OH2 Nginx redirection

I’m trying to configure a password protection for my OpenHab2 server. I followed:
http://docs.openhab.org/installation/security.html
which worked well. But when I'm typing http://myhost.noip.com:8080/ I'm getting into OH2 without any password.
Nginx config:

server {
	listen                          80;
	server_name                     myhost.noip.com;
	return 301                      https://$server_name$request_uri;
}
server {
	listen                          443 ssl;
	server_name                     myhost.noip.com;

	ssl_certificate                 /etc/letsencrypt/live/myhost.noip.com/fullchain.pem; 
	ssl_certificate_key             /etc/letsencrypt/live/myhost.noip.com/privkey.pem;
	add_header                      Strict-Transport-Security "max-age=31536000";

	location / {
		proxy_pass                              http://localhost:8080/;
		proxy_set_header Host                   $http_host;
		proxy_set_header X-Real-IP              $remote_addr;
		proxy_set_header X-Forwarded-For        $proxy_add_x_forwarded_for;
		proxy_set_header X-Forwarded-Proto      $scheme;
		satisfy                                 any;
		allow                                   127.0.0.1;
		deny                                    all;
		auth_basic                              "Username and Password Required";
		auth_basic_user_file                    /etc/nginx/.htpasswd;
	}
	location /.well-known/acme-challenge/ {
		root                                    /var/www/myhost;
	}
}

You are accessing OH2 directly when going to :8080, try using https://myhost.noip.com:443 instead. 8080 should be blocked from external access and only 443 open to outside connections.

Do you by any chance know how to do it with nginx? I would really appreciate some help…

Your nginx setup looks correct, however by browsing to http://myhost.noip.com:8080/ you bypass nginx and are going directly to OpenHAB. You should browse to https://myhost.noip.com, which will reverse proxy you to the OpenHAB instance on 8080. In your firewall rules, ensure that you block access to port 8080 from outside.

I see. Can you recommend a firewall for Raspberry Pi3?

You need to block it on your home router.

It seems it can be (and should be) done with nginx itself. But I can't manage to figure out how.
I'm trying

server {
	listen                          8080;
	allow                           127.0.0.1;
	deny                            all;
}

but getting nginx error

failed (98: Address already in use)

Alex,

So think of ports like telephone extensions, where you are on extension 8080 and your assistant is on 443. Normally you give your number out as 443 and your assistant filters your calls so you only get the ones that have been authenticated. In this situation you have given out 8080 and people are calling you directly without your assistant checking their details.

Back to OpenHAB, which is running on port 8080 and Nginx running on 443. When you attempt to connect to 443, it will ask you for a username and password, and if successful, will redirect you to port 8080. You are however going straight to 8080, which bypasses Nginx and accesses OpenHAB directly without authentication. In your latest post, it shows that you are trying to run Nginx on 8080, however OpenHAB is already running on 8080 and you can only have one application per port. Recommend you go back to the original configuration.

As @greg said, you should be able to do port filtering on your router, which is probably the best method. You can also port filter on the Pi, just search Google for your distribution and firewall. I assume you are using Raspbian, so iptables is probably the recommended option, though I have not used it personally.

Chris

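The bypass that greg and Chris describe above can be checked from the Pi itself: a listener bound to a wildcard address is reachable by anyone the firewall lets through, while one bound to 127.0.0.1 can only be reached through the proxy. The following is an added example, not code from this thread or from openHAB. It parses `ss -ltn` output (a constructed sample is embedded so it runs offline), reports every wildcard listener that is not one of nginx's ports, and includes a `curl` probe for confirming from an outside network that :8080 no longer answers once the firewall is in place. The allowed port list, the sample addresses and the hostname are assumptions for the example.

```shell
#!/bin/sh
# Added example (not from the thread): audit which TCP listeners on the host
# are reachable from other machines. Ports in ALLOWED may bind to all
# interfaces (nginx on 80 and 443); any other wildcard listener, such as
# openHAB on 8080, is reported so it can be firewalled or rebound to loopback.

ALLOWED="80 443"   # assumption: only nginx should face the network

# Constructed sample of `ss -ltn` output standing in for a live run.
SAMPLE_SS='State   Recv-Q  Send-Q  Local Address:Port   Peer Address:Port
LISTEN  0       128     0.0.0.0:80           0.0.0.0:*
LISTEN  0       128     0.0.0.0:443          0.0.0.0:*
LISTEN  0       50      *:8080               *:*
LISTEN  0       128     127.0.0.1:8101       0.0.0.0:*
LISTEN  0       128     [::]:22              [::]:*'

# exposed_ports: read `ss -ltn` output on stdin and print the local
# address:port of every listener bound to a wildcard address (0.0.0.0,
# *, [::]) whose port is not in ALLOWED. Loopback-only listeners are fine.
exposed_ports() {
    awk -v allowed="$ALLOWED" '
        BEGIN {
            n = split(allowed, a, " ")
            for (i = 1; i <= n; i++) ok[a[i]] = 1
        }
        $1 == "LISTEN" {
            addr = $4
            port = addr; sub(/.*:/, "", port)       # text after the last colon
            host = addr; sub(/:[^:]*$/, "", host)   # text before it
            if ((host == "0.0.0.0" || host == "*" || host == "[::]") && !(port in ok))
                print addr
        }'
}

# audit_exposure: returns 0 when nothing unexpected is exposed, 1 otherwise.
audit_exposure() {
    found=$(exposed_ports)
    if [ -n "$found" ]; then
        printf 'listening beyond nginx (reachable if the firewall allows it):\n%s\n' "$found" >&2
        return 1
    fi
    return 0
}

# probe_url URL: run from a machine outside the LAN (phone on mobile data,
# a VPS) once the firewall is in place. Prints "open (<status>)" when an
# HTTP status came back, "closed" on connection refused (7) or timeout (28).
probe_url() {
    code=$(curl -s -o /dev/null --max-time 5 -w '%{http_code}' "$1")
    case $? in
        0)    echo "open ($code)" ;;
        7|28) echo "closed" ;;
        *)    echo "error" ;;
    esac
}

# Live use on the Pi:   ss -ltn | audit_exposure
# From outside:         probe_url http://myhost.noip.com:8080/   # expect "closed"
#                       probe_url https://myhost.noip.com/       # expect "open (401)"
```

Run the audit after every change to the firewall or to openHAB's bind address; the `[::]:22` line in the sample is also flagged, which is intended, since SSH on a wildcard address is a second service the router must not forward.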

Thank you!

Working with iptables config:

*filter
:INPUT DROP [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# loopback and replies to connections the Pi opened itself
-A INPUT -i lo -j ACCEPT
-A INPUT -s 127.0.0.1 -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
# only nginx (80 redirect, 443 TLS) is reachable from the outside
-A INPUT -i eth0 -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 443 -j ACCEPT
# openHAB on 8080 is only reached via the proxy on loopback; everyone else gets a reset
-A INPUT -p tcp -m tcp --dport 8080 -j REJECT --reject-with tcp-reset
#-A INPUT -p udp -m udp --dport 8080 -j REJECT --reject-with icmp-port-unreachable
# the SSH block for the router must come before the LAN-wide accept, or it never matches
-A INPUT -s 192.168.199.1/32 -p tcp -m tcp --dport 22 -j DROP
# everything else from the LAN
-A INPUT -s 192.168.199.0/24 -j ACCEPT
#-P FORWARD DROP
-P OUTPUT ACCEPT
COMMIT