OH4 behind nginx reverse proxy

Hi,

I have an OH4 instance running on a Raspberry Pi (http://192.168.1.151:8080/) behind a wifi router. I can’t access it directly from outside. On the same network I have an old laptop (Dell Latitude 2100) running nginx that I want to configure as a reverse proxy. Nginx is listening on port 4040 and I want to access my OH instance with URL http://dell_latitude_2100:4040/raspi3-01/openhab/

Here is my actual nginx config on the laptop; I found some tips on forums… and I did my best…

server {
  listen 4040;

  # Cross-Origin Resource Sharing
  add_header 'Access-Control-Allow-Origin' '*' always;
  add_header 'Access-Control-Allow_Credentials' 'true' always;
  add_header 'Access-Control-Allow-Headers' 'Authorization,Accept,Origin,DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Content-Range,Range' always;
  add_header 'Access-Control-Allow-Methods' 'GET,POST,OPTIONS,PUT,DELETE,PATCH' always;
  add_header Set-Cookie X-OPENHAB-AUTH-HEADER=1;
  proxy_set_header Authorization          "";

  location /raspi3-01/openhab/ {
    proxy_pass                            http://192.168.1.151:8080/;
    proxy_set_header Host                 $http_host;
    proxy_set_header X-Real-IP            $remote_addr;
    proxy_set_header X-Forwarded-For      $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto    $scheme;
    proxy_read_timeout                    3600;
    proxy_set_header Upgrade              $http_upgrade;
    proxy_set_header Connection           "Upgrade";

    sub_filter_types application/javascript text/xml text/css text/javascript application/json text/plain;
    sub_filter_once off;
    sub_filter ' href="/' ' href="/raspi3-01/openhab/';
    sub_filter ' src="/' ' src="/raspi3-01/openhab/';
    sub_filter ' action="/' ' action="/raspi3-01/openhab/';

    sub_filter '/rest/' '/raspi3-01/openhab/rest/';
    sub_filter '"/icon/' '"/raspi3-01/openhab/icon/';
    sub_filter '"/basicui/' '"/raspi3-01/openhab/basicui/';
    sub_filter '"/chart' '"/raspi3-01/openhab/chart';
  }
}

I can reach my OH instance… but after some seconds OH returns a web page with an “openHAB is offline” error. If I use http://192.168.1.151:8080/ I get the login page, so OH is ok.

If I remove the sub_filter lines, I get a blank page and nothing happens.

What’s wrong?

Thks,
Manuel
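
An added example, not part of the original post and not openHAB or nginx project code: a small Python check run over a trimmed copy of the server block posted above. It reports that the server-level `proxy_set_header Authorization ""` is not applied inside the `location` (nginx inherits `proxy_set_header` from the outer level only when the current level sets none), and that the CORS headers pair a wildcard origin with a credentials header whose name is misspelled. The names `parse`, `lint`, `TOKEN`, `CORS` and `SAMPLE` are this example's own.

```python
import re

TOKEN = re.compile(r'"[^"]*"|\'[^\']*\'|#[^\n]*|[{};]|[^\s{};]+')
CORS = {"access-control-" + s for s in ("allow-origin", "allow-credentials",
        "allow-headers", "allow-methods", "expose-headers", "max-age")}
# Trimmed copy of the posted server block, embedded so the check runs offline.
SAMPLE = """
server {
  add_header 'Access-Control-Allow-Origin' '*' always;
  add_header 'Access-Control-Allow_Credentials' 'true' always;
  proxy_set_header Authorization "";
  location /raspi3-01/openhab/ {
    proxy_pass http://192.168.1.151:8080/;
    proxy_set_header Host $http_host;
  }
}
"""

def parse(src, head=("main",)):
    """Parse nginx config into nested blocks: head words, directives, child blocks."""
    toks = iter(TOKEN.findall(src)) if isinstance(src, str) else src
    blk, cur = {"head": head, "dirs": [], "kids": []}, []
    for t in toks:
        if t == "}":                          # end of the current block
            break
        if t == ";":
            blk["dirs"].append(cur); cur = []
        elif t == "{":                        # words collected so far name the block
            blk["kids"].append(parse(toks, cur)); cur = []
        elif t[0] != "#":                     # skip comments, unquote strings
            cur.append(t[1:-1] if t[0] in "\"'" else t)
    return blk

def lint(blk, inherited=()):
    """Return findings for this block and, recursively, for its nested blocks."""
    where, dirs = " ".join(blk["head"]), [d for d in blk["dirs"] if len(d) > 2]
    own = [(d[1].lower(), d[1]) for d in dirs if d[0] == "proxy_set_header"]
    out = [f"{where}: proxy_set_header {n} from the outer level is not inherited here"
           for k, n in inherited if own and k not in dict(own)]
    added = {d[1].lower(): d[2] for d in dirs if d[0] == "add_header"}
    out += [f"{where}: {h} is not a CORS response header name"
            for h in added if h.startswith("access-control") and h not in CORS]
    if added.get("access-control-allow-origin") == "*" and any("credentials" in h for h in added):
        out.append(f"{where}: wildcard origin is rejected for credentialed requests")
    for kid in blk["kids"]:                   # a level with its own headers replaces the outer set
        out += lint(kid, own or inherited)
    return out

print("\n".join(lint(parse(SAMPLE))))
```
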

Wouldn’t it be easier and more secure to use myopenhab.org and the cloud plugin?

Thank you Wolfgang for your reply.

I didn’t look at myopenhab yet. But I’m trying to stay as independent as possible from external services :wink:

And here are some more details: For my research activities (on data governance) I’m using several IoT platforms. I’m currently using two OH4 instances (1 Raspberry Pi 3 B+, 1 Raspberry Pi 4), one HomeAssistant instance (another Raspberry Pi 3 B+), one (old) laptop to fetch open data and send it via MQTT, a standalone weather station, etc. So I put all those devices on a private network behind my router, which is itself behind the university NAT. No access from outside for now, even from the university network (I don’t want students to “enter” my testbed). But they can publish data to outside that I get on my working laptop (running another OH4 instance and another HA instance and some other programs…).

When I’m near my wifi router, I can connect to it and, being inside my private network, I can access GUI for OH or HA. But when I’m “anywhere else” on the university network, I want to be able to access those GUIs through a nginx proxy for instance (cf. various “location” entries). Doing so, I’ll need to open only one port on my router (ex: 4040).

Hope I succeeded in explaining my needs :wink:

But if myopenhab can go through 2 routers, doesn’t need to open too many ports and can manage several OH instances (or do I need several accounts?), it could be an interesting solution.

MM

I suggest not spending time on reinventing the wheel on basic stuff to figure out all the details. That’s a totally unnecessary, time and nerves consuming task.
Put your time and energy into better home automation instead.

So my prime suggestion would be to check out myopenhab.org, too.
It’s professionally managed, reliable, someone operates it for you 24/7, and it’s free (unlike with Home Assistant …) so why not use it?

If by all means you want to do it on your own, use openHABian. It has a ready-to-use nginx option.

I think you meant openhabian

myopenhab.org can work with any OH instance that can reach out to the Internet and requires 0 open ports. The OH initiates the connection to myopenhab.org so there’s no need for anything from the Internet to initiate a connection through your firewall (i.e. no open ports).

However, you will need a separate account for each OH instance.

You can run your own instance of myopenhab.org (i.e. the openHAB Cloud Server) but that needs to be accessible from the Internet. All you’ve really done is move the original problem, not solved it.

If that doesn’t work for you or you need a more universal solution to access other services than OH, a VPN of some sort might be a better solution. It’s easier to secure and monitor a VPN than it is a reverse proxy. Some like Tailscale do not even require opening ports.

yes of course

Hi,
You should check the nginx error logs first. If you have Linux, it is under “/var/log/nginx”; if you have Windows, I have no clue where it is :slightly_smiling_face:. It could contain some hints as to what the issue is.