OH3 with NGINX Reverse Proxy and Authentication

I was just coming here to add this, thanks! :wink:

Note: from a security perspective, that second line is rather important to include when you're doing authorization at the reverse proxy level. It ensures that the header containing the credentials, which are meant exclusively for the proxy, is filtered out and not transmitted (likely in clear text) on the internal network.

Is there a link to the authentication model for OH3 and X-OPENHAB-AUTH-HEADER? A quick search here doesn't match anything. I'm confused about the authentication support in OH3. I use a web browser that doesn't support Basic Authentication and it would be great if OH3 kept a cookie or supported OAuth.

If you use Traefik as reverse proxy, these lines do the job for basic auth. Append them to the OH service under “labels” in your docker-compose file.

      - traefik.http.routers.openhab.middlewares=auth,oh
      - traefik.http.middlewares.auth.basicauth.users=[generated by htpasswd]
      - traefik.http.middlewares.auth.basicauth.removeHeader=true
      - traefik.http.middlewares.oh.headers.customresponseheaders.Set-Cookie=X-OPENHAB-AUTH-HEADER=1

See the current template at https://github.com/openhab/openhabian/edit/master/includes/nginx.conf.
Should I just add another add_header (i.e. line 24) or does it have to be inside the 'location' block as @ysc said? Would I even need another such block?

Hello,
I'm trying to make it work, but even after adding these lines to the nginx config file I still get a "502 Bad Gateway" response.
Any ideas?

Thanks @ranielsen :slight_smile:
Would someone happen to know the equivalent for Apache?
Edit: a bit of digging later, I found a working config!

# Tell the openHAB UI that the proxy owns the Authorization header
Header set Set-Cookie "X-OPENHAB-AUTH-HEADER=1"
ProxyPreserveHost On
ProxyPass / http://127.0.0.1:8080/
# ProxyPassReverse takes the path first, then the backend URL
ProxyPassReverse / http://127.0.0.1:8080/
# `Header` acts on the response; it is `RequestHeader` that stops the credentials going upstream
Header add Authorization ""
# Blank out the proxy's Basic credentials so they are not forwarded to openHAB
RequestHeader set Authorization ""

This is my nginx config:

##################################
# openHABian NGINX Configuration #
##################################

## Reverse Proxy to openHAB
server {
    listen                          1234;
    server_name                     xxxxxxxxx;
    # Tells the openHAB UI that the Authorization header is owned by the proxy
    add_header Set-Cookie X-OPENHAB-AUTH-HEADER=1;
    location / {
        proxy_pass                              http://localhost:8080;
        proxy_set_header Host                   $http_host;
        proxy_set_header X-Real-IP              $remote_addr;
        proxy_set_header X-Forwarded-For        $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto      $scheme;
        # Empty value: nginx drops the header, so the proxy credentials never reach openHAB
        proxy_set_header Authorization          "";
        auth_basic                              "Username and Password Required";
        auth_basic_user_file                    /etc/nginx/.htpasswd;
    }
}

And OPENHAB 3 settings:
[Screenshot 2020-12-7 at 10.02.05 of the openHAB 3 settings]

So if I have proxy_set_header Authorization ""; added to nginx config I can turn off “Allow Basic Authentication” in OH settings?

Now that OH3 uses API tokens, do these lines still need to be in the nginx conf?

auth_basic                              "Username and Password Required";
auth_basic_user_file                    /etc/nginx/.htpasswd;

What is the best way now to secure connections to OPENHAB 3.0?

Did you or anyone figure it out?

As far as I checked:

OH2 with nginx with Basic Auth: when I opened Paper UI or Basic UI I needed to enter the same login and password as in /etc/nginx/.htpasswd.

Same nginx conf but on OH3: when I open the openHAB Main UI or Basic UI I need to enter the login and password set for the administrator from Main UI.

Now I added SSL to nginx and on OH3, when I open Main UI or Basic UI I enter the login and password from .htpasswd and also, in Main UI, an additional login and password for the administrator.

Here is my new nginx config:

##################################
# openHABian NGINX Configuration #
##################################

## Redirect plain HTTP to HTTPS
server {
    listen                          80;
    server_name                     xxxxxxxx;
    return 301                      https://$server_name$request_uri;
}

## Reverse Proxy to openHAB
server {
    listen                          443 ssl;
    server_name                     xxxxxxxx;
    ssl_certificate                 /etc/ssl/openhab.crt;
    ssl_certificate_key             /etc/ssl/openhab.key;
    # Tells the openHAB UI that the Authorization header is owned by the proxy
    add_header Set-Cookie X-OPENHAB-AUTH-HEADER=1;

    location / {
        proxy_pass                              http://localhost:8080;
        proxy_set_header Host                   $http_host;
        proxy_set_header X-Real-IP              $remote_addr;
        proxy_set_header X-Forwarded-For        $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto      $scheme;
        proxy_set_header Upgrade                $http_upgrade;
        # Empty value: nginx drops the header, so the proxy credentials never reach openHAB
        proxy_set_header Authorization          "";
        # satisfy any: a request passes if it comes from an allowed address OR has valid Basic credentials
        satisfy                                 any;
        allow                                   192.168.0.0/24;
        allow                                   127.0.0.1;
        deny                                    all;
        auth_basic                              "Username and Password Required";
        auth_basic_user_file                    /etc/nginx/.htpasswd;
    }

    location /grafana/ {
        proxy_pass                              http://localhost:3000/;
        proxy_set_header Host                   $http_host;
        proxy_set_header X-Real-IP              $remote_addr;
        proxy_set_header X-Forwarded-For        $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto      "https";
        auth_basic                              "Unauthorised access prohibited";
        auth_basic_user_file                    /etc/nginx/.htpasswd;
    }

    location /frontail/ {
        proxy_pass                              http://localhost:9001;
        # HTTP/1.1 is required for the WebSocket upgrade headers below to work
        proxy_http_version                      1.1;
        proxy_set_header Host                   $http_host;
        proxy_set_header X-Real-IP              $remote_addr;
        proxy_set_header X-Forwarded-For        $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto      $scheme;
        proxy_set_header Connection             "upgrade";
        proxy_set_header Upgrade                $http_upgrade;
    }
}
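Added example (not code from openHAB, nginx or any poster in this thread): the request handling that the two nginx configs above express declaratively, written out as plain Python so the security-relevant behaviour can be exercised offline. It models `satisfy any` with `allow`/`deny` plus `auth_basic` (pass if the client IP is on the allow list OR the Basic credentials match the htpasswd file), and `proxy_set_header Authorization ""` (the proxy's own credentials are stripped before anything is forwarded upstream, while the X-Forwarded-* headers and the `X-OPENHAB-AUTH-HEADER=1` cookie are added). Assumptions: the htpasswd file uses Apache's `{SHA}` scheme (`htpasswd -s`, i.e. base64(sha1(password))), chosen only because it needs no third-party module; the user name, password and IP addresses are constructed sample data.

```python
"""Added example, not openHAB, nginx or forum-poster code: the `location /`
block of the nginx configs in this thread as testable Python functions.

Assumption: htpasswd entries use Apache's `{SHA}` format (`htpasswd -s`).
All users, passwords and addresses below are constructed sample data.
"""
import base64
import hashlib
import hmac
import ipaddress

ALLOW_NETS = ["192.168.0.0/24", "127.0.0.1"]  # the `allow` lines from the config


def sha_entry(user: str, password: str) -> str:
    """Build one `{SHA}` htpasswd line (what `htpasswd -s` would emit)."""
    digest = base64.b64encode(hashlib.sha1(password.encode()).digest()).decode()
    return f"{user}:{{SHA}}{digest}"


def basic_header(user: str, password: str) -> str:
    """Build the `Authorization: Basic ...` value a browser would send."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()


# Constructed sample htpasswd content; the password exists only for this example.
HTPASSWD_TEXT = sha_entry("ohuser", "correct horse battery staple") + "\n"


def parse_htpasswd(text: str) -> dict:
    """Map user -> stored hash string, ignoring blank and comment lines."""
    users = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and ":" in line:
            user, stored = line.split(":", 1)
            users[user] = stored
    return users


def basic_auth_user(auth_header, users: dict):
    """Return the authenticated user name, or None if the header is missing,
    malformed, or the password does not match the stored `{SHA}` hash."""
    if not auth_header or not auth_header.startswith("Basic "):
        return None
    try:
        raw = base64.b64decode(auth_header[6:], validate=True).decode()
        user, password = raw.split(":", 1)
    except ValueError:  # bad base64, bad UTF-8, or no ':' separator
        return None
    stored = users.get(user)
    if stored is None or not stored.startswith("{SHA}"):
        return None
    expected = base64.b64encode(hashlib.sha1(password.encode()).digest()).decode()
    # Constant-time comparison: do not leak how much of the hash matched.
    return user if hmac.compare_digest(stored[5:], expected) else None


def ip_allowed(client_ip: str, nets=ALLOW_NETS) -> bool:
    """nginx `allow` semantics for a list of CIDRs or single addresses."""
    addr = ipaddress.ip_address(client_ip)
    return any(addr in ipaddress.ip_network(n, strict=False) for n in nets)


def handle(request_headers: dict, client_ip: str, scheme: str, users: dict):
    """Decide like the `location /` block. Returns (status, response_headers,
    upstream_headers); upstream_headers is None when nothing is forwarded."""
    authed = basic_auth_user(request_headers.get("Authorization"), users)
    if not (ip_allowed(client_ip) or authed):  # `satisfy any`
        challenge = {"WWW-Authenticate": 'Basic realm="Username and Password Required"'}
        return 401, challenge, None

    # What the upstream openHAB actually receives: everything except the
    # proxy's own Authorization header (proxy_set_header Authorization "").
    upstream = {k: v for k, v in request_headers.items() if k.lower() != "authorization"}
    upstream["Host"] = request_headers.get("Host", "")
    upstream["X-Real-IP"] = client_ip
    prior = request_headers.get("X-Forwarded-For")  # $proxy_add_x_forwarded_for
    upstream["X-Forwarded-For"] = f"{prior}, {client_ip}" if prior else client_ip
    upstream["X-Forwarded-Proto"] = scheme
    # The cookie from the config, telling the UI the proxy owns Authorization.
    response = {"Set-Cookie": "X-OPENHAB-AUTH-HEADER=1"}
    return 200, response, upstream


if __name__ == "__main__":
    users = parse_htpasswd(HTPASSWD_TEXT)
    good = basic_header("ohuser", "correct horse battery staple")
    cases = [("203.0.113.7", {"Host": "oh.example"}),                       # outside, no creds
             ("203.0.113.7", {"Host": "oh.example", "Authorization": good}),  # outside, good creds
             ("192.168.0.25", {"Host": "oh.example"})]                       # LAN, no creds
    for ip, hdrs in cases:
        status, _, up = handle(hdrs, ip, "https", users)
        leaked = up is not None and "Authorization" in up
        print(f"{ip:14} -> {status}; upstream sees Authorization: {leaked}")
```

Run it as-is to see the three outcomes: an unauthenticated request from outside the LAN gets a 401 and nothing is forwarded, a request with valid credentials is forwarded without its Authorization header, and a LAN request is let through by the allow list alone. Against a real deployment the same check is to put a throwaway listener on the upstream port and confirm that no `Authorization:` line ever arrives from the proxy.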

You would need to create a user other than admin inside OH3, preferably with the same name you use in your OH client app and nginx conf.
Dunno how; I think I saw some post here about doing that in the Karaf console but I can't find it any more.
(ping @hmerk, I might be mistaken but wasn't it you who wrote that?)

Sorry but I dont understand?

I only wrote that now there are two levels of security. The first is the login and password from nginx, and then the login and password for the administrator in Main UI.

Sorry @mstormi, it wasn't me, but I saw that too. Users need to be added on the console atm.

Of course there is if you do not remove it from nginx.
Since you probably want to access without password, you need to create an oh user (and use that on the client side) inside oh3 and disable auth in nginx.

Did you find the post?

EDIT: see Apache Karaf 2.4.5-SNAPSHOT Guides

The post you are looking for is here

Sorry, but I still don't understand what it is for.

I want to have secured connections with OPENHAB.

So if I delete these lines from nginx:
auth_basic "Username and Password Required";
auth_basic_user_file /etc/nginx/.htpasswd;

then will I only need to log in with the login/password set in OH3?
Will it secure the connection for Basic UI also?

yes

it’ll encrypt it with a cert. It won’t do auth again.

That’s a rather bumpy migration path in terms of security.
I had a haproxy setup with OH2 which works as expected.
On OH3, the first thing I had done (for some minutes at least) was to remove the basicauth in haproxy, because I thought this would be handled by OH3 now.
I was wrong and my KNX/Hue/Zigbee-Setup was exposed to the world.

Will there be a usermanagement/basicauth for REST and basicui on the OH3-Side?

cheers

boecko

Basic Auth for managing in the REST API is available but turned off by default since in most cases the API Token is more secure.

The Main UI has authentication for management but not for operation. Since the Basic UI is controlled by managed site maps and does not manage OH there is no authentication.

I see. But the iOS App needs a user name and password.
How is this supposed to work?

@Bruce_Osborne wrote it already

There is a setting to enable it:
