NGINX to secure openhab

Hi,

I’m trying to secure openhab for external connections.

I have the following in my nginx config.

location / {
	proxy_pass                              http://localhost:8080/;
	proxy_set_header Host                   $http_host;
	proxy_set_header X-Real-IP              $remote_addr;
	proxy_set_header X-Forwarded-For        $proxy_add_x_forwarded_for;
	proxy_set_header X-Forwarded-Proto      $scheme;
	# satisfy any: a request passes if EITHER the allow/deny rules OR auth_basic passes
	satisfy                                 any;
	allow                                   192.168.1.0/24;
	allow                                   127.0.0.1;
	deny                                    all;
	auth_basic                              "Username and Password Required";
	auth_basic_user_file                    /etc/nginx/.htpasswd;
}

However, it never asks for a password.

If I change it to deny the router's internal IP before I allow the internal network range, it will ask for a password on external connections.

Is this expected behaviour?

I’m doing a simple port forward on DD-WRT to forward ports 80 and 443 to my openHAB server.

It’s as though NGINX is seeing the external connections as coming from the router's internal IP, not the external IP of the user.

Any ideas on how to resolve this?

Thanks
Chris
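To make the behaviour in the question concrete, here is an added example (not from the thread) that models how nginx evaluates allow/deny rules first-match and combines them with auth_basic under "satisfy any". It assumes 192.168.1.1 as the router's LAN address and 203.0.113.5 as a constructed external client, and shows why a forwarded connection that arrives with the router's LAN source address never triggers the password prompt until that address is denied ahead of the LAN allow rule.

```python
# Model of ngx_http_access_module (allow/deny, first match wins, no match
# means allowed) combined with "satisfy any" and auth_basic.
# Added example, not code from the forum thread; addresses are assumptions.
import ipaddress


def ip_access(rules, client_ip):
    """Return True if the allow/deny list grants access to client_ip."""
    addr = ipaddress.ip_address(client_ip)
    for action, target in rules:
        if target == "all" or addr in ipaddress.ip_network(target, strict=False):
            return action == "allow"
    return True  # nginx: no matching rule means access is allowed


def location_allows(rules, client_ip, has_valid_credentials, satisfy="any"):
    """satisfy any: IP rules OR credentials; satisfy all: IP rules AND credentials."""
    by_ip = ip_access(rules, client_ip)
    if satisfy == "any":
        return by_ip or has_valid_credentials
    return by_ip and has_valid_credentials


def auth_required(rules, client_ip, satisfy="any"):
    """True if an unauthenticated request from client_ip would get a 401 prompt."""
    return not location_allows(rules, client_ip, False, satisfy)


# Rules as posted in the question (with the CIDR typo corrected).
ORIGINAL_RULES = [
    ("allow", "192.168.1.0/24"),
    ("allow", "127.0.0.1"),
    ("deny", "all"),
]
ROUTER_LAN_IP = "192.168.1.1"  # assumed DD-WRT LAN address
EXTERNAL_CLIENT = "203.0.113.5"  # constructed external client
# The poster's workaround: deny the router's LAN address before allowing the LAN.
FIXED_RULES = [("deny", ROUTER_LAN_IP)] + ORIGINAL_RULES

if __name__ == "__main__":
    # Seen directly, an external client is denied by IP and so must authenticate.
    print("external, direct      :", auth_required(ORIGINAL_RULES, EXTERNAL_CLIENT))
    # After NAT on the router, the same client appears as the router's LAN IP,
    # matches the LAN allow rule, and "satisfy any" skips auth_basic entirely.
    print("external, via router  :", auth_required(ORIGINAL_RULES, ROUTER_LAN_IP))
    # With the router IP denied first, forwarded connections are prompted again,
    # while genuine LAN hosts are still let through without a password.
    print("external, fixed rules :", auth_required(FIXED_RULES, ROUTER_LAN_IP))
    print("LAN host, fixed rules :", auth_required(FIXED_RULES, "192.168.1.50"))
```

Whether the forwarded connection really carries the router's LAN address depends on the router doing source NAT (masquerading) on port forwards, which the deny-before-allow symptom in the question suggests; disabling that on the router would let the real client address reach nginx.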

You are missing listen 80 or listen 443. Here’s my working configuration for SSL only, along with gzip compression:

server {
        listen 443 ssl default_server;
        listen [::]:443 ssl default_server;

        ssl_certificate     /etc/ssl/openhab.crt;
        ssl_certificate_key /etc/ssl/openhab.key;
        add_header          Strict-Transport-Security "max-age=31536000";

        # this is needed until https://github.com/openhab/openhab-distro/issues/423 is fixed
        rewrite ^(/)$ https://$http_host/start/index;

        gzip on;
        gzip_vary on;
        gzip_proxied any;
        gzip_comp_level 6;
        gzip_buffers 16 8k;
        gzip_http_version 1.1;
        # compress everything until https://github.com/eclipse/smarthome/issues/3017 is fixed
        #gzip_types text/plain text/css application/json application/javascript text/xml application/xml text/javascript image/svg+xml font/woff font/woff2 text/event-stream;
        gzip_types *;

        location / {
                proxy_pass                            http://localhost:8080/;
                proxy_set_header Host                 $http_host;
                proxy_set_header X-Real-IP            $remote_addr;
                proxy_set_header X-Forwarded-For      $proxy_add_x_forwarded_for;
                proxy_set_header X-Forwarded-Proto    $scheme;
                auth_basic                            "Go Away!";
                auth_basic_user_file                  /etc/nginx/htpasswd;

        }
}

Hi,

I do have those; I only posted the location section. Maybe I should have included it all.

It’s all working fine as long as I block the router IP and force it to use the password.

Very interesting stuff with gzip. I may have to look at that.

Thanks for the reply.

Chris