Openhab behind Nginx reverse proxy + fail2ban

Hi, all,
I'm trying to set up openHAB behind an nginx reverse proxy in conjunction with fail2ban for user authentication, but I have run into a problem which I cannot solve.

In the normal log, after a wrong authentication there are records like this:
2023-05-03 19:04:06.184 [WARN ] [uth.internal.AbstractAuthPageServlet] - Authentication failed from 192.168.1.157: User not found: User
where 192.168.1.157 is the address of the reverse proxy server.

At the debug log level I can see information about the real user IP:

tail -1000 /var/log/openhab/openhab.log | grep ^X-

X-Real-IP: 179.171.80.232
X-Forwarded-For: 178.171.80.232

For fail2ban, only the real user IP is useful information.
Is it possible to get this information from the log files in the regular system working mode?

You need to set up fail2ban to run on the nginx logs. All OH will see is the IP address for NGINX, as that’s where the request is coming from, from its perspective.

Does this mean I have to use only basic auth from nginx?

I don’t know. I don’t know much about nginx. But if you want to use fail2ban to block failed login attempts the only way I know to do that is to do so based on the auth logs in the reverse proxy. It’s a really good idea to implement authentication at the reverse proxy anyway.
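
What running fail2ban on the reverse proxy's auth logs amounts to, as an added example that is not part of the thread: nginx writes each failed auth_basic attempt to its error log with the address of the client that connected to it, and the script counts those failures per address the way fail2ban's maxretry and findtime settings do. The log lines, the pattern and the thresholds are constructed for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Pattern written for this example (not the filter fail2ban ships). The user
# name is client-supplied, so it is matched with ".*" rather than assumed to be
# quote-free; the IP is taken from nginx's own "client:" field.
FAIL_RE = re.compile(
    r'^(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) \[error\] \d+#\d+: \*\d+ '
    r'user ".*"(?:: password mismatch| was not found in "[^"]*")'
    r', client: (?P<ip>[0-9a-fA-F.:]+),')

# Constructed nginx error-log lines; the client addresses are documentation ranges.
SAMPLE_LOG = '''\
2023/05/03 19:04:06 [error] 811#811: *41 user "User" was not found in "/etc/nginx/auth.htpasswd", client: 203.0.113.7, server: my.domain, request: "GET / HTTP/1.1", host: "my.domain"
2023/05/03 19:04:09 [error] 811#811: *42 user "admin": password mismatch, client: 203.0.113.7, server: my.domain, request: "GET / HTTP/1.1", host: "my.domain"
2023/05/03 19:04:15 [error] 811#811: *43 user "a"b" was not found in "/etc/nginx/auth.htpasswd", client: 203.0.113.7, server: my.domain, request: "GET / HTTP/1.1", host: "my.domain"
2023/05/03 19:05:00 [error] 811#811: *44 user "bob": password mismatch, client: 198.51.100.20, server: my.domain, request: "GET / HTTP/1.1", host: "my.domain"
2023/05/03 19:06:00 [error] 811#811: *45 connect() failed (111: Connection refused) while connecting to upstream, client: 192.0.2.50, server: my.domain, request: "GET / HTTP/1.1", host: "my.domain"
2023/05/03 19:30:00 [error] 811#811: *46 user "bob": password mismatch, client: 198.51.100.20, server: my.domain, request: "GET / HTTP/1.1", host: "my.domain"
2023/05/03 19:55:00 [error] 811#811: *47 user "bob": password mismatch, client: 198.51.100.20, server: my.domain, request: "GET / HTTP/1.1", host: "my.domain"
'''

def parse_failure(line):
    """Return (timestamp, client_ip) for an auth failure line, else None."""
    m = FAIL_RE.match(line)
    if not m:
        return None
    return datetime.strptime(m["ts"], "%Y/%m/%d %H:%M:%S"), m["ip"]

def find_offenders(lines, maxretry=3, findtime=timedelta(minutes=10)):
    """IPs with at least maxretry failures inside one findtime window."""
    recent, offenders = defaultdict(deque), []
    for ts, ip in filter(None, map(parse_failure, lines)):
        window = recent[ip]
        window.append(ts)
        # Drop failures that have aged out of the sliding window.
        while ts - window[0] > findtime:
            window.popleft()
        if len(window) >= maxretry and ip not in offenders:
            offenders.append(ip)
    return offenders

if __name__ == "__main__":
    print(find_offenders(SAMPLE_LOG.splitlines()))
```

The address that made three failed attempts within ten minutes is reported; the one whose three failures are spread over fifty minutes and the upstream connection error are not.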

Unfortunately, I did not succeed in setting up openHAB normally behind a reverse proxy with basic authentication: there were constant re-requests for authorization from nginx and openHAB, and other artifacts. I had to consider alternative protection options, including fail2ban.

openhab> version
4.3.7
basic auth activated

nginx:
server {
    listen 443 ssl;
    listen [::]:443 ssl;
    server_name my.domain;

    # SSL
    ssl_certificate         /etc/letsencrypt/live/my.domain/fullchain.pem;
    ssl_certificate_key     /etc/letsencrypt/live/my.domain/privkey.pem;
    ssl_trusted_certificate /etc/letsencrypt/live/my.domain/chain.pem;

    # Logging
    access_log              /var/log/nginx/shaome_access.log;
    error_log               /var/log/nginx/shome_error.log warn;

    # Cross-Origin Resource Sharing.
    add_header 'Access-Control-Allow-Origin' '*' always;
    add_header 'Access-Control-Allow_Credentials' 'true' always;
    add_header 'Access-Control-Allow-Headers' 'Authorization,Accept,Origin,DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Content-Range,Range' always;
    add_header 'Access-Control-Allow-Methods' 'GET,POST,OPTIONS,PUT,DELETE,PATCH' always;

    # openHAB 3 api authentication
    add_header Set-Cookie X-OPENHAB-AUTH-HEADER=1;

    add_header Strict-Transport-Security "max-age=31536000";

    location / {
        proxy_pass                              http://192.168.1.152:8080/;
        proxy_set_header Host                   $http_host;
        proxy_set_header X-Real-IP              $remote_addr;
        proxy_set_header X-Forwarded-For        $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto      $scheme;
        proxy_read_timeout                      3600;
        proxy_set_header Upgrade                $http_upgrade;
        proxy_set_header Connection             "Upgrade";
        proxy_set_header Authorization          "";
        auth_basic                              "Username and Password Required";
        auth_basic_user_file                    /etc/nginx/auth.htpasswd;
    }
}