[SOLVED] OpenHAB in container behind HAproxy - offline popups?


I just did some re-planning for my home geeky stuff. I set up a x86 board where I put all my services running as containers. Today I put OpenHAB there too, which continued working perfectly, great!

As part of the replanning, I have OPNSense firewall in front of all containers. It does reverse proxying using HAProxy, and SSL offload using let’s encrypt for certs along with http auth. As ESH and OpenHAB can’t do path rewrite, I set up full domain for it. Still seemingly works fine, but somehow the connection seems to get dropped all the time. I get this string appearing at the bottom of the “basicui/app” page: “Offline: waiting for connection to become available”.

It’s due there is the HAProxy in between, but why? Woud anyone know what would be the right config for it to keep stream alive and thus not popping that connection error dialog? And what does that matter anyhow? I assume it still updates the screen, but only in few seconds intervals.

Some HAProxy configs here:

    log     global
    option redispatch -1
    timeout client 30s
    timeout connect 30s
    timeout server 30s
    retries 3

frontend default_ssl
    bind name ssl  crt-list /var/etc/haproxy/ssl/crtlist 
    mode http
    option http-keep-alive
   timeout client 30s

backend openhab_bep
    mode http
    balance source
    stick-table type ip size 50k expire 30m  
    stick on src
    timeout connect 30s
    timeout server 30s
    http-request add-header  X-Forwarded-For %[src]
    acl acl_5afc4930790c77.74502605 http_auth(foobar)
    http-request auth realm foobar unless acl_5afc4930790c77.74502605
    server OpenHAB internal_host:8083 

BTW, this setup with OPNSense HAproxy -> containers is awesome, I do recommend :slight_smile:

Debugging this further shows that it’s about authorizations. Now that HAproxy does auth check, it adds header “Authorization: xxxyyy” into request. From there after, I see it fails getting any of the REST calls through. It seems the web app subscribes to switch states on the pages, and tries to keep them up to date via REST subscription.

That subscription now gets failure. I see that in direct http connection to container it uses cookie to authenticate, right? Now with https terminated and authenticated at HAproxy it doesn’t get any cookie.

Why, how to get that right?

I noticed from chrome developer console that I get these. So time to learn about CORS:

No ‘Access-Control-Allow-Origin’ header is present on the requested resource. Origin ‘https://xxx.yyy.zzz’ is therefore not allowed access. The response had HTTP status code 401. Also it seems cookie might be totally unrelated, probably leftover in the browser that pops up due there are several sites behind the same haproxy.

This thing sorted out after dumping http headers with wireshark. It turned out some of the header mangling needed to be in HAproxy frontend settings, instead of backend settings. So nothing to do with OpenHAB, luckily. Just my own ignorance about HAproxy.

Eventually I ended up having these in frontend settings to make it work, in case someone else needs this too:

http-request add-header  X-Forwarded-For %[src]
http-response add-header Content-Security-Policy upgrade-insecure-requests
http-request add-header X-Forwarded-Proto https

And kept the authorization in the backend settings. Otherwise some of the /rest GETs didn’t get Authorization header into them, and caused the 401 responces from HAproxy. Weird, but pheeew, finally it works :slight_smile: