Restrict access to OH2 for particular IP address / deactivation of HTTP

Hi all,

In the official OH documentation, restricting access for particular source IP addresses is mentioned:
https://www.openhab.org/docs/installation/security.html#authentication-and-access-control

I’d like to restrict access for an IP range or at least some single entries.

I know that none of these syntaxes work:

OPENHAB_HTTP_ADDRESS=127.0.0.1, 192.168.0.1, 192.168.0.22

neither

OPENHAB_HTTP_ADDRESS=127.0.0.1,192.168.0.1,192.168.0.22

nor

OPENHAB_HTTP_ADDRESS=127.0.0.1, 
OPENHAB_HTTP_ADDRESS=192.168.0.1
OPENHAB_HTTP_ADDRESS=192.168.0.22

Is there an option at all to configure it?

In addition can it be configured that OH service is not listening to HTTP but only on HTTPS?

Regards,
becken

As far as I can tell, you can only specify one address.
For HTTP vs. HTTPS, you might have to proxy through nginx.


I suggest an external firewall. Under Linux, iptables and ip6tables do the job. You can sort the rules by destination port.

I wouldn’t even be sure it works at all. It was a feature in OHv1 that was dropped in v2, and there recently were attempts to introduce that back into 2.4, but those failed and were removed. I’m not 100% sure if that “one address” was left in or if it’s a docs bug.

What you can and should do for the time being is to deploy a reverse proxy like nginx and do the authentication there (based on IPs and/or user). It can also do HTTPS.
A preconfigured nginx is part of openHABian.
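
The reverse-proxy approach suggested in the replies, as an added example that is not from any of the posters or from the openHAB project: nginx terminates HTTPS and admits only the three source addresses from the question. The server name and certificate paths are placeholders, and it assumes openHAB itself is reachable only on loopback (for example via the single-address `OPENHAB_HTTP_ADDRESS=127.0.0.1` setting, if it is honoured, or a firewall rule) on its default HTTP port 8080.

```nginx
# Added example. server_name and certificate paths are placeholders.
# Assumption: openHAB listens on 127.0.0.1:8080 and is not reachable
# directly from the network, so all client traffic must pass through nginx.

# Plain HTTP only redirects to HTTPS. Remove this block entirely
# if nothing should answer on port 80 at all.
server {
    listen 80;
    server_name openhab.example.lan;
    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl;
    server_name openhab.example.lan;

    ssl_certificate     /etc/ssl/certs/openhab.example.crt;
    ssl_certificate_key /etc/ssl/private/openhab.example.key;

    # Source-IP allow list: rules are checked in order, first match wins,
    # and every other client receives 403 Forbidden.
    allow 127.0.0.1;
    allow 192.168.0.1;
    allow 192.168.0.22;
    # A whole range is written in CIDR form, e.g.:
    # allow 192.168.0.0/24;
    deny  all;

    # Optional user authentication on top of the IP check
    # (the htpasswd file path is a placeholder):
    # satisfy all;
    # auth_basic           "openHAB";
    # auth_basic_user_file /etc/nginx/.htpasswd;

    location / {
        proxy_pass http://127.0.0.1:8080/;
        proxy_set_header Host              $http_host;
        proxy_set_header X-Real-IP         $remote_addr;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}
```

Validate the file with `nginx -t` before reloading, then confirm from a host outside the allow list that port 443 returns 403 and that port 8080 is not reachable directly.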