Securing the RestAPI

So I’ve been thinking about how openHAB’s RestAPI is set up and a number of threads on securing items using ghost items (for code entry etc). However, if your network was ever compromised I can see no way of restricting a subset of the API (we are after all protecting houses here, and networks get compromised/misconfigured all the time). An ideal solution to this would be a flag/tag which could be set on an item in order to prevent any API operations on the item or potentially limit to read only. This would give a significant security boost to the openHAB runtime.

Is this something openHAB have looked at, or have I missed an obvious feature in the restAPI which would enable me to achieve this? The only other way I can think of is to create a proxy API runner which masks the internal API somehow, but this feels backwards.

Interested in how others have approached this problem / engineered a solution.

There have been issues open since OH 2.0 to add authentication and authorization of various different flavors. No one has been willing to take on the code and submit a PR.

Honestly, just being able to require a username/password to access OH in the first place would be sufficient to mitigate the problem you mention. From a security perspective simple is almost always more secure than complex.

The current workaround is to indeed use a reverse proxy and implement authentication and authorization in the reverse proxy. https://www.openhab.org/docs/installation/security.html#authentication-and-access-control

Essentially you configure your host firewall and OH to only allow connections from localhost. Then run an Apache or Nginx server that adds in the authentication/authorization. All access to your OH REST API (and therefore your OH UIs) is through the reverse proxy.

It may feel backwards to you but it is actually a pretty common way to protect servers in the industry. A web server like Apache or Nginx will be more reliable and more secure than anything that will ever exist in OH natively.

And both Nginx and Apache are flexible enough to limit access to specific sitemaps or specific REST API calls if you wanted to go down that path.

I’m very familiar with the concept of reverse proxying servers :wink: I’m already implementing a reverse proxy for external access to the instance (i.e. from outside the network).

In the current setup I have 6 panels permanently mounted to the wall and then a number of personal devices. I’ve found that basic auth internally is a PITA as panels forget/timeout the auth token so I’ve currently resolved this by disabling the basic auth for the internal subnets, but this then leaves the restAPI exposed.

I hadn’t thought about just using a URL filter within nginx to limit access to certain items. I guess to achieve this I could adopt a naming convention (e.g. SECURE_) and then nginx access control the /rest/items/SECURE_* path.

Am I correct that the websocket is only for reporting the event bus changes and cannot receive control messages?

I’ve no idea actually. I would assume so but you will probably need to look at the source code to verify.

Maybe deploying your own local instance of openHAB Cloud would work better. I’m assuming you are using HABPanel instead of the apps so this might not buy you much, but it might help with the auth problems.
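
The URL filter proposed earlier in the thread (a SECURE_ naming convention enforced by nginx on /rest/items/SECURE_*), as an added example that is not from the thread or the openHAB project. The server name, subnet, certificate and htpasswd paths are placeholders, and openHAB is assumed to be bound to 127.0.0.1:8080 so that it is reachable only through the proxy.

```nginx
# Added example. Placeholders: server_name, subnet, certificate and htpasswd paths.
# Assumes openHAB listens on 127.0.0.1:8080 and the host firewall blocks direct access.
server {
    listen 443 ssl;
    server_name openhab.example.internal;
    ssl_certificate     /etc/nginx/tls/openhab.crt;
    ssl_certificate_key /etc/nginx/tls/openhab.key;

    # Only the internal subnet may reach the proxy at all.
    allow 192.168.1.0/24;
    deny  all;

    proxy_set_header Host              $http_host;
    proxy_set_header X-Real-IP         $remote_addr;
    proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto $scheme;

    # Items following the SECURE_ naming convention.
    # nginx matches locations against the decoded, normalized URI, so
    # percent-encoded spellings of the prefix land here too; "~*" also
    # ignores letter case, which errs on the side of protecting more names.
    location ~* ^/rest/items/SECURE_ {
        # Reads (GET/HEAD) stay open to the wall panels;
        # every other method requires credentials.
        limit_except GET {
            auth_basic           "openHAB secure items";
            auth_basic_user_file /etc/nginx/openhab.htpasswd;
        }
        proxy_pass http://127.0.0.1:8080;
    }

    # Everything else: no basic auth for the internal subnet, as in the thread.
    location / {
        proxy_pass http://127.0.0.1:8080;
    }
}
```

This filter covers only the /rest/items/ path named in the thread; other REST paths and the websocket need to be checked against the openHAB version in use before relying on it.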