Set IP OH listens on

I use my Debian server for many services that use 80 and 443. I don’t care for using 8080 and 8443 as nobody remembers them and my wife certainly doesn’t. My Debian box has multiple IPs to combat this issue.

As part of my initial POC, I found a way to change jetty to bind to a specific IP. This has worked great, but after upgrading to 1.8 and now to 1.8.1 I find it time-consuming to go in and tweak jetty.xml and start.sh each time.

Of course it is possible that neither file changed in the new builds and they could be kept, but it would be more time-consuming to diff the two.

Perhaps I’m the only one, but I figure others would be interested in being able to optionally change which IP on a system OH binds to at startup.

The changes include adding a reference to jetty.host in start.sh and jetty.xml.

One alternative solution that might work for you is a reverse proxy server. I used one for a time to add some additional security to a WebIOPi server I set up before I started with OH, and I think it would work for this. You can configure it so you can use, for example, “http://host/openhab” to reach “http://host:8080”. It might be more work initially but it will make it so you don’t have to mess with jetty configs.

I can’t do that. I port forward my OH ip outside my firewall. With that solution, omitting the sub folder would give access to other 80 and 443 services on the host that I don’t want outside.

Having a dedicated secured interface/ip reduces exposure risk.

Hi Moxified.

Did you find a solution on this? I’ve the same issue and I’m searching for a solution.

Kind regards,
bertl1982

I just don’t upgrade :slight_smile:

There hasn’t been anything new or fixed in the core that I need so I’ve been on 1.8.1 since. I upgraded my bindings yesterday to 1.8.3 but that part is pretty painless.

My long-term solution is to build a small ESXi home lab and start running my server pieces in separate Debian VMs. That way I can snapshot before changes and not worry about updating or adding a new service and having it bring down OH or other services. I have quite a bit running on my little mini-ITX server.

I’ve some good news for you! :wink:

After researching the server configuration I found out how the web frontend works. So I also found a way to configure an IP binding for the OH web services.

Here is a short summary for you:

1. Edit your etc/jetty.xml

Search for this part:

<!-- =========================================================== -->
<!-- Set connectors                                              -->
<!-- =========================================================== -->

    <Call name="addConnector">
            <Arg>
                    <New class="org.eclipse.jetty.server.nio.SelectChannelConnector">
                            <Set name="port"><Property name="jetty.port" /></Set>
                            <Set name="maxIdleTime">300000</Set>
                            <Set name="Acceptors">2</Set>
                            <Set name="statsOn">false</Set>
                            <Set name="lowResourcesConnections">20000</Set>
                            <Set name="lowResourcesMaxIdleTime">5000</Set>
                            <Set name="forwarded">true</Set>
                    </New>
            </Arg>
    </Call>

and add the “host” line as follows:

<!-- =========================================================== -->
<!-- Set connectors                                              -->
<!-- =========================================================== -->

    <Call name="addConnector">
            <Arg>
                    <New class="org.eclipse.jetty.server.nio.SelectChannelConnector">
                            <Set name="port"><Property name="jetty.port" /></Set>
                            <Set name="host"><Property name="jetty.host" /></Set>
                            <Set name="maxIdleTime">300000</Set>
                            <Set name="Acceptors">2</Set>
                            <Set name="statsOn">false</Set>
                            <Set name="lowResourcesConnections">20000</Set>
                            <Set name="lowResourcesMaxIdleTime">5000</Set>
                            <Set name="forwarded">true</Set>
                    </New>
            </Arg>
    </Call>

Do the same in the section for SSL. Just add the same “host” line under the “port” line. After that it should look like this:

<!-- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -->
<!-- To add a HTTPS SSL connector                                    -->
<!-- mixin jetty-ssl.xml:                                            -->
<!--   java -jar start.jar etc/jetty.xml etc/jetty-ssl.xml           -->
<!-- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -->

    <Call name="addConnector">
            <Arg>
                    <New class="org.eclipse.jetty.server.ssl.SslSelectChannelConnector">
                            <!-- prevent poodle attack see also https://groups.google.com/d/msg/scmmanager/sX_Ydy-wAPA/-Dvs5i7RHtQJ -->
                            <Arg>
                                    <New class="org.eclipse.jetty.http.ssl.SslContextFactory">
                                            <Set name="ExcludeProtocols">
                                                    <Array type="java.lang.String">
                                                            <Item>SSLv3</Item>
                                                    </Array>
                                            </Set>
                                    </New>
                            </Arg>
                            <Set name="port"><Property name="jetty.port.ssl" /></Set>
                            <Set name="host"><Property name="jetty.host" /></Set>
                            <Set name="maxIdleTime">30000</Set>
                            <Set name="Acceptors">2</Set>
                            <Set name="AcceptQueueSize">100</Set>
                            <Set name="Keystore"><SystemProperty name="jetty.config" default="." />/etc/keystore</Set>
                            <Set name="Password">OBF:1mpj1ci31jqi1jv81chf1mtj</Set>
                            <Set name="KeyPassword">OBF:1mpj1ci31jqi1jv81chf1mtj</Set>
                    </New>
            </Arg>
    </Call>

2. Edit your /etc/default/openhab.conf

Add these two lines, replacing <IP> with the IP you want to bind OH to.

# set ip for HTTP(S) server
HOST=<IP>

3. Edit your /etc/init.d/openhab

Add -Djetty.host=$HOST to your java command so that it looks like this:

java -Dosgi.clean=true -Declipse.ignoreApp=true -Dosgi.noShutdown=true -Djetty.port=$HTTP_PORT -Djetty.host=$HOST -Djetty.port.ssl=$HTTPS_PORT -Djetty.home=. -Dlogback.configurationFile=configurations/logback.xml -Dfelix.fileinstall.dir=addons -Djava.library.path=lib -Djava.security.auth.login.config=./etc/login.conf -Dorg.quartz.properties=./etc/quartz.properties -Dequinox.ds.block_timeout=240000 -Dequinox.scr.waitTimeOnBlock=60000 -Djava.awt.headless=true -jar $cp -console &> /dev/null


4. Restart / Reboot

Restart the service or the host itself. Attention! This only works if you start/stop OH with the init.d script, not with start.sh!


Please give it a try. If you need assistance, don’t hesitate to contact me.
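As an added example (not from the thread or from openHAB itself), a POSIX shell snippet that re-applies step 1 idempotently so it can be rerun after every runtime upgrade, and a check that reads `ss -ltn` output to confirm the HTTP(S) ports are no longer listening on the wildcard address. It assumes the thread's ports 8080/8443; the `ss` output embedded below is constructed sample data.

```shell
#!/bin/sh
# Added example (not from the thread). Re-applies the jetty.host edit from
# step 1 and checks the resulting listeners; ports 8080/8443 are assumed.

# Insert the host Set line directly after each jetty.port / jetty.port.ssl
# Set line in FILE, unless it is already there (safe to rerun after upgrades).
add_jetty_host() {
    file="$1"; tmp="$(mktemp)"
    awk '
    {
        if (pending && $0 !~ /name="host"/)
            print indent "<Set name=\"host\"><Property name=\"jetty.host\" /></Set>"
        pending = 0
        if ($0 ~ /<Set name="port"><Property name="jetty\.port(\.ssl)?" \/><\/Set>/) {
            pending = 1
            match($0, /^[ \t]*/); indent = substr($0, 1, RLENGTH)
        }
        print
    }
    END { if (pending) print indent "<Set name=\"host\"><Property name=\"jetty.host\" /></Set>" }
    ' "$file" > "$tmp" && cat "$tmp" > "$file"
    rm -f "$tmp"
}

# Number of connectors in FILE that now reference jetty.host.
count_host_lines() { grep -c 'name="jetty.host"' "$1"; }

# Read `ss -ltn` output on stdin; print every listener on one of PORTS that is
# still bound to the wildcard address rather than the chosen IP.
wildcard_listeners() {
    awk -v ports="$1" '
    BEGIN { n = split(ports, p, " "); for (i = 1; i <= n; i++) want[p[i]] = 1 }
    $1 == "LISTEN" {
        port = $4; sub(/.*:/, "", port)
        addr = $4; sub(/:[0-9]+$/, "", addr)
        if ((port in want) && (addr == "0.0.0.0" || addr == "*" || addr == "[::]" || addr == "::"))
            print $4
    }'
}

# Constructed sample of `ss -ltn` output: 8080 still on the wildcard, 8443 bound.
SAMPLE_SS='State  Recv-Q Send-Q Local Address:Port  Peer Address:Port
LISTEN 0      50     0.0.0.0:8080        0.0.0.0:*
LISTEN 0      50     192.168.1.10:8443   0.0.0.0:*
LISTEN 0      128    0.0.0.0:80          0.0.0.0:*'

# On a live host run: ss -ltn | wildcard_listeners "8080 8443"
printf '%s\n' "$SAMPLE_SS" | wildcard_listeners "8080 8443"   # prints 0.0.0.0:8080
```

An empty result from `wildcard_listeners` after the restart means both connectors picked up `jetty.host`; any line printed names a port that is still reachable on every interface.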

Oh sorry, I already did that. I alluded to it but didn’t outline the tweaks like you did.

[quote=“Moxified, post:1, topic:7160”]
Part of my initial POC, I found a way to change jetty to bind to a specific IP. This has worked great…
[/quote]

I could have saved you some time… sorry :frowning:

The whole point of this thread was that making this tweak every time you replace the runtime is a bother. I was hoping they would add needed variables to the conf files so that I didn’t have to edit manually every time but it didn’t get much traction as not many of us want to bind the IP. I think if 1.x wasn’t winding down they might have.

I haven’t gotten into 2 yet as it is beta at best still I think so I’m waiting for a couple of full releases. I like helping and testing but unreliable automation is worse than no automation in my book so I’ll wait until a couple of full releases are out.