OpenHAB behind reverse proxy

[Marcolino]

Hi,

to reach openHAB from a pubblic address, I have to publish it behind a reverse proxy.

URL will became: http://www.dns.org/openhab/openhab.app?sitemap=demo

I tried, page was loaded with items, but Icon is not loaded and command dows not work.

Do you have a idea on why do not work behind a reverse proxy?

Thanks

[Robert Bausdorf]

Hi,

mostly common the context paths differ between the proxy and server URL's.

Suppose your internal URL is http://your-openhab-box:8080/openhab.app?sitemap=demo then the first request to your poxy URL as above is done correctly and your browser thinks about an URI path of /openhab/...

But Proxies normally do not rewrite the html code (especially relative Links !) in a requests respose to the client browser. For subsequent requests - for Example getting Stylesheets or images (=icons) - the bowser sends a request to 

http://www.dns.org/openhab/images/... but your internal box serves them as http://your-openhab-box:8080/images/... and not http://your-openhab-box:8080/openhab/images/...

Mostly the easiest way is to change the context Path on your OpenHAB instance not to be the ROOT context but /openhab as you have set it on your proxy. 

regards

Robert

[Marcolino]

Hi Robert,

thank for your great and clear explanation.

I were sure that issue is there, and you just confim it.

What I don't know, is how change context Path of openhab webserver. Can you give me some help?

Kindly Regards

Marco

[Robert Bausdorf]

Hi Marco,

I'm not quite shure how to do this in Jetty configuration which OpenHAB ist using - Jetty docs may help here but these changes will be overwitten by a new OpenHab version. How about that: If you are able to use an own domain conjunction with a dynamic dns service, you could redirect a subdomain an proxy the root context:

1) Create an own subdomain like openhab.your-domain.com

2) Use dynamic DNS to redirect this subdomain to your dynamic IP (I suppose you're using such thing)

3) Simply proxy to your internal openHAB box

As of today the most web space providers allow you to create a sufficient amount of subdomains in a registered domain of yours and the big players support dynamic DNS with no additional charge.

regards

Robert

[Marcolino]

I Robert,
it seems that this capability will be available in OpenHAB 2.0

https://github.com/openhab/openhab/issues/853

For now opened a new port for HTTP on my router, bypassing Reverse Proxy.

Thanks at all for your suggestions.

Kindly Regards

Marco

[gluf...@gmail.com]

I have similar problem.

I use webview frames in my openhab interface to integrate other subsistems like LogitechMediaServer web interface. I use local IP address in the sitemap but when I connect from the internet the frames are blank. I expected that OpenHAB will redirect/parse/whatever the content and will represent it no matter where I connect from

I can open additional ports on the router but then I will have to use public dyndns url in all sitemaps and my openhab will have problems working if the internet link is down.

Any way to solve this?

[Shawn Mix]

I'd like to add in and revive this thread to see if others are looking for similar. I'd love the ability to use mod_proxy with Apache, or a similar setup with NGINX for reverse proxying. The basic idea is that I do want this accessible externally (yes I have a VPN already) as trying to connect to a VPN first to be able to control the home makes it more difficult than it needs to be. I also have some location based apps on our phones that help for automating when we leave and come home, which needs access to the system to function from outside the home network. My career is in infosec, and while reducing the potential threat surface (OpenHAB accessible outside) is one approach, it doesn't necessarily work for everyone. Using a reverse proxy and controls on my router, I can effectively reduce the threat to security. If people don't understand what they are doing and decide to do it, you can't stop them, and it's not anyone but their own fault. Given many of us know what we are doing, means we can safely and securely deploy this in an externally accessible mechanism. The reality is, using a reverse proxy with authentication, is stronger than the basic auth built into OpenHAB which also requires putting passwords in plain text on the local system. I'm going to add to the Git open item as well on this to help push for this in a 1.x version.

[Fulvio Spelta]

Hi all, me too like a lot the reverse proxy technique. But in order to guarantee secure access from internet the myopenhab service could be a simple and effective way (and doesn't require ddns service).

Anyhow every info about reverse proxy configuration is very useful.

[Martin Klimke]

for German speaking participants, the CT has created a tutorial in "CT Wissen Smart Home" page 88 ff.

Link to: www.ct.de/hb/1404088

This procedure is working nicely with OPENHAB.

Am Donnerstag, 8. Januar 2015 15:56:32 UTC+1 schrieb Darko Križić:

Hi,

I have a single public IP and I run pfSense as my router and firewall. I use Squid as a reverse proxy for accessing OpenHAB (and multiple other internal services) via Internet, especially for the mobile app running on my iPhone. My setup is as follows:

• External IP with DynDNS
• CNAME from my own domain to DynDNS, for each service one unique name, e.g.
• openhab.mydomain.com
• icinga.mydomain.com
• Squid running as Reverse Proxy for HTTPS (not HTTP!) on port 443 on pfSense. I configured Squid to forward all requests to ^https://openhab.mydomain.com/.*$ to http://openhab.home.mydomain.com:8080 (internal name)

This works without any problems. Let me know, if you need more details about Squid configuration.

Regards,

Darko

[Glusec Glufonec]

Martin, the link is not working

Darko I lost full day yesterday with almost no progress with using squid on the same machine as openhab. Will try again. I think that VPN solution might be easier do make this work

--
You received this message because you are subscribed to a topic in the Google Groups "openhab" group.
To unsubscribe from this topic, visit https://groups.google.com/d/topic/openhab/qu-53kQ5_es/unsubscribe.
To unsubscribe from this group and all its topics, send an email to openhab+u...@googlegroups.com.
To post to this group, send email to ope...@googlegroups.com.
Visit this group at http://groups.google.com/group/openhab.

To view this discussion on the web visit https://groups.google.com/d/msgid/openhab/6140cd81-c593-422e-bc95-e11567489213%40googlegroups.com.

For more options, visit https://groups.google.com/d/optout.

[Martin Klimke]

upps: http://www.ct.de/hb1404088

[Darko Križić]