abasel
(Andre)
October 30, 2019, 2:05am
1
I secured my site as per the openHAB security documentation and so my nginx config looks as follows:
server {
listen 80;
server_name 192.168.1.25;
return 301 https://$server_name$request_uri;
}
server {
listen 443 ssl;
server_name 192.168.1.25;
root /var/www/html;
index index.html index.htm index.nginx-debian.html;
ssl_certificate /etc/ssl/openhab.crt;
ssl_certificate_key /etc/ssl/openhab.key;
location / {
proxy_pass http://localhost:8080/;
proxy_set_header Host $http_host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
auth_basic "Username and Password Required";
auth_basic_user_file /etc/nginx/.htpasswd;
}
}
I want to limit access to my paperui URL so that I can only access it from 192.168.1.51. I therefore added the following location block, just before the last curly bracket:
location ~ paperui {
allow 192.168.1.51;
deny all;
}
This however results in a 404 error whenever I visit https://192.168.1.25/paperui/index.html#/inbox/search (or any link with paperui in it).
I have posted to the nginx forum but had no response so I was hoping that someone with experience with nginx (and understand https://www.openhab.org/docs/installation/security.html more fully) would be able to point me in the right direction.
abasel
(Andre)
October 30, 2019, 2:40am
2
Nearly there I think. The below gives me the correct 403 response. If I however add allow 192.168.1.51, I then get a 404 error.
I think it has something to do with the reverse proxy.
location ^~ /paperui/ {
proxy_pass http://localhost:8080/;
proxy_set_header Host $http_host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
deny all;
auth_basic "Username and Password Required";
auth_basic_user_file /etc/nginx/.htpasswd;
}
abasel
(Andre)
October 30, 2019, 3:58am
3
I got it working, there was a trailing "/" that I needed to remove from the proxy_pass entry.
Here is the final config file:
server {
listen 80;
server_name 192.168.1.25;
return 301 https://$server_name$request_uri;
}
server {
listen 443 ssl;
server_name 192.168.1.25;
root /var/www/html;
index index.html index.htm index.nginx-debian.html;
ssl_certificate /etc/ssl/openhab.crt;
ssl_certificate_key /etc/ssl/openhab.key;
location / {
proxy_pass http://localhost:8080;
proxy_set_header Host $http_host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
auth_basic "Username and Password Required";
auth_basic_user_file /etc/nginx/.htpasswd;
}
location ^~ /paperui {
proxy_pass http://localhost:8080;
proxy_set_header Host $http_host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
allow 192.168.1.51;
deny all;
auth_basic "Username and Password Required";
auth_basic_user_file /etc/nginx/.htpasswd;
}
}
Now that I know how this works, I will change it so that only the BasicUI is allowed, the HABPanel is accessed via whitelisted devices and paperui only from one or two other devices.
pacive
(Anders Alfredsson)
October 30, 2019, 6:03am
4
Don't forget to allow access to the rest API (location = /rest), otherwise none of the UIs will work.
abasel
(Andre)
October 30, 2019, 9:07am
5
My config looks as follows and it all appears to be working:
server {
listen 80;
server_name 192.168.1.25;
return 301 https://$server_name$request_uri;
}
server {
listen 443 ssl;
server_name 192.168.1.25;
root /var/www/html;
index index.html index.htm index.nginx-debian.html;
ssl_certificate /etc/ssl/openhab.crt;
ssl_certificate_key /etc/ssl/openhab.key;
location / {
include shared_1.conf;
}
location /paperui/ {
include shared_2.conf;
}
location /homebuilder/ {
include shared_2.conf;
}
location /habmin/ {
include shared_2.conf;
}
location /doc/ {
include shared_2.conf;
}
}
shared_1.conf is:
proxy_pass http://localhost:8080;
proxy_set_header Host $http_host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
auth_basic "Username and Password Required";
auth_basic_user_file /etc/nginx/.htpasswd;
And shared_2.conf is:
proxy_pass http://localhost:8080;
proxy_set_header Host $http_host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
allow 192.168.1.51;
deny all;
auth_basic "Username and Password Required";
auth_basic_user_file /etc/nginx/.htpasswd;
I was hoping to do something like location ~ index { ....... as this would have blocked everything except basicui, but it would not work with proxy_pass and so I settled with the above.
pacive
(Anders Alfredsson)
October 30, 2019, 11:30am
6
Yes that works, since /rest is handled by /. But if you should allow only basicui and block everything else, it wouldn't work.
abasel
(Andre)
October 30, 2019, 5:24pm
8
Changed the locations to
location / {
include shared_2.conf;
}
location /basicui/ {
include shared_1.conf;
}
This allows 192.168.1.52 to access anything but everyone else to only access basicui.
I will ultimately create a whitelist for habpanel.
pacive
(Anders Alfredsson)
October 30, 2019, 5:30pm
9
And that’s when you need to allow everyone access to the rest API.
location /rest/ {
include shared_1.conf;
}
When you start basicui it connects to the rest api in the background to get the sitemap and all item states. If that connection is blocked nothing will work.
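The thread hits three nginx behaviours: the 404 in post 2 (a trailing "/" on proxy_pass replaces the matched location prefix, so /paperui/index.html reaches openHAB as /index.html), first-match allow/deny evaluation, and the need for an open /rest/ location once / is restricted. The following is an added Python model of those rules, not code from the thread or from openHAB or nginx, that lets the final layout from posts 8 and 9 be checked offline before touching a live server. The location table is built from the thread's final config; the client IPs other than 192.168.1.51 are made up for the demonstration, and auth_basic (applied on top of the IP check with the default satisfy all) and regex locations are not modelled.

```python
"""
Added example, not part of the thread: a small model of how nginx selects a
prefix location, applies allow/deny and rewrites the URI for proxy_pass.
  * longest matching prefix location wins (regex locations and ^~ ignored here)
  * allow/deny rules are checked in file order, first match decides, no match
    means allowed
  * proxy_pass with a URI part ("http://localhost:8080/") replaces the matched
    prefix with that URI; without a URI part the request URI is passed unchanged
Location table constructed from the final config in posts 8 and 9; client IPs
other than 192.168.1.51 are made up for the demonstration.
"""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from urllib.parse import urlsplit


@dataclass
class Location:
    prefix: str          # prefix given after "location"
    proxy_pass: str      # value of the proxy_pass directive
    rules: list = field(default_factory=list)  # [("allow"|"deny", cidr|"all"), ...] in file order


# allow/deny lines from shared_2.conf (restricted); shared_1.conf has none (open)
RESTRICTED = [("allow", "192.168.1.51"), ("deny", "all")]
OPEN = []

# Final layout after post 9: everything restricted except BasicUI and the REST API.
FINAL_LOCATIONS = [
    Location("/", "http://localhost:8080", RESTRICTED),
    Location("/basicui/", "http://localhost:8080", OPEN),
    Location("/rest/", "http://localhost:8080", OPEN),
]


def pick_location(locations, path):
    """Longest matching prefix wins, regardless of order in the config file."""
    matches = [loc for loc in locations if path.startswith(loc.prefix)]
    return max(matches, key=lambda loc: len(loc.prefix)) if matches else None


def access_allowed(loc, client_ip):
    """ngx_http_access_module semantics: the first matching rule decides."""
    ip = ip_address(client_ip)
    for verb, target in loc.rules:
        if target == "all" or ip in ip_network(target, strict=False):
            return verb == "allow"
    return True  # no rule matched: nginx allows


def upstream_uri(loc, path):
    """URI actually sent to the backend for this request path."""
    uri_part = urlsplit(loc.proxy_pass).path
    if uri_part == "":
        return path  # proxy_pass http://host:port  -> request URI unchanged
    return uri_part + path[len(loc.prefix):]  # proxy_pass http://host:port/ -> prefix replaced


def handle(locations, client_ip, path):
    """Return (403, None), (404, None) or ("proxy", backend_uri)."""
    loc = pick_location(locations, path)
    if loc is None:
        return (404, None)
    if not access_allowed(loc, client_ip):
        return (403, None)
    return ("proxy", upstream_uri(loc, path))


if __name__ == "__main__":
    for ip, path in [("192.168.1.51", "/paperui/index.html"),
                     ("192.168.1.77", "/paperui/index.html"),
                     ("192.168.1.77", "/basicui/app"),
                     ("192.168.1.77", "/rest/items")]:
        print(ip, path, "->", handle(FINAL_LOCATIONS, ip, path))
    # the post-2 mistake: trailing slash on proxy_pass under a /paperui/ location
    broken = Location("/paperui/", "http://localhost:8080/", OPEN)
    print("trailing slash sends", upstream_uri(broken, "/paperui/index.html"), "to openHAB")
```

Dropping the /rest/ entry from FINAL_LOCATIONS makes /rest/items fall through to the restricted / location and return 403 for everyone except 192.168.1.51, which is exactly why BasicUI shows nothing in that case. The "#/inbox/search" fragment in the paperui URL never reaches nginx, so it plays no part in location matching.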
abasel
(Andre)
October 30, 2019, 5:35pm
10
Perfect; I am now totally sorted… thanks