Problem with reverse proxy

Hi,

I have a problem using a reverse proxy. I want to set up openhab together with traefik, because I don’t like the fact that openhab has no login on the local interface. For this I set up a working docker-compose with both containers in the bridge network and the http works fine. The problem is that openhab needs to be in the host network to work properly with the discovery features and so on…but when I put openhab in the host network, the container’s ports can be accessed directly, which leads to a bypass of the authentication implemented by the reverse proxy. Does anyone have an idea how to put openhab in the host network, but only accessible by the reverse proxy?

kind regards

A reverse proxy should work fine. After it is working you set OpenHAB to only work for 127.0.0.1.

If you have openhab bound to the default http and https ports (8080 and 8443) then only people that know about it can access it there. Anyone attempting to access through the proxy via 80 or 443 would hit the login.

The only way I can think of to remove openhab from the network entirely is to have nothing on the host net that needs to start connections with openhab. If you do have things that need to connect to your openhab server you could put them on a separate network hosted by your server, but that’s a lot of work.

Why do you need this level of security on your local network?

Tried this one, it’s not working due to the network of the default bridge network…

I don’t want everyone on my network to have admin privileges on openhab

And do you have other devices that need to make connections to openhab?

If so then you have to decide if you want to have a secure automation network or if you want to make a complicated proxy setup that secures front-end pages and not backend paths.


Yes, for example Samsung TVs must connect to openhab…I want to achieve both if possible…I want to make a secure backend and frontend with the proxy, but without interfering with communication if possible…but the frontend for app and browser needs to be secure to prevent others in my LAN from messing with my settings or my data…or controlling my smarthome…

You will need to set up another network to achieve this. Either with your server as the gateway or using another router. If you need to connect to any devices on the secure network you would need to create either port forward rules to access the device or static routes so that devices on the LAN can reach only certain devices on the secure network. This will not be a simple thing to do.

Is it really necessary to prevent access at this level? Surely putting the admin pages behind basicauth using a different password file than user level access would be enough, unless you expect malicious actors on your own local network?

I’ve achieved the first thing already, by using traefik 2.0 as a reverse proxy (it acts as a router), but the port forwarding is not very “future proof” as I don’t want to fiddle around with the compose file as soon as I use a new binding…securing the admin page and the API and all other things that lead to altering settings on the local network will be enough…I found out that the approach of @Bruce_Osborne seems valid, but due to an issue in rancheros, which I use as host, it doesn’t work: https://github.com/rancher/os/issues/2776. I was interested if there would be a more secure method without the port thing or requiring to fiddle around with the backend…

I’ve also a recommendation for devs on implementing auth fast in openhab…maybe they can use this: https://github.com/clems4ever/authelia or this
https://www.keycloak.org/
because I consider at least basic security by authentication as a mature feature nowadays…openhab is REALLY good but the lack of user auth and the usage of different users and permissions without cloud is a real downer…

Can you share the docker compose for this? I am trying exactly this and I am getting a bad gateway with traefik labels where the direct 8080 works. And did you find a way to bridge the host network and docker network to discover items? Either way please share how you got traefik to work. Thanks!

Yes :slight_smile: you have to add these lines to make it function:

traefik.http.services.service01.loadbalancer.server.port=8080
traefik.http.services.service01.loadbalancer.server.scheme=http

This tells traefik where to proxy :slight_smile: it should work then. You can name the service01 section according to your needs :slight_smile:

To stop the auth-bypass, don’t open port 8080 to the host.
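As an added illustration of the setup this thread converges on (not taken from any post here), a docker-compose fragment with the two labels above plus a Traefik basic-auth middleware, and no published port on the openhab container so 8080 is reachable only through the proxy; the hostname, the router and middleware names, and the htpasswd placeholder are assumptions:

```yaml
version: "3.7"

services:
  traefik:
    image: traefik:v2.0
    command:
      - --providers.docker=true
      # Only containers carrying traefik.enable=true get routed
      - --providers.docker.exposedByDefault=false
      - --entryPoints.web.address=:80
    ports:
      - "80:80"          # the only port the LAN can reach
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock:ro

  openhab:
    image: openhab/openhab:latest   # pin a tag in real use
    # No "ports:" entry on purpose: 8080 stays inside the compose bridge
    # network, so LAN clients cannot skip the proxy and its login.
    labels:
      - traefik.enable=true
      # Hostname is an assumption; use whatever your LAN resolves
      - traefik.http.routers.openhab.rule=Host(`openhab.example.lan`)
      - traefik.http.routers.openhab.entrypoints=web
      - traefik.http.routers.openhab.middlewares=openhab-auth
      - traefik.http.routers.openhab.service=service01
      # htpasswd-style entry, generate with: htpasswd -nB admin
      # In compose files every "$" in the hash must be written as "$$"
      - traefik.http.middlewares.openhab-auth.basicauth.users=admin:$$2y$$05$$REPLACE_WITH_HASH
      # The two labels from the post above: where Traefik forwards to
      - traefik.http.services.service01.loadbalancer.server.port=8080
      - traefik.http.services.service01.loadbalancer.server.scheme=http
```

From another machine on the LAN, `curl -I http://<docker-host>:8080/` should now be refused while `curl -I http://openhab.example.lan/` returns 401 until credentials are supplied. Switching openhab to host-mode networking for discovery re-exposes 8080 on the host, which is where the 127.0.0.1 binding mentioned earlier in the thread comes in.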

Thanks! I missed that but got it to work now. Did you end up configuring auth? I am trying to set up traefik-forward-auth with Microsoft OIDC now so I can use OAuth with several other docker containers and not just openhab!

No, I just have Basic-Auth in place for now…but you can try this:
https://www.keycloak.org/
It supports multiple auth methods for multiple containers =)