I just did some re-planning for my home geeky stuff. I set up a x86 board where I put all my services running as containers. Today I put OpenHAB there too, which continued working perfectly, great!
As part of the replanning, I have OPNSense firewall in front of all containers. It does reverse proxying using HAProxy, and SSL offload using let’s encrypt for certs along with http auth. As ESH and OpenHAB can’t do path rewrite, I set up full domain for it. Still seemingly works fine, but somehow the connection seems to get dropped all the time. I get this string appearing at the bottom of the “basicui/app” page: “Offline: waiting for connection to become available”.
It’s due there is the HAProxy in between, but why? Woud anyone know what would be the right config for it to keep stream alive and thus not popping that connection error dialog? And what does that matter anyhow? I assume it still updates the screen, but only in few seconds intervals.
Some HAProxy configs here:
defaults
log global
option redispatch -1
timeout client 30s
timeout connect 30s
timeout server 30s
retries 3
frontend default_ssl
bind 0.0.0.0:443 name 0.0.0.0:443 ssl crt-list /var/etc/haproxy/ssl/crtlist
mode http
option http-keep-alive
timeout client 30s
backend openhab_bep
mode http
balance source
stick-table type ip size 50k expire 30m
stick on src
timeout connect 30s
timeout server 30s
http-request add-header X-Forwarded-For %[src]
acl acl_5afc4930790c77.74502605 http_auth(foobar)
http-request auth realm foobar unless acl_5afc4930790c77.74502605
server OpenHAB internal_host:8083
BTW, this setup with OPNSense HAproxy -> containers is awesome, I do recommend
Debugging this further shows that it’s about authorizations. Now that HAproxy does auth check, it adds header “Authorization: xxxyyy” into request. From there after, I see it fails getting any of the REST calls through. It seems the web app subscribes to switch states on the pages, and tries to keep them up to date via REST subscription.
That subscription now gets failure. I see that in direct http connection to container it uses cookie to authenticate, right? Now with https terminated and authenticated at HAproxy it doesn’t get any cookie.
I noticed from chrome developer console that I get these. So time to learn about CORS:
No ‘Access-Control-Allow-Origin’ header is present on the requested resource. Origin ‘https://xxx.yyy.zzz’ is therefore not allowed access. The response had HTTP status code 401. Also it seems cookie might be totally unrelated, probably leftover in the browser that pops up due there are several sites behind the same haproxy.
This thing sorted out after dumping http headers with wireshark. It turned out some of the header mangling needed to be in HAproxy frontend settings, instead of backend settings. So nothing to do with OpenHAB, luckily. Just my own ignorance about HAproxy.
Eventually I ended up having these in frontend settings to make it work, in case someone else needs this too:
And kept the authorization in the backend settings. Otherwise some of the /rest GETs didn’t get Authorization header into them, and caused the 401 responces from HAproxy. Weird, but pheeew, finally it works