I want to share the nginx configuration I put together that works to restrict access to sitemaps and some of the administrative access interfaces in openhab. This is just a starting block that I have working. I’m sure someone can make this more efficient/pretty. It has a bunch of if statements which apparently are evil…
I hope it’s useful for someone. To get nginx set up, there is already a fantastic guide for openHAB:
This works by checking the username you use to log in against the MY_ADMIN_USER_NAME in the configuration below. Replace that with your admin username. All of the sitemaps I don’t want to be generally accessible are prefixed with admin_; those are filtered so only the admin login can see them. There are two blocks that restrict the sitemaps: one for the web app and one for iOS. The last few blocks restrict access to the start page, habmin, paperui, and habpanel.
##
# openHAB nginx sitemap user access control
##
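server {
    listen 8989 ssl;
    server_name mydomain_or_myip;
    port_in_redirect off;

    ssl_certificate /etc/ssl/openhab.crt;
    ssl_certificate_key /etc/ssl/openhab.key;
    # TLS 1.0 and 1.1 are no longer offered; re-add one only for a client
    # that genuinely cannot negotiate TLS 1.2.
    ssl_protocols TLSv1.2;
    ssl_prefer_server_ciphers on;
    ssl_dhparam /etc/nginx/ssl/dhparam.pem;
    ssl_ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:HIGH:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!CBC:!EDH:!kEDH:!PSK:!SRP:!kECDH;
    ssl_session_timeout 1d;
    ssl_session_cache shared:SSL:10m;
    keepalive_timeout 70;

    # Basic auth is required for every location in this server block.
    # It is declared at server level so that the regex locations below
    # inherit it. When it lives only inside "location /", the sibling
    # locations (/rest/sitemaps/admin*, /start, /habmin, /paperui, /habpanel)
    # are proxied without any credential check, and $remote_user in them is
    # simply whatever user name the client wrote into its Authorization
    # header, never verified against the htpasswd file.
    auth_basic "Username and Password Required";
    auth_basic_user_file /etc/nginx/.htpasswd;

    # $not_admin is 1 for any login other than the admin account.
    # This is an exact string comparison; the regex form
    # `$remote_user !~ "MY_ADMIN_USER_NAME"` also accepts any user name that
    # merely contains that string.
    # Rewrite-phase checks run before auth_basic, so the denials below act on
    # the name the client claims; a request claiming the admin name still has
    # to satisfy auth_basic before anything is proxied.
    set $not_admin 0;
    if ($remote_user != "MY_ADMIN_USER_NAME") {
        set $not_admin 1;
    }

    # Web app (Basic UI) and everything not caught by a location below.
    # Note that this proxies the rest of the openHAB REST API to any
    # authenticated user; only the admin_* sitemaps and the admin UIs are
    # withheld from non-admin logins.
    location / {
        # $args is the raw, undecoded query string, so only a literal
        # "sitemap=admin_..." parameter is recognised here.
        set $deny 0;
        if ($args ~ "(^|&)sitemap=admin_") {
            set $deny $not_admin;
        }
        if ($deny) {
            return 403;
        }

        proxy_pass http://localhost:8080;
        proxy_set_header Host $http_host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }

    # iOS app and any other REST client fetching an admin sitemap directly.
    # Anchored at the start of the URI: the pattern "~ /rest/sitemaps/admin*"
    # means "admi" followed by any number of "n", matched anywhere in the path.
    location ~ ^/rest/sitemaps/admin_ {
        if ($not_admin) {
            return 403;
        }

        proxy_pass http://localhost:8080;
        proxy_buffering off;
        proxy_set_header Host $http_host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }

    # Administrative user interfaces: start page, HABmin, Paper UI, HABPanel.
    # One location replaces four identical copies. Non-admin logins are sent
    # to Basic UI. The bare path (e.g. "/habmin" with no trailing slash) is
    # matched as well; a rewrite of "^(/habmin/.*)" does not fire for it and
    # the request would otherwise be proxied straight through.
    location ~ ^/(start|habmin|paperui|habpanel)(/|$) {
        if ($not_admin) {
            return 302 /basicui/app;
        }

        proxy_pass http://localhost:8080;
        proxy_buffering off;
        proxy_set_header Host $http_host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}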