First I’ll start by saying I have had the same Apache setup for years now, with it working perfectly till upgrading to OH3. When trying to access my network from an external location, either via the Android app or a browser, I am getting invalid login issues. If I append the basicui/app to the end of the URL, it seems to want to load but only partially loads the page. Let’s assume my openHAB internal IP is 10.0.0.1 and I am using 444 as the external port on Apache. Internal to my network it all works perfectly.
Here is my Apache config.
<VirtualHost *:444>
    ServerName xyz.example.com
    SSLEngine on
    Include /etc/letsencrypt/options-ssl-apache.conf
    SSLCertificateFile /etc/letsencrypt/live/example.com/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/example.com/privkey.pem
    ProxyPreserveHost on
    ProxyPass / http://10.0.0.1:8080/
    ProxyPassReverse / http://10.0.0.1:8080/
    RequestHeader set X-Forwarded-Proto "https" env=HTTPS
    <Location />
        AuthType Basic
        AuthName "xyz.example.com 444 "
        AuthUserFile /etc/apache2/.passwd
        Require valid-user
        Allow from 10.0.0.0/255.255.255.0
    </Location>
</VirtualHost>
If I go to http://10.0.0.1:8080/basicui/app internally, it works as expected. Now if I go to https://xyz.example.com:444, it fails from the app and on a browser. If I go to https://xyz.example.com:444/basicui/app, it halfway loads and seems to fail midway. I don’t see anything odd in my Apache logs. It seems the new UI may have impacted the functionality. I tried playing around with the API Security and toggled allow basic authentication as well as the implicit user role options, but it seems to have no effect. I imagine those options are for if you use openhab.org. Either way, not sure if anyone has any ideas I can try. My workaround now is just using OpenVPN, but it’s an extra step or two to turn that on. I would rather use the reverse-proxy option as I have done previously.
@Bruce_Osborne that did the trick, thank you… Here is the working config I have in case anyone runs into this in the future.
This particular config will use the passwords set in the .htpasswd file. Local access will bypass authentication but if you don’t want that you can remove the “Allow from” line.
<VirtualHost *:444>
    ServerName xyz.example.com
    SSLEngine on
    Include /etc/letsencrypt/options-ssl-apache.conf
    SSLCertificateFile /etc/letsencrypt/live/example.com/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/example.com/privkey.pem
    Header set Set-Cookie "X-OPENHAB-AUTH-HEADER=1"
    ProxyPreserveHost on
    ProxyPass / http://10.0.0.1:8080/
    # ProxyPassReverse takes the local path first, then the backend URL
    ProxyPassReverse / http://10.0.0.1:8080/
    RequestHeader set X-Forwarded-Proto "https" env=HTTPS
    Header add Authorization ""
    # Blank the Basic credentials before the request is proxied to openHAB
    RequestHeader set Authorization ""
    <Location />
        AuthType Basic
        AuthName "xyz.example.com 444 "
        AuthUserFile /etc/apache2/.passwd
        Require valid-user
        Allow from 10.0.0.0/255.255.255.0
    </Location>
</VirtualHost>
Thanks, that helped me out.
If someone gets an error after restarting Apache2 (like I did):
“Invalid command ‘Header’, perhaps misspelled or defined by a module not included in the server configuration”, then just run a2enmod headers to enable mod_headers.
After that, restart your Apache.
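An added example, not part of the thread and not openHAB or Apache project code: a small Python check that compares a vhost against the directives the working config above adds (blanking the Authorization request header, setting the X-OPENHAB-AUTH-HEADER cookie) and reports whether mod_headers is needed. The function names and the trimmed FAILING/WORKING sample vhosts are constructed for illustration.

```python
import re

# Constructed inputs: the two vhosts from the thread, trimmed to the lines this check reads.
COMMON = """\
ProxyPass / http://10.0.0.1:8080/
RequestHeader set X-Forwarded-Proto "https" env=HTTPS
<Location />
AuthType Basic
Require valid-user
</Location>
"""
FAILING = "<VirtualHost *:444>\n" + COMMON + "</VirtualHost>\n"
WORKING = ("<VirtualHost *:444>\n"
           'Header set Set-Cookie "X-OPENHAB-AUTH-HEADER=1"\n'
           'RequestHeader set Authorization ""\n' + COMMON + "</VirtualHost>\n")

def directives(conf):
    """Return (name, args) pairs, skipping blanks, comments and <Section> tags."""
    out = []
    for raw in conf.splitlines():
        line = raw.strip()
        if not line or line[0] in "#<":
            continue
        parts = line.split(None, 1)
        out.append((parts[0].lower(), parts[1] if len(parts) > 1 else ""))
    return out

def check_vhost(conf):
    """Report what a Basic-auth reverse proxy in front of openHAB 3 is missing."""
    d = directives(conf)
    def has(name, pattern):
        return any(n == name and re.search(pattern, a, re.I) for n, a in d)
    findings = []
    if has("authtype", r"^basic\b") and has("proxypass", r"\S"):
        # Without this, the credentials checked by Apache are also sent to the backend.
        if not has("requestheader", r"^(set|unset)\s+Authorization\b"):
            findings.append("Authorization request header is forwarded to the backend")
        if not has("header", r"X-OPENHAB-AUTH-HEADER"):
            findings.append("X-OPENHAB-AUTH-HEADER cookie is not set")
    return findings

def needs_mod_headers(conf):
    """Header and RequestHeader both come from mod_headers (a2enmod headers)."""
    return any(n in ("header", "requestheader") for n, _ in directives(conf))

if __name__ == "__main__":
    for label, conf in (("failing", FAILING), ("working", WORKING)):
        print(label, check_vhost(conf), "mod_headers:", needs_mod_headers(conf))
```

Both sample vhosts need mod_headers, since the first config already uses RequestHeader for X-Forwarded-Proto.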
Hello,
Can someone confirm that it is still working with 3.1?
I am always getting an openHAB login page in addition to the webserver login popup.
Thanks
Marco
For some reason this didn’t work with LDAP. I was always asked for the admin after the browser/server login.
This is the configuration which works for me: