Securing OpenHAB for Web Access, OH2 android & HabPanel

Hi All,

There seem to be a few tutorials which all work to secure various access methods, and they do work; however, they don't appear to work together.

I use web browser access to OH2 via HTTPS, using NGINX. This works fine and works with a username/password.

Using this NGINX config, I can access OH2, but I can't access the OpenHab Cloud local instance on 3000. It appears it only works by having location set to /. How would I obtain access using HTTPS to both sites, both 3000 & 8080?

Further, the instructions say to secure it with a user/pass by adding the following. That's all well and good for a web browser, but when you enable this it breaks the openHAB Android app. So, maybe you secure the app via certs, great, but then that breaks the web browser access!!

Can't darn win!

    auth_basic           "Username and Password Required";
    auth_basic_user_file /etc/nginx/.htpasswd;

    location / {
        proxy_pass http://localhost:8080;
        proxy_redirect off;
        proxy_http_version 1.1;
        proxy_set_header Host $host;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto https;
    }
    # proxy_pass without a URI part forwards the request path unchanged,
    # so the backend on 3000 receives requests under /cloud/...
    location /cloud/ {
        proxy_pass http://localhost:3000;
        proxy_redirect off;
        proxy_http_version 1.1;
        proxy_set_header Host $host;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto https;
    }

Does anyone know how I can have BOTH sites running with HTTPS?

Regards
Kris

You can have web access using client certs, but that requires installing the certs on every device that should have access. It would be nice if you could have nginx check for a client cert and, if not present, use basic auth, but that isn't supported out of the box and requires some really hacky config. Also, you would be prompted for a certificate every time you try to visit the site, which would be rather annoying, especially for family members who don't know what to make of it.

As for the path issue with openhab cloud, I've been researching this as well (but with grafana and frontail). Grafana supports configuring a base path, but frontail doesn't. I believe the only way is to purchase a domain name and configure different subdomains in nginx. Just remember that if you are using let's encrypt you must add all subdomains to the SAN list to avoid cert warnings.

Edit: sorry for not being able to help more, I would be very happy as well if someone has a better answer :slightly_smiling_face:

1 Like

OK, I won't use certs, too complex.

I have a domain name and can create subdomains quite easily.

I'm just confused as to what I'd do in NGINX to allow that to function.

Not entirely sure, haven't done this yet, but I think you just have to add different server blocks for each subdomain:

server {
    listen 443 ssl;
    server_name yourdomain.org;

# config here
}
server {
    listen 443 ssl;
    server_name subdomain.yourdomain.org;

# config here
}
1 Like

According to the frontail readme, there is the --url-path option:

Thank you.

I would need to have two server blocks, one with auth to protect on the internet and one without auth for openhab cloud for use on the mobile device. I'll give it a go!

I don't see how that helps, because with a web browser you can still hit the server on the subdomain without the auth.

So, when you use the OH2 Android client and OpenHab Local Cloud and want Android & web access, I can't see how you can protect both.

I installed OH2 Cloud locally and the Android app can't connect on port 3000; it's not even clear if it's meant to!

I have no experience in how to configure oh-cloud, so can't help you there I'm afraid… But of course you would need some kind of authentication to prevent everyone having access.

Perhaps you could have two different subdomains proxying the same server but one using basic auth and the other certificate auth? You said in your first post that you got cert auth to work with the Android app no?

Edit: you need to configure the Android app to connect to port 443 (or to whatever port you tell nginx to listen on; 443 is just the standard for SSL).
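As an added example, not taken from this thread or from the openHAB project, here is what the two suggestions above (one server block per subdomain, and two hostnames for the same backend where one uses basic auth and the other client certificates) look like in a single nginx config. The hostnames openhab.example.org, app.example.org and cloud.example.org, the certificate paths, the .htpasswd path and the client-CA path are placeholders; the backends are the ones described in the thread (openHAB on 8080, a local openhab-cloud instance on 3000).

```nginx
# Added example (not from this thread). Three HTTPS server blocks on one
# nginx, selected by the TLS SNI / Host name. All hostnames and file paths
# below are placeholders.

# 1. Browser access to openHAB: TLS plus HTTP basic auth.
server {
    listen 443 ssl;
    server_name openhab.example.org;                                     # placeholder

    ssl_certificate     /etc/letsencrypt/live/example.org/fullchain.pem; # placeholder
    ssl_certificate_key /etc/letsencrypt/live/example.org/privkey.pem;   # placeholder

    auth_basic           "Username and Password Required";
    auth_basic_user_file /etc/nginx/.htpasswd;                           # placeholder

    location / {
        proxy_pass http://127.0.0.1:8080;
        proxy_redirect off;
        proxy_http_version 1.1;
        proxy_set_header Host $host;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto https;
    }
}

# 2. The same openHAB backend on a second hostname, for devices that carry a
#    client certificate. No basic auth here: the TLS handshake is refused
#    unless the client presents a certificate issued by client-ca.pem.
server {
    listen 443 ssl;
    server_name app.example.org;                                         # placeholder

    ssl_certificate        /etc/letsencrypt/live/example.org/fullchain.pem; # placeholder; SAN must include this name
    ssl_certificate_key    /etc/letsencrypt/live/example.org/privkey.pem;   # placeholder
    ssl_client_certificate /etc/nginx/client-ca.pem;                     # placeholder: CA that issued the device certs
    ssl_verify_client      on;

    location / {
        proxy_pass http://127.0.0.1:8080;
        proxy_redirect off;
        proxy_http_version 1.1;
        proxy_set_header Host $host;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto https;
    }
}

# 3. openhab-cloud on its own hostname at the root path, so nothing has to be
#    mounted under /cloud/. Access control for this block is left to
#    openhab-cloud's own user login (an assumption of this example); add
#    auth_basic or ssl_verify_client as above if nginx should gate it as well.
server {
    listen 443 ssl;
    server_name cloud.example.org;                                       # placeholder

    ssl_certificate     /etc/letsencrypt/live/example.org/fullchain.pem; # placeholder; SAN must include this name
    ssl_certificate_key /etc/letsencrypt/live/example.org/privkey.pem;   # placeholder

    location / {
        proxy_pass http://127.0.0.1:3000;
        proxy_redirect off;
        proxy_http_version 1.1;
        proxy_set_header Host $host;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto https;
    }
}
```

Check the file with `nginx -t` before reloading. Because all three blocks share one certificate, that certificate's SAN list has to contain every hostname used, as the earlier reply about Let's Encrypt notes; and since the client-cert block and the basic-auth block proxy the same backend, a browser that reaches app.example.org without a certificate is rejected at the TLS layer rather than being served unauthenticated.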

It was a while ago that I tried, but as I recall there were a lot of issues reported to fix this; apparently it has been done now :slight_smile:
Thanks for the tip!

Yea, the Android app is configured to talk to 443. It says connected in the app beta version, but there's no sitemap info.

I can't recreate your setup, since I don't have an openhab-cloud instance running, and I don't use openhab-cloud or the app very often, so can't say what's wrong. But if the app says it's connected then something must be working at least :wink:

I fixed it in the end, paid a freelancer who is a specialist on nginx :stuck_out_tongue: