Note: from a security perspective, that second line is rather important to include when you’re doing authorization at the reverse proxy level, it ensures the header containing the credentials meant to be exclusively for the proxy, are filtered out and not transmitted (likely in clear text) in the internal network.
Is there a link to the authentication model for OH3 and X-OPENHAB-AUTH-HEADER? A quick search here doesn’t match anything. I’m confused about the authentication support in OH3. I use a webbrowser that doesn’t support Basic Authentication and it would great if OH3 kept a cookie or supported Oauth.
See the current template at https://github.com/openhab/openhabian/edit/master/includes/nginx.conf.
Should I just add another add_header (i.e. line 24) or does it have to be inside the ‘location’ block as @ysc said ? Would I even need another such block ?
OH2 with nginx with Basic Auth - when I open Paper UI or Basic UI I needed to enter login and password same as in /etc/nginx/.htpasswd
on same nginx conf but on OH3 - when I open Openhab Main UI or Basic UI I needed to enter login and password set for administrator from Main UI
now I added SSL to nginx and on OH3 - when I open Main UI or Basic UI I enter login and pass from .htpasswd and also in Main UI addidtional login and pass for administrator.
You would need to create a user other than admin inside OH3, preferrably same name what you use in your oh client app and nginx conf.
Dunno how I think I saw some post here about doing that in Karaf console but I don’t find it any more.
(ping @hmerk I might be mistaken but wasn it you to write that?)
Of course there is if you do not remove it from nginx.
Since you probably want to access without password, you need to create an oh user (and use that on the client side) inside oh3 and disable auth in nginx.
That’s a rather bumpy migration path in terms of security.
I had a haproxy setup with OH2 which works as expected.
On OH3, the first thing i had done (for some minutes at least) was to remove the basicauth in haproxy, because i thought, this would be handled by OH3 now.
I was wrong and my KNX/Hue/Zigbee-Setup was exposed to the world.
Will there be a usermanagement/basicauth for REST and basicui on the OH3-Side?
Basic Auth for managing in the REST API is available but turned off by default since in most cases the API Token is more secure.
The Main UI has authentication for management but not for operation. Since the Basic UI is controlled by managed site maps and does not manage OH there is no authentication.