Openhab3 behind traefik edge router with basic auth

Hello :wink:

My setup:

  • openhab3 on raspi4 running in docker
    • auth via admin account
  • traefik reverse proxy
    • basic auth with openhabuser:another_password

This causes the following issue:

  • Traefik configured to keep the auth headers of basic auth

    • after entering traefiks basic auth: empty page with HTTP 401 on some URLs
  • Traefik configured to drop the auth headers of basic auth

    • after entering traefik basic auth: openhab3 unauthed view works fine
    • Clicking login and entering admin credentials: empty page with HTTP 401 on some URLs

so basically there seems to be a problem with the different auth mechanism.
When I keep the traefik auth headers, OH3 seems to interpret them and fails to login (which is okay, because i do not want the admin password for the OH instance to be the same as the one i use to keep the public away from my oh UI.
When i drop the headers, it seems that they are also used for authenticatin the admin user while doing admin stuff => no admin stuff at all :smiley:

here my traefik config if relevant:

      - "traefik.enable=true"
      - "traefik.http.routers.openhab.rule=Host(`oh.mydomain.com`)"
      - "traefik.http.routers.openhab.entrypoints=websecure"
      - "traefik.http.routers.openhab.tls=true"
      - "traefik.http.routers.openhab.middlewares=openhab-auth"
      - "traefik.http.services.openhab.loadbalancer.server.port=8080"
      - "traefik.http.middlewares.openhab-auth.basicauth.users=openhabuser:hashed_PW"
      - "traefik.http.middlewares.openhab-auth.basicauth.removeheader=true" # auth header am openhab macht komische dinge
1 Like

have a look to this thread: OH3 with NGINX Reverse Proxy and Authentication