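# nginx front-end for an openHAB-Cloud deployment. Included at "http" level
# (it defines upstream, map and server blocks).
#
#   openhab.mydomain.com - openHAB-Cloud web app, the socket.io endpoint the
#                          openHAB instances connect to, and the proxied UI paths
#   home.mydomain.com    - full proxy: every request goes to the openHAB instance
#
# Ports used below: 3000 = cloud proxy/director node, 3001 = cloud web app.

# -----------------------------------------------------------------------------
# Plain HTTP: serve ACME HTTP-01 challenges, redirect everything else to HTTPS.
#
# A "return" placed directly in the server block runs in the server rewrite
# phase, i.e. BEFORE any location is selected, so it would shadow the
# acme-challenge location completely. The redirect therefore lives in
# "location /".
# -----------------------------------------------------------------------------
server {
    listen 80;
    listen [::]:80;
    server_name openhab.mydomain.com home.mydomain.com;

    # Do not advertise the nginx version in Server: headers and error pages.
    server_tokens off;

    location /.well-known/acme-challenge/ {
        alias /var/www/openhab.mydomain.com/.well-known/acme-challenge/;
    }

    location / {
        # $host is the name the client asked for, so home.mydomain.com stays on
        # home.mydomain.com ($server_name would always expand to the first entry
        # of server_name, sending home.* users to openhab.*).
        # NOTE(review): this is the only :80 server and therefore also the
        # default one, so an unknown Host value is echoed into the redirect
        # target; add a default_server block returning 444 if that matters.
        return 301 https://$host$request_uri;
    }
}

# -----------------------------------------------------------------------------
# Upstreams. "socketapp" and "proxyapp" must list the same servers; the
# CloudServer routing cookie (map below) may only ever name one of them.
# -----------------------------------------------------------------------------

# socket.io connections (from the openHAB instances) NEED ip_hash routing so an
# instance always reaches the same node; everything else is routed by cookie or
# round robin.
upstream socketapp {
    ip_hash;
    #server 127.0.0.1:3000;
    server 192.168.0.15:3000;
    #server 127.0.0.1:3001;
    #server 192.168.0.15:3001;
}

# Connections that are proxied through to an openHAB instance; keep the same
# entries as "socketapp".
upstream proxyapp {
    #server 127.0.0.1:3000;
    server 192.168.0.15:3000;
    #server 127.0.0.1:3001;
    #server 192.168.0.15:3001;
}

# All other connections are served by openHAB-Cloud itself (not proxied).
upstream webapp {
    #server 127.0.0.1:3002;
    server 192.168.0.15:3001;
    #server 127.0.0.1:3003;
    #server 192.168.0.15:3003;
}

# -----------------------------------------------------------------------------
# Cookie-based routing for proxied requests.
#
# openHAB-Cloud sets a "CloudServer=host%3Aport" cookie naming the node that
# holds the instance's socket.io connection. The cookie is client-controlled:
# the previous  if ($http_cookie ~ "CloudServer=(\S+)%3A(\d+)")  followed by
# proxy_pass to "$1:$2" let any visitor make nginx open a connection to an
# arbitrary host:port reachable from this box (SSRF / open proxy).
#
# This map only ever yields a member of "proxyapp"; a missing, malformed or
# unknown cookie value falls back to the upstream group, which is exactly the
# old no-cookie behaviour. Keep the entries in sync with "upstream proxyapp".
# -----------------------------------------------------------------------------
map $http_cookie $proxy_target {
    default                                      proxyapp;
    #"~CloudServer=127\.0\.0\.1%3A3000\b"         127.0.0.1:3000;
    "~CloudServer=192\.168\.0\.15%3A3000\b"      192.168.0.15:3000;
    #"~CloudServer=127\.0\.0\.1%3A3001\b"         127.0.0.1:3001;
    #"~CloudServer=192\.168\.0\.15%3A3001\b"      192.168.0.15:3001;
}

# WebSocket upgrade handling: only send "Connection: upgrade" to the backend
# when the client actually asked for an upgrade (socket.io also uses plain
# long-polling requests on the same path).
map $http_upgrade $connection_upgrade {
    default upgrade;
    ''      close;
}

# -----------------------------------------------------------------------------
# Full proxy for home.mydomain.com: everything goes to the openHAB instance via
# the cloud proxy nodes.
# -----------------------------------------------------------------------------
server {
    listen 443 ssl;
    listen [::]:443 ssl;
    server_name home.mydomain.com;
    charset utf-8;
    server_tokens off;

    # NOTE(review): if these are certbot-managed files, point ssl_certificate at
    # fullchain.pem (or set ssl_trusted_certificate) so the intermediate is sent
    # to clients and ssl_stapling_verify has a chain to validate against.
    ssl_certificate     /etc/letsencrypt/home.mydomain.com/cert.pem;
    ssl_certificate_key /etc/letsencrypt/home.mydomain.com/key.pem;

    # TLS 1.2 only, forward-secret AEAD suites. Add TLSv1.3 once the nginx and
    # OpenSSL builds on this host support it (nginx >= 1.13.0, OpenSSL >= 1.1.1).
    ssl_protocols TLSv1.2;
    ssl_prefer_server_ciphers on;
    ssl_ciphers "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384";
    # Must be generated with >= 2048 bits for the DHE suites above to be worth having.
    ssl_dhparam /etc/ssl/certs/dhparam.pem;
    # A single curve; "X25519:prime256v1:secp384r1" would be faster and reach
    # more clients without weakening anything.
    ssl_ecdh_curve secp384r1;
    ssl_session_cache shared:SSL:10m;
    # nginx never rotates the ticket key, so tickets would weaken forward secrecy.
    ssl_session_tickets off;
    ssl_stapling on;
    ssl_stapling_verify on;
    # Used for OCSP stapling and for the host named in the director's 307 Location.
    resolver 192.168.0.1 ipv6=off valid=300s;
    resolver_timeout 5s;

    # "always" adds the headers to error responses too; without it nginx only
    # emits them on 2xx/3xx. Note that add_header is NOT inherited by a location
    # that defines its own add_header, so keep these at server level only.
    add_header Strict-Transport-Security "max-age=63072000; includeSubdomains" always;
    add_header X-Frame-Options DENY always;
    add_header X-Content-Type-Options nosniff always;
    # Tells the openHAB UI that the reverse proxy handles authentication, which
    # suppresses the second password prompt after login (added 02.12.2021, see
    # https://community.openhab.org/t/not-able-to-access-openhab-ui-outside-of-local-network-using-reverse-proxy/129493/7).
    # The cookie is a flag, not a secret, and the UI appears to read it from
    # JavaScript, so HttpOnly is deliberately NOT set - confirm before adding it.
    # Secure keeps it off plain HTTP, SameSite keeps it out of cross-site requests.
    add_header Set-Cookie "X-OPENHAB-AUTH-HEADER=1; Path=/; Secure; SameSite=Lax";

    access_log /var/log/nginx/home.mydomain.com-access.log;
    error_log  /var/log/nginx/home.mydomain.com-error.log;
    client_max_body_size 300m;

    root  /var/www/html;
    index index.html index.htm;

    # ACME challenges that followed the :80 redirect are static files under
    # root. Anchored so "/.well-known" cannot match in the middle of a URI.
    location ~ ^/\.well-known/ {
        allow all;
    }

    # If the node named by the cookie is down, ask the cloud director (any
    # proxyapp member) which node to use instead.
    location @proxy_down {
        proxy_pass http://proxyapp;
        proxy_redirect off;
        proxy_http_version 1.1;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto https;
        proxy_intercept_errors on;
        recursive_error_pages on;
        error_page 307 = @handle_proxy;
    }

    # The cloud director answers with a 307 whose Location names the node to
    # proxy to; follow it and replay the original request there. Only a
    # trusted upstream can reach this path, but nginx connects to whatever
    # host the Location header names (it must be absolute, http://host:port).
    location @handle_proxy {
        set $proxy_server '$upstream_http_location';
        proxy_pass $proxy_server$is_args$args;
        proxy_redirect off;
        proxy_http_version 1.1;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto https;
        proxy_intercept_errors on;
        recursive_error_pages on;
        error_page 307 = @handle_proxy;
    }

    location / {
        # $proxy_target is either "proxyapp" or an allow-listed host:port taken
        # from the CloudServer cookie (see the map at the top of this file); no
        # "if" needed.
        proxy_pass http://$proxy_target;
        proxy_redirect off;
        proxy_http_version 1.1;
        proxy_set_header Host $host;
        # X-Real-IP is the value the backend should trust; X-Forwarded-For also
        # carries whatever the client sent in that header.
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto https;
        proxy_intercept_errors on;
        recursive_error_pages on;
        error_page 307 = @handle_proxy;
        # If this node is down we need to try a new upstream.
        error_page 500 501 502 503 504 = @proxy_down;
    }
}

# -----------------------------------------------------------------------------
# Main openHAB-Cloud site (the equivalent of myopenhab.org).
# -----------------------------------------------------------------------------
server {
    listen 443 ssl;
    listen [::]:443 ssl;
    server_name openhab.mydomain.com;
    charset utf-8;
    server_tokens off;

    # NOTE(review): if these are certbot-managed files, point ssl_certificate at
    # fullchain.pem (or set ssl_trusted_certificate) so the intermediate is sent
    # to clients and ssl_stapling_verify has a chain to validate against.
    ssl_certificate     /etc/letsencrypt/openhab.mydomain.com/cert.pem;
    ssl_certificate_key /etc/letsencrypt/openhab.mydomain.com/key.pem;

    # TLS 1.2 only, forward-secret AEAD suites. Add TLSv1.3 once the nginx and
    # OpenSSL builds on this host support it (nginx >= 1.13.0, OpenSSL >= 1.1.1).
    ssl_protocols TLSv1.2;
    ssl_prefer_server_ciphers on;
    ssl_ciphers "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384";
    # Must be generated with >= 2048 bits for the DHE suites above to be worth having.
    ssl_dhparam /etc/ssl/certs/dhparam.pem;
    # A single curve; "X25519:prime256v1:secp384r1" would be faster and reach
    # more clients without weakening anything.
    ssl_ecdh_curve secp384r1;
    ssl_session_cache shared:SSL:10m;
    # nginx never rotates the ticket key, so tickets would weaken forward secrecy.
    ssl_session_tickets off;
    ssl_stapling on;
    ssl_stapling_verify on;
    # Used for OCSP stapling and for the host named in the director's 307 Location.
    resolver 192.168.0.1 ipv6=off valid=300s;
    resolver_timeout 5s;

    # "always" adds the headers to error responses too; without it nginx only
    # emits them on 2xx/3xx. Note that add_header is NOT inherited by a location
    # that defines its own add_header, so keep these at server level only.
    add_header Strict-Transport-Security "max-age=63072000; includeSubdomains" always;
    add_header X-Frame-Options DENY always;
    add_header X-Content-Type-Options nosniff always;

    access_log /var/log/nginx/openhab.mydomain.com-access.log;
    error_log  /var/log/nginx/openhab.mydomain.com-error.log;
    client_max_body_size 300m;

    root  /var/www/html;
    index index.html index.htm;

    # ACME challenges that followed the :80 redirect are static files under
    # root. Anchored so "/.well-known" cannot match in the middle of a URI.
    location ~ ^/\.well-known/ {
        allow all;
    }

    # Static assets served straight from the openHAB-Cloud checkout.
    # Prefix and alias are both written WITHOUT a trailing slash; mixing a
    # slash-terminated alias with an unterminated prefix is the classic nginx
    # alias path-traversal misconfiguration ("/css../"), so keep them paired.
    location /css            { alias /home/openhab-cloud/public/css; }
    location /js             { alias /home/openhab-cloud/public/js; }
    location /img            { alias /home/openhab-cloud/public/img; }
    location /bootstrap      { alias /home/openhab-cloud/public/bootstrap; }
    location /font-icons     { alias /home/openhab-cloud/public/font-icons; }
    location /fonts          { alias /home/openhab-cloud/public/fonts; }
    location /js-plugin      { alias /home/openhab-cloud/public/js-plugin; }
    location /staff/js-plugin { alias /home/openhab-cloud/public/js-plugin; }
    location /downloads      { alias /home/openhab-cloud/public/downloads; }

    # socket.io connections from the openHAB instances (ip_hash, see "socketapp").
    location /socket.io {
        proxy_pass http://socketapp;
        proxy_redirect off;
        proxy_http_version 1.1;
        proxy_set_header Host $host;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection $connection_upgrade;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto https;
    }

    # If the node named by the cookie is down, ask the cloud director (any
    # proxyapp member) which node to use instead.
    location @proxy_down {
        proxy_pass http://proxyapp;
        proxy_redirect off;
        proxy_http_version 1.1;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto https;
        proxy_intercept_errors on;
        recursive_error_pages on;
        error_page 307 = @handle_proxy;
    }

    # The cloud director answers with a 307 whose Location names the node to
    # proxy to; follow it and replay the original request there. Only a
    # trusted upstream can reach this path, but nginx connects to whatever
    # host the Location header names (it must be absolute, http://host:port).
    location @handle_proxy {
        set $proxy_server '$upstream_http_location';
        proxy_pass $proxy_server$is_args$args;
        proxy_redirect off;
        proxy_http_version 1.1;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto https;
        proxy_intercept_errors on;
        recursive_error_pages on;
        error_page 307 = @handle_proxy;
    }

    # Paths proxied through to the user's openHAB instance (from browsers).
    # Prefix match on purpose (no trailing anchor); literal dots are escaped.
    location ~ ^/(rest|images|static|rrdchart\.png|chart|openhab\.app|WebApp|CMD|cometVisu|proxy|greent|jquery|classicui|ui|basicui|paperui|doc|start|icon|habmin|remote|habpanel|ifttt/v1/actions/command) {
        # $proxy_target is either "proxyapp" or an allow-listed host:port taken
        # from the CloudServer cookie (see the map at the top of this file); no
        # "if" needed.
        proxy_pass http://$proxy_target;
        proxy_redirect off;
        proxy_http_version 1.1;
        proxy_set_header Host $host;
        # X-Real-IP is the value the backend should trust; X-Forwarded-For also
        # carries whatever the client sent in that header.
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto https;
        proxy_intercept_errors on;
        recursive_error_pages on;
        error_page 307 = @handle_proxy;
        # If this node is down we need to try a new upstream.
        error_page 500 501 502 503 504 = @proxy_down;
    }

    # Everything else is handled by the openHAB-Cloud web app itself.
    location / {
        proxy_pass http://webapp;
        proxy_redirect off;
        proxy_http_version 1.1;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto https;
    }
}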