OPENHAB_HTTP_ADDRESS leaves the language server open

OPENHAB_HTTP_ADDRESS does not affect the language server. How can I protect it without needing firewall rules?

tcp6       0      0 :::5007                 :::*                    LISTEN      124589/java
tcp6       0      0 127.0.0.1:33491         :::*                    LISTEN      124589/java
tcp6       0      0 127.0.0.1:8443          :::*                    LISTEN      124589/java
tcp6       0      0 127.0.0.1:8101          :::*                    LISTEN      124589/java
tcp6       0      0 127.0.0.1:8080          :::*                    LISTEN      124589/java

Do you use it, or would it be an alternative to turn that service off?
In "Disabling / Binding to an IP the Language Server Protocol (LSP) service" it was suggested to deinstall the related bundle.

I tried that but had no success; the post is from '18, and I did not try further.

Anyway, this behaviour should be documented in the docs. I was surprised when I ran netstat.

You also did a restart after uninstalling the bundle?

The bundle name has changed :)

please try

bundle:stop org.openhab.core.model.lsp

from the Karaf console.

It should also be possible to uninstall the service, if you don’t want to use it.
Of course, there should be an option to bind the websocket to an IP address (so maybe open an issue on GitHub).

should be the right one.

2 Likes

What are you trying to accomplish here though?

If you are planning on putting OH directly on the Internet, please don’t. Use (in order of preference) myopenhab.org, a VPN (Tailscale and Cloudflare are ready and popular), a self-hosted openHAB cloud server, or a reverse proxy.

What little security that exists built into OH itself is not sufficient to protect itself if directly exposed to the Internet. And even if it were, you’d want to set up firewall rules, in addition to fail2ban and a monitoring system and regimen.

I’ll also note that many add-ons open additional ports unique to that add-on.

If you are not exposing OH to the Internet, what are you protecting OH from?

Actually the idea is to only bind to localhost and not expose the server to the internet.

Thanks very much, that works.

The LSP listener is gone.

I have opened

add option to bind Language Server Protocol Listener to a specific interface

1 Like
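
A check for the situation discussed in this thread, as an added example that is not part of the original posts: it parses netstat listener lines and reports every TCP listener that is not bound to loopback. The function names are illustrative, the sample input is the output quoted in the first post, and numeric addresses and ports (as `netstat -tlnp` prints them) are assumed, since the thread does not say which flags were used.

```python
import ipaddress

# Sample input: the listener lines quoted in the first post of this thread.
SAMPLE = """\
tcp6       0      0 :::5007                 :::*                    LISTEN      124589/java
tcp6       0      0 127.0.0.1:33491         :::*                    LISTEN      124589/java
tcp6       0      0 127.0.0.1:8443          :::*                    LISTEN      124589/java
tcp6       0      0 127.0.0.1:8101          :::*                    LISTEN      124589/java
tcp6       0      0 127.0.0.1:8080          :::*                    LISTEN      124589/java
"""

def parse_listeners(netstat_output):
    """Yield (host, port, owner) for each TCP LISTEN line."""
    for line in netstat_output.splitlines():
        fields = line.split()
        if len(fields) < 6 or not fields[0].startswith("tcp") or fields[5] != "LISTEN":
            continue
        # rpartition splits on the last colon, so IPv6 hosts such as "::" survive.
        host, _, port = fields[3].rpartition(":")
        if not port.isdigit():
            continue  # non-numeric port (netstat run without -n); skip
        owner = fields[6] if len(fields) > 6 else "-"
        yield host, int(port), owner

def is_loopback(host):
    """True only for loopback addresses; wildcard binds (0.0.0.0, ::, *) are not."""
    host = host.strip("[]").split("%")[0]  # drop brackets and any zone id
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return False  # "*" or anything unparseable is treated as exposed
    mapped = getattr(addr, "ipv4_mapped", None)  # e.g. ::ffff:127.0.0.1
    return addr.is_loopback or (mapped is not None and mapped.is_loopback)

def exposed_listeners(netstat_output):
    """Return the listeners reachable from other hosts (not loopback-bound)."""
    return [(h, p, o) for h, p, o in parse_listeners(netstat_output)
            if not is_loopback(h)]

if __name__ == "__main__":
    for host, port, owner in exposed_listeners(SAMPLE):
        print(f"non-loopback listener: {host or '*'}:{port} ({owner})")
```

On the quoted output this reports only port 5007; after `bundle:stop org.openhab.core.model.lsp` takes effect, the same check over fresh netstat output should come back empty.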