Using NGINX Reverse Proxy (Authentication and HTTPS)

I’ve corrected both ssl and Nginx confs as you wrote - still ssl error in log viewer and Grafana port 3000

I’ve also corrected my above post to be in line with my files and reloaded the cert in Windows.

You are not proxying port 9001. I believe the log viewer does HTTP on port 9001, not HTTPS. HTTP is not SSL, so there would be an SSL error.
For my nginx reverse proxy I proxied 9001 too.
I assume the same holds true with Grafana.

Can you post your nginx conf with the 9001 port - just as an example of how to add an additional port.

Shall I add the whole part called ## Reverse Proxy to openHAB with a different port in location?

I actually proxy 9001 to 9002 and edited the dashboard, if I recall correctly. Here is the redacted configuration. I also require authentication for the log viewer since I have exposed this over the Internet for remote access.

server {
    listen                                    9002 ssl;
    server_name                               [hostname];
    ssl_certificate                           [path to full cert chain];
    ssl_certificate_key                       [path to private key];
    add_header                                Strict-Transport-Security "max-age=31536000";

    location / {
        proxy_pass                            http://localhost:9001/;
        proxy_set_header Host                 $http_host;
        proxy_set_header X-Real-IP            $remote_addr;
        proxy_set_header X-Forwarded-For      $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto    $scheme;

        auth_basic                            "Username and Password Required";
        auth_basic_user_file                  /etc/nginx/.htpasswd;
    }
}

Thank you - it is working now


Hi all,

Stupid question… but how can I access the nginx config file?
In the tutorial it says the file is located at: /etc/nginx/sites-enabled/default

But where is this folder and how can I get access to it?

Thank you very much!

No, it says:

So it says file, not folder.

Of course it all depends on how you have compiled/installed/set up your nginx, which we cannot know if you don’t tell us, but the above is the openHABian default.


It is where you stated and is accessible by ssh.

Log into the machine running nginx and cd to that folder.

Thank you all

I have installed OH 2.5.0-1 on a raspberry pi.
I have connected with PuTTY from my machine and was able to type in this command:

cd /etc/nginx/sites-enabled/

-> [20:09:27] openhabian@openhab:/etc/nginx/sites-enabled$

But what now? How can I open the file and edit it?

Sorry… I am an absolute newbie to Linux

I strongly recommend going through one of the many beginners’ Linux tutorials or books. You don’t have to be an expert in Linux, but you will need at least the basics, and you will get more comprehensive support there than by asking on the forum.

Yes you are right but would someone be so kind? …

You need help with a Google search? https://lmgtfy.com/?q=beginner+linux+tutorial&s=d


I finally got my nginx config working for OH3 that works with the REST API for the phone apps, and sets another path to go directly into basicUI via external idp.

Hi, maybe someone can help me (current openhabian release on a Pi4B, 4GB)

I am currently configuring ssl-protected access from the www, which is working fine so far (via nginx)
Now I am trying to provide access from outside to port 9001 for accessing the log.

https://www_addr:9444 ==> ((nginx)) ==> http://openhab:9001

The log page is displayed in principle, but remains empty. What could be the reason for this?

My nginx site configuration for the log:

server {
    listen                                    9444 ssl;
    listen                                    [::]:9444 ssl;

    server_name                               xxxxxxxx
                                              xxxxxxxx.xxx.xxx
                                              xxxxxxxxxxxx.xx
                                              xxx.xxx.xxx.xxx;

    ssl_certificate                           /etc/ssl/openhab.crt;
    ssl_certificate_key                       /etc/ssl/openhab.key;

#    ssl_certificate                           /etc/letsencrypt/live/[DOMAIN]/fullchain.pem;
#    ssl_certificate_key                       /etc/letsencrypt/live/[DOMAIN]/privkey.pem;
#    add_header                                Strict-Transport-Security "max-age=31536000";

    # Cross-Origin Resource Sharing
    add_header 'Access-Control-Allow-Origin' '*' always;
    # header name must use hyphens only; "Allow_Credentials" with an underscore is ignored by browsers
    add_header 'Access-Control-Allow-Credentials' 'true' always;
    add_header 'Access-Control-Allow-Headers' 'Authorization,Accept,Origin,DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Content-Range,Range' always;
    add_header 'Access-Control-Allow-Methods' 'GET,POST,OPTIONS,PUT,DELETE,PATCH' always;

    add_header Set-Cookie X-OPENHAB-AUTH-HEADER=1;
    proxy_set_header Authorization          "";

    location / {
        proxy_pass                            http://localhost:9001/;
        proxy_set_header Host                 $http_host;
        proxy_set_header X-Real-IP            $remote_addr;
        proxy_set_header X-Forwarded-For      $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto    $scheme;
        proxy_read_timeout                    3600;

        auth_basic                            "bla";
        auth_basic_user_file                  /etc/nginx/.htpasswd;
    }
}

EDIT:
I just saw this log entry. But what does it mean, or how can the problem be solved?

2022/10/16 18:54:31 [error] 26921#26921: *690 connect() failed (111: Connection refused) while connecting to upstream, client: 192.168.xxx.xxx, server: openhab_pi, request: "GET /socket.io/?EIO=4&transport=websocket HTTP/1.1", upstream: "http://[::1]:9001/socket.io/?EIO=4&transport=websocket", host: "192.168.xxx.xxx:9444"

So, I was able to solve my problems and wanted to share the approach with the community.

About my setup:
I have rented an inexpensive web server, through which I have my own domain and a static IPv4 address available. With this I implement the following:

  • get a valid official certificate via Let’s Encrypt
  • convert the IPv4 address to IPv6, as my provider only offers Dual-Stack Lite

The server forwards the requests to the global IPv6 address of my openHAB server, on which the nginx server receives the requests. For this purpose, only this one communication port is opened in my router.

(Tip: Initially, I had implemented the access via the standard port 443, which resulted in hundreds, maybe even thousands of contact (hack) attempts in my logs every day. Then I changed to a completely different port quite quickly and since then it has been quiet.)

1. How do I get to the frontail output behind nginx?

I did not implement the access via a second opened port

https://<url>:443   (www)    ->   http://<url>:8080 (local)
https://<url>:9002  (www)    ->   http://<url>:9001 (local)

but via an extended path specification (as found here in the forum in some places)

https://<url>:19999      (www)   ->   http://<url>:8080 (local)
https://<url>:19999/log  (www)   ->   http://<url>:9001 (local)

My working configuration now looks like this:

server {
    listen                                    [::]:19999 ssl;

    server_name                               <MYSERVERNAME>;

    ssl_certificate                           /etc/letsencrypt/live/[MYDOMAINNAME]/fullchain.pem;
    ssl_certificate_key                       /etc/letsencrypt/live/[MYDOMAINNAME]/privkey.pem;
    add_header                                Strict-Transport-Security "max-age=31536000";

    ssl_session_cache                         shared:SSL:20m;
    ssl_session_timeout                       4h;

    # Cross-Origin Resource Sharing
    add_header 'Access-Control-Allow-Origin' '*' always;
    # header name must use hyphens only; "Allow_Credentials" with an underscore is ignored by browsers
    add_header 'Access-Control-Allow-Credentials' 'true' always;
    add_header 'Access-Control-Allow-Headers' 'Authorization,Accept,Origin,DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Content-Range,Range' always;
    add_header 'Access-Control-Allow-Methods' 'GET,POST,OPTIONS,PUT,DELETE,PATCH' always;

    add_header Set-Cookie X-OPENHAB-AUTH-HEADER=1;
    proxy_set_header Authorization          "";

    location / {
        proxy_pass                            http://localhost:8080/;
        # rewrite absolute local URLs in the proxied pages to the public address
        sub_filter                            'http://[MYLOCALIP]:8080' 'https://[MYDOMAINNAME]:19999';
        sub_filter_once                       off;

        proxy_set_header Host                 $http_host;
        proxy_set_header X-Real-IP            $remote_addr;
        proxy_set_header X-Forwarded-For      $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto    $scheme;
        proxy_read_timeout                    3600;

        auth_basic                            "Enter pass ?";
        auth_basic_user_file                  /etc/nginx/.htpasswd;
    }

    # Important : in the file "/etc/systemd/system/frontail.service" the command line has to be changed from
    #
    #     ExecStart=/usr/lib/node_modules/frontail/bin/frontail --disable-usage-stats ...
    #
    #  to
    #
    #     ExecStart=/usr/lib/node_modules/frontail/bin/frontail --url-path /log --disable-usage-stats ...
    #

    location /log {
        proxy_pass                            http://localhost:9001;

        proxy_set_header                      Host                 $http_host;
        proxy_set_header                      X-Real-IP            $remote_addr;
        proxy_set_header                      X-Forwarded-For      $proxy_add_x_forwarded_for;
        proxy_set_header                      X-Forwarded-Proto    $scheme;

        # frontail streams over socket.io; the websocket upgrade needs HTTP/1.1 plus these headers
        proxy_http_version                    1.1;
        proxy_pass_request_headers            on;
        proxy_set_header                      Connection           "upgrade";
        proxy_set_header                      Upgrade              $http_upgrade;
        proxy_store                           off;

        # that is important otherwise too many sockets in your log
        access_log                            off;

        auth_basic                            "Enter pass ?";
        auth_basic_user_file                  /etc/nginx/.htpasswd;
    }
}

It’s also important to change the file “/etc/systemd/system/frontail.service” (see the comment in the config file) and also change the links in “/etc/openhab/services/runtime.cfg” from

http://[MYLOCALIP]:9001

to

http://[MYLOCALIP]:9001/log

That’s it.

2. A second problem was how to get the timeline picker to work behind nginx.

In my sitemap the entries looked like that:

Webview label="Zeitplan" icon="line" url="http://[MYLOCALIP]:8080/static/time-line-picker/index.html?ip=[MYLOCALIP]:8080&transferItem=IFO2R_TLP_TransferItem&yAxisLabel=1,2,3,4,5,6,7&lang=de&states=Aus,Nacht,Tag,Heizen&colorset=2&deactivation=true" height=15

I changed it to

Webview label="Zeitplan" icon="line" url="http://[MYLOCALIP]:8080/static/time-line-picker/index.html?ip=http://[MYLOCALIP]:8080&transferItem=IFO2R_TLP_TransferItem&yAxisLabel=1,2,3,4,5,6,7&lang=de&states=Aus,Nacht,Tag,Heizen&colorset=2&deactivation=true" height=15

and also changed the timelinepicker file “…/openHAB-conf/html/time-line-picker/js/switchPointSet.js”. For this search the line

this.ip = 'http://' + openHAB_ip + '/rest/items/';

and change it to

this.ip = openHAB_ip + '/rest/items/';

Then you can tell nginx to replace the outgoing site-data with these lines in the config file:

	    sub_filter                            'http://[MYLOCALIP]:8080' 'https://[MYDOMAINNAME]:19999';
	    sub_filter_once			      		  off;

Now I can access OpenHAB, my sitemap and the log (frontail) via the internet and also my timeline picker GUI works.

Another hint: One stumbling block for me was that my server provider secures the servers with an additional external firewall by default. As long as you are on the standard ports (80/22/443), this is not noticeable. However, as soon as you change to another port and have problems with access, you should check whether your provider has an additional firewall. It took me a few hours to find the cause.
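The two server blocks in this thread differ in exactly the points that decide whether frontail works and whether the exposed path is safe: the websocket upgrade headers on the location that fronts port 9001, the `Connection refused ... upstream: http://[::1]:9001` entry that appears when `proxy_pass` says `localhost` (which also resolves to the IPv6 loopback) while the upstream only listens on IPv4, the HSTS header, basic auth on every proxied path, and header-name typos such as `Access-Control-Allow_Credentials`. The following linter is an added example written for this page, not openHAB, frontail or nginx project code. It assumes that frontail's socket.io websocket sits on port 9001 (as the log line above shows) and runs over two constructed, trimmed sample configs modelled on the broken and the working block above.

```python
"""Lint nginx server blocks for the proxy pitfalls met in this thread (added example,
not openHAB/frontail/nginx code; assumes frontail's socket.io websocket sits on 9001)."""
import re
from dataclasses import dataclass, field

@dataclass
class Block:
    name: str                                        # "server", "location /log", ...
    directives: list = field(default_factory=list)   # (name, [args]) in file order
    children: list = field(default_factory=list)

def parse_nginx(text):
    """Minimal parser: drops # comments, keeps `name args;` and `name args { ... }`."""
    text = re.sub(r"#[^\n]*", "", text)
    tokens = re.findall(r"'[^']*'|\"[^\"]*\"|[{};]|[^\s{};'\"]+", text)
    root, stack, buf = Block("root"), [], []
    stack.append(root)
    for tok in tokens:
        if tok == "{":
            stack[-1].children.append(Block(" ".join(buf)))
            stack.append(stack[-1].children[-1])
            buf = []
        elif tok == "}":
            stack.pop()
        elif tok == ";":
            if buf:
                stack[-1].directives.append((buf[0], [a.strip("'\"") for a in buf[1:]]))
            buf = []
        else:
            buf.append(tok)
    return root

def args_of(block, name):
    return [a for d, a in block.directives if d == name]

def set_header(block, name):
    """Value proxy_set_header gives `name` in this block (case-insensitive), or None."""
    hits = [a[1] if len(a) > 1 else "" for a in args_of(block, "proxy_set_header")
            if a and a[0].lower() == name.lower()]
    return hits[0] if hits else None

def lint_server(server, websocket_ports):
    """(code, scope, message) findings for one server block."""
    out = []
    if not any(a and a[0] == "Strict-Transport-Security" for a in args_of(server, "add_header")):
        out.append(("no-hsts", "server", "TLS listener without Strict-Transport-Security"))
    for blk in [server] + server.children:
        for a in args_of(blk, "add_header"):
            if a and "_" in a[0]:   # e.g. Access-Control-Allow_Credentials: browsers ignore it
                out.append(("header-typo", blk.name, f"underscore in header name {a[0]!r}"))
    for loc in server.children:
        target = (args_of(loc, "proxy_pass") or [[""]])[0][0]
        m = re.match(r"^[a-z]+://(.+?)(?::(\d+))?(?:/|$)", target)
        if not loc.name.startswith("location") or not m:
            continue
        host, port = m.group(1), int(m.group(2) or 80)
        if host == "localhost":   # resolves to ::1 as well; nginx tries it and logs the
            out.append(("localhost-upstream", loc.name,   # "connect() failed ... [::1]" error
                        "pin proxy_pass to 127.0.0.1 for an IPv4-only upstream"))
        upgraded = (args_of(loc, "proxy_http_version") == [["1.1"]]
                    and set_header(loc, "Upgrade") == "$http_upgrade"
                    and (set_header(loc, "Connection") or "").lower() in ("upgrade", "$connection_upgrade"))
        if port in websocket_ports and not upgraded:
            out.append(("no-websocket-upgrade", loc.name,
                        "socket.io upstream needs proxy_http_version 1.1 plus Upgrade/Connection"))
        if not (args_of(loc, "auth_basic") and args_of(loc, "auth_basic_user_file")):
            out.append(("no-auth", loc.name, "proxied path exposed without auth_basic"))
        if args_of(loc, "access_log") == [["off"]]:
            out.append(("access-log-off", loc.name, "no audit trail for an authenticated path"))
    return out

def lint_config(text, websocket_ports=(9001,)):
    return [f for b in parse_nginx(text).children if b.name == "server"
            for f in lint_server(b, set(websocket_ports))]

# Constructed samples: trimmed versions of the first (empty log page) and final (working) blocks
BAD_CONFIG = """
server {
    listen 9444 ssl;
#   add_header Strict-Transport-Security "max-age=31536000";
    add_header 'Access-Control-Allow_Credentials' 'true' always;
    location / {
        proxy_pass http://localhost:9001/;
        auth_basic "log";
        auth_basic_user_file /etc/nginx/.htpasswd;
    }
}
"""
GOOD_CONFIG = """
server {
    listen [::]:19999 ssl;
    add_header Strict-Transport-Security "max-age=31536000";
    add_header 'Access-Control-Allow-Credentials' 'true' always;
    location /log {
        proxy_pass http://127.0.0.1:9001;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        access_log off;
        auth_basic "openHAB";
        auth_basic_user_file /etc/nginx/.htpasswd;
    }
}
"""
```

Run `lint_config(open("/etc/nginx/sites-enabled/default").read())` on a real file after `nginx -t` passes; the only finding the working block still produces is `access-log-off`, which is a deliberate trade-off in the thread (fewer socket.io lines in the log) but also means failed and successful logins to an Internet-facing path leave no trace in the access log.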

Is there a reason why you did not use myopenHAB instead ?

I would like to try to avoid any dependence on servers that I do not manage myself.

Err, ok, but for that purpose you have rented a web server, plus you depend on your provider’s security framework, both of which you don’t manage either.
Where’s the difference compared to myopenhab ?

It is simply a decision I have made and I am happy with it.