NGINX Unauthorized API request with UN/PW prompt (OH3 / OpenHabian)

OpenHabian (1.6 latest) running OH3 on a Pi 3B+. I have installed NGINX and configured for HTTPS as per the documentation. The port in my firewall is open, redirecting an obscure port number to my Pi IP on port 443.

  • If I browse to the domain from outside the local network, I get prompted for the username/password, sometimes 2-3 times in a row. Then it goes to an empty black screen with nothing. But it does show certificate valid.
  • Openhab log when this happens shows [WARN ] [ore.io.rest.auth.internal.AuthFilter] - Unauthorized API request: Invalid Basic authentication credentials
  • If I browse to the domain name from a PC on the local network, it goes right in and shows certificate valid. Expected and seems correct?
  • If I browse to the local IP from a PC on the local network, it goes right in and shows the certificate warning since I’m not using the domain name. Expected and seems correct?
  • If I comment out the local IP range allow, and try to browse the domain name from the local network, the same problem happens.
  • If I set allow all and browse to the domain name from inside or outside the local network, it works properly with a valid certificate. Of course I can’t leave it like that…

So this seems to be related to the username/password handling, as any way in that does not have a UN/PW works fine.

Here’s the config file, with my domain name obscured:

server {
    listen                          80;
    server_name                     domainName.us;
    return 301                      https://$server_name$request_uri;
}
server {
    listen                          443 ssl;
    server_name                     domainName.us;

    ssl_certificate                 /etc/letsencrypt/live/domainName.us/fullchain.pem;
    ssl_certificate_key             /etc/letsencrypt/live/domainName.us/privkey.pem;
    add_header                      Strict-Transport-Security "max-age=31536000";

    location / {
        proxy_pass                              http://localhost:8080/;
        proxy_set_header Host                   $http_host;
        proxy_set_header X-Real-IP              $remote_addr;
        proxy_set_header X-Forwarded-For        $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto      $scheme;
        proxy_set_header Upgrade                $http_upgrade;
        proxy_set_header Connection             "Upgrade";
        satisfy                                 any;
        allow                                   192.168.0.0/24;
        allow                                   127.0.0.1;
        deny                                    all;
        auth_basic                              "Username and Password Required";
        auth_basic_user_file                    /etc/nginx/.htpasswd;
    }

    #### When using Let's Encrypt Only ####
    location /.well-known/acme-challenge/ {
        root                                    /var/www/domainName.us;
    }
}

10 minutes after posting this, I found the problem. OpenHab 3 requires turning on the “Allow Basic Authorization” setting in the API Security menu. This is not in the current NGINX documentation.

I’m happy to update those docs since I’ll have some time in the next few days. I was about to delete this thread but I figure I won’t be the only person having this problem soon.

2 Likes
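As an added illustration (not code from the thread or from openHAB), this Python model reproduces the access decisions of the posted `location /` block under `satisfy any` and shows which requests reach openHAB still carrying the Basic credentials typed at the NGINX prompt. The client addresses and the `demo` account are constructed, and the password file is modelled as a plain dictionary.

```python
import base64
import ipaddress

# Access rules in the order they appear in the posted "location /" block.
RULES = [("allow", "192.168.0.0/24"), ("allow", "127.0.0.1"), ("deny", "all")]
# Constructed stand-in for /etc/nginx/.htpasswd (a real file stores hashes).
HTPASSWD = {"demo": "demo-password"}
DEMO_HEADER = "Basic " + base64.b64encode(b"demo:demo-password").decode()

def ip_allowed(client_ip, rules):
    """allow/deny are checked in order; the first matching rule wins."""
    addr = ipaddress.ip_address(client_ip)
    for action, target in rules:
        if target == "all" or addr in ipaddress.ip_network(target):
            return action == "allow"
    return True  # no rule matched, so the access module does not object

def basic_auth_ok(authorization, users=HTPASSWD):
    """auth_basic: accept a well-formed 'Basic base64(user:password)' header."""
    if not authorization or not authorization.startswith("Basic "):
        return False
    try:
        decoded = base64.b64decode(authorization[6:]).decode()
    except ValueError:  # bad base64 or non-UTF-8 bytes
        return False
    user, _, password = decoded.partition(":")
    return users.get(user) == password

def proxy_request(client_ip, authorization=None, rules=RULES):
    """Return (status, Authorization header seen by the upstream on :8080)."""
    # satisfy any: either the address check or the password check is enough.
    if not (ip_allowed(client_ip, rules) or basic_auth_ok(authorization)):
        return 401, None  # the browser shows the username/password prompt
    # The posted config sets no "proxy_set_header Authorization", and nginx
    # forwards client request headers to the proxied server by default.
    return 200, authorization

def thread_observations():
    """The cases from the first post, using constructed client addresses."""
    return {
        "lan_client": proxy_request("192.168.0.23"),
        "outside_no_password": proxy_request("203.0.113.7"),
        "outside_with_password": proxy_request("203.0.113.7", DEMO_HEADER),
        "lan_with_allow_range_removed": proxy_request("192.168.0.23", rules=RULES[1:]),
        "allow_all": proxy_request("203.0.113.7", rules=[("allow", "all")]),
    }

if __name__ == "__main__":
    for case, result in thread_observations().items():
        print(f"{case}: {result}")
```

Only the request admitted by password reaches the upstream with an `Authorization: Basic` header, which lines up with the first post: every path that skipped the prompt worked, and the prompted path is the one that produced the AuthFilter warning.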

what documentation?

It’s possibly outdated (or more precisely hasn’t been updated to cater for the changes needed due to auth introduction in OH3).

Why didn’t you install via openhabian-config menu?

That is the case. It’s the same instructions I used on OH2 and doesn’t reflect the API setting that now exists in OH3. It just needs a few sentences to direct this setting and everything else I think is still valid.

That was the first thing I tried actually. The automated configuration hung up towards the end and failed to complete. The only way out was to close the terminal window. I think it was right after the certbot test that it just stopped and didn’t go any further with just a blinking cursor.

The config file was created, but it never got to any of the Let’s Encrypt steps where you put in your email and such. And upon rebooting the Pi, the NGINX web server was all messed up with errors and not letting anything in. I had to fully purge and reinstall it. Then configured the manual way per the instructions linked above.

The same thing happened when I tried this on RC1 with a totally fresh install. I’m guessing it is a bug that needs to be addressed since the identical failure has happened twice. But I’m not in a position to nuke my currently operating OH3 setup to keep trying it. If I had a spare pi laying around, I would hunt deeper for the problem.

Sure you are. Save /etc/nginx/*, take a system backup just to be sure, enable debugmode=maximum in openhabian.conf, start recording terminal output and install nginx from the menu, then open a GitHub issue with the log.
We (devs) can’t do anything about it if you (users) don’t provide logs to show an actual problem, let alone if you don’t provide any info at all (such as that you tried and failed).

Is the worst case scenario that I just need to purge and reinstall NGINX, and copy in the config again? I can live with that. I’ll try to do that this afternoon.

I ran it again and there was no failure. Figures.

But I have another problem that I can’t seem to trace down. Connected through the basic auth, Main UI won’t load on phone. Or it’s so sluggish it never displays. I’ve had it show up a few times after a long wait, but usually it just doesn’t even render. Using a laptop through basic auth, it renders the main UI but very sluggish. Either not going through basic auth (like with allow all set in NGINX), it loads immediately on all devices. Doesn’t matter if it’s going through the web or local net. Basic auth slow and sometimes just a blank screen.

I’ve already created an issue. If you run NGINX anyway you can just disable auth and restore the OH2 state by using the following command in the karaf console:
bundle:stop org.openhab.core.io.rest.auth
Be aware that once you restart openhab you have to do it again. Unfortunately there is currently no option in the configuration files to disable it completely.

1 Like

After doing that, I can no longer log into admin. After the OH3 main UI Login screen, it just goes to an empty grey screen with nothing and the UI no longer responds. Doesn’t matter if you’re in through NGINX or locally on 8080. I had to start it again to gain access to admin.

Stopping that service did not fix the unresponsive UI when using NGINX basic auth either.

That would be very appreciated yes. 🙂
We had a similar talk in Disable REST authentication on OH3? - #8 by Spaceman_Spiff and following posts.

We should determine a working configuration and explain how to achieve this using a reverse proxy.
I am currently running a nginx proxy with ssl enabled but basic auth disabled.

Until @Spaceman_Spiff’s issue hasn’t been answered/solved we should maybe aim for a configuration that is working with an enabled api authentication.
Otherwise a restart will break a docs suggested configuration. I would like to avoid that without a proper way to deactivate auth in useful cases.

Just ping me if you want to start or have questions about the docs.

Yes I agree. That method spaceman suggested did not work for me. It actually broke being able to log into the main UI at all. Not sure why it works for him but not me.