[SOLVED] Lock access down to http://oh2:8080

Hi Guys,

Is there a way to stop the web page that gives you the dashboard from appearing, or to prevent access using an ACL (much like you can for the Karaf console), other than using a firewall? This is for LAN users. I don't want users to go into PaperUI etc.

Thanks!

If you set up an Nginx reverse proxy on the same server, you could change the default OH page to be local only and serve the pages from the Nginx server.
You can even add an https certificate if you wish.

Thanks Bruce, sure, but a bit complex. I was hoping for something similar to:

Bind Console to All Interfaces

The network interface configuration is defined in the file org.apache.karaf.shell.cfg, located in the etc directory as mentioned above. As this file may get overwritten when upgrading openHAB, you can change this parameter in the runtime.cfg file, which can be found in the $OPENHAB_CONF/services directory, e.g. /etc/openhab2/services/runtime.cfg.

The sshHost entry controls the interface address to bind to. sshHost = 127.0.0.1 (localhost) is the default for obvious security reasons. If you are on a local network or you are fully aware of all risks of exposing your system to the public, you can change the bind address. Replace the sshHost IP 127.0.0.1 with 0.0.0.0 to bind to all available network interfaces. Please be aware that the console will now be accessible from all devices in your subnet and is only secured by the password defined in users.properties (same path). You should therefore change the password. Depending on your network configuration the console may also be exposed to the public internet, so check your routing and firewall configuration.

To enable binding to all interfaces, uncomment the line

#org.apache.karaf.shell:sshHost = 0.0.0.0

in services/runtime.cfg

Well, you would lock down the OH web server like that and use the reverse proxy so you can access select OH2 parts as desired.
I use a reverse proxy to add https & a basic login to my OH so I can access it over the Internet.

Hi Bruce, can you show me your ‘basic’ login configuration for nginx? I assume you're saying you've put a basic user/password on OH2:8080 when anyone tries to access it.

cheers

I actually use https… It could also work for http://OH2. There should be no need for the non-standard port.

I basically started by following the document here. You do not need to do the domain & ssl, etc.


Thanks Bruce, that's all working. However, I can still get to the direct URL:8080 even once NGINX with password auth is running…

Assuming I need a redirect? I basically want to redirect 8080 to 80, I guess.

I just checked & I did not actually lock access down, but this is the part for that. I need to figure out how best to do that.

Thanks, but that won't do it. I want any address; I just want password access to the nginx site and the :8080 site, or just to remove access to :8080 entirely.

Password access works to :80 now, but you can just type :8080 on your LAN and away you go, straight back in. So I'm not entirely sure what the purpose of NGINX is, if you can't remove the access.

That would restrict access to 8080 so the nginx proxy could access openhab. You then control access with the nginx server.

I figured out what to do. In the file /etc/default/openhab2 there is a line
#OPENHAB_HTTP_ADDRESS=0.0.0.0
Remove the # from the line and change 0.0.0.0 to 127.0.0.1 and save the changes.
When you restart openhab it will be restricted.


Thanks Bruce, I'll give it a whirl!


So, it's blocked 8080, that's good.

And it gives me a password to login to the server on the port 80, but I get a 502 bad gateway now :frowning:

my file is:

server {
    listen                                    80;
    server_name                               192.168.1.3;

    location / {
        proxy_pass                            http://192.168.1.3:8080/;
        proxy_set_header Host                 $http_host;
        proxy_set_header X-Real-IP            $remote_addr;
        proxy_set_header X-Forwarded-For      $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto    $scheme;
        auth_basic                            "Username and Password Required";
        auth_basic_user_file                  /etc/nginx/.htpasswd;
    }
}

Fixed. Changed 192.168.1.3 in the proxy_pass to 127.0.0.1.

Replace the IP address here with either localhost or 127.0.0.1. You likely need to restart nginx then.


Thanks Bruce! Works :smiley:
Great work mate


Hey Bruce, realised a major flaw - this actually locks access to Habpanel, because it's normally accessible via the URL http://localip/habpanel, so I had to revert it.

It was the OH2 setting that caused this.

Not really. It is working as designed. Needing direct access for HabPanel was not mentioned initially. That will take some additional configuration work. Perhaps provide access through nginx on a different port.

Hi Bruce,

for example:

location /habpanel/ {
    # openHAB now listens only on the loopback address, so proxy to 127.0.0.1:8080.
    # Without the :8080 port this would point back at nginx itself on port 80.
    proxy_pass  http://127.0.0.1:8080/habpanel/;
    proxy_set_header Host $host;
    # WebSocket upgrade headers needed by HABPanel
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection "upgrade";
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto $scheme;
}

Hi Bruce, does this appear correct?

Essentially allowing access to habpanel unauthenticated using http://192.168.1.3/habpanel but authenticated to http://192.168.1.3 to prevent access to PaperUI/Habmin

# Everything under / requires basic auth (PaperUI, HABmin, ...)
location / {
    proxy_pass                            http://127.0.0.1:8080/;
    proxy_set_header Host                 $http_host;
    proxy_set_header X-Real-IP            $remote_addr;
    proxy_set_header X-Forwarded-For      $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto    $scheme;
    auth_basic                            "Username and Password Required";
    auth_basic_user_file                  /etc/nginx/.htpasswd;
}
# HABPanel is served without auth; proxy to the loopback port openHAB listens on
# (without :8080 this would point back at nginx itself on port 80)
location /habpanel/ {
    proxy_pass  http://127.0.0.1:8080/habpanel/;
    proxy_set_header Host $host;
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection "upgrade";
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto $scheme;
}
# REST API and static assets HABPanel needs, also without auth
location /rest/ {
    proxy_pass http://127.0.0.1:8080/rest/;
}
location /static/ {
    proxy_pass http://127.0.0.1:8080/static/;
}