Nginx with https as reverse proxy for openhab2

I’m trying to use nginx as reverse proxy to provide security and encryption for openhab2. Most seems to work, but the API call for “/rest/sitemaps” always returns content with http:// - even though “X-Forwarded-Scheme: https” is in the request.

Any ideas?

Forgot to mention, but the reverse proxy uses the normal port 8080 in upstream config.

I’ve just been playing with this myself and saw your post without an answer. Instead of X-Forwarded-Scheme, try using:

proxy_set_header X-Forwarded-Proto      $scheme;

I’ve made a PR to address the documentation, which also suggests to turn off proxy buffering.

This may also fix some issues people are having with HABdroid when using a reverse proxy and https and authentication.
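A way to confirm the symptom is gone after changing the header, added here as an example and not part of the original thread: it walks a JSON body fetched through the proxy and reports every absolute link whose scheme or host differs from the public origin. The sample body, its field names and the function names are constructed for illustration.

```python
import json
from urllib.parse import urlsplit

# Constructed sample of a /rest/sitemaps body fetched through the proxy.
# Field names and values are illustrative, not captured from a real system.
SAMPLE_BODY = json.dumps([{
    "name": "default",
    "label": "Home",
    "link": "http://openhab.example.org/rest/sitemaps/default",
    "homepage": {
        "link": "https://openhab.example.org/rest/sitemaps/default/default",
        "leaf": False,
    },
}])


def iter_strings(node, path="$"):
    """Yield (json_path, value) for every string in a decoded JSON document."""
    if isinstance(node, dict):
        for key, value in node.items():
            yield from iter_strings(value, f"{path}.{key}")
    elif isinstance(node, list):
        for index, value in enumerate(node):
            yield from iter_strings(value, f"{path}[{index}]")
    elif isinstance(node, str):
        yield path, node


def audit_links(body, public_origin):
    """List absolute URLs in body whose scheme or host differs from public_origin."""
    want = urlsplit(public_origin)
    findings = []
    for path, value in iter_strings(json.loads(body)):
        try:
            url = urlsplit(value)
        except ValueError:
            continue  # not parseable as a URL, so not a link
        if url.scheme not in ("http", "https") or not url.netloc:
            continue  # plain text or a relative reference
        if url.scheme != want.scheme:
            findings.append((path, "scheme", value))
        elif url.netloc != want.netloc:
            findings.append((path, "host", value))
    return findings


if __name__ == "__main__":
    for path, kind, value in audit_links(SAMPLE_BODY, "https://openhab.example.org"):
        print(f"{kind} mismatch at {path}: {value}")
```

A "host" finding with a loopback address or a backend port means the backend's own address is leaking into responses, which the header change alone does not address.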

@mtryfoss this is what I’m using right now, but I need to check out the changes that @Benjy mentions.

ldap_server example {
    url "ldaps://127.0.0.1:636/dc=example,dc=org?uid?sub?(objectClass=inetOrgPerson)";
    binddn "cn=admin,dc=example,dc=org";
    binddn_passwd "example";
    satisfy all;
    require valid_user;
}

server {
    listen *:80;
    listen [::]:80;
    charset utf-8;
    server_name openhab.example.org;

    root /var/www/openhab.example.org;
    
    location /.well-known/acme-challenge {
        default_type "text/plain";
    }
  
    location / {
        return https://$server_name$request_uri;
    }
}

server {
    listen                    *:443 ssl http2;
    listen                    [::]:443 ssl http2;

    server_name               openhab.example.org;

    ssl                       on;
    
    ssl_certificate           /etc/letsencrypt/live/example.org/fullchain.pem;
    ssl_certificate_key       /etc/letsencrypt/live/example.org/privkey.pem;

    charset utf-8;

    root /var/www/openhab.example.org;

    location / {
        auth_ldap          "openHAB";
        auth_ldap_servers  example;
        
        proxy_http_version 1.1;
        proxy_set_header   Authorization     "";
        proxy_set_header   Host              $http_host;
        proxy_set_header   X-Real-IP         $remote_addr;
        proxy_set_header   X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header   X-Forwarded-Proto $scheme;
        proxy_set_header   Upgrade           $http_upgrade;
        proxy_set_header   Connection        $connection_upgrade;
        proxy_cache_bypass $cookie_session;
        proxy_no_cache     $cookie_session;
        proxy_pass         https://127.0.0.1:8443;
        proxy_redirect     ~*(https?://[^:]+):\d+(/.+)$ $1$2;
    }
}

X-Forwarded-Proto seemed to do the trick :) Already disabled buffering. That’s very obvious for events to be returned to client instantly.

However, tried using habmin with http basic auth on the reverse proxy with Chrome? It seems to mess up auth for some ajax requests. Authorization header sent is suddenly blank. Safari seems to work ok. I just wanted to be sure it’s not only on my installation.

Seems like a few people are having trouble with auth and habmin, I’ll try to see what’s happening here and let you know what I find.

For my setup I wanted more control over authentication than openHAB provides natively (at least in 1.x) so I have nginx do the authentication. That’s why nginx sends a blank Authorization header to openHAB (which I believe actually deletes it from the request sent to openHAB). If you want to have nginx pass through the Authorization header that the client sends, remove the “proxy_set_header Authorization” line from the config. It’s also possible to have nginx send a different Authorization header (with a different username/password) to openHAB.

I too have the problem with Nginx reverse proxy with Auth and Habmin on Chrome. However BasicUI and PaperUI work without problem on Chrome. On Safari Habmin also works without problem.

Wasn’t able to fix this.

I think this is a JavaScript issue in habmin. The request from client to nginx is missing auth headers.

I also got issues with nginx, but only on my LG G5.
It is working without any issues in a browser and in Habdroid on my Samsung tablet.
On the LG G5 I have to disable the ssl check (ignore ssl hostname) but on the Samsung device I don’t have to disable anything.

Are there any subdirectories that could cause the issue?
Something like smarthome/rest/items
But I checked the known directories.

By the way: I am using openhab 2

@Benjy have you found anything on this yet? It’s still happening with build 657 from a few days ago, both through my local nginx reverse proxy as well as through the new myopenhab cloud service.

hmm, just found this issue on GitHub, but things have been quiet for a while.

Hi @jcollie, yes unfortunately I came to a point in HABmin’s implementation as you have seen but am not savvy with that code to be of any use at the moment.

Yeah, the code probably never took into consideration that the virtual origin for the site would be anything but that of the Jetty server, not to mention that the scheme might change (https vs http).

openHAB is reverse proxied at https://www.example.com/exposed/path/

Known broken in “release” 2.0.0 so far:

  • GET / on the Jetty instance with an original scheme of https
    • redirects to http (not https as was the original request)
    • redirects to /start/index (rather than /exposed/path/start/index)
  • HABmin is making its requests to /rest/items (again, rather than to /exposed/path/rest/items)

Looking into the first issue, https://www.example.com/exposed/path/ sends the browser to http://www.example.com/start/index

From what I can tell, the source from openhab-master launch/home/etc/jetty.xml causes a redirect, rather than a rewrite

<New class="org.eclipse.jetty.rewrite.handler.RedirectRegexRule">
  <Set name="regex">/$</Set>
  <Set name="replacement">/start/index</Set>
</New>

Unfortunately, it also appears that this is “compiled in” and is not present in /var/lib/openhab2/etc/jetty.xml

See further
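The two redirect faults listed in the post above (scheme changed to http, /exposed/path prefix dropped), as an added example that is not part of the original thread: it resolves a Location header the way a browser would and reports what differs from the public base, along with the Location the client should have received. The function name and return format are made up for illustration, and it covers only the redirect, not HABmin's requests to /rest/items.

```python
from urllib.parse import urljoin, urlsplit, urlunsplit


def audit_redirect(request_url, location, public_base):
    """Check a Location header seen through the proxy against the public base URL.

    Returns (problems, expected): the mismatches found, and the Location the
    client should have received (None when the target is on another host).
    """
    base = urlsplit(public_base)
    prefix = base.path if base.path.endswith("/") else base.path + "/"
    # Resolve the header the way a browser does, so relative redirects count too.
    target = urlsplit(urljoin(request_url, location))
    if target.hostname != base.hostname:
        return ["host"], None
    problems = []
    if target.scheme != base.scheme:
        problems.append("scheme")
    path = target.path
    if not (path.startswith(prefix) or path + "/" == prefix):
        problems.append("prefix")
        path = prefix + path.lstrip("/")
    expected = urlunsplit((base.scheme, base.netloc, path, target.query, target.fragment))
    return problems, expected


if __name__ == "__main__":
    # Values from the post above: the public URL and the redirect it produced.
    public = "https://www.example.com/exposed/path/"
    for loc in ("http://www.example.com/start/index", "/start/index", "start/index"):
        print(loc, "->", audit_redirect(public, loc, public))
```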

I have a reverse proxy running to Openhab2, the html comes through fine but the CSS and Graphics don’t. The graphics are showing errors “file not found”.
*************NOTE: /usr/share/nginx/html is located on the Host, not the Server.
2017/04/28 16:06:55 [error] 18505#0: *1145 open() “/usr/share/nginx/html/icon/switch” failed (2: No such file or directory), client: 10.10.231.107, server: 10.10.231.242, request: “GET /icon/switch?state=home&format=svg HTTP/1.1”, host: “10.10.231.241”, referrer: “http://10.10.231.241/openhab/


I am configured as shown by JCOLLIE earlier in this thread

I am running two RPi, one with Openhab2 (http and Openhabian) and one with NGINX (https and Raspbian).

The location “/” with a local root setting runs fine.

any help? thanks