{"id":458,"date":"2016-09-11T21:31:42","date_gmt":"2016-09-12T02:31:42","guid":{"rendered":"http:\/\/lisa.rushworth.us\/?p=458"},"modified":"2018-05-05T11:59:40","modified_gmt":"2018-05-05T16:59:40","slug":"openhab-through-a-reverse-proxy","status":"publish","type":"post","link":"https:\/\/www.rushworth.us\/lisa\/?p=458","title":{"rendered":"OpenHAB Through A Reverse Proxy"},"content":{"rendered":"<p>This isn&#8217;t something we do, but my Google dashboard says a lot of people are finding my site by searching for OpenHAB and reverse proxy. I do a lot of\u00a0<em>other<\/em> things through Apache&#8217;s reverse proxy, so I figured I&#8217;d provide a quick config.<\/p>\n<p>To start, you either need to have the proxy modules statically built into Apache or load them in your httpd.conf file. I load the modules, so am showing the httpd.conf method. I have the WebStream module loaded as well because we reverse proxy an MQTT server for presence &#8211; the last line isn&#8217;t needed if you don&#8217;t reverse proxy WebStream data.<\/p>\n<pre>LoadModule proxy_module modules\/mod_proxy.so\r\nLoadModule proxy_http_module modules\/mod_proxy_http.so\r\nLoadModule proxy_wstunnel_module modules\/mod_proxy_wstunnel.so\r\n<\/pre>\n<p>If I <em>were<\/em> reverse proxying our OpenHAB site, I would only do so over HTTPS and I&#8217;d have authentication on the site (i.e. any random dude on the Internet shouldn&#8217;t be able to load the site and turn my lights off without putting <em>some<\/em> effort into it). There are other posts on this site providing instructions for adding Kerberos authentication to a site (to an Active Directory domain). You could also use LDAP to authenticate to any LDAP compliant directory &#8211; config is similar to the Kerberos authentication with LDAP authorization. 
You can do local authentication too &#8211; not something I do, but I know it is a thing.<\/p>\n<p>Once you have the proxy modules loaded, you need to add the site to relay traffic back to OpenHAB. To set up a new web site, you&#8217;ll need to set up a new virtual host. Server Name Indication was introduced in Apache 2.2.12 &#8212; this allows you to host multiple SSL web sites on a single IP:Port combination. Prior to 2.2.12, the IP:Port combination needed to be unique per virtual host to avoid certificate name mismatch errors. You still <em>can<\/em> use a unique combination, but if you want to use the default HTTP-SSL port, 443, and identify the site through ServerName\/ServerAlias values &#8230; Google setting up SNI with Apache.<\/p>\n<p>Within your VirtualHost definition, you need a few lines to set up the reverse proxy. Then add the &#8220;ProxyPass&#8221; and &#8220;ProxyPassReverse&#8221; lines with the URL for <em>your<\/em> OpenHAB at the end:<\/p>\n<pre># Reverse proxy only; never act as a forward proxy\r\nProxyRequests Off\r\n&lt;VirtualHost 10.1.2.25:8443&gt;\r\n        ServerName openhabExternalHost.domain.gTLD\r\n        ServerAlias openhab\r\n        SetEnv force-proxy-request-1.0 1\r\n        SetEnv proxy-nokeepalive 1\r\n        SetEnv proxy-initial-not-pooled 1\r\n\r\n        # Pass the original Host header through to OpenHAB\r\n        ProxyPreserveHost On\r\n        ProxyTimeOut 1800\r\n\r\n        # Relay every path to the internal OpenHAB HTTPS listener\r\n        ProxyPass \/ https:\/\/openhabInternalHost.domain.gTLD:9443\/\r\n        ProxyPassReverse \/ https:\/\/openhabInternalHost.domain.gTLD:9443\/\r\n\r\n        # TLS for clients connecting to the proxy\r\n        SSLEngine On\r\n        # TLS to the backend, with hostname checks on the OpenHAB certificate turned off\r\n        SSLProxyEngine On\r\n        SSLProxyCheckPeerCN off\r\n        SSLProxyCheckPeerName off\r\n        SSLCertificateFile \/apache\/httpd\/conf\/ssl\/www.rushworth.us.cert\r\n        SSLCertificateKeyFile \/apache\/httpd\/conf\/ssl\/www.rushworth.us.key\r\n        SSLCertificateChainFile \/apache\/httpd\/conf\/ssl\/signingca-v2.crt\r\n&lt;\/VirtualHost&gt;<\/pre>\n<p>Reload Apache and you should be able to access your OpenHAB web site via your 
reverse proxy. You can add authentication into the reverse proxy configuration too &#8212; this would allow you to use the OpenHAB site directly from your internal network but require authentication when coming in from the Internet.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>This isn&#8217;t something we do, but my Google dashboard says a lot of people are finding my site by searching for OpenHAB and reverse proxy. I do a lot of\u00a0other things through Apache&#8217;s reverse proxy, so I figured I&#8217;d provide a quick config. To start, you either need to have the proxy modules statically built &hellip;<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[30],"tags":[31,44,32],"class_list":["post-458","post","type-post","status-publish","format-standard","hentry","category-system-administration","tag-apache","tag-openhab","tag-technology"],"_links":{"self":[{"href":"https:\/\/www.rushworth.us\/lisa\/index.php?rest_route=\/wp\/v2\/posts\/458","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.rushworth.us\/lisa\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.rushworth.us\/lisa\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.rushworth.us\/lisa\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.rushworth.us\/lisa\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=458"}],"version-history":[{"count":3,"href":"https:\/\/www.rushworth.us\/lisa\/index.php?rest_route=\/wp\/v2\/posts\/458\/revisions"}],"predecessor-version":[{"id":3131,"href":"https:\/\/www.rushworth.us\/lisa\/index.php?rest_route=\/wp\/v2\/posts\/458\/revisions\/3131"}],"wp:attachment":[{"href":"https:\/\/www.rushworth.us\/lisa\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=458"}],"wp:term":[{"taxonomy":"category","embeddable
":true,"href":"https:\/\/www.rushworth.us\/lisa\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=458"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.rushworth.us\/lisa\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=458"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}