Not able to access openHAB UI outside of local network using reverse proxy

Hello everyone,

I decided to install openHAB 3.1.0 on an old RPi 2B+ I had in stock a few days ago (mostly for the fun of setting it up).
I was able to install openHAB on Raspbian OS Lite, everything works properly, and I am able to access the openHAB UI with my browser as long as I am on the local network.

The next step was to install nginx 1.18.0 on the RPi to access openHAB when I’m outside of the local network, and that is where I am stuck.
I did set up a domain name that goes through Cloudflare, and then a DynDNS-like service. That seems to work, as I am able to SSH into the RPi from outside.
I then installed nginx and did all the setup to connect to openHAB through HTTPS, using a self-signed certificate.

And here is the problem: I can’t manage to get access to the UI.
When I type my domain name in the URL bar, I am prompted for the username/password by nginx, and once I am logged into nginx, I am asked by openHAB for another username/password. I have no idea what this login could be; I tried all the passwords I could think of (openHAB admin password, nginx password, …).

I did some research, but from what I get from the documentation and forum threads, there is no password for the openHAB UI (except for the Administrator session).
I was not able to find any record of the same problem, so I am pretty sure I missed something really obvious somewhere.
So the questions are: What is this login/password? Why is it even asked? Does the problem come from my openHAB setup, or from the nginx setup?

I used this page to set up nginx, as it is the first time I am working with this kind of service:

This is a screenshot of the login window I am stuck at.
Screenshot 2021-12-02 at 15.05.32
(There is only this window, on an otherwise black page)

I hope someone will have an idea and help me, because I really want to know where I did something wrong.
I will post the solution here anyway if I come across one.

Thank you for reading!

If you are using a Raspi, why not use openHABian, which has an option to set up nginx?
Or why not use our free myopenHAB service???

Thank you for your answer!

When I started to set this up, I didn’t know about openHABian, and now I don’t really want to start all over again.

I don’t want to use a cloud service, I’d like to keep everything on a server I own, that’s why I went for the reverse proxy solution (the VPN solution looks like a hassle to use on an everyday basis).
Anyway, even if I end up using another solution, I would really like to get the solution to this, just because I am curious :smiley:

What does your nginx.conf configuration look like? If you’ve set up nginx there are a few dependencies: passing the URL to the openHAB UI would be one, and of course something that is routable in the public domain. You’ve probably seen this, but just in case: How To Set Up Nginx Server Blocks (Virtual Hosts) on Ubuntu 16.04 | DigitalOcean

Did you add this to your nginx configuration? (As specified here)

        add_header Set-Cookie X-OPENHAB-AUTH-HEADER=1;
        proxy_set_header Authorization          "";

That is vital if you want to use basic auth through nginx, as the OH UI otherwise overwrites the authorization header, which causes nginx to refuse the requests.

I should have added the nginx configuration file in the original post, sorry about that.

Even with your post, I still can’t figure out where my mistake is :confused:

server {
    listen                          80;
    server_name                     _;
    return 301                      https://$server_name$request_uri;
}


server {
    listen                          443 ssl;
    server_name                     _;
    ssl_certificate                 /etc/ssl/openhab.crt;
    ssl_certificate_key             /etc/ssl/openhab.key;


    # Cross-Origin Resource Sharing
    add_header 'Access-Control-Allow-Origin' '*' always;
    add_header 'Access-Control-Allow-Credentials' 'true' always;
    add_header 'Access-Control-Allow-Headers' 'Authorization,Accept,Origin,DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Content-Range,Range' always;
    add_header 'Access-Control-Allow-Methods' 'GET,POST,OPTIONS,PUT,DELETE,PATCH' always;
    add_header Set-Cookie X-OPENHAB-AUTH-HEADER=1;
    proxy_set_header Authorization          "";


    location / {
        proxy_pass                            http://localhost:8080/;
        proxy_set_header Host                 $http_host;
        proxy_set_header X-Real-IP            $remote_addr;
        proxy_set_header X-Forwarded-For      $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto    $scheme;
        proxy_read_timeout                    3600;
        auth_basic                            "Username and Password Required";
        auth_basic_user_file                  /etc/nginx/.htpasswd;
        satisfy  any;
        allow    192.168.0.0/24;
        allow    127.0.0.1;
        deny     all;

    }
}

You must add the following two directives underneath the add_header (in the server block) and proxy_set_header (in the location / block) items respectively:

The proxy_set_header-directive should go inside the location-block

3 Likes
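Why the server-level line had no effect: nginx inherits `proxy_set_header` from the outer level only when the current level defines none of its own, so the four `proxy_set_header` lines in `location /` discard the `Authorization ""` reset set in `server`. The checker below is an added example, not part of the thread or the openHAB documentation; `SAMPLE_CONF` is a constructed, cut-down copy of the posted layout, and `parse` and `dropped_headers` are hypothetical helper names.

```python
import re

# Constructed sample reproducing the layout from the thread: the Authorization
# reset sits at server level while location / sets headers of its own.
SAMPLE_CONF = '''
server {
    listen 443 ssl;
    add_header Set-Cookie X-OPENHAB-AUTH-HEADER=1;
    proxy_set_header Authorization "";
    location / {
        proxy_pass http://localhost:8080/;
        proxy_set_header Host $http_host;
        auth_basic "Username and Password Required";
    }
}
'''
TOKEN = re.compile(r'"[^"]*"|\'[^\']*\'|#[^\n]*|[{};]|[^\s{};]+')

def parse(text):
    """Build a tree of blocks: {'args': [...], 'dirs': [[name, arg, ...]], 'blocks': [...]}."""
    root = {"args": ["main"], "dirs": [], "blocks": []}
    stack, cur = [root], []
    for tok in TOKEN.findall(text):
        if tok.startswith("#"):
            continue  # comment token, not a directive
        if tok == ";":
            stack[-1]["dirs"].append(cur); cur = []
        elif tok == "{":
            block = {"args": cur, "dirs": [], "blocks": []}
            stack[-1]["blocks"].append(block); stack.append(block); cur = []
        elif tok == "}":
            stack.pop()
        else:
            cur.append(tok.strip("\"'"))
    return root

def dropped_headers(block, effective=(), lost=(), path="main"):
    """Return (block path, header) pairs for proxy_set_header lines that never reach proxy_pass."""
    own = [d[1].lower() for d in block["dirs"] if d[:1] == ["proxy_set_header"] and len(d) > 1]
    if own:  # any proxy_set_header at this level cancels inheritance from outer levels
        lost = [h for h in (*lost, *effective) if h not in own]
        effective = own
    found = [(path, h) for h in lost] if any(d[:1] == ["proxy_pass"] for d in block["dirs"]) else []
    for child in block["blocks"]:
        found += dropped_headers(child, effective, lost, f"{path} > {' '.join(child['args'])}")
    return found

if __name__ == "__main__":
    for where, header in dropped_headers(parse(SAMPLE_CONF)):
        print(f"{where}: proxy_set_header {header} from an outer level is not applied")
```

Moving the `Authorization` line into the `location /` block, next to the other `proxy_set_header` lines, makes the checker return an empty list.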

It’s crazy how a small misplaced line can give such a headache!
It works perfectly with the proxy_set_header Authorization ""; placed in the location section!

Thank you so much for the help, have a wonderful day :slight_smile:!

1 Like