Hi all,
I would like to have security for internal and external access.
Setting security:EXTERNAL worked - I get internal access without user/password and external access (via my.openhab) only after providing username and password.
So that’s fine.
But when trying to get security for internal access (security:ON or removing security:netmask), too, it does not work.
Any ideas/hints?
Did you clear the cache or close the browser between testing you external login verses the internal login? If not the authorization cookie that got set when you logged in successfully to the external address may still be valid when you log in internally. You need to clear that cookie out.
The my.opnehab binding connects back to your system over localhost, so having this on for internal auth will probably not work. I don’t remember if my.openhab it leaves the basic auth header in the proxied request, you may want to make your internal username and password the same as my.openhab and see what happens (it might work then with internal auth on).
@digitaldan, my.openhab will not work with security set to ON. It connects like an internal client but is unable to provide a username or password so the best you can do with my.openhab is security EXTERNAL.
But @michel53 makes no mention of using my.openhab.
@rlkoshak, @digitaldan, thanks for your hints.
I am using my.openhab via Web-Browser and via Android app.
I restarted the browser after changing the settings.
I added an internal user with same username and password as the my.openhab user.
Still the same:
When using security:EXTERNAL and having netmask 192.168.178.0/24 set, internal access is without password, external access is with password.
When using security:ON or (security:EXTERNAL and clearing netmask 192.168.178.0/24), internal access is with password, external access is not possible.
What else can I try?
Background is that I would like to keep my network closed and do not allow anybody in my WLAN (especially not the kids having fun) to control openhab via android app.
As I said and as is documented here:
my.openHAB doesn’t pass authentication data through connection with your openHAB for security reasons, so you need to disable local authentication, so that bundle will be able to make requests to your openHAB. To do that you need to set security:option=EXTERNAL and adjust security:netmask= to your local LAN IP subnet in your openhab.cfg. After that my.openHAB bundle will be able to make requests while external requests will still be authenticated against your local users.cfg. If you don’t expose your openHAB to outer world you can set security:option to OFF to switch authentication off completely.
In short, you cannot use both my.openhab and have security:ON.
If you always want users to have to provide a password whether internal or not your choices are:
Stop using my.openhab, set security:ON, and punch a hole through your router so you can get to your OH from outside your network.
Setup a reverse proxy (e.g. nginx) and implement the authentication/authorization there. Then configure your network and firewall rules so the only thing that can talk to OH on your internal network is the reverse proxy.
Segregate your home automation (HA) onto a separate WLAN and control access to this separate WLAN. Only those local users who can get on your HA WLAN are able to interact with HA.
Set up your host based firewall to only allow connections to OH port 8080/8443 (or whatever ports you are running on) from localhost and everything else, whether it is on the LAN or not must go through my.openhab.
Ahh, somehow I missed that in the documentation.
I will see what I can do with the choices you showed up.
Thanks for clarification!