TUTORIAL: Use NGINX to protect the UIs whilst leaving HabPanel open

Hi All,

This configuration allows you to password protect access to the various UIs found by visiting http://localhost:8080 whilst allowing HabPanel access to be open.

It assumes you have NGINX installed.

This works just fine for PC, but when using an iPhone or iPad, the Local URL for some reason needs to be set to http://localhost/habpanel/# - perhaps someone smarter than I can work that one out!

First,

Install the following:

sudo apt-get install apache2-utils

Once complete, then set a password using this command


sudo htpasswd -c /etc/nginx/.htpasswd username 

Replace username with the username of your choice.

Finally, paste this configuration into a file of your naming choice, under /etc/nginx/sites-enabled/

NOTE: replace server_name with the real IP address of your OH2 server.

server {

  listen 80;
  listen [::]:80;

  server_name 192.168.0.87;


  location /rest/ {

    proxy_pass http://127.0.0.1:8080/rest/;
  }
  location /static/ {

    proxy_pass http://127.0.0.1:8080/static/;
  }

  location / {

    proxy_pass http://127.0.0.1:8080/;
    proxy_set_header Host $http_host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto $scheme;
    auth_basic "Username and Password Required";
    auth_basic_user_file /etc/nginx/.htpasswd;
  }

  location /habpanel/ {

    proxy_buffering off;
    proxy_set_header Host $http_host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto $scheme;
    proxy_pass http://127.0.0.1:8080/habpanel/;
  }
}

Then, issue command

sudo systemctl restart nginx

Finally, update the configuration file below, modifying the line (ensure you remove the # comment)

/etc/defaults/openhab

with


OPENHAB_HTTP_ADDRESS=127.0.0.1

This removes any client talking to the server, instead only allowing access from the server itself (NGINX)

This will now password protect the UIs, but allow access to HabPanel.

Cheers
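
The config above sets auth_basic only inside location /, and nginx does not apply one location's directives to requests that match a longer sibling prefix. The following is an added example, not the original poster's code: a small Python audit, run on a constructed copy of that server block, that lists which locations answer without credentials (function names are hypothetical, and it assumes a single server block with non-nested locations).

```python
import re

# Constructed sample: the tutorial's server block, reduced to the directives
# that decide whether a request is challenged for a password.
SAMPLE_CONF = """
server {
  server_name 192.168.0.87;
  location /rest/   { proxy_pass http://127.0.0.1:8080/rest/; }
  location /static/ { proxy_pass http://127.0.0.1:8080/static/; }
  location / {
    proxy_pass http://127.0.0.1:8080/;
    auth_basic "Username and Password Required";
    auth_basic_user_file /etc/nginx/.htpasswd;
  }
  location /habpanel/ {
    proxy_buffering off;
    proxy_pass http://127.0.0.1:8080/habpanel/;
  }
}
"""

LOCATION = re.compile(r"location\s+([^{]+?)\s*\{([^{}]*)\}")
AUTH = re.compile(r"\bauth_basic\s+([^;]+);")  # does not match auth_basic_user_file

def basic_auth_setting(block):
    """True/False if the block sets auth_basic (False for "off"), else None."""
    m = AUTH.search(block)
    return None if m is None else m.group(1).strip().strip("\"'") != "off"

def audit_locations(conf):
    # Assumption: one server block, locations not nested. A location with no
    # auth_basic of its own inherits the server-level value, never a sibling's.
    conf = re.sub(r"#[^\n]*", "", conf)  # ignore commented-out directives
    server_level = bool(basic_auth_setting(LOCATION.sub("", conf)))
    result = {}
    for path, body in LOCATION.findall(conf):
        own = basic_auth_setting(body)
        result[path] = server_level if own is None else own
    return result

def open_paths(conf):
    """Locations a client can request without credentials."""
    return sorted(p for p, ok in audit_locations(conf).items() if not ok)

if __name__ == "__main__":
    print(open_paths(SAMPLE_CONF))
```

On the tutorial's config it reports /habpanel/, /rest/ and /static/, so the openHAB REST API is reachable without a password as well as HabPanel.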

Why didn’t you go ahead and use a LetsEncrypt certificate to protect this with https ??

I did, but this is for LOCAL access, not designed to protect it over a HTTPS connection. It’s not needed on a LAN.

It just looks like most of the work I did for Internet access, that’s all.

Why do you treat /rest and /static separately?
Why disable buffering for habpanel? Why not for the others?

You’re all welcome to edit the post or post your own tutorial. Given it didn’t exist, I felt it was better than nothing, or the bits and pieces of information available on the forum. I’m not an expert, I just posted what worked for me.

If you want to add to it, provide me the content and I’ll update it.

You have a full tutorial about security in the official documentation: https://www.openhab.org/docs/installation/security.html

No, it’s not a full tutorial at all.