Hello
I installed openHAB 3 on a RaspPi several months ago, set it up to use nginx as a reverse proxy with authentication, used the beta version of the openHAB Android app as well… everything worked fine for quite some time.
Then OH 3.3 came out, I updated, didn’t use the OH website and app for some time, and when I tried again (in fact, my wife tried…) it didn’t work: 401 in the app, and when I tried the website, the small centered login form appears and after inserting my credentials, it appears again - quite some nice loop.
Now, first I checked each and every config file I am aware of, then I used a more systematic approach: I use etckeeper (so /etc is in git) and I also create daily OH backups. I also did a downgrade to OH 3.2 today but it just doesn’t work, same re-appearing login form and I always get the same warning in the OH log file:
[WARN ] [ore.io.rest.auth.internal.AuthFilter] - Unauthorized API request: Basic authentication with username/password is not allowed
for OH 3.2 and
[WARN ] [ore.io.rest.auth.internal.AuthFilter] - Unauthorized API request from 127.0.0.1: Basic authentication with username/password is not allowed
[WARN ] [ore.io.rest.auth.internal.AuthFilter] - Unauthorized API request from [0:0:0:0:0:0:0:1]: Basic authentication with username/password is not allowed
for OH 3.3.
So now I’m quite stuck and out of ideas what could cause this problem.
Any ideas or pointers on how I can find out the root cause of this behaviour?
BTW: what’s also a bit strange is that I didn’t activate API Security → “Allow Basic Authentication” at all, but it used to work in the past… If I do activate it, the warning is not written to the OH log file and the login form doesn’t appear at all; in the app I get a 404 instead of a 401…
nginx’s sites-available/openhab.conf:
location / {
    proxy_pass http://localhost:8080/;
    proxy_set_header Host $http_host/;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto $scheme;
    # proxy_set_header Authorization "";
    # proxy_set_header Upgrade $http_upgrade;
    # proxy_set_header Connection "Upgrade";
    proxy_read_timeout 3600;
    # satisfy any;
    # allow 192.168.0.0/24;
    # allow 127.0.0.1;
    # deny all;
    auth_basic "Username and Password Required";
    auth_basic_user_file /etc/nginx/passwords/openhab;
}
and its sites-available/default:
server {
    server_name <XXXXX>;
    # SSL configuration
    listen 443 ssl default_server;
    listen [::]:443 ssl default_server;
    ssl_certificate /etc/ssl/certs/XXXX.crt;
    ssl_certificate_key /etc/ssl/private/XXXX.pem;
    root /var/www/html;
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains";
    # Cross-Origin Resource Sharing
    add_header 'Access-Control-Allow-Origin' '*' always;
    add_header 'Access-Control-Allow_Credentials' 'true' always;
    add_header 'Access-Control-Allow-Headers' 'Authorization,Accept,Origin,DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Content-Range,Range' always;
    add_header 'Access-Control-Allow-Methods' 'GET,POST,OPTIONS,PUT,DELETE,PATCH' always;
    add_header Set-Cookie X-OPENHAB-AUTH-HEADER=1;
    proxy_set_header Authorization "";
    include /etc/nginx/sites-available/XXX1.conf;
    include /etc/nginx/sites-available/XXX2.conf;
    include /etc/nginx/sites-available/openhab.conf;
    include /etc/nginx/sites-available/XXX3.conf;
}
(Edits: just added more of nginx’s config files)
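One check worth running on a setup like the one posted, as an added example that is not part of the original post: nginx inherits `proxy_set_header` from the enclosing level only when the current level defines none of its own, and a header set to an empty string is not passed upstream, so a server-level `proxy_set_header Authorization "";` does not reach a `location` that sets other headers. The sketch below assumes one directive per line; `parse`, `audit`, `SAMPLE` and the `/cleared/` and `/inherits/` locations are hypothetical names for illustration.

```python
import shlex

# Constructed sample: the post's server block with openhab.conf inlined, plus two hypothetical locations.
SAMPLE = '''
server {
    proxy_set_header Authorization "";
    location / {
        proxy_pass http://localhost:8080/;
        proxy_set_header X-Real-IP $remote_addr;
        auth_basic "Username and Password Required";
    }
    location /cleared/ {
        proxy_pass http://localhost:8080/;
        proxy_set_header Authorization "";
        auth_basic "Username and Password Required";
    }
    location /inherits/ {
        proxy_pass http://localhost:8080/;
        auth_basic "Username and Password Required";
    }
}
'''

def parse(text):
    """Parse a one-directive-per-line nginx config into nested blocks."""
    root = {"name": "main", "directives": [], "children": []}
    stack = [root]
    for raw in text.splitlines():
        tokens = shlex.split(raw, comments=True)  # drops '#' comments, honours quotes
        if tokens and tokens[-1] == "{":
            block = {"name": " ".join(tokens[:-1]), "directives": [], "children": []}
            stack[-1]["children"].append(block)
            stack.append(block)
        elif tokens == ["}"]:
            stack.pop()
        elif tokens:
            tokens[-1] = tokens[-1].rstrip(";")
            stack[-1]["directives"].append(tokens)
    return root

def audit(block, headers=None, auth="off"):
    """Return proxied, auth_basic-protected blocks that still forward Authorization."""
    own = {d[1].lower(): d[2] for d in block["directives"] if d[0] == "proxy_set_header"}
    headers = own or headers or {}  # inherited only if this level sets no proxy_set_header
    auth = next((d[1] for d in reversed(block["directives"]) if d[0] == "auth_basic"), auth)
    proxied = any(d[0] == "proxy_pass" for d in block["directives"])
    leak = proxied and auth != "off" and headers.get("authorization") != ""
    hits = [block["name"]] if leak else []
    return hits + [h for c in block["children"] for h in audit(c, headers, auth)]
```

`audit(parse(SAMPLE))` reports only `location /`: there the Basic credentials entered for nginx are also sent on to the backend on port 8080. `nginx -T` prints the configuration with all `include` files expanded, which is the form this check expects.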