openHAB 3 Apache Reverse Proxy setup issue

First, I’ll start by saying I have had the same Apache setup for years now, and it worked perfectly until I upgraded to OH3. When trying to access my network from an external location, either via the Android app or a browser, I am getting invalid login issues. If I append basicui/app to the end of the URL, it seems to want to load but only partially loads the page. Let’s assume my openHAB internal IP is 10.0.0.1 and I am using 444 as the external port on Apache. Internal to my network it all works perfectly.

Here is my Apache config.

<VirtualHost *:444>
        ServerName xyz.example.com
        SSLEngine on
        Include /etc/letsencrypt/options-ssl-apache.conf
        SSLCertificateFile /etc/letsencrypt/live/example.com/fullchain.pem
        SSLCertificateKeyFile /etc/letsencrypt/live/example.com/privkey.pem
        ProxyPreserveHost on
        ProxyPass      / http://10.0.0.1:8080/
        ProxyPassReverse / http://10.0.0.1:8080/
        RequestHeader set X-Forwarded-Proto "https" env=HTTPS
        <Location />
                AuthType Basic
                AuthName "xyz.example.com 444 "
                AuthUserFile /etc/apache2/.passwd
                Require valid-user
                Allow from 10.0.0.0/255.255.255.0
        </Location>
</VirtualHost>

If I go to http://10.0.0.1:8080/basicui/app internally, it works as expected. Now if I go to https://xyz.example.com:444, it fails from the app and in a browser; if I go to https://xyz.example.com:444/basicui/app, it loads halfway and seems to fail midway. I don’t see anything odd in my Apache logs. It seems the new UI may have impacted the functionality. I tried playing around with the API Security settings and toggled the allow basic authentication and implicit user role options, but it seems to have no effect. I imagine those options are for if you use openhab.org. Either way, not sure if anyone has any ideas I can try. My workaround for now is just using OpenVPN, but it’s an extra step or two to turn that on. I would rather use the reverse-proxy option as I have done previously.

You might find some ideas in this NGINX thread.

EDIT: This post looks like your answer.

@Bruce_Osborne that did the trick thank you… Here is the working config I have in case anyone runs into this in the future.

This particular config will use the passwords set in the .htpasswd file. Local access will bypass authentication but if you don’t want that you can remove the “Allow from” line.

<VirtualHost *:444>
        ServerName xyz.example.com
        SSLEngine on
        Include /etc/letsencrypt/options-ssl-apache.conf
        SSLCertificateFile /etc/letsencrypt/live/example.com/fullchain.pem
        SSLCertificateKeyFile /etc/letsencrypt/live/example.com/privkey.pem
        Header set Set-Cookie "X-OPENHAB-AUTH-HEADER=1"
        ProxyPreserveHost on
        ProxyPass      / http://10.0.0.1:8080/
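        # Path first, then backend URL (same argument order as ProxyPass)
        ProxyPassReverse / http://10.0.0.1:8080/
        RequestHeader set X-Forwarded-Proto "https" env=HTTPS
        Header add Authorization ""
        # Blank the Authorization request header before it is proxied to openHAB
        RequestHeader set Authorization ""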
        <Location />
                AuthType Basic
                AuthName "xyz.example.com 444 "
                AuthUserFile /etc/apache2/.passwd
                Require valid-user
                Allow from 10.0.0.0/255.255.255.0
        </Location>
</VirtualHost>
5 Likes

Thanks that helped me out.
If someone gets an error after restarting Apache2 (like I did):
“Invalid command ‘Header’, perhaps misspelled or defined by a module not included in the server configuration”, then just run a2enmod headers to enable mod_headers.
After that, restart Apache.

Hello,
can someone confirm that it is still working with 3.1?
I am always getting an openhab login page in addition to the webserver login popup.
Thanks
Marco

@marco_hoefle I can confirm that it is working for me and I am on the latest milestone build. Same config as above.

For some reason this didn’t work with LDAP. I was always asked for the admin after the browser/server login.
This is the configuration which works for me:

<VirtualHost *:80>
        ServerName myserver
        Redirect permanent / https://myserver
</VirtualHost>


<VirtualHost *:443>
        ServerName myserver

        Include /etc/apache2/sites-available/ssl_config.incl

        Header set Set-Cookie "X-OPENHAB-AUTH-HEADER=1"
        ProxyPass / http://172.17.0.1:8080/
        ProxyPassReverse / http://172.17.0.1:8080/

        ProxyPreserveHost on

        RequestHeader unset Authorization

        <Location />
                AuthType Basic
                AuthName "dahoam"
                Include /etc/apache2/sites-available/ldap_config.incl
                Require ldap-group CN=...,CN=Users,DC=..,DC=..
        </Location>

        ErrorLog ${APACHE_LOG_DIR}/dahoam_error.log
        CustomLog ${APACHE_LOG_DIR}/dahoam_access.log combined
</VirtualHost>
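
A small linter for the points this thread turns on, added here as an example and not code from any poster or from the openHAB or Apache projects: it checks a vhost for the X-OPENHAB-AUTH-HEADER cookie, for the Authorization request header being blanked or unset before proxying, and for ProxyPassReverse arguments in the order Apache documents (path, then URL). The function names and finding codes are assumptions made for this example, and the sample configs are constructed from the vhosts above.

```python
import shlex

# Constructed samples: the proxy-related lines of the failing and working vhosts in this thread.
FAILING = """
<VirtualHost *:444>
    ProxyPass / http://10.0.0.1:8080/
    ProxyPassReverse / http://10.0.0.1:8080/
    RequestHeader set X-Forwarded-Proto "https" env=HTTPS
</VirtualHost>
"""
WORKING = FAILING.replace("</VirtualHost>", (
    'Header set Set-Cookie "X-OPENHAB-AUTH-HEADER=1"\n'
    'RequestHeader set Authorization ""\n</VirtualHost>'))


def directives(conf):
    """Yield (name, args) per directive line; comments and <Section> tags are skipped."""
    for line in conf.splitlines():
        line = line.strip()
        if line and not line.startswith(("#", "<")):
            name, *args = shlex.split(line)
            # mod_headers accepts an optional leading condition keyword.
            if args and args[0].lower() in ("always", "onsuccess"):
                args = args[1:]
            yield name.lower(), args


def check_vhost(conf):
    """Return sorted finding codes (hypothetical names); an empty list means all checks passed."""
    cookie = stripped = False
    findings = set()
    for name, args in directives(conf):
        verb, header, value = (args + ["", "", ""])[:3]
        if name == "header" and header.lower() == "set-cookie":
            cookie |= "X-OPENHAB-AUTH-HEADER=1" in value
        if name == "requestheader" and header.lower() == "authorization":
            stripped |= verb.lower() == "unset" or (verb.lower() == "set" and value == "")
        # Apache documents the argument order as: ProxyPassReverse [path] url
        if name == "proxypassreverse" and args and "://" in args[0]:
            findings.add("proxypassreverse-args-swapped")
    if not cookie:
        findings.add("missing-openhab-auth-cookie")
    if not stripped:
        findings.add("authorization-not-stripped")
    return sorted(findings)


if __name__ == "__main__":
    print("failing:", check_vhost(FAILING))
    print("working:", check_vhost(WORKING))
```

Both header directives it looks for need mod_headers, which is enabled with a2enmod headers as noted earlier in the thread.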