Securing access to openHAB - for local network

Hi,
TL;DR: What are some tips to protect openhab from intruders on the local network? (besides advice on protecting the local network itself)

I read this documentation article about securing the access to openhab, but it mostly focuses on securing remote access to openhab. For remote access I use myopenhab.org, so that is “solved”. However, I would like to improve security for the local network, so that if someone gets e.g. the wifi password, they would not be able to do damage or manipulate the system.

I read/saw a local Norwegian article where a TV show was showing the dangers of dumb “smart devices”, and a well-known guy that has “Norway's smartest home” was the target. He later discussed the topic, explaining that the security expert tried everything he could in a short time, but eventually the owner had to give the keys and open access for “a good show”. However, his HomeSeer automation software still had protected access, so even though the expert connected to the wifi, he couldn’t control anything in the home. I see that the article I linked to describes nginx as a reverse proxy for controlling access, but there are some limitations:
**Note:** There is currently an issue with Proxy Authentication and HABmin when using some browsers. If you require HABmin, consider connecting locally or using Safari for now.
So this also assumes that the local network is safe.

Not openhab related, but I remember my landlord sharing an internet subscription with me, and one day he just connected some NAS where he backed up all his photos, and they all appeared in my Picasa image organizer. This just reminds me that I cannot trust my local network and its users that much.

I am considering using a firewall on the Linux PC where openhab would be installed, but that introduces a bunch of rules due to device discovery for every binding etc. I also read on some topic that it might be basically pointless to have a firewall running on Linux, as no other ports are open/being listened on. First I was thinking to manually allow the IPs that can access openhab itself, but running openhab in Docker makes local firewall rules obsolete, as Docker basically goes around it, allowing all ports to the container. I know that Traefik could be used for Docker containers, but man, it all suddenly becomes very, very complicated to set up and maintain.

Also Node-RED and perhaps Grafana etc. will live on the server, but I guess that is where nginx (or Traefik) would help with basic authentication.

Ahh… difficult topic for me, anyone that can simplify it please? :slight_smile:
Perhaps improving existing documentation with more focus for local network?

1 Like

Well it’s a complex topic and unfortunately a little bit of the wrong time to ask.
Just a couple of weeks ago there went code into 2.4 that was supposed to handle authentication, but it had to be backed out because it didn’t work properly yet. You can expect this to remain on the near-term roadmap, though.

I’m not sure if that warning regarding use of a proxy is still valid or maybe just a docs artefact leftover after code was adopted. At least a quick try seems to show habmin keeps working through my nginx.
That’s what I’d suggest trying if you don’t want to wait.

2 Likes
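One way to put the nginx suggestion above into practice, as an added example that is not from the thread or the openHAB documentation: nginx takes the connection on the LAN side, requires a username/password before proxying to openHAB on 127.0.0.1:8080, and openHAB itself (or its Docker container) is bound only to localhost so the proxy is the only way in. The hostname, certificate and file paths are assumptions.

```nginx
# /etc/nginx/sites-available/openhab   (path assumed)
server {
    listen 443 ssl;
    server_name openhab.lan;                               # assumed hostname

    ssl_certificate     /etc/ssl/certs/openhab.lan.crt;    # assumed paths; a self-signed
    ssl_certificate_key /etc/ssl/private/openhab.lan.key;  # cert is fine on a LAN

    # Require credentials on every request: Basic UI, HABmin and the REST API alike.
    # The file is created with:  htpasswd -c /etc/nginx/.htpasswd <username>
    auth_basic           "openHAB";
    auth_basic_user_file /etc/nginx/.htpasswd;

    location / {
        proxy_pass         http://127.0.0.1:8080/;        # openHAB listens on loopback only
        proxy_set_header   Host $host;
        proxy_set_header   X-Real-IP $remote_addr;
        proxy_set_header   X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header   X-Forwarded-Proto $scheme;
        # Do not pass the browser's Basic-auth header on to openHAB; the proxy
        # has already checked it and openHAB 2.x has no use for it.
        proxy_set_header   Authorization "";
    }
}

# Plain HTTP only redirects, so the password never crosses the LAN in clear text.
server {
    listen 80;
    server_name openhab.lan;
    return 301 https://$host$request_uri;
}
```

For the Docker case raised in the first post, publish the container port as `-p 127.0.0.1:8080:8080` instead of `-p 8080:8080`: Docker inserts its own iptables rules ahead of the host firewall, so binding the published port to loopback is what actually keeps the container off the LAN, and the same applies to Node-RED and Grafana behind their own `location` blocks.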

Well, that seems to solve it then (on the next update)! :slight_smile:

Would authentication be only for the user interface, or the API as well? How would API links look, including basic auth in the URL (the usual way APIs work)?
Would this remove the need for a firewall then (if it is needed today at all)?

I will most likely wait for the next version with authentication properly implemented, but I am thinking of implementing anything else that could be useful in the future as well.

In your case, when “your LAN” is not exactly yours and the landlord's NAS server was visible, a proper firewall is a must. Or do you have a gateway separating your networks?

@gitMiguel that was before we moved; he just got a LAN cable to my apartment from his router, and I installed my old router and set up my own network, but somehow I got access to his NAS (I think it was some “network media protocol” or something).
I just told him to remove it and didn’t think much of it (he actually never did remove it…). And he is some database admin or something, and me a web developer, so it is a bit embarrassing for both of us “from IT” not to know what is going on.

1 Like