OH2 Nginx redirection

I’m trying to configure a password protection for my OpenHab2 server. I followed:
which worked well. But, when I’m typing http://myhost.noip.com:8080/ I getting into OH2 without any password.
Nginx config:

server {
	listen                          80;
	server_name                     myhost.noip.com;
	return 301                      https://$server_name$request_uri;
server {
	listen                          443 ssl;
	server_name                     myhost.noip.com;

	ssl_certificate                 /etc/letsencrypt/live/myhost.noip.com/fullchain.pem; 
	ssl_certificate_key             /etc/letsencrypt/live/myhost.noip.com/privkey.pem;
	add_header                      Strict-Transport-Security "max-age=31536000";

	location / {
		proxy_pass                              http://localhost:8080/;
		proxy_set_header Host                   $http_host;
		proxy_set_header X-Real-IP              $remote_addr;
		proxy_set_header X-Forwarded-For        $proxy_add_x_forwarded_for;
		proxy_set_header X-Forwarded-Proto      $scheme;
		satisfy                                 any;
		allow                         ;
		deny                                    all;
		auth_basic                              "Username and Password Required";
		auth_basic_user_file                    /etc/nginx/.htpasswd;
	location /.well-known/acme-challenge/ {
		root                                    /var/www/myhost;

You are accessing OH2 directly when going to :8080, try using https://myhost.noip.com:443 instead. 8080 should be blocked from external access and only 443 open to outside conenctions.

Do you by any chance know how to do it with nginx? I would really appreciate some help…

Your nguix setup looks correct, however by browsing to http://myhost.noip.com:8080/ you bypass nguix and are going directly to OpenHAB. You should browse to https://myhost.noip.com, which will reverse proxy you to the OpenHAB instance on 8080. In your firewall rules, ensure that you block access to port 8080 from outside.

I see. Can you recommend a firewall for Raspberry Pi3?

You need to block it on your home router.

It seems it can be (and should be) done with nginx itself. But can’t manage to figure how.
I’m trying

server {
			listen                          8080;
			allow                ;
			deny                           all;

but getting nginx error

failed (98: Address already in use)


So think of ports like telephone extensions, where you are on extension 8080 and your assistant is on 443. Normally you give your number out as 443 and your assistance filters your calls so you only get the ones that have been authenticated. In this situation you have given out 8080 and people are calling your directly without your assistant checking their details.

Back to OpenHAB, which is running on port 8080 and Nginx running on 443. When you attempt to connect to 443, it will ask you for a username and password, and if successful, will redirect you to port 8080. You are however going straight to 8080, which bypasses Nginx and accesses OpenHAB directly without authentication. In your latest post, it shows that you are trying to run Nginx on 8080, however OpenHAB is already running on 8080 and you can only have one application per port. Recommend you go back to the original configuration.

As @greg said, you should be able to port filtering on your router, which is probably the best method. You can also port filter on the Pi, just search google for your distribution and firewall. I assume you are using Raspbian so iptables is probably the recommended, though I have not used it personally.


1 Like

Thank you!

Working with iptables config:

-A interfaces -i lo -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -p tcp -j REJECT --dport 8080 --reject-with tcp-reset 
#-A INPUT -p udp -j REJECT --dport 8080 --reject-with icmp-port-unreachable
-A INPUT -s -i tcp -p tcp -m tcp --dport 22 -j DROP