OH3 behind haproxy

Hi,

I have had OH behind OPNsense firewall’s HAproxy for years. Now that I updated to OH3 I can’t get the login to work. It just loops me in the credentials popup dialog. Nothing in OH logs, but Firefox has this for each auth try:

    Initializing state tracking store proxy app.js:37:1835
    Uncaught (in promise) undefined
    Uncaught (in promise) undefined
    Using passed credentials app.js:7:121713
    Uncaught (in promise) undefined app.js:32:436561
        loadData https://o.mydomain.com/js/app.js:32
    Uncaught (in promise) undefined
    Uncaught (in promise) undefined

I asked this in this thread: OH3 with NGINX Reverse Proxy and Authentication - #57 by ikkeT, but I am opening a separate topic as that’s not exactly an HAproxy thread.

You can see from there I did the same as @rikoshak did with pfsense, which likely is pretty much the same implementation of haproxy. But for me it won’t work:

    http-request add-header Set-Cookie XOPENHAB-AUTH-HEADER=1;path=/;Secure 
    http-request del-header Authorization 

These settings are from /usr/local/etc/haproxy.conf so it’s easier than describing the GUI. So as discussed in the thread, I add the options for the cookie, and drop the Authorization header.

I have screenshots from the cookie in the other thread here: OH3 with NGINX Reverse Proxy and Authentication - #59 by ikkeT

Any idea what goes wrong there in the auth dialog? HAproxy does basic-auth first, I want there to be the point of https termination and authorization to get to any of my home things. Then I’d like the openhab to authenticate for the admin user. But that fails now.

OpenHAB itself is running on Fedora-IoT Linux within a podman container, which works fine from local network over http, including the auth when using it from local net bypassing the haproxy.

Those are JavaScript errors. It appears some programmer did not perform proper error checking so you would know what exactly failed.

Yes they are, and I forgot to mention those errors don’t appear while I connect directly bypassing haproxy.

Do these errors appear when you switch to basic auth?

I can try, just please tell me how? I saw basic auth for API setting, do you mean that? And do I have to change something for the cookie setting in haproxy?

How is the architecture of web GUI? Is it such modern separated service that openhab would be totally API driven and the web GUIs just use the same APIs as any external automation? So is it a question of this web app now having troubles authenticating to API as there is HAproxy in between not doing something it should?

I switched the API to basic auth:

    XHR POST https://o.mydomain.com/rest/auth/token?useCookie=true
    [HTTP/1.1 200 OK 440ms]

    Cookie “X-OPENHAB-SESSIONID” will be soon rejected because it has the “sameSite” attribute set to “none” or an invalid value, without the “secure” attribute. To know more about the “sameSite“ attribute, read https://developer.mozilla.org/docs/Web/HTTP/Headers/Set-Cookie/SameSite token
    XHR HEAD https://o.mydomain.com/rest/sitemaps
    [HTTP/1.1 200 OK 39ms]

    Stop tracking states app.js:37:3383
    XHR GET https://o.mydomain.com/rest/
    [HTTP/1.1 401 Unauthorized 2ms]

    Uncaught (in promise) undefined
    XHR GET https://o.mydomain.com/rest/
    [HTTP/1.1 401 Unauthorized 10ms]

    Uncaught (in promise) undefined
    Using passed credentials app.js:7:121713
    XHR GET https://o.mydomain.com/rest/
    [HTTP/1.1 401 Unauthorized 3ms]

    Uncaught (in promise) undefined app.js:32:436561
    XHR GET https://o.mydomain.com/rest/
    [HTTP/1.1 401 Unauthorized 26ms]

    Uncaught (in promise) undefined
    XHR GET https://o.mydomain.com/rest/
    [HTTP/1.1 401 Unauthorized 22ms]

    Uncaught (in promise) undefined
    Using passed credentials app.js:7:121713
    XHR GET https://o.mydomain.com/rest/
    [HTTP/1.1 401 Unauthorized 27ms]

    Uncaught (in promise) undefined app.js:32:436561
    XHR GET https://o.mydomain.com/rest/
    [HTTP/1.1 401 Unauthorized 26ms]

    Uncaught (in promise) undefined
    XHR GET https://o.mydomain.com/rest/
    [HTTP/1.1 401 Unauthorized 26ms]

    Uncaught (in promise) undefined

BTW, I tested the REST API with curl and Postman, and using basic auth at HAproxy, it lists items and toggles devices on and off just fine. API is now set back to having basic auth off.

    curl -u foo:bar -X GET --header "Accept: application/json" "https://o.mydomain.com/rest/items?recursive=false"