OH3 Apache Reverse-proxy Authentication Fails Unauthorized access

I am having issues just recently when connecting remotely using the proxy setup. It gives me the same issue from the android app, iPhone app, and browser.

The issue began around the time of my update to openHAB 3.1.0.M3 from M2 but I can’t pinpoint the exact date or if it was due to that.

Here is some info that may be helpful (local IPs and hostnames have been masked).

My apache config that has been stable since December of 2020 when I got my last issue resolved is below.

<VirtualHost *:444>
        ServerName xyz.example.com
        SSLEngine on
        Include /etc/letsencrypt/options-ssl-apache.conf
        SSLCertificateFile /etc/letsencrypt/live/example.com/fullchain.pem
        SSLCertificateKeyFile /etc/letsencrypt/live/example.com/privkey.pem
        ProxyPreserveHost on
        ProxyPass      / http://10.0.0.1:8080/
        ProxyPassReverse / http://10.0.0.1:8080/
        RequestHeader set X-Forwarded-Proto "https" env=HTTPS
        <Location />
                AuthType Basic
                AuthName "xyz.example.com 444 "
                AuthUserFile /etc/apache2/.passwd
                Require valid-user
                Allow from 10.0.0.0/255.255.255.0
        </Location>
</VirtualHost>

Here is the link to the thread that helped me figure out what was wrong originally after migrating to OH3, when I had my first issue.

Below is my apache log when I try to use the openhab app on the android phone remotely using the apache proxy setup above. Notice that the first line gets a 200 response but the second gets a 401 Unauthorized access. This tells me that the username/password combo is correct because the first line goes through but somehow it is being prompted for authentication again and failing.

10.0.###.### - openhabuser [10/Apr/2021:08:35:55 -0400] "GET /rest/ HTTP/1.1" 200 6133 "-" "Mozilla/5.0 (Linux; Android 4.0.4; Galaxy Nexus Build/IMM76B) AppleWebKit/535.19 (KHTML, like Gecko) Chrome/18.0.1025.133 Mobile Safari/535.19"
10.0.###.### - openhabuser [10/Apr/2021:08:35:55 -0400] "GET /rest/sitemaps HTTP/1.1" 401 364 "-" "Mozilla/5.0 (Linux; Android 4.0.4; Galaxy Nexus Build/IMM76B) AppleWebKit/535.19 (KHTML, like Gecko) Chrome/18.0.1025.133 Mobile Safari/535.19"

I do have various virtualhosts set up on this server for other functions but to make sure that it is being captured by the correct virtualhost, I added the following two lines to my original virtualhost declaration up top and am now just looking at those two logs specific to this virtualhost. This assures me that it is not an issue with the virtualhost setup.

ErrorLog /var/log/apache2/oh_444_error.log
CustomLog /var/log/apache2/oh_444_access.log combined

I can access with no issue locally when I am on my home network (this bypasses the proxy and password setup).

When accessing from a Firefox browser on an Android phone remotely, I am able to get in. My BasicUI sitemap, however, has a note at the bottom that says “SSE subscription failed. running in fallback mode” and I am getting these errors continuously.

166.175.167.22 - openhabuser [10/Apr/2021:10:11:10 -0400] "GET /rest/sitemaps/xyz/xyz?_=87906b6db52eb8 HTTP/1.1" 401 364 "https://xyz.example.com:444/basicui/app" "Mozilla/5.0 (Android 11; Mobile; rv:87.0) Gecko/87.0 Firefox/87.0"

I’m seeing the same 401 and SSE errors after an upgrade to M3. I haven’t really had time to do any digging yet.

I have a few additional header lines in my conf

Header set Set-Cookie "X-OPENHAB-AUTH-HEADER=1"
Header add Authorization ""
RequestHeader set Authorization ""

And no Allow from, but otherwise my proxy has the same basic setup.

1 Like

I can confirm that it was the upgrade to M3. I just spun up a fresh M2 container and the reverse proxy works as expected again. So there appears to have been some breaking change in M3. I suggest you file an issue on GitHub with the evidence you’ve collected.

Thanks Justin, I’ll do that later today.

As a +1, I have this issue too, after moving from 3.1.0 M1 to M3 in Docker using the milestone-debian image

Oddly, curl from my reverse proxy box to /rest/events/states or others on the OpenHAB endpoint gives a 200 response without my sending any auth credentials or setting any of the headers set in the reverse proxy config.

+1, seeing the same 401 errors in the Android app. Note, this is even without a forward proxy.
Logging on from a browser works fine.
Is there already an issue in GitHub to track this?

Issue has been posted on github at this location. OH3 Apache Reverse-proxy Authentication Fails Unauthorized access · Issue #1277 · openhab/openhab-distro · GitHub

Issue continues to happen with latest milestone build M4.

Did anyone have any luck with this? Seems still broken with OH 3.1 stable for me. I guess I’ll have to downgrade for now until this is fixed

The GitHub issue (link above) is still open. There was some discussion prior to the release of 3.1, but it doesn’t seem that led to a resolution. If you’ve run into the problem, feel free to add a comment there as well; the more data, the more likely the issue can be tracked down.

Thanks, I’ve seen the issue but didn’t have to add anything. I’ll comment there, maybe it helps.

My working apache configuration with OH3.1

<IfModule mod_ssl.c>
<VirtualHost *:443>
    ProxyPreserveHost On
    ServerName openhab.mydomain.com

    # Cross-Origin Resource Sharing
    Header add 'Access-Control-Allow-Origin' '*'
    Header add 'Access-Control-Allow-Credentials' 'true'
    Header add 'Access-Control-Allow-Headers' 'Authorization,Accept,Origin,DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Content-Range,Range'
    Header add 'Access-Control-Allow-Methods' 'GET,POST,OPTIONS,PUT,DELETE,PATCH'

    ProxyTimeout 3600
    # Drop the browser's Basic Authorization header before it reaches openHAB
    RequestHeader unset Authorization
    # "add" (not "set") so cookies emitted by openHAB itself are preserved
    Header add Set-Cookie "X-OPENHAB-AUTH-HEADER=true;path=/;Secure"

    <Location />
        Header add Authorization ""
        ProxyPass http://localhost:8080/
        ProxyPassReverse http://localhost:8080/
        Order allow,deny
        Allow from all

        AuthType Basic
        AuthName "Username and Password Required"
        AuthUserFile /etc/apache2/.htpasswd
        Require valid-user
    </Location>

    SSLCertificateFile /etc/letsencrypt/live/openhab.mydomain.com/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/openhab.mydomain.com/privkey.pem
    Include /etc/letsencrypt/options-ssl-apache.conf
</VirtualHost>
</IfModule>

4 Likes

Thank you for this! Based on what you’ve posted it appears that the problem for the rest of us is the line

RequestHeader set Authorization ""

Replacing that with

RequestHeader unset Authorization

from your config seems to fix the problem. I don’t have time at the moment to do extensive testing but at least I was able to log in to the UI which is a major step in the correct direction.

Perhaps for some reason the UI is misinterpreting that "" in the request header…

Thanks for sharing! My last straw would have been setting the CORS headers, I did not notice anything wrong with the RequestHeader. Or perhaps the issue was X-OPENHAB-AUTH-HEADER=true vs X-OPENHAB-AUTH-HEADER=1. I guess we’ll never know (unless someone does some testing).

@Alahdal Thank you for the help here! I can confirm that the fix in my case was exactly what you mentioned and @JustinG confirmed.

RequestHeader set Authorization ""

needs to be replaced with (note you no longer need the "" at the end)

RequestHeader unset Authorization

My current working config is as follows.

<VirtualHost *:444>
        ServerName xyz.example.com
        SSLEngine on

        Include /etc/letsencrypt/options-ssl-apache.conf
        SSLCertificateFile /etc/letsencrypt/live/example.com/fullchain.pem
        SSLCertificateKeyFile /etc/letsencrypt/live/example.com/privkey.pem

        ProxyPreserveHost on
        ProxyPass      / http://10.0.0.1:8080/
        ProxyPassReverse / http://10.0.0.1:8080/

        Header set Set-Cookie "X-OPENHAB-AUTH-HEADER=1"
        RequestHeader set X-Forwarded-Proto "https" env=HTTPS
        RequestHeader unset Authorization

        <Location />
                AuthType Basic
                AuthName "xyz.example.com 444 "
                AuthUserFile /etc/apache2/.passwd
                Require valid-user
                Allow from 10.0.0.0/255.255.255.0
        </Location>
</VirtualHost>

The following line doesn’t seem to make any difference but I left it in just in case it impacts something I am not seeing.

Header set Set-Cookie "X-OPENHAB-AUTH-HEADER=1"

I will post this in github and close out the bug report…

Header set Set-Cookie "X-OPENHAB-AUTH-HEADER=1"

In my setup this broke the login mechanism of Grafana, which resides in a subdirectory, since the above line replaces all other Set-Cookie headers, including the X-OPENHAB-SESSIONID. That also resulted in my being kicked out of the main UI, and the API explorer became completely unusable.

I changed this to

Header add Set-Cookie "X-OPENHAB-AUTH-HEADER=true;path=/;Secure"

which looks much better to me.

1 Like
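The two pitfalls this thread settled on (forwarding an empty `Authorization` header, and `Header set Set-Cookie` clobbering openHAB's own cookies) are easy to re-introduce when editing a vhost. The following is an added example, not code from the thread or from openHAB: a small Python check that scans an Apache config for exactly those two directives and prints the replacement the thread recommends. The sample config is constructed from the lines quoted above.

```python
import re
from dataclasses import dataclass


@dataclass
class Finding:
    line_no: int
    directive: str
    advice: str


# Pattern 1: forwarding an *empty* Authorization header to openHAB. The thread
# reports 401s on 3.1 M3+ with this line; the fix is to drop the header entirely.
_EMPTY_AUTH = re.compile(r'^\s*RequestHeader\s+set\s+Authorization\s+""\s*$', re.I)
# Pattern 2: "Header set Set-Cookie" replaces every Set-Cookie the backend emits
# (X-OPENHAB-SESSIONID included); "Header add" appends one more instead.
_SET_COOKIE_SET = re.compile(r'^\s*Header\s+set\s+Set-Cookie\b', re.I)


def lint_openhab_proxy(conf_text: str) -> list:
    """Return one Finding per line that matches a known-bad directive."""
    findings = []
    for n, line in enumerate(conf_text.splitlines(), start=1):
        if _EMPTY_AUTH.match(line):
            findings.append(Finding(n, line.strip(),
                            'Replace with: RequestHeader unset Authorization'))
        elif _SET_COOKIE_SET.match(line):
            findings.append(Finding(n, line.strip(),
                            'Use "Header add Set-Cookie ..." so openHAB cookies survive'))
    return findings


# Constructed sample (hypothetical config): the two bad lines followed by their fixes.
SAMPLE_CONF = """\
ProxyPass / http://10.0.0.1:8080/
RequestHeader set Authorization ""
Header set Set-Cookie "X-OPENHAB-AUTH-HEADER=1"
RequestHeader unset Authorization
Header add Set-Cookie "X-OPENHAB-AUTH-HEADER=true;path=/;Secure"
"""

if __name__ == "__main__":
    for f in lint_openhab_proxy(SAMPLE_CONF):
        print(f"line {f.line_no}: {f.directive!r} -> {f.advice}")
```

Run it against your real vhost file with `lint_openhab_proxy(open(path).read())`; only the first two sample lines are flagged, the corrected forms pass.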