[SOLVED] [BUG] OpenHAB with nginx redirects HTTPS to HTTP

Setup, Configuration and Use Installation
1

I have set up OpenHAB with nginx as reverse proxy which also does HTTPS, I used the usual config:

server {
    listen       8084 ssl;
    server_name  openhab.<mydomain>;

    location / {
        proxy_pass                            http://localhost:8080/;
        proxy_set_header Host                 $http_host;
        proxy_set_header X-Real-IP            $remote_addr;
        proxy_set_header X-Forwarded-For      $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto    $scheme;
    }

    ssl on;
    ssl_certificate /etc/nginx/ssl/openhab.<mydomain>/server.crt;
    ssl_certificate_key /etc/nginx/ssl/openhab.<mydomain>/server.key;
}

Normal usage is okay, but every time I access https://openhab.<mydomain>:8084/ OpenHAB redirects to http://openhab.<mydomain>:8084/start/index without HTTPS, which results in a 400 Bad Request:

firefox_2019-01-07_08-51-23
firefox_2019-01-07_08-51-23.png1276Ă—615 54.4 KB

This is the same for OpenHAB 2.3.0 and 2.4.0

Luckily that can be simply worked around with defining a “HTTPS error page” for the non-standard HTTP error code 497

error_page 497 =301 https://$host:$server_port$request_uri;

firefox_2019-01-07_09-02-03
firefox_2019-01-07_09-02-03.png1276Ă—615 63.6 KB

… but is this a known bug or just a configuration error on my side / in the documented example?

2

Found it, it’s a known bug: https://github.com/openhab/openhab-distro/issues/423

3

It looks to be a bug with openHAB’s Jetty configuration, which is expecting both X-Forwarded-Proto and the unspecified X-Forwarded-Scheme.

Try adding the following in the location block as a workaround for now:

 proxy_set_header X-Forwarded-Scheme    $scheme;

You shouldn’t need an error redirect afterwards.

4

Thanks, that works :slight_smile:

I still need the error redirect because I use a non-standard port for HTTPS. So if some user would type in openhab.<mydomain>:8084 the browser would still do a HTTP request, which would result in a 400 Bad Request

So putting my redirect and your header together it works:

openhabDoubleRedirect
openhabDoubleRedirect.png975Ă—93 5.29 KB

5

As proposed in the bug it’s possible to change jetty.xml, then it looks like this:

openhabRedirectJettyModified
openhabRedirectJettyModified.png1203Ă—277 22.9 KB

Now I call this topic solved :slight_smile:
Next steps will follow in bug/pull request

1 Like