Reverse proxy IIS + ARR

Hello everybody,

I started with OpenHab 2.2.0, running on a Raspberry Pi

Basic setup works fine, I added some bindings, things, items and sitemaps.

Now I configured a reverse proxy to allow a public connection to my OpenHab.
Reverse proxy is a WIN10-box + IIS + ARR
https://www.iis.net/downloads/microsoft/application-request-routing

internet --> http://myDomain --> ARR --> http://InternalIP:8080

I managed to configure my reverse proxy and can connect to my OpenHab box with a browser to the PaperUI.
Strange thing is that when I go to the BasicUI, my items are displayed, but on my browser I get a message “Offline: waiting for connection to become available”.

Also, on my Android app: I can see my sitemaps, but when I open a sitemap, my items are NOT displayed, and I see a spinning wheel right on top of my app.

When I go directly to my OpenHab box (I opened my firewall on port 8080 and forwarded directly to my OpenHab-box), the BasicUI and Android app work properly.

So I suppose my reverse proxy rules are not complete.

Below you can find my web.config configuration file.

Has anybody an idea what’s wrong?
I can find documentation for other reverse proxies like nginx, apache, … but not for IIS.

Any help is much appreciated!
Kind regards,
Bart

This is NOT working:

<?xml version="1.0" encoding="UTF-8"?>
<configuration>
    <system.webServer>
        <rewrite>
            <rules>
                <rule name="Let's Encrypt" enabled="true" stopProcessing="true">
                  <match url="(.well-known/acme-challenge/*)" />
                  <action type="None" />
                </rule>
                <rule name="Redirect to HTTPS" enabled="false" stopProcessing="true">
                  <match url="(.*)" />
                  <conditions>
                    <add input="{HTTPS}" pattern="^OFF$" />
                  </conditions>
                  <action type="Redirect" url="https://{HTTP_HOST}/{R:1}" appendQueryString="true" redirectType="Temporary" />
                </rule>
                <rule name="ReverseProxy" stopProcessing="true">
                  <match url="(.*)" />
                  <action type="Rewrite" url="http://192.168.4.83:8080/{R:1}" logRewrittenUrl="true" />
                  <serverVariables>
                    <set name="HTTP_X_PRIVATE_TOKEN" value="We are the children of Korn!" />
                    <set name="HTTP_SEC_WEBSOCKET_EXTENSIONS" value="" />
                    <set name="HTTP_X_ORIGINAL_HOST" value="{HTTP_HOST}" />
                    <set name="HTTP_X_REAL_IP" value="{REMOTE_ADDR}" />
                    <set name="HTTP_X_FORWARDED_FOR" value="{PROXY_ADD_X_FORWARDED_FOR}" />
                    <set name="HTTP_X_FORWARDED_PROTO" value="HTTP" />
                  </serverVariables>
                </rule>
            </rules>
        </rewrite>
        <caching enabled="false" enableKernelCache="false" />
    </system.webServer>
</configuration>

PS.
I configured the same ARR for my other services (Nextcloud, Domoticz, HASS, etc…) without any problem. So this should be something OpenHab specific…

Please post your ARR config once you get things sorted out. Could be a great help to those on the Windows side.

Squid

OK, it seems that I’ve got my IIS reverse proxy working now with OpenHab.
Solution: I also had to define an outbound rule.

My web.config now looks like:

<?xml version="1.0" encoding="UTF-8"?>
<configuration>
    <system.webServer>
        <rewrite>
            <rules>
                <rule name="Let's Encrypt" enabled="true" stopProcessing="true">
                  <match url="(.well-known/acme-challenge/*)" />
                  <action type="None" />
                </rule>
                <rule name="Redirect to HTTPS" enabled="true" stopProcessing="true">
                  <match url="(.*)" />
                  <conditions>
                    <add input="{HTTPS}" pattern="^OFF$" />
                  </conditions>
                  <action type="Redirect" url="https://{HTTP_HOST}/{R:1}" appendQueryString="true" redirectType="Temporary" />
                </rule>
                <rule name="ReverseProxy" stopProcessing="true">
                  <match url="(.*)" />
                  <action type="Rewrite" url="http://192.168.4.83:8080/{R:1}" logRewrittenUrl="true" />
                </rule>
            </rules>
            <outboundRules>
                <rule name="Outbound" enabled="true">
                    <match filterByTags="None" pattern="http://192.168.4.83:8080" />
                    <action type="Rewrite" value="https://myPublicOpenHabDomain" />
                </rule>
                <preConditions>
                    <preCondition name="ResponseIsHtml1">
                        <add input="{RESPONSE_CONTENT_TYPE}" pattern="^text/html" />
                    </preCondition>
                </preConditions>
            </outboundRules>
        </rewrite>
        <caching enabled="false" enableKernelCache="false" />
    </system.webServer>
</configuration>


Can somebody confirm this is working on his own setup? @KidSquid?

kind regards,
B


It works. Thanks.

I cannot get the URL-REWRITE + ARR working on IIS on Windows 2016 server. No matter what I do, I can use the browser to connect but the OpenHab Android app would not connect. Tried via HTTPS and HTTP.
Any help would be greatly appreciated.
Thanks.

Finally got it working. Posting the solution hoping that it will help others.

My configuration:
OpenHab running on 192.168.1.114, port 8080
IIS running on 192.168.1.116
Goal:
Connect to OpenHab server from a mobile app, using basic authentication and SSL.

Steps:

  1. If you don’t already have one, obtain a free SSL certificate from sslforfree.com (note: while it is free, the “catch” is that you will have to renew it every 90 days).
  2. Log in to the IIS box and create a new web site (right click on “Sites”, select “Add Website…”).
  3. Install url-rewrite and ARR modules.
  4. Install the SSL certificate on the newly created web site (follow the instructions on sslforfree.com).
  5. Edit web site bindings and set type=https, port=8843. Select the proper certificate.
  6. Double click on “SSL Settings” module and enable “Require SSL” option.
  7. Double click on “Authentication” module. Disable “Anonymous Authentication” and enable “Basic Authentication”.
  8. Create users on the local box that runs IIS, or in DC if IIS box is a part of a domain.
  9. Configure your router by adding the NAT rule: external port 8443 <-> 192.168.1.116 port 8843
  10. Set the following url-rewrite rule:
         <rewrite>
            <rules>
                <rule name="ReverseProxyInboundRule1" stopProcessing="true">
                    <match url="(.*)" />
                    <action type="Rewrite" url="http://192.168.1.114:8080/{R:1}" />
                </rule>
            </rules>
            <outboundRules>
                <rule name="ReverseProxyOutboundRule1" preCondition="ResponseIsHtml1" stopProcessing="false">
                    <match filterByTags="None" pattern="http(s)?://192.168.1.114:8080/(./*)" />
                    <action type="Rewrite" value="https://mydomain.com:8443/{R:2}" />
                </rule>
                <preConditions>
                    <preCondition name="ResponseIsHtml1">
                        <add input="{RESPONSE_CONTENT_TYPE}" pattern="^(application/json)" />
                    </preCondition>
                </preConditions>
            </outboundRules>
        </rewrite>

Note: if you create the rule from template, make sure the “Enable SSL Offloading” option is enabled.

Finally, open the OpenHab mobile app settings and set the remote URL to

https://mydomain.com:8443

Use user credentials created on step 8 above.

Good luck!
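As an added illustration (not code from this thread), the following Python simulates what the outbound rule in the two working configs above does to an openHAB REST response, and why the first web.config without any outbound rule left the Android app spinning: the REST JSON carries absolute "link" URLs pointing at the internal box, and the app follows them. The internal and public host names, the sample JSON/HTML bodies and the content types are constructed here.

```python
import re

# Constructed sample values (not from the thread): the openHAB box behind the
# proxy and the public name the outbound rule rewrites to.
INTERNAL = "192.168.1.114:8080"
PUBLIC = "mydomain.com:8443"

# Constructed REST response: openHAB embeds absolute "link" URLs pointing at
# its own origin, which the Android app follows for the next request.
SAMPLE_JSON = (
    '{"name":"home","label":"Home",'
    '"link":"http://192.168.1.114:8080/rest/sitemaps/home",'
    '"homepage":{"link":"http://192.168.1.114:8080/rest/sitemaps/home/home"}}'
)
SAMPLE_HTML = '<a href="http://192.168.1.114:8080/basicui/app">Basic UI</a>'

# Pattern and replacement exactly as in the posted outbound rule. Note that
# "(./*)" captures only one character plus any following slashes, so the
# rewrite replaces just the origin and that first character; the rest of the
# path is left in place after the match, which is why the rule still works.
OUTBOUND_PATTERN = re.compile(r"http(s)?://" + INTERNAL + r"/(./*)")
OUTBOUND_VALUE = "https://" + PUBLIC + r"/\2"
JSON_PRECONDITION = r"^(application/json)"


def outbound_rewrite(content_type, body, precondition=JSON_PRECONDITION):
    """Simulate one IIS outbound rule with a Content-Type preCondition:
    responses whose type does not match pass through untouched."""
    if not re.match(precondition, content_type):
        return body
    return OUTBOUND_PATTERN.sub(OUTBOUND_VALUE, body)


def leaks_internal_origin(body):
    """Check a proxied body for the internal host:port; any hit means a
    client outside the LAN will be handed a link it cannot reach."""
    return INTERNAL in body


if __name__ == "__main__":
    rewritten = outbound_rewrite("application/json; charset=utf-8", SAMPLE_JSON)
    print(rewritten)
    print("leak before:", leaks_internal_origin(SAMPLE_JSON))
    print("leak after :", leaks_internal_origin(rewritten))
    # HTML is outside the JSON preCondition, so this rule leaves it alone
    print(outbound_rewrite("text/html", SAMPLE_HTML))
```

Run it through a proxied REST call (for example the sitemap listing) and `leaks_internal_origin` is the check to apply to the real response body.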

Hello,
I tried these config files, but the login won’t work…

I can’t unlock Admin Menu… any idea?

Hello. Are you on OH2 or OH3?
Adding here since I hit the limitation of maximum of 3 replies per thread.


I suspect the issue is that the password is not taken by OpenHab. If so, then this is because the UrlRewrite passes the Basic Authentication header to OpenHab, which “does not know” what to do with it. To address this, you need to enable “Basic Authentication” in OpenHab. This can be done in Settings, API Security after enabling the “Show Advanced” option.
I had another “gotcha”. OpenHab is using some characters in the URL that are considered “invalid” by IIS. To work around this, you can disable “invalid” characters by adding the following line to the configuration/system.web section of your web.config file:

<httpRuntime requestPathInvalidCharacters="" />

See this for more details: HttpRuntimeSection.RequestPathInvalidCharacters Property (System.Web.Configuration) | Microsoft Docs
Here is my full config, but I’m pretty sure the one above should work as well (replace <INTERNAL_IP_ADDRESS> and <EXTERNAL_URL> with your own values).

<rewrite>
    <rules>
        <!-- Let Let's Encrypt HTTP challenges through without proxying them -->
        <rule name="Encrypt" enabled="true" stopProcessing="true">
            <match url="(.well-known/acme-challenge/*)" />
            <action type="None" />
        </rule>
        <!-- Everything else that arrives over plain HTTP is redirected to HTTPS -->
        <rule name="Redirect to HTTPS" enabled="true" stopProcessing="true">
            <match url="(.*)" />
            <conditions>
                <add input="{HTTPS}" pattern="^OFF$" />
            </conditions>
            <action type="Redirect" url="https://{HTTP_HOST}/{R:1}" appendQueryString="true" redirectType="Temporary" />
        </rule>
        <!-- Proxy the remaining requests to the openHAB box -->
        <rule name="ReverseProxyInboundRule1" stopProcessing="true">
            <match url="(.*)" />
            <action type="Rewrite" url="http://<INTERNAL_IP_ADDRESS>:8080/{R:1}" logRewrittenUrl="true" />
        </rule>
    </rules>
    <outboundRules>
        <!-- Rewrite internal links in JSON responses (REST API) to the public address -->
        <rule name="ReverseProxyOutboundRule1" preCondition="ResponseIsHtml1" stopProcessing="false">
            <match filterByTags="None" pattern="http(s)?://<INTERNAL_IP_ADDRESS>:8080/(./*)" />
            <action type="Rewrite" value="https://<EXTERNAL_URL>:8443/{R:2}" />
        </rule>
        <preConditions>
            <preCondition name="ResponseIsHtml1">
                <add input="{RESPONSE_CONTENT_TYPE}" pattern="^(application/json)" />
            </preCondition>
            <!-- Defined but not referenced by any outbound rule above -->
            <preCondition name="ResponseIsHtml2">
                <add input="{RESPONSE_CONTENT_TYPE}" pattern="^text/html" />
            </preCondition>
        </preConditions>
    </outboundRules>
</rewrite>

Adding my reply here because I exceeded the number of allowed replies :frowning:
@maxin Can you please post any errors that you see? You can do that by enabling the URL rewrite and then accessing openHAB from an external address. The best way to get a network log is to open the browser dev tools (press F12) and then export the content of the Network tab (note the “arrow down” icon in the header for exporting the network log into a HAR file).
I would also recommend installing the “Failed Request Tracing Rules” which allows debugging the URL Rewrite component specifically (see Using Failed Request Tracing Rules to Troubleshoot Application Request Routing | Microsoft Docs)

openHAB 3.2.0

Release Build

Hello. I tried your config, but unfortunately it doesn’t work. Could you take a look at my thread for any ideas?

Thank You!