Problem using Apache as reverse proxy for OH2

pulsar · February 8, 2017, 4:05pm

My first post here. I searched the forum and couldn’t find the answer, so posting this in a new thread.

I am trying to set up a reverse proxy for OH2 using Apache 2.4 server on my Win7 PC. I found this tutorial which is written for NGINX server, but couldn’t find anything similar for Apache.

This is what I have now (see below). It works partially - I can access the top level page of OH2 using address my_domain/openhab , and also I can enter the Basic UI page and see the top level groups listed. But when I click on a group (which contains one Switch and one Number items), OH keeps showing the running line at the top and never shows the items.

So basically addresses like xxx:8080/basicui/app get translated to yyy/openhab/basicui/app without issues, but for the address xxx:8080/basicui/app?w=0000&sitemap=demo the translation doesn’t work.

Here is my Apache’s virtual host code:

<VirtualHost _default_:443>
    ServerAdmin admin@commaster.net
    ServerName xxxx
    RewriteEngine On
    RewriteCond %{HTTP_HOST} !^xxxx$ [NC]
    RewriteRule ^/?(.*)$ https://xxxx/$1 [NE,L,R=301]
    SSLEngine on
    SSLCertificateFile "C:/Users/**.pem"
    SSLCertificateKeyFile "C:/Users/**.pem"
    SSLCertificateChainFile "C:/Users/*.pem"
 <Location "/openhab">
    AuthType Basic
    AuthName "private"
    AuthUserFile "c:\Apache24\***"
    Require valid-user
    ProxyPass "http://localhost:8080"
    ProxyPassReverse "http://localhost:8080"
 </Location>
</VirtualHost>

I am sure I am doing something wrong, just can’t figure out what exactly. My suspicion is that my code doesn’t have something equivalent to the four “proxy_set_header” lines in the tutorial, as I don’t know how to implement that in Apache. Can anyone please give me a hand here?

EDIT: Looking at Apache logs, it looks like initially the links are translated properly (have /openhab at the beginning), but one POST and one GET at the end do not start with /openhab, so not surprisingly I get 404 code for them:

"GET /openhab/basicui/smarthome.js HTTP/1.1" 304 -
"GET /openhab/basicui/mdl/material.min.js HTTP/1.1" 304 -
"GET /openhab/basicui/favicon.ico HTTP/1.1" 304 -
"POST /rest/sitemaps/events/subscribe HTTP/1.1" 404 228
"GET /openhab/icon/3d_printer?state=UNDEF&format=png HTTP/1.1" 200 17385
"GET /basicui/app?w=0000&sitemap=demo&subscriptionId=undefined&__async=true HTTP/1.1" 404 209

It looks like when a query is present in the path, translation is broken.

rlkoshak · February 9, 2017, 8:44pm

This can’t be done according to my research. The only way to make it work where you provide /openhab/ between the base URL and the server being proxied is if the server supports it.

The problem is that the reverse proxy can only change the URLs that are sent to it. It doesn’t edit the returned HMTL files to change the URLs embedded in the web pages that get returned. So your initial request works because that is a URL you craft and send. However, all of the links on the page you receive lack the /openhab/ part of the URL so when you click on something if tries to go to an address without the /openhab/.

I hope that makes sense.

In any case, this is a feature that would have to be added to the OH UIs so that it converts the URLs embedded in the HTML of the web pages themselves to use the /openhab/. I’ve found some systems that do this (gogs and calibre in particular) but OH does not.

pulsar · February 9, 2017, 8:54pm

I see - thanks. It sounds like I can’t use a non-root location with Nginx server as well, for the same reason.

So the ideal solution would be for OH2 to have its own authentication. I heard some work is done in that direction - do you know if it close to be implemented?

Temar · February 9, 2017, 8:58pm

This can be done with mod_proxy_html: https://httpd.apache.org/docs/2.4/mod/mod_proxy_html.html

However there might still be problems with self referencing URLs generated by JavaScript code. In that case it gets far more complex.

rlkoshak · February 9, 2017, 9:03pm

I have no idea the status of implementing authentication but it is in work. However, I’m not sure how that will solve your /openhab/ problem. OH will still be served from the root location.

pulsar · February 9, 2017, 9:07pm

OH authentication will allow me to continue using my regular web site / server as before, and then assign OH2 to a custom port, so no need to run a reverse proxy.

I think I have a reasonable workaround for now: I will move all my normal web stuff to non-root locations (/pub, /priv), and keep the OH2 with reverse proxy at the root location. I’ll test it now.

Temar · February 9, 2017, 9:09pm

Why not just create a new VirtualHost for OpenHAB so it can use the root domain and then use that VirtualHost as reverse proxy?

If you really need to move the folder, then try the mod_proxy_html module which can rewrite HTML pages.

rlkoshak · February 9, 2017, 9:10pm

At least with Nginx you cna assign OH2 to a custom port too. Just set up a server the same way you would otherwise but have it listen on a different port from 433 and/or 80.

It looks like you can do the same with Apache, just chage VirtualHose default:433 to some other port number.

pulsar · February 9, 2017, 9:20pm

Thanks everyone for the suggestions!

This simple trick seems to do what I wanted (Nginx): I simply added a few extra lines in the same virtual host (server{}):

       location /priv {
                auth_basic                              "Username and Password Required";
                auth_basic_user_file                    .htpasswd;
       }

      location /pub {
       alias H:/WWW;
      }

      location ~ /\. { deny  all; }

The “alias” trick allowed me to keep all the public files were they were. Now I can access the public stuff via domain/pub, private - via domain/priv, and OH2 behind reverse proxy - via domain. (Everything is using SSL, generated with Let’s Encrypt). Only one port (443) needs to be forwarded in my router. And only one web server has to run.

Everything seems to be working now.

billfor · April 7, 2017, 4:57am

In case it helps for Apache 2.4 , I was able to get all the UI’s working with this configuration (this is independent of SSL and auth).

ProxyPass  /rest http://alarmpi:8080/rest
ProxyPass  /basicui http://alarmpi:8080/basicui
ProxyPass  /icon http://alarmpi:8080/icon
ProxyPass  /chart http://alarmpi:8080/chart
<Location /openhab/>
        ProxyPass  http://alarmpi:8080/
        ProxyPassReverse http://alarmpi:8080/
        ProxyPassReverse  /
        ProxyHTMLEnable On
        ProxyHTMLURLMap /openhab/ /openhab/
#       ProxyHTMLURLMap / /openhab/
</Location>
#RewriteEngine on
#RewriteRule ^/openhab$ /openhab/ [R]

kovaga · August 15, 2019, 3:20pm

Followed your example and all works apart from the error Appearing at the bottom of the page
“SSE subscription failed: running in fallback mode”

I’ve noticed that some people are having the same issue. Did you experience something similar?

That’s the error I am getting.
Request URL: https://xxx.xxx.home/rest/sitemaps/events/subscribe
error: {message: “Max number of subscriptions is reached.”, http-code: 503}

Ok, the error is gone after I rerarted Openhab2 service.

Now the new error
“Offline: waiting for connection to become available”
Request URL: http://xxx.xxx.home/rest/sitemaps/events/4ef3ed30-4e2c-4409-9451-91ec89230a9d?sitemap=Our_home&pageid=Our_home
Referrer Policy: no-referrer-when-downgrade

It is strange that the request is going to HTTP rather then HTTPS.

This is solved by including
RequestHeader set X-Forwarded-Proto “https” env=HTTPS