Weird problem with reverse proxy and authentication

Hello

I installed openHAB 3 on a RaspPi several months ago, set it up to use nginx as a reverse proxy with authentication, used the beta version of the openHAB Android app as well… everything worked fine for quite some time.

Then oh 3.3 came out, I updated, didn’t use the OH website and app for some time, and when I tried again (in fact, my wife tried…) it didn’t work: 401 in the app, and when I tried the website, the small centered login form appears and after entering my credentials, it appears again - quite a nice loop :wink:

Now, first I checked each and every config file I am aware of, then I used a more systematic approach: I use etckeeper (so /etc is in git) and I also create daily OH backups. I also did a downgrade to OH 3.2 today but it just doesn’t work, same re-appearing login form and I always get the same warning in the OH log file:

[WARN ] [ore.io.rest.auth.internal.AuthFilter] - Unauthorized API request: Basic authentication with username/password is not allowed

for OH 3.2 and

[WARN ] [ore.io.rest.auth.internal.AuthFilter] - Unauthorized API request from 127.0.0.1: Basic authentication with username/password is not allowed
[WARN ] [ore.io.rest.auth.internal.AuthFilter] - Unauthorized API request from [0:0:0:0:0:0:0:1]: Basic authentication with username/password is not allowed

for OH 3.3.

So now I’m quite stuck and out of ideas what could cause this problem.

Any ideas or pointers on how I can find out the root cause of this behaviour?

BTW: what’s also a bit strange is that I didn’t activate API Security → “Allow Basic Authentication” at all, but it used to work in the past… If I do activate it, the warning is not written to the OH log file and the login form doesn’t appear at all; in the app I get a 404 instead of a 401…

nginx’s sites-available/openhab.conf:

    location / {

        proxy_pass                              http://localhost:8080/;
        proxy_set_header Host                   $http_host/;
        proxy_set_header X-Real-IP              $remote_addr;
        proxy_set_header X-Forwarded-For        $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto      $scheme;

#       proxy_set_header Authorization "";


#       proxy_set_header Upgrade                $http_upgrade;
#       proxy_set_header Connection             "Upgrade";

        proxy_read_timeout                      3600;

#       satisfy                                 any;
#       allow                                   192.168.0.0/24;
#       allow                                   127.0.0.1;
#       deny                                    all;
        auth_basic                              "Username and Password Required";
        auth_basic_user_file                    /etc/nginx/passwords/openhab;

    }

and its sites-available/default:

server {

    server_name     <XXXXX>;

    # SSL configuration
    listen 443 ssl default_server;
    listen [::]:443 ssl default_server;

    ssl_certificate         /etc/ssl/certs/XXXX.crt;
    ssl_certificate_key     /etc/ssl/private/XXXX.pem;

    root /var/www/html;


  add_header  Strict-Transport-Security "max-age=31536000; includeSubDomains";

   # Cross-Origin Resource Sharing
   add_header 'Access-Control-Allow-Origin' '*' always;
   add_header 'Access-Control-Allow-Credentials' 'true' always;
   add_header 'Access-Control-Allow-Headers' 'Authorization,Accept,Origin,DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Content-Range,Range' always;
   add_header 'Access-Control-Allow-Methods' 'GET,POST,OPTIONS,PUT,DELETE,PATCH' always;

   add_header Set-Cookie X-OPENHAB-AUTH-HEADER=1;
   proxy_set_header Authorization          "";

  include /etc/nginx/sites-available/XXX1.conf;
  include /etc/nginx/sites-available/XXX2.conf;
  include /etc/nginx/sites-available/openhab.conf;
  include /etc/nginx/sites-available/XXX3.conf;
}

(Edit: just added more of nginx’s config files)

Additional info: I upgraded OH from 3.2 to 3.3 on Jul 26, my backup is from July 17, so earlier…; there has been an upgrade of nginx the same day, from 1.18.0-6-1 to 1.18.0-6.1+deb11u2, so there shouldn’t be any relevant changes on nginx’s side (I’m running Debian Testing).

  • What does the nginx server log show (404: file not found)?
  • You wrote that the app shows the error. How does a browser behave?

OK, two setups:

Settings 1

In the OH GUI I set API Security to:

  • Implicit role: true
  • Allow Basic Authentication: false

Firefox shows this centered login form where I enter username and password, then the login form reappears over and over again.

nginx access.log when loading the page:

"GET / HTTP/1.1" 200 575 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0"
"GET /css/app.css HTTP/1.1" 304 0 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0"
"GET /js/app.js HTTP/1.1" 304 0 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0"
"GET /images/openhab-logo.svg HTTP/1.1" 304 0 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0"
"GET /rest/ HTTP/1.1" 401 70 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0"
"GET /rest/ HTTP/1.1" 401 70 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0"

and when submitting the login credentials:

"GET /rest/ HTTP/1.1" 401 70 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0"
"GET /rest/ HTTP/1.1" 401 70 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0"
"GET /rest/ HTTP/1.1" 401 70 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0"

When entering the correct credentials, nginx’s error.log doesn’t show anything, with incorrect credentials, I get:

[error] 370#370: *251 user "admin": password mismatch, client: 192.168.178.24, server: zumfingertanz.local, request: "GET /rest/ HTTP/1.1", host: "zumfingertanz.local"

When just loading the page, openhab.log shows:

[WARN ] [ore.io.rest.auth.internal.AuthFilter] - Unauthorized API request: Basic authentication with username/password is not allowed
[WARN ] [ore.io.rest.auth.internal.AuthFilter] - Unauthorized API request: Basic authentication with username/password is not allowed

and after entering the credentials, it shows:

[WARN ] [ore.io.rest.auth.internal.AuthFilter] - Unauthorized API request: Basic authentication with username/password is not allowed
[WARN ] [ore.io.rest.auth.internal.AuthFilter] - Unauthorized API request: Basic authentication with username/password is not allowed
[WARN ] [ore.io.rest.auth.internal.AuthFilter] - Unauthorized API request: Basic authentication with username/password is not allowed

(yes, really, three times the same warning message!)

When opening the Android app, I get a 401 in the app, one warning in openhab.log, and in nginx’s access.log I get:

"GET /rest/ HTTP/1.1" 401 70 "-" "Mozilla/5.0 (Linux; Android 4.0.4; Galaxy Nexus Build/IMM76B) AppleWebKit/535.19 (KHTML, like Gecko) Chrome/18.0.1025.133 Mobile Safari/535.19"
"GET /rest/ HTTP/1.1" 401 70 "-" "Mozilla/5.0 (Linux; Android 4.0.4; Galaxy Nexus Build/IMM76B) AppleWebKit/535.19 (KHTML, like Gecko) Chrome/18.0.1025.133 Mobile Safari/535.19"

Settings 2

In the OH GUI I set API Security to:

  • Implicit role: true
  • Allow Basic Authentication: true

Firefox shows just an empty page, its source code:

<!doctype html><html><head><meta charset="utf-8"><meta http-equiv="Content-Security-Policy" content="default-src * 'self' 'unsafe-inline' 'unsafe-eval' data: gap: content: blob:; style-src 'self' 'unsafe-inline';"><meta name="viewport" content="width=device-width,initial-scale=1,maximum-scale=1,minimum-scale=1,user-scalable=no,minimal-ui,viewport-fit=cover"><meta name="theme-color" content="#e64a19"><meta name="format-detection" content="telephone=no"><meta name="msapplication-tap-highlight" content="no"><title>openHAB</title><meta name="apple-mobile-web-app-capable" content="yes"><meta name="apple-mobile-web-app-status-bar-style" content="black-translucent"><link rel="apple-touch-icon" href="/res/icons/apple-touch-icon.png" type="image/png" sizes="180x180" crossorigin="use-credentials"><link rel="icon" href="/res/icons/favicon.svg" type="image/svg+xml" sizes="any" crossorigin="use-credentials"><link rel="icon" href="/res/icons/128x128.png" type="image/png" sizes="128x128" crossorigin="use-credentials"><link rel="manifest" href="/manifest.json" crossorigin="use-credentials"><link href="/css/app.css" rel="stylesheet"></head><body><div id="app"></div><script src="/js/app.js"></script></body></html>

and no login form appears.
Nginx’s access.log:

"GET / HTTP/1.1" 200 575 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0"
"GET /css/app.css HTTP/1.1" 304 0 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0"
"GET /js/app.js HTTP/1.1" 304 0 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0"
"GET /images/openhab-logo.svg HTTP/1.1" 304 0 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0"
"GET /rest/ HTTP/1.1" 404 0 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0"

and its error.log stays empty, as does openhab.log.

If I use the app, I get a 404 in the app, nothing in openhab.log and error.log, and access.log shows:

"GET /rest/ HTTP/1.1" 404 0 "-" "Mozilla/5.0 (Linux; Android 4.0.4; Galaxy Nexus Build/IMM76B) AppleWebKit/535.19 (KHTML, like Gecko) Chrome/18.0.1025.133 Mobile Safari/535.19"

Interestingly, there are some other services on the same web server, such as searx (running fine) and teslamate with grafana, and now it happens that Firefox cannot show the grafana login page correctly: if I try to open HOSTNAME/grafana/login, it shows me some json or - if I choose RAW instead:

{"message":"invalid username or password","traceID":"00000000000000000000000000000000"}

Instead, it should just correctly load the login page of grafana so that I can enter the corresponding credentials. But it seems to get mixed up about when to use which kind of authentication…

If I try to open the OH page in chromium, I get

  • the login form
  • after entering them, an empty page
    and if I try to load the grafana page afterwards in the same tab, I get the same error. But if I use a new tab, it’s loading the page correctly.

OK, further “research” shows that

  • as long as I don’t include the lines “auth_basic” and “auth_basic_user_file” in the nginx configuration for openhab, the grafana login page works as expected
  • but as soon as I include the reverse proxy login config lines, Firefox starts having trouble again

Why is that the case? These lines are part of the location / block, not of the /grafana block… and never changed…

It seems the main problem is solved:

I had this in nginx’s openhab.conf:

proxy_set_header Host                   $http_host/;

and I had to correct it to:

proxy_set_header Host                   $http_host;

Strange, because /etc’s git clearly shows that this hasn’t been a problem for a very long time…

Additionally I had to set API Security > Allow Basic Authentication to true.
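An added check for the two nginx issues this thread turns up (example code written here, not from the thread or the openHAB project): it parses a config, applies nginx's rule that proxy_set_header lines are inherited from the enclosing level only when the current level defines none of its own, and flags a Host value ending in "/" as well as an auth_basic location that still forwards the browser's Authorization header to openHAB, which is what produces the "Basic authentication with username/password is not allowed" warning. The sample config is constructed to mirror the posted one; the parser ignores quoted values containing ";" or braces.

```python
import re
# Constructed sample modelled on the thread's config, not the poster's file verbatim.
SAMPLE_CONF = """
server {
    proxy_set_header Authorization "";
    location / {
        proxy_pass http://localhost:8080/;
        proxy_set_header Host $http_host/;
        auth_basic "Username and Password Required";
    }
}
"""

def parse_blocks(text):
    """Split nginx config into blocks with parent links (comments dropped)."""
    text = re.sub(r"#.*", "", text)
    stack, blocks = [{"name": "main", "directives": [], "parent": None}], []
    for m in re.finditer(r"([^{};]*)([{};])", text):
        tokens, end = m.group(1).split(), m.group(2)
        if end == "{":
            stack.append({"name": " ".join(tokens), "directives": [], "parent": stack[-1]})
        elif end == "}":
            blocks.append(stack.pop())
        elif tokens:
            stack[-1]["directives"].append(tokens)
    return blocks

def effective_set_headers(blk):
    """nginx inherits proxy_set_header from the enclosing level only when the
    current level defines none, so a server-level Authorization strip is lost."""
    while blk is not None:
        own = [d for d in blk["directives"] if d[0] == "proxy_set_header"]
        if own:
            return own
        blk = blk["parent"]
    return []

def audit(text):
    """Flag a Host value ending in '/' and auth_basic without an Authorization
    strip, which lets the browser's Basic credentials reach openHAB."""
    findings = []
    for blk in parse_blocks(text):
        if not any(d[0] == "proxy_pass" for d in blk["directives"]):
            continue
        hdrs = {d[1].lower(): " ".join(d[2:]) for d in effective_set_headers(blk)}
        if hdrs.get("host", "").endswith("/"):
            findings.append(f"{blk['name']}: Host header value ends with '/'")
        if any(d[0] == "auth_basic" and d[1] != "off" for d in blk["directives"]) and hdrs.get("authorization") not in ('""', "''"):
            findings.append(f"{blk['name']}: auth_basic set but Authorization is forwarded upstream")
    return findings
```

Running audit() on the posted configuration reports both problems for location /; removing the slash and adding the Authorization strip inside the location (where it actually takes effect) clears them.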
