Reverse proxy session expiration

I had this on OH3.5 and through to OH4.1, and it’s beginning to irritate me, so here I am.

I already run Apache 2.4.51 on the box, so I am using this to reverse proxy to OH, and I’m using Basic HTTP authentication over TLS to authorise access from the Internet. I’ve followed the instructions I’ve found in the docs, as well as mixed it up a little bit with things people have recommended on these forums. The relevant bits from my config are thus:

        # Strip the browser's Basic-auth header so it never reaches openHAB
        RequestHeader unset Authorization

        Header set Access-Control-Allow-Origin *
        Header set Access-Control-Allow_Credentials true
        Header set Access-Control-Allow-Headers "Authorization,Accept,Origin,DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Content-Range,Range"
        Header set Access-Control-Allow-Methods "GET,POST,OPTIONS,PUT,DELETE,PATCH"
        # Tells Main UI to send its token in X-OPENHAB-TOKEN instead of Authorization
        Header set Set-Cookie "X-OPENHAB-AUTH-HEADER=true;path=/;Secure"

This all works fine, and as expected. When I connect from an external IP, I have to provide HTTP authentication, which works, and the page is loaded just fine. I can see that I get the cookie request, and that gets sent back in requests.

Everything is peachy and it all works. Until it doesn’t. After what I assume is half an hour, my authorisation is revoked, and the first I know about it is when I can no longer open the model, or more usually when I try and save the script I’m changing in the UI and it tells me unauthorised in the corner.

For the purposes of this topic, I’m using Edge, as there appears to be a caching bug with Firefox where API responses aren’t invalidated from the cache.

Investigations

  • If I work directly against the OH port, bypassing the proxy, I see the Authorization header holding a Bearer JWT.
  • If I work through the proxy, I see the JWT correctly being sent in the “X-Openhab-Token” header field.
  • Both tokens have a 30 minute expiry in the JWT.
  • A direct session will issue a POST to /rest/auth/token, where a new JWT is returned with another 30 minutes.
  • The proxied session doesn’t even attempt to make this call.

Question:
Does anybody know if this is a configuration problem that I can resolve? Is anybody else in this situation where it either does, or does not work?

I’ll raise a bug on GitHub if required, but I didn’t want to unnecessarily.

I have had the same issue with my apache reverse proxy ever since the asynchronous update to MainUI early in the 3’s. It doesn’t bother me much as I am almost never connected remotely for any extended period of time.

My apache config is a little different. I haven’t set any of the CORS headers, as I don’t believe they are required here (in fact, your allow origin and allow credentials settings are incompatible as I understand it). My cookie setting is slightly different as I just use the auth header:

Header set Set-Cookie "X-OPENHAB-AUTH-HEADER=1"

If it helps, here is my Nginx config. I’m pretty sure I got this somewhere from this community, I’m not really an expert with this myself:

# Cross-Origin Resource Sharing.
add_header 'Access-Control-Allow-Origin' '*' always;
add_header 'Access-Control-Allow_Credentials' 'true' always;
add_header 'Access-Control-Allow-Headers' 'Authorization,Accept,Origin,DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Content-Range,Range' always;
add_header 'Access-Control-Allow-Methods' 'GET,POST,OPTIONS,PUT,DELETE,PATCH' always;

# openHAB 3 api authentication
add_header Set-Cookie X-OPENHAB-AUTH-HEADER=1;

The CORS stuff was a straight copy and paste from a forum post - one of the many variations of “this works for me” configs. Likewise, the cookie setting - although I checked that one in the source and found that it only needs to exist for OH to act on it.
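As an added example (not part of any post in this thread), here is a small Python check over the CORS and cookie headers that the Apache and nginx configs above would emit; the header sets are constructed from the posted directives. It flags the underscore in the Allow-Credentials header name that both configs share (the browser treats it as an unknown header), the wildcard-origin-plus-credentials combination that the reply above calls incompatible, and a cookie sent without Secure.

```python
def lint_proxy_headers(headers):
    """headers: list of (name, value) pairs as the browser receives them.
    Returns a list of finding strings (an empty list means nothing flagged)."""
    findings = []
    present = {}
    for name, value in headers:
        if "_" in name:
            # An underscore is a legal token character, but browsers match CORS
            # header names exactly, so Access-Control-Allow_Credentials is an
            # unknown header that has no effect at all.
            findings.append(f"{name}: misspelt (underscore), browser ignores it")
            continue
        present[name.lower()] = value.strip()
    origin = present.get("access-control-allow-origin")
    creds = present.get("access-control-allow-credentials", "").lower()
    if origin == "*" and creds == "true":
        # A wildcard origin is not permitted on credentialed CORS responses.
        findings.append("Allow-Origin '*' cannot be combined with Allow-Credentials 'true'")
    cookie = present.get("set-cookie", "")
    if not cookie.startswith("X-OPENHAB-AUTH-HEADER="):
        findings.append("X-OPENHAB-AUTH-HEADER cookie is missing")
    elif "secure" not in {a.strip().lower() for a in cookie.split(";")[1:]}:
        # Without Secure the cookie is also sent over plain HTTP.
        findings.append("X-OPENHAB-AUTH-HEADER cookie lacks the Secure attribute")
    return findings


# Constructed header sets (sample data, not captured traffic).
APACHE_POST = [  # first post's Apache directives, as written there
    ("Access-Control-Allow-Origin", "*"),
    ("Access-Control-Allow_Credentials", "true"),
    ("Access-Control-Allow-Methods", "GET,POST,OPTIONS,PUT,DELETE,PATCH"),
    ("Set-Cookie", "X-OPENHAB-AUTH-HEADER=true;path=/;Secure"),
]
NGINX_POST = [  # nginx directives above, as written there
    ("Access-Control-Allow-Origin", "*"),
    ("Access-Control-Allow_Credentials", "true"),
    ("Set-Cookie", "X-OPENHAB-AUTH-HEADER=1"),
]
SPELLING_FIXED = [  # NGINX_POST with the header name corrected and Secure added
    ("Access-Control-Allow-Origin", "*"),
    ("Access-Control-Allow-Credentials", "true"),
    ("Set-Cookie", "X-OPENHAB-AUTH-HEADER=1; Secure"),
]

if __name__ == "__main__":
    for label, hdrs in (("apache", APACHE_POST), ("nginx", NGINX_POST),
                        ("spelling fixed", SPELLING_FIXED)):
        print(label, lint_proxy_headers(hdrs))
```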

@DrRSatzteil - does your nginx implementation keep the session alive after 30 minutes without having to relogin again?

Yeah I think so. I don’t think I ever used an open browser tab with OH for half an hour but I never noticed any problems like that.