Is the backend tomcat, or jetty or something else? I feel like there is a file that needs to be edited to tell it to serve from this location, similar to doing this with tomcat.

This is what I have in my config so far.

#       https://nginx.org/en/docs/http/ngx_http_auth_request_module.html says auth_request may not be combined with auth_basic,
#       This is because 401 redirects to vouch, and you never get the basic auth form.
#       However,  openhab apps are configured and send the correct auth info without triggering 401, so this works for that case.
        location /openhab/ {
#          auth_basic                              "Username and Password Required";
#          auth_basic_user_file                    /var/lib/openhab/etc/.htpasswd-openhab; #htpasswd -c openhab username

#          proxy_pass http://localhost:8080/;
          proxy_buffering                       off;
          proxy_set_header Host                 $http_host/openhab;
          proxy_set_header X-Real-IP            $remote_addr;
          proxy_set_header X-Forwarded-For      $proxy_add_x_forwarded_for; # add the real ip of the client
          proxy_set_header X-Forwarded-Proto    $scheme;
          proxy_set_header Upgrade              $http_upgrade;
          proxy_set_header Connection           "Upgrade";
#          resolver 10.150.10.110 valid=30s;
          set $upstream_app 127.0.0.1;
          set $upstream_port 8080;
          set $upstream_proto http;
          proxy_pass $upstream_proto://$upstream_app:$upstream_port;

          #  change the normal "start" redirect directly to the basic ui;
#          proxy_redirect http://localhost/openhab/start/index /openhab/basicui/app;

          sub_filter_types application/javascript text/xml text/css text/javascript application/json text/plain;
          sub_filter_once off;
          sub_filter '/rest/' '/openhab/rest/';
          sub_filter '"/icon/' '"/openhab/icon/';
          sub_filter '"/basicui/' '"/openhab/basicui/';
          sub_filter '"/chart' '"/openhab/chart';
        }

        # User management at sitemap level -> strip openhab json file
        location = /rest/sitemaps {
          resolver 127.0.0.1;
          proxy_set_header        X-Forwarded-Host        $http_host;
          proxy_pass http://localhost/cgi-bin/ohsitemap/filter?user=$remote_user;
        }

#       location /.well-known/acme-challenge/ {
#       root                                    /var/www/acme-challenge;
#       }

Thoughts?

Hi Andrew,

Are you aware that we have a security article in the docs describing how to set up nginx for openHAB(3)?

The config file above doesn’t look very familiar to me.
Don’t know where this is coming from.

I created the config file piecing together what I found on other threads. It now looks more like the one in documentation with some modification since I am running other applications on this server. Still getting the following when I browse to it.

Now I’m getting this when I browse to the IP address OR the FQDN.

Here are the logs from nginx

2021/04/20 13:13:41 [error] 45951#0: *105 open() "/usr/share/nginx/html/favicon.ico" failed (2: No such file or directory), client: 10.150.1.199, server: homeautomation01.caprica.local, request: "GET /favicon.ico HTTP/1.1", host: "10.150.10.236", referrer: "http://10.150.10.236/openhab/"
2021/04/20 13:14:11 [error] 45951#0: *109 open() "/usr/share/nginx/html/favicon.ico" failed (2: No such file or directory), client: 10.150.1.199, server: homeautomation01.caprica.local, request: "GET /favicon.ico HTTP/1.1", host: "10.150.10.236", referrer: "http://10.150.10.236/openhab/"
2021/04/20 13:15:13 [error] 46011#0: *3 "/usr/share/nginx/html/rest/index.html" is not found (2: No such file or directory), client: 10.150.1.199, server: homeautomation01.caprica.local, request: "GET /rest/ HTTP/1.1", host: "10.150.10.236", referrer: "http://10.150.10.236/openhab/"
2021/04/20 13:15:42 [error] 46011#0: *10 "/usr/share/nginx/html/rest/index.html" is not found (2: No such file or directory), client: 10.150.1.199, server: homeautomation01.caprica.local, request: "GET /rest/ HTTP/1.1", host: "homeautomation01.caprica.local", referrer: "http://homeautomation01.caprica.local/openhab/"

Here is the openhab portion of my config:

location /openhab/ {
          add_header 'Access-Control-Allow-Origin' '*' always;
          add_header 'Access-Control-Allow-Credentials' 'true' always;
          add_header 'Access-Control-Allow-Headers' 'Authorization,Accept,Origin,DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Content-Range,Range' always;
          add_header 'Access-Control-Allow-Methods' 'GET,POST,OPTIONS,PUT,DELETE,PATCH' always;

          proxy_pass http://localhost:8080/;
          proxy_set_header Host                 $http_host/openhab;
          proxy_set_header X-Real-IP            $remote_addr;
          proxy_set_header X-Forwarded-For      $proxy_add_x_forwarded_for; # add the real ip of the client
          proxy_set_header X-Forwarded-Proto    $scheme;
          proxy_set_header Upgrade              $http_upgrade;
          proxy_set_header Connection           "Upgrade";
          proxy_read_timeout                    3600;

          #  change the normal "start" redirect directly to the basic ui;
#          proxy_redirect http://localhost/openhab/start/index /openhab/basicui/app;
        }

I am no nginx expert to be honest.

Only thing that confuses me is this line:

I would guess that you don’t need to add the openhab, since this is inside the /openhab/ location config.

Here is my “node red” location which should be a similar approach to what you want to achieve:

location /nodered/ {
                proxy_set_header Host $http_host;
                proxy_set_header X-Real-IP $remote_addr;
                proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
                proxy_set_header X-Forwarded-Proto $scheme;
                proxy_http_version      1.1;
                proxy_set_header Upgrade        $http_upgrade;
                proxy_set_header Connection     "upgrade";
                proxy_pass http://localhost:1880/;

                satisfy any;
                allow   192.168.176.0/22;
                allow   127.0.0.1;
                deny    all;
        }

So I tried removing the /openhab and I still get the same results.

Here is what my config looks like now:

location /openhab/ {
          add_header 'Access-Control-Allow-Origin' '*' always;
          add_header 'Access-Control-Allow-Credentials' 'true' always;
          add_header 'Access-Control-Allow-Headers' 'Authorization,Accept,Origin,DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Content-Range,Range' always;
          add_header 'Access-Control-Allow-Methods' 'GET,POST,OPTIONS,PUT,DELETE,PATCH' always;

          proxy_pass http://localhost:8080/;
          proxy_set_header Host                 $http_host;
          proxy_set_header X-Real-IP            $remote_addr;
          proxy_set_header X-Forwarded-For      $proxy_add_x_forwarded_for; # add the real ip of the client
          proxy_set_header X-Forwarded-Proto    $scheme;
          proxy_set_header Upgrade              $http_upgrade;
          proxy_set_header Connection           "upgrade";
          proxy_read_timeout                    3600;
          satisfy                               any;

          #  change the normal "start" redirect directly to the basic ui;
#          proxy_redirect http://localhost/openhab/start/index /openhab/basicui/app;
        }
2021/04/20 13:19:22 [error] 46011#0: *34 "/usr/share/nginx/html/rest/index.html" is not found (2: No such file or directory), client: 10.150.1.199, server: homeautomation01.caprica.local, request: "GET /rest/ HTTP/1.1", host: "homeautomation01.caprica.local", referrer: "http://homeautomation01.caprica.local/openhab/"
2021/04/20 13:33:10 [error] 46275#0: *8 "/usr/share/nginx/html/rest/index.html" is not found (2: No such file or directory), client: 10.150.1.199, server: homeautomation01.caprica.local, request: "GET /rest/ HTTP/1.1", host: "homeautomation01.caprica.local", referrer: "http://homeautomation01.caprica.local/openhab/"
2021/04/20 13:33:28 [error] 46275#0: *10 "/usr/share/nginx/html/rest/index.html" is not found (2: No such file or directory), client: 10.150.1.199, server: homeautomation01.caprica.local, request: "GET /rest/ HTTP/1.1", host: "homeautomation01.caprica.local", referrer: "http://homeautomation01.caprica.local/openhab/"

Here’s my NGINX config below, it may be of some use to you. As you’ll see I’m running with Let’s Encrypt certificates at present, so if you’re not using them I would suggest you skip that part of the configuration. Note though, I’m not running OH3 presently. But hopefully this will give you a direction.

server {

        access_log /var/log/nginx/openhab.access.log;
        error_log /var/log/nginx/openhab.error.log;

        server_name      openhab;
        client_max_body_size 0;
        underscores_in_headers on;

        location / {
                proxy_headers_hash_max_size 512;
                proxy_headers_hash_bucket_size 64;

                add_header Front-End-Https on;
                proxy_pass                            http://172.16.10.1:8080;
                proxy_set_header Host                 $http_host;
                proxy_set_header X-Real-IP            $remote_addr;
                proxy_set_header X-Forwarded-For      $proxy_add_x_forwarded_for;
                proxy_set_header X-Forwarded-Proto    $scheme;
                auth_basic                            "Username and Password Required";
                auth_basic_user_file                  /etc/nginx/conf.d/.htpasswd;
                satisfy any;
        }

    listen 443 ssl; # managed by Certbot
    ssl_certificate /etc/letsencrypt/live/openhab/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/openhab/privkey.pem; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot

}
server {
    if ($host = openhab) {
        return 301 https://$host$request_uri;
    } # managed by Certbot


        listen 192.168.10.1;

        server_name      openhab;
    return 404; # managed by Certbot


}

Why don’t you just install openHABian? It has a menu option to set up nginx for you.

I’m not installing this on a raspi.

It works on x86 Debian, too (and probably others, at least to install the nginx config).

You mean use the Debian packages?

So part of the reason I’m not using openHABian is I’m using CentOS/Fedora.

I mean just use the manual install method from the link and try running the menu option that installs nginx.

So I think my issue still persists, because I’m trying to access it from a folder: {http,https}://automation.example.com/openhab. Is there a way to change the java config to tell it I’m coming from a different url or a url with a folder? I know this can be done w/ tomcat.
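As an added example (not written by anyone in this thread): a short Python script that reads nginx error-log lines like the ones posted above and lists requests whose referrer is under `/openhab/` but whose own path is not, which is the pattern behind the `/rest/index.html is not found` entries. The function names and the `PREFIX` constant are made up for the illustration; the three sample lines are copied from the logs in the thread.

```python
import re
from urllib.parse import urlsplit

PREFIX = "/openhab/"  # the proxied location used in the configs in this thread

# Three entries copied from the nginx error log posted above.
SAMPLE_LOG = '''\
2021/04/20 13:13:41 [error] 45951#0: *105 open() "/usr/share/nginx/html/favicon.ico" failed (2: No such file or directory), client: 10.150.1.199, server: homeautomation01.caprica.local, request: "GET /favicon.ico HTTP/1.1", host: "10.150.10.236", referrer: "http://10.150.10.236/openhab/"
2021/04/20 13:15:13 [error] 46011#0: *3 "/usr/share/nginx/html/rest/index.html" is not found (2: No such file or directory), client: 10.150.1.199, server: homeautomation01.caprica.local, request: "GET /rest/ HTTP/1.1", host: "10.150.10.236", referrer: "http://10.150.10.236/openhab/"
2021/04/20 13:15:42 [error] 46011#0: *10 "/usr/share/nginx/html/rest/index.html" is not found (2: No such file or directory), client: 10.150.1.199, server: homeautomation01.caprica.local, request: "GET /rest/ HTTP/1.1", host: "homeautomation01.caprica.local", referrer: "http://homeautomation01.caprica.local/openhab/"
'''

# Pull the request URI and the referrer out of one error-log line.
ENTRY = re.compile(
    r'request: "(?P<method>[A-Z]+) (?P<uri>\S+) [^"]*"'
    r'.*?referrer: "(?P<referrer>[^"]*)"'
)

def escaped_requests(log_text, prefix=PREFIX):
    """Return (uri_path, referrer_path) for requests issued by a page under
    `prefix` but sent to a path outside it, so another location handled them."""
    hits = []
    for line in log_text.splitlines():
        m = ENTRY.search(line)
        if not m:
            continue
        ref_path = urlsplit(m["referrer"]).path
        uri_path = urlsplit(m["uri"]).path
        if ref_path.startswith(prefix) and not uri_path.startswith(prefix):
            hits.append((uri_path, ref_path))
    return hits

def summarize(hits):
    """Count escaped requests by top-level path, e.g. '/rest/'."""
    counts = {}
    for uri, _ in hits:
        parts = uri.split("/")  # "/rest/" -> ["", "rest", ""]
        top = "/" + parts[1] + ("/" if len(parts) > 2 else "")
        counts[top] = counts.get(top, 0) + 1
    return counts

if __name__ == "__main__":
    for top, n in sorted(summarize(escaped_requests(SAMPLE_LOG)).items()):
        print(f"{n:3d}  {top}  (requested outside {PREFIX})")
```

Every path it reports is one the page asked for with an absolute URL, so nginx matched it against the server's static root instead of the `/openhab/` location.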
