Openhabianpi:9001 - logs basic authentication

Hello,

Is basic authentication available for Logs and how can it be made?
I have made port forwarding to use it outside the network, but I do not want to leave it open.

Thanks!

You should check that before you open up ports to the Internet.
If I remember correctly frontail is used.
And the GitHub docs state something about basic authentication:

  -U, --user <username>         Basic Authentication username, option works only along with -P option
  -P, --password <password>     Basic Authentication password, option works only along with -U option

Try that.

1 Like

Thanks but how do i use it, where is configuration file?

Did you even visit and read the frontail link I’ve posted? …

Okay I did some research for you.
I can see from your title that you are using openhabian so I guess you installed frontail via openhabian-config.
Therefore I visited the openHABian GitHub and searched for frontail.
I can see a service file aka. autostart from systemctl.

Default

[Unit]
Description=Frontail openHAB instance, reachable at http://%H:9001
Documentation=https://github.com/mthenw/frontail
Documentation=https://github.com/openhab/openhabian/issues/28
After=openhab2.service

[Service]
Type=simple
ExecStart=/usr/bin/frontail --ui-highlight --ui-highlight-preset /usr/lib/node_modules/frontail/preset/openhab.json -t openhab -l 2000 -n 200 /var/log/openhab2/openhab.log /var/log/openhab2/events.log
Restart=always
User=openhab
Group=openhab
Environment=PATH=/usr/bin/
Environment=NODE_ENV=production
WorkingDirectory=/usr/bin/

[Install]
WantedBy=multi-user.target

With the frontail GitHub I can conclude that I should add the -U and -P parameters to the startup to gain the basic authentication feature.

This is just what I researched, you have to test it and see if it’s correct what I say :slight_smile:

1 Like
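One way to apply the -U/-P suggestion from the post above without editing the packaged unit, as an added example that is not part of the original thread or of openHABian. The unit name `frontail.service`, the credentials path and the `FRONTAIL_USER`/`FRONTAIL_PASS` variable names are assumptions.

```shell
#!/bin/sh
# Added example: build a systemd drop-in that starts frontail with the
# -U/-P options quoted above, keeping the password out of the unit file.
# Assumed names: frontail.service, /etc/frontail/credentials.env,
# FRONTAIL_USER, FRONTAIL_PASS.

# Print the drop-in. $1 = original ExecStart value, $2 = env file path.
frontail_dropin() {
    orig=$1
    envfile=$2
    bin=${orig%% *}      # first word: the frontail binary
    args=${orig#* }      # everything after the binary
    printf '[Service]\n'
    printf 'EnvironmentFile=%s\n' "$envfile"
    printf 'ExecStart=\n'    # clear the packaged ExecStart before redefining it
    # systemd itself expands ${VAR} from EnvironmentFile when starting the unit
    printf 'ExecStart=%s -U ${FRONTAIL_USER} -P ${FRONTAIL_PASS} %s\n' "$bin" "$args"
}

# Write a credentials file with a random password, mode 0600.
# $1 = path, $2 = username. systemd reads EnvironmentFile as root,
# so the openhab service user does not need read access to it.
write_credentials() {
    path=$1
    user=$2
    pass=$(head -c 18 /dev/urandom | base64 | tr -d '/+=')
    ( umask 077
      printf 'FRONTAIL_USER=%s\nFRONTAIL_PASS=%s\n' "$user" "$pass" > "$path" )
}

# ExecStart value copied from the unit shown in the post above.
ORIG='/usr/bin/frontail --ui-highlight --ui-highlight-preset /usr/lib/node_modules/frontail/preset/openhab.json -t openhab -l 2000 -n 200 /var/log/openhab2/openhab.log /var/log/openhab2/events.log'

# Print the drop-in for review. To install it (as root):
#   write_credentials /etc/frontail/credentials.env <username>
#   systemctl edit frontail.service      # paste the printed text
#   systemctl restart frontail.service
frontail_dropin "$ORIG" /etc/frontail/credentials.env
```

The expanded password still appears in the frontail process arguments (`ps`) on the host, and Basic Authentication over plain HTTP is only base64-encoded, not encrypted, so this alone does not make the forwarded port safe to leave open.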

Or they could read the official documentation and try a nginx reverse proxy.

2 Likes

That’s true :wink: thanks for adding this info to the discussion!
I only thought about frontail hence he only asked about that specific tool.

1 Like

My basic rule of thumb is if you have to ask a question like this you probably do not have the skills nor the time to safely set up a port forward that exposes your home network to the entire Internet. Doing this safely requires a huge amount of time and a lot of specialized skills, skills which if you had means you probably would have been able to answer the above question yourself.

There are lots of safer alternatives. I personally recommend setting up a VPN service (with certificate based authentication), ssh tunnels (with certificate based authentication) or using something like the services discussed here.

2 Likes

That is only for console or desktop GUI access. Good server practices say to not install a needless GUI so your solution would not help for web access only.

Sorry but that’s wrong.
Via SSH tunneling you can redirect ports to your local machine.
Example:

ssh -L 8080:localhost:8080 openhabian@smarthome.foo.bar

This way I can access on my local device http://localhost:8080 and can use the Web GUI of openHAB which I am connected to via SSH.
See https://wiki.ubuntuusers.de/SSH/#SSH-Tunnel

Also, If I can access the Desktop of the openHAB instance… I can open a browser… and… You know where this is going right? :smiley:

That does not exist on Raspbian Lite, for instance. Even Microsoft does not install a graphical UI on servers by default any more. It generally adds useless load to the server.
The link used VNC not ssh tunneling.

 ssh tunnels (with certificate based authentication)

He suggested multiple ways, which one the end-user takes is his decision.
And I can tell you, if a normal user with no knowledge about SSH and stuff can get access like RDP on Windows they are happy :slight_smile:
I strongly agree with you that RDP and VNC is not the best thing to do but I have friends myself who refuse to use a console based setup, they need their Desktop.

Sorry to the OP for hijacking his topic :rofl:

Far far far better to install X or interact with your machine through the command line than to expose your LAN to the Internet without knowing what you are doing. Any open port will become attacked in minutes of exposure. “Good server practices” only apply when you have skilled and knowledgeable people designing, configuring, and monitoring those servers when they are exposed to the Internet. For the typical home user, you need to do what is safest with the least amount of technical knowledge, skills, and long term monitoring required.

That means using some other service as a go-between from your RPi and your remote service so you don’t have to expose your LAN to the Internet (e.g. myopenhab.org) or set up a secure way to tunnel into your LAN using software that has undergone far more testing and security audits (e.g. OpenVPN, OpenSSH, if you are not risk averse WireGuard) than FronTail with basic auth will ever have.

We are not dealing with server farms here with “IT best practices” ™. We are talking about home users who are not experts in security exposing themselves to the Internet. I would venture to guess that maybe 100-200 out of ALL openHAB users worldwide are qualified to do this safely. And I suspect that the majority of those, like myself, don’t do it as it’s too much work.

If you had scrolled down on that link you would have seen that there are two services presented. One is indeed VNC but the other is command line only. And the two presented in that article are just two of a dozen+ such services a google search away, most of which are free, that can give you access to your RPi remotely, with X installed or not, without requiring you to open a port on your LAN to the Internet.

Never never ever open a port to the Internet unless you have the skills and are willing to spend the time to monitor your machines, their logs, and add some defense in depth to your network. Otherwise it’s not a matter of if, but when you will get hacked. If you are lucky, all they will do is burn up your RPi doing cryptomining. Though if you are being directly targeted, having access to your home automation machine, even if it’s just the logs, is a bonanza of useful information to an attacker.

1 Like