OH5 Apache Reverse Proxy issues

  • Platform information:
  • Issue of the topic:
    I have just started with OpenHAB and decided I wanted to run snapshots, as I don't have anything critical here. I set up the entire system, and decided to expose it through a reverse proxy. I am using apache2 as the reverse proxy on a separate host, since that is what I have to handle inbound internet traffic. This resulted in a 502 bad gateway in my browser. Note: I can access directly via local IP with no issues at all. Wget gives invalid_preface. See the karaf logs below as well. Does 5.0.0 only support http2? Am I doing something wrong? Ideally I do not want to use apache mod_proxy_http2.

Update: I have tried a variety of apache settings (aside from mod_proxy_http2) and I am convinced that this is a http2 issue as opposed to proxy settings. Setting reverse proxy to use http instead of https, the site is loading fine. wget works as well. It seems specifically restricted to https. I would still prefer to use https even internally though. Can anyone confirm if this is the case in 4.3 as well?

  • Please post configurations (if applicable):
    probably not applicable here
  • If logs were generated please post these here using code fences:
```
java.io.IOException: protocol_error/invalid_preface
        at org.eclipse.jetty.http2.HTTP2Session.toFailure(HTTP2Session.java:631) ~[?:?]
        at org.eclipse.jetty.http2.HTTP2Session.access$2800(HTTP2Session.java:81) ~[?:?]
        at org.eclipse.jetty.http2.HTTP2Session$StreamsState.onSessionFailure(HTTP2Session.java:1921) ~[?:?]
        at org.eclipse.jetty.http2.HTTP2Session$StreamsState.access$400(HTTP2Session.java:1488) ~[?:?]
        at org.eclipse.jetty.http2.HTTP2Session.onSessionFailure(HTTP2Session.java:576) ~[?:?]
        at org.eclipse.jetty.http2.HTTP2Session.onConnectionFailure(HTTP2Session.java:571) ~[?:?]
        at org.eclipse.jetty.http2.parser.Parser$Listener$Wrapper.onConnectionFailure(Parser.java:450) ~[?:?]
        at org.eclipse.jetty.http2.HTTP2Connection$ParserListener.onConnectionFailure(HTTP2Connection.java:407) ~[?:?]
        at org.eclipse.jetty.http2.parser.PrefaceParser.notifyConnectionFailure(PrefaceParser.java:81) ~[?:?]
        at org.eclipse.jetty.http2.parser.PrefaceParser.parse(PrefaceParser.java:62) ~[?:?]
        at org.eclipse.jetty.http2.parser.ServerParser.parse(ServerParser.java:105) ~[?:?]
        at org.eclipse.jetty.http2.HTTP2Connection$HTTP2Producer.produce(HTTP2Connection.java:271) ~[?:?]
        at org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.produceTask(EatWhatYouKill.java:362) ~[bundleFile:9.4.57.v20241219]
        at org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.doProduce(EatWhatYouKill.java:186) ~[bundleFile:9.4.57.v20241219]
        at org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.tryProduce(EatWhatYouKill.java:173) ~[bundleFile:9.4.57.v20241219]
        at org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.produce(EatWhatYouKill.java:137) ~[bundleFile:9.4.57.v20241219]
        at org.eclipse.jetty.http2.HTTP2Connection.produce(HTTP2Connection.java:193) ~[?:?]
        at org.eclipse.jetty.http2.server.HTTP2ServerConnection.onOpen(HTTP2ServerConnection.java:138) ~[?:?]
        at org.eclipse.jetty.io.AbstractEndPoint.upgrade(AbstractEndPoint.java:444) ~[?:?]
        at org.eclipse.jetty.server.NegotiatingServerConnection.onFillable(NegotiatingServerConnection.java:130) ~[?:?]
        at org.eclipse.jetty.io.AbstractConnection$ReadCallback.succeeded(AbstractConnection.java:311) ~[?:?]
        at org.eclipse.jetty.io.FillInterest.fillable(FillInterest.java:105) ~[?:?]
        at org.eclipse.jetty.io.ssl.SslConnection$DecryptedEndPoint.onFillable(SslConnection.java:555) ~[?:?]
        at org.eclipse.jetty.io.ssl.SslConnection.onFillable(SslConnection.java:410) ~[?:?]
        at org.eclipse.jetty.io.ssl.SslConnection$2.succeeded(SslConnection.java:164) ~[?:?]
        at org.eclipse.jetty.io.FillInterest.fillable(FillInterest.java:105) ~[?:?]
        at org.eclipse.jetty.io.ChannelEndPoint$1.run(ChannelEndPoint.java:104) ~[?:?]
        at org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.runTask(EatWhatYouKill.java:338) ~[bundleFile:9.4.57.v20241219]
        at org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.doProduce(EatWhatYouKill.java:315) ~[bundleFile:9.4.57.v20241219]
        at org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.tryProduce(EatWhatYouKill.java:173) ~[bundleFile:9.4.57.v20241219]
        at org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.run(EatWhatYouKill.java:131) ~[bundleFile:9.4.57.v20241219]
        at org.eclipse.jetty.util.thread.ReservedThreadExecutor$ReservedThread.run(ReservedThreadExecutor.java:409) ~[bundleFile:9.4.57.v20241219]
        at org.eclipse.jetty.util.thread.QueuedThreadPool.runJob(QueuedThreadPool.java:883) ~[bundleFile:9.4.57.v20241219]
        at org.eclipse.jetty.util.thread.QueuedThreadPool$Runner.run(QueuedThreadPool.java:1034) ~[bundleFile:9.4.57.v20241219]
        at java.lang.Thread.run(Unknown Source) [?:?]
```

I decided to try using apache proxy_http2 while I wait. No luck unfortunately, so that was not my ?only? issue.

```
root@webserver:/etc/apache2/sites-available# a2query -m proxy_http2
proxy_http2 (enabled by site administrator)
```

Here is my apache config (I have tried various ssl settings found in other threads).

```apache
<VirtualHost *:443>

    ServerName smarthub.<domain removed>
    SSLEngine on
    SSLCertificateFile /etc/letsencrypt/live/<domain removed>/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/<domain removed>/privkey.pem
    ProxyPreserveHost On
    SSLProxyEngine on
    SSLProxyVerify none
    #RequestHeader unset Authorization
    SSLProxyCheckPeerName off

    <Location />
        Require ip 192.168
        ProxyPass "https://<IP Removed>/"
        ProxyPassReverse "https://<IP Removed>/"
    </Location>

    ErrorLog ${APACHE_LOG_DIR}/smarthub.<domain removed>-error.log
    CustomLog ${APACHE_LOG_DIR}/<domain removed>-access.log combined
</VirtualHost>
```

I have a longer log of one connection attempt, but unfortunately it is too long to put in text here, and I am a new user so upload is disabled.
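The stack trace above ends in Jetty's `PrefaceParser` after `NegotiatingServerConnection` has handed the connection to `HTTP2ServerConnection`: the backend expected the HTTP/2 connection preface and instead received something else, which is exactly what an HTTP/1.1 request line looks like to it. Apache's `mod_proxy_http` (`https://` targets) speaks HTTP/1.1 to the backend; `mod_proxy_http2` (`h2://` targets) speaks HTTP/2. The vhost below is an added example written for this thread, not the configuration posted by either participant and not openHAB project documentation. It shows the `h2://` target together with backend certificate verification kept on rather than `SSLProxyVerify none`, which matters if the reason for internal TLS is an untrusted device on the LAN: with verification off, anything answering on that IP and port is accepted as openHAB. The hostnames `smarthub.example.org` and `openhab.internal`, the port, the `192.168.0.0/16` range and the path `/etc/apache2/openhab-backend.pem` are assumptions.

```apache
# Added example for this thread (not the poster's or replier's config).
# Assumes: a2enmod ssl proxy proxy_http2 headers; backend openhab.internal:8443
# serves a self-signed certificate that has been exported to
# /etc/apache2/openhab-backend.pem (a self-signed cert listed as a trusted CA
# verifies against itself, so no extra CA is needed).
<VirtualHost *:443>
    ServerName smarthub.example.org

    SSLEngine on
    SSLCertificateFile    /etc/letsencrypt/live/smarthub.example.org/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/smarthub.example.org/privkey.pem
    # Sets SSLProtocol/SSLCipherSuite; any site-specific SSL* override goes after it.
    Include /etc/letsencrypt/options-ssl-apache.conf

    # Backend TLS: verify the openHAB certificate instead of trusting any peer.
    SSLProxyEngine on
    SSLProxyVerify require
    SSLProxyVerifyDepth 1
    SSLProxyCACertificateFile /etc/apache2/openhab-backend.pem
    # The certificate's CN/SAN must cover the backend name that is checked;
    # with ProxyPreserveHost On, confirm which name Apache compares.
    SSLProxyCheckPeerName on

    ProxyPreserveHost On
    # h2:// selects mod_proxy_http2 (HTTP/2 over TLS to the backend).
    # https:// here would select mod_proxy_http and send HTTP/1.1, which an
    # HTTP/2-only listener rejects with invalid_preface.
    ProxyPass        "/" "h2://openhab.internal:8443/"
    # Location/Content-Location headers from the backend carry https:// URLs.
    ProxyPassReverse "/" "https://openhab.internal:8443/"

    <Location "/">
        AuthType Basic
        AuthName "smarthub"
        AuthUserFile /etc/apache2/.htpasswd
        # Both conditions: request must come from the LAN AND carry valid credentials.
        <RequireAll>
            Require ip 192.168.0.0/16
            Require valid-user
        </RequireAll>
    </Location>
    # Proxy-side basic auth is consumed here; do not forward the header to openHAB.
    RequestHeader unset Authorization

    ErrorLog  ${APACHE_LOG_DIR}/smarthub.example.org-error.log
    CustomLog ${APACHE_LOG_DIR}/smarthub.example.org-access.log combined
</VirtualHost>
```

After `apachectl configtest` and a reload, a failed backend handshake shows up in the vhost error log as a proxy SSL verification error rather than a 502 with `invalid_preface` on the openHAB side, which is the distinction worth checking first when the two hosts are on different machines. If the self-signed certificate is regenerated on the openHAB host, the pinned file must be replaced too.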

Hi, my proxy pass setting is not in the ‘location’ tag.
This is my config for openhab 4.1.2

```apache
<VirtualHost *:443>
ServerName [name]

SSLEngine on
SSLProxyEngine on
SSLProxyVerify none
SSLProxyCheckPeerCN off
SSLProxyCheckPeerName off
SSLProxyCheckPeerExpire off
SSLProtocol -all +TLSv1.3 +TLSv1.2
SSLHonorCipherOrder on
SSLCipherSuite TLSv1.3 TLS_AES_256_GCM_SHA384:TLS_AES_128_GCM_SHA256
SSLCipherSuite SSL ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256
ProxyPreserveHost On
ProxyPass / https://myopenhab:8443/
ProxyPassReverse / https://myopenhab:8443/ /
RequestHeader set Authorization ""

<Location />
AuthType Basic
AuthName "restricted"
AuthUserFile /etc/apache2/.htpasswd
Require valid-user
</Location>

SSLCertificateFile /etc/letsencrypt/live/[name]/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/[name]/privkey.pem
Include /etc/letsencrypt/options-ssl-apache.conf
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
</VirtualHost>
```

Thank you for the response! I actually used to have the proxypass outside the location tag, but I moved it in to clean it up. It works inside the location tags with plain http too. I will try to mirror these other settings and see if it makes a difference.

Update: I replaced my config with yours, and it worked. I started removing config to see what setting it was, and nothing ended up breaking my config… I went back to my original config and it worked. I think this was a caching issue since I did not clear browser after enabling proxy_http2.

Do you have this mod enabled, or does OH4.X accept HTTP1.1 requests? I know that even though this mod is “experimental” it is very stable, but I am concerned about potential changes to it.

```
a2query -m proxy_http2
```

PS. You have an extra ‘/’ after your ProxyPassReverse, and your letsencrypt options Include probably overwrites some of your SSL settings.

Ah dang. He is correct. I am complaining. Doc change would be useful. If I have permissions I will try to update them sometime this week.

When using a proxy, you normally would proxy the plain HTTP port …

Yes, for sure normally. However, even though there is not a ton of reason to use encrypted connections internally, I believe it is becoming more and more common. There is nothing wrong with it. I know it is nitpicking/paranoid, but there could be a device on my network that I do not fully trust/could have some sort of vulnerability/etc. Just from the reading I have done while trying to figure out my issue, there have been a dozen+ threads about it. Apache ?and nginx? will probably still use HTTP 1.1 for default backend https connections by the time 5.0 is released stable, and there will be others encountering this “issue”.

All that being said, I am not in a position here to ask for HTTP 1.1 support for my somewhat trivial case. It certainly isn’t worth any real effort or sacrifices. Apache proxy_http2 ?and the nginx equivalent? are well developed and fully featured for a use case like this AFAIK. Doc updates should be done.