Hello everyone,
Goal
My goal is to secure my local openHAB installation also against the local network. So I followed the guide Running openHAB Behind a Reverse Proxy, which is quite straightforward. Additionally, I disabled openHAB listening on the LAN on port 8080 by changing
OPENHAB_HTTP_ADDRESS=127.0.0.1
So far so good - everything works perfectly - and all requests go through the nginx proxy on port 80, which is forwarded to 127.0.0.1:8080 (yes, I know it might be better to use SSL - but at the moment I don't care on my local network).
Problem
After these changes my Sonos binding partly stopped working. Partly in the sense that commands sent to the Sonos work fine, but updates from the Sonos system aren't transmitted to the corresponding openHAB items (e.g. volume or state when changed at the speaker).
Findings so far
The state of the Sonos has to be transferred from the Sonos to openHAB. Looking at the following link Sonos Firewall, different ports are used. I tried to open the different UDP ports - without any success. Looking at the network traffic with the firewall disabled showed me that the state is transmitted via HTTP requests on port 8080:
192.168.x.104.38049 > 192.168…20.8080: Flags [.], cksum 0x22c2 (correct), seq 1812005778:1812007226, ack 4060895772, win 1460, options [nop,nop,TS val 83766754 ecr 74613054], length 1448: HTTP, length: 1448
NOTIFY /upnpcallback/dev/RINCON_5CAAFD46885E01400_MR/svc/upnp-org/AVTransport/event/cb HTTP/1.1
HOST: 192.168.x.20:8080
CONNECTION: close
CONTENT-TYPE: text/xml
CONTENT-LENGTH: 2090
NT: upnp:event
NTS: upnp:propchange
SID: uuid:RINCON_5CAAFD46885E01400_sub0000000501
SEQ: 274
<e:propertyset xmlns:e="urn:schemas-upnp-org:event-1-0"><e:property><LastChange><Event xmlns="urn:schemas-upnp-org:metadata-1-0/AVT/" xmlns:r="urn:schemas-rinconnetworks-com:metadata-1-0/"><InstanceID val="0"><TransportState val="PAUSED_PLAYBACK"/><CurrentPlayMode val="NORMAL"/><CurrentCrossfadeMode val="0"/><NumberOfTracks val="2"/><CurrentTrack val="2"/><CurrentSection val="0"/><CurrentTrackURI val="x-file-cifs://192.168.x.60/Media/music/rxxxx.mp3"/><CurrentTrackDuration val="1:00:03"/><CurrentTrackMetaData val="<DIDL-Lite xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:upnp="urn:schemas-upnp-org:metadata-1-0/upnp/" xmlns:r="urn:schemas-rinconnetworks-com:metadata-1-0/" xmlns="urn:schemas-upnp-org:metadata-1-0/DIDL-Lite/"><item id="-1" parentID="-1" restricted="true">&am[!http]
10:23:01.312717 IP (tos 0x0, ttl 64, id 11890, offset 0, flags [DF], proto TCP (6), length 981)
192.168.x.104.38049 > 192.168.x.20.8080: Flags [P.], cksum 0xcf4a (correct), seq 1448:2377, ack 1, win 1460, options [nop,nop,TS val 83766754 ecr 74613054], length 929: HTTP
10:23:01.374963 IP (tos 0x0, ttl 64, id 11891, offset 0, flags [DF], proto TCP (6), length 52)
192.168.x.104.38049 > 192.168.x.20.8080: Flags [R.], cksum 0xb8db (correct), seq 2377, ack 134, win 1460, options [nop,nop,TS val 83766766 ecr 74613058], length 0
10:23:01.374967 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto TCP (6), length 40)
192.168.x.104.38049 > 192.168.x.20.8080: Flags [R], cksum 0xfd05 (correct), seq 1812008155, win 0, length 0
10:23:01.463829 IP (tos 0x0, ttl 64, id 63534, offset 0, flags [DF], proto TCP (6), length 60)
192.168.x.104.38052 > 192.168.x.20.8080: Flags [S], cksum 0x81d7 (correct), seq 1815074342, win 5840, options [mss 1460,sackOK,TS val 83766792 ecr 0,nop,wscale 2], length 0
10:23:01.466815 IP (tos 0x0, ttl 64, id 63535, offset 0, flags [DF], proto TCP (6), length 1500)
192.168.x.104.38052 > 192.168.x.20.8080: Flags [.], cksum 0xacee (correct), seq 1815074343:1815075791, ack 2224430947, win 1460, options [nop,nop,TS val 83766793 ecr 74613070], length 1448: HTTP, length: 1448
NOTIFY /upnpcallback/dev/RINCON_5CAAFD46885E01400/svc/upnp-org/DeviceProperties/event/cb HTTP/1.1
HOST: 192.168.x.20:8080
CONNECTION: close
CONTENT-TYPE: text/xml
CONTENT-LENGTH: 1760
NT: upnp:event
NTS: upnp:propchange
SID: uuid:RINCON_5CAAFD46885E01400_sub0000007406
SEQ: 19
So it seems that the Sonos binding somehow registers at the Sonos device and then gets state updates via normal HTTP calls…
My idea is to somehow configure the port on which the Sonos binding listens and only allow traffic to this port.
The second-best method, which I already tried, is to only allow some hosts (based on IP) to access port 8080. But in terms of security I think this isn't the best solution…
Any ideas on this?
P.S.: I didn't have a look at the Hue binding - but perhaps there it is the same problem?
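As an added example (not code from the post above and not the openHAB Sonos binding's own code), here is a small Python handler for the UPnP GENA NOTIFY callbacks seen in the capture. It shows the check a callback receiver should do regardless of which port it listens on: a NOTIFY is accepted only if its SID matches a subscription the receiver itself created with SUBSCRIBE for that device and service, and only then is the AVTransport state pulled out of the escaped LastChange body. The subscription table, the XML body (the captured one is truncated) and the 192.168.0.20 address are constructed placeholders; the request line, header names and RINCON identifiers follow the capture.

```python
import re
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

AVT_NS = "urn:schemas-upnp-org:metadata-1-0/AVT/"
EVENT_NS = "urn:schemas-upnp-org:event-1-0"

# Constructed sample body. The AVTransport service ships its <Event> document
# XML-escaped inside <LastChange>, so the inner document is escaped here too.
EVENT_XML = (
    f'<Event xmlns="{AVT_NS}"><InstanceID val="0">'
    '<TransportState val="PAUSED_PLAYBACK"/><CurrentPlayMode val="NORMAL"/>'
    '<NumberOfTracks val="2"/><CurrentTrack val="2"/>'
    '</InstanceID></Event>'
)
BODY = (
    f'<e:propertyset xmlns:e="{EVENT_NS}"><e:property><LastChange>'
    + escape(EVENT_XML) + '</LastChange></e:property></e:propertyset>'
).encode()

# Constructed sample request, shaped like the NOTIFY in the capture.
SAMPLE_NOTIFY = (
    "NOTIFY /upnpcallback/dev/RINCON_5CAAFD46885E01400_MR/svc/upnp-org/AVTransport/event/cb HTTP/1.1\r\n"
    "HOST: 192.168.0.20:8080\r\n"  # placeholder address, not the poster's
    "CONNECTION: close\r\n"
    "CONTENT-TYPE: text/xml\r\n"
    f"CONTENT-LENGTH: {len(BODY)}\r\n"
    "NT: upnp:event\r\n"
    "NTS: upnp:propchange\r\n"
    "SID: uuid:RINCON_5CAAFD46885E01400_sub0000000501\r\n"
    "SEQ: 274\r\n\r\n"
).encode() + BODY

# Constructed subscription table: SID -> (device UDN, service), filled when the
# receiver sent its own SUBSCRIBE. A NOTIFY whose SID is missing here was never
# requested and is dropped.
SUBSCRIPTIONS = {
    "uuid:RINCON_5CAAFD46885E01400_sub0000000501":
        ("RINCON_5CAAFD46885E01400_MR", "AVTransport"),
}

CALLBACK_PATH = re.compile(
    r"^/upnpcallback/dev/(?P<udn>[A-Za-z0-9_]+)/svc/upnp-org/(?P<service>[A-Za-z]+)/event/cb$"
)


def parse_request(raw: bytes):
    """Split a raw HTTP request into (method, path, headers, body); header names are upper-cased."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("no end of headers")
    lines = head.decode("ascii").split("\r\n")
    method, path, _version = lines[0].split(" ")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().upper()] = value.strip()
    return method, path, headers, body


def handle_notify(raw: bytes, subscriptions=SUBSCRIPTIONS):
    """Validate a GENA NOTIFY against our own subscriptions and return the state it carries.

    Raises ValueError for anything we did not subscribe to, so a stray or
    forged callback never turns into an item update."""
    method, path, headers, body = parse_request(raw)
    if method != "NOTIFY":
        raise ValueError(f"unexpected method {method}")
    if headers.get("NT") != "upnp:event" or headers.get("NTS") != "upnp:propchange":
        raise ValueError("not a UPnP property-change event")
    m = CALLBACK_PATH.match(path)
    if m is None:
        raise ValueError(f"callback path not ours: {path}")
    udn, service = m.group("udn"), m.group("service")
    sid = headers.get("SID", "")
    if subscriptions.get(sid) != (udn, service):
        raise ValueError(f"SID {sid!r} was not issued for {udn}/{service}")
    if int(headers.get("CONTENT-LENGTH", "-1")) != len(body):
        raise ValueError("Content-Length does not match body")

    root = ET.fromstring(body)
    last_change = root.find("e:property/LastChange", {"e": EVENT_NS})
    if last_change is None or not last_change.text:
        raise ValueError("no LastChange property")
    # ElementTree has already unescaped the text; it is the inner <Event> document.
    event = ET.fromstring(last_change.text)
    instance = event.find(f"{{{AVT_NS}}}InstanceID")
    if instance is None:
        raise ValueError("no InstanceID in event")
    state = {child.tag.split("}")[-1]: child.get("val") for child in instance}
    return {"udn": udn, "service": service, "seq": int(headers["SEQ"]), "state": state}


if __name__ == "__main__":
    print(handle_notify(SAMPLE_NOTIFY))
```

Binding the callback listener to a dedicated port, as the post suggests, narrows the firewall rule; the SID check above is what keeps the listener from accepting events it never subscribed to, whichever port it ends up on.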