Planning Questions: Installing OH in Home Network that has Nginx Proxy

Platform information:
Hardware: Raspberry Pi 4 Model B Rev 1.2Release
OS: Raspbian GNU/Linux 10 (buster), Kernel = Linux 4.19.97-v7l+
Java Runtime Environment: openjdk version “1.8.0_252”
openHAB version: openHAB 2.5.5-1 (Release Build)

Background: I am planning to install OH in my home network that already has multiple other servers. I have a separate system running an Nginx proxy behind my internet gateway (Unifi USG) to forward HTTP/HTTPS requests to the systems (services) on my home LAN. I have spent the last couple of days digging through the OH documentation and community posts to understand if it's possible to use my existing proxy to “front-end” OH on my network. At this point I am looking for some help confirming my assumptions and answering a few outstanding questions I have.

  1. Assumption. The Openhabian-config tool has an option to set up an Nginx reverse proxy, but it assumes my OH server will be listening on port 80 and/or 443 facing the Internet. This won't work for my environment since I already have an Nginx proxy listening on these ports. Is that a correct assumption?

  2. Assumption. I don't have any experience with Jetty web services/servers; can I assume that I can simply use a proxy_pass statement in the virtual host I define for OH that references the OH server's internal IP address on port 8080? Are there any Nginx proxy parameters specific to this I need to include? I seem to be using all of the ones I see referenced in the posts…

  3. Question. I have not been able to find any posts or examples where the standard setup is configured to use private certs. Did I miss something that should be obvious?

Thanks in advance and I would greatly appreciate any advice the Community can provide on this topic.

Your description is confusing.
So you run openHAB on an openHABian box but your nginx on another box ?
Then no, it will work, you can have multiple proxies point to the same server.
If you meant to say you run your own nginx on the openHABian box, too, then of course yes, that won't work.

On 2., sure you can.
My suggestion would be to set up nginx from openhabian-config and to have a look at the config,
then decide which of your two nginx to use and merge the configs there.

On 3, openHABian uses Let’s encrypt certbot incl. auto renewal. Granted it’s not documented but works as far as we know.

Thanks for the insight Markus.

I successfully used the nginx setup option on openhabian-config. I selected the no user authentication, HTTP only option, which created an Nginx proxy on the OH RPI server that is listening on port 80. I set up a virtual host on my front end proxy, pointed it at the OH RPI server's ip-address:80 and was able to connect to openHAB over HTTPS. I noticed the log viewer is served on port 9001, so I will need to add a location for that in the proxy on OH, but all is good. I will post my configs in case others would be interested…

Regarding the first point, "Your description is confusing." Let me try to clarify my architecture; maybe this is already obvious to you, but to be sure… My servers sit on local networks behind a Gateway device (routing, firewall, IDS-IPS, etc.) that faces the Internet. From there all traffic on ports 80 and 443 (the only ports the gateway allows traffic to enter on) hits the Proxy (nginx) server. The Proxy server is the “front end” for all servers in my network that can be accessed from the Internet - e.g. this server does not host any other software/systems - “its sole purpose is to proxy”. The proxy looks at the subdomain name, matches it to one of my virtual server definitions (rewrites HTTP to HTTPS if needed) and passes the request to the server on my local network. Any new servers that would require access from outside the network are added to this proxy by defining a new virtual host configuration (for instance openhab.my-domain.com). I don't want/need to run another proxy on my local network, which means I would have to open more ports and have more exposure to the Internet.

Regarding your second point. I assume that in order for me to set up nginx using openhabian-config, I would have to shut down my current proxy to ensure no other service is listening on ports 80/443. Then run the install routine letting it use ports 80/443 in order to have it successfully complete the setup and generate a config. I noticed there is an option to create an HTTP only proxy, no authentication. Seems like the best option for my architecture as I assume this will serve OH up on port 80 for that server and I don’t need to shut down my proxy. This is the approach I will try…

Regarding the third point. I use Letsencrypt on my proxy; if I were to use that option on the OH server, I would need to shut down my proxy so that the openhabian-config Nginx setup could use/listen on port 80 (and 443) to do the Letsencrypt validation and cert renewal. Thus I would be running openhab on my proxy. I want to keep the proxy on a separate host from other services for resiliency and troubleshooting…
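The two-hop layout discussed in this thread (front-end nginx terminating TLS for openhab.my-domain.com, handing off to an HTTP-only nginx on the openHAB host that in turn proxies Jetty on port 8080, as asked in question 2 and confirmed in the follow-up), written out as an added illustration. This is not the poster's configuration and not the file openhabian-config generates. The LAN addresses 192.168.1.50 (openHAB host) and 192.168.1.10 (front-end proxy), the hostnames, the certificate paths and the htpasswd file are all assumptions; the log viewer is assumed to be on port 9001 as the follow-up reports.

```nginx
# Both snippets live in the http {} context (e.g. a file under /etc/nginx/conf.d/).
# Lets WebSocket/SSE upgrades pass through cleanly without forcing "upgrade" on plain requests.
map $http_upgrade $connection_upgrade {
    default upgrade;
    ''      close;
}

# ---------------------------------------------------------------------------
# 1) On the openHAB host (assumed 192.168.1.50): HTTP only, no authentication.
#    Because this listener has no auth of its own, restrict it to the front-end
#    proxy so other LAN hosts cannot bypass the TLS/auth layer in front of it.
# ---------------------------------------------------------------------------
server {
    listen 80;
    server_name 192.168.1.50;

    allow 192.168.1.10;      # assumed address of the front-end proxy
    allow 127.0.0.1;
    deny  all;

    location / {
        proxy_pass         http://127.0.0.1:8080/;          # openHAB's Jetty
        proxy_http_version 1.1;
        proxy_set_header   Host              $http_host;
        proxy_set_header   X-Real-IP         $remote_addr;
        proxy_set_header   X-Forwarded-For   $proxy_add_x_forwarded_for;
        # keep the scheme the outer proxy saw (https), not this hop's (http)
        proxy_set_header   X-Forwarded-Proto $http_x_forwarded_proto;
        proxy_set_header   Upgrade           $http_upgrade;
        proxy_set_header   Connection        $connection_upgrade;
    }
}

# ---------------------------------------------------------------------------
# 2) On the front-end proxy: TLS termination + authentication, then hand off
#    to the openHAB host over the LAN.
# ---------------------------------------------------------------------------
server {
    listen 80;
    server_name openhab.my-domain.com logs.my-domain.com;
    return 301 https://$host$request_uri;               # HTTP -> HTTPS rewrite
}

server {
    listen 443 ssl http2;
    server_name openhab.my-domain.com;

    # Placeholder paths: the Let's Encrypt certificate issued on this proxy for this name
    ssl_certificate     /etc/letsencrypt/live/openhab.my-domain.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/openhab.my-domain.com/privkey.pem;

    # The inner listener has no authentication, so gate Internet access here.
    auth_basic           "openHAB";
    auth_basic_user_file /etc/nginx/.htpasswd;          # assumed; created with htpasswd

    location / {
        proxy_pass         http://192.168.1.50:80/;       # the openHAB host's nginx
        proxy_http_version 1.1;
        proxy_set_header   Host              $http_host;
        proxy_set_header   X-Real-IP         $remote_addr;
        proxy_set_header   X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header   X-Forwarded-Proto $scheme;     # "https" at this hop
        proxy_set_header   Upgrade           $http_upgrade;
        proxy_set_header   Connection        $connection_upgrade;
    }
}

# Log viewer on its own hostname, so no path rewriting is needed for its assets;
# it uses a WebSocket, hence the Upgrade/Connection headers. Same auth gate.
server {
    listen 443 ssl http2;
    server_name logs.my-domain.com;

    ssl_certificate     /etc/letsencrypt/live/logs.my-domain.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/logs.my-domain.com/privkey.pem;

    auth_basic           "openHAB logs";
    auth_basic_user_file /etc/nginx/.htpasswd;

    location / {
        proxy_pass         http://192.168.1.50:9001/;     # assumed log viewer port
        proxy_http_version 1.1;
        proxy_set_header   Host              $http_host;
        proxy_set_header   X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header   X-Forwarded-Proto $scheme;
        proxy_set_header   Upgrade           $http_upgrade;
        proxy_set_header   Connection        $connection_upgrade;
    }
}
```

Validate and reload with `sudo nginx -t && sudo systemctl reload nginx` on each host, then check the chain end to end with `curl -I https://openhab.my-domain.com/` (expect 401 without credentials, 200 with them) and, from a LAN host other than the front-end proxy, `curl -I http://192.168.1.50/` (expect 403 from the allow/deny rules). The allow/deny on the inner listener is the piece most easily forgotten: without it the HTTP-only, no-authentication proxy on the openHAB host is reachable by anything on the LAN, regardless of how well the Internet-facing proxy is locked down.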