
Author Topic: nginx http proxy -> 3480  (Read 1619 times)

Offline DesT

  • Sr. Member
  • ****
  • Posts: 364
  • Karma: +5/-1
nginx http proxy -> 3480
« on: October 27, 2016, 07:07:14 am »
akbooer,

Since the beginning of having openLuup here, I installed an nginx proxy with a login/password auth to gain access to openLuup/ALTUI from outside...  everything works fine since the last update I did as you know for the timer bug also!

The issue I'm having is that nothing is sent back, just a white page!   Looks like openLuup/ALTUI refuses to send out traffic using the proxy.
Vera Edge-UI7/Plus-UI7 (2), DSC Partition (5 ) + Zones Sensors(31), Nest thermostat (1) & Protect Fire/CO (3), GE Sw (8 ), GE Dimr (14), FGMS-001 (2), ZW100 (2), RZCS4 (1), AL-DSC11 (1), Aeon HEM 2nd Edition (1), Aeon SSE (5), YRD220-ZW (1), SONOS (6), MyQ Chamberlain (1)
PINE64/openLuup/ALTUI/Rules

Offline akbooer

  • Moderator
  • Master Member
  • *****
  • Posts: 6387
  • Karma: +292/-70
  • "Less is more"
Re: nginx http proxy -> 3480
« Reply #1 on: October 27, 2016, 10:17:43 am »
Sorry, this is way out of my understanding.  It might be an AltUI thing, rather than an openLuup one... have you tested on an actual Vera?
3x Vera Lite-UI5/Edge-UI7, 25x Fibaro, 23x TKB, 9x MiniMote, 2x NorthQ Power, 2x Netatmo, 1x Foscam FI9831P, 9x Philips Hue,
Razberry, MySensors Arduino, HomeWave, AltUI, AltHue, DataYours, Grafana, openLuup, ZWay, ZeroBrane Studio.

Offline DesT

Re: nginx http proxy -> 3480
« Reply #2 on: October 27, 2016, 11:43:00 am »
Sorry, this is way out of my understanding.  It might be an AltUI thing, rather than an openLuup one... have you tested on an actual Vera?

To understand correctly: all the "http" output, including the HTTP server itself... is it coming from ALTUI or openLuup?

Offline akbooer

Re: nginx http proxy -> 3480
« Reply #3 on: October 27, 2016, 12:17:23 pm »
The HTTP on port 3480 is part of openLuup.  This is used by AltUI for status and command queries.  When AltUI is talking to an openLuup installation, all communication is done through that port.  This has required some modification of AltUI by @amg0, since Vera also talks on port 80 for some things, and also on a high-numbered port for others (specifically, so-called HAG requests.)

Offline jswim788

  • Hero Member
  • *****
  • Posts: 809
  • Karma: +58/-2
Re: nginx http proxy -> 3480
« Reply #4 on: April 12, 2018, 03:04:33 pm »
DesT, did you ever get this to work?  I'm considering this approach with nginx as a reverse proxy to get access.

Offline DesT

Re: nginx http proxy -> 3480
« Reply #5 on: April 12, 2018, 03:55:42 pm »
yeah bro.. been using that for a while with a login and password to access it!

works like a charm ;)

Offline jswim788

Re: nginx http proxy -> 3480
« Reply #6 on: April 13, 2018, 12:15:01 pm »
Would you mind posting your nginx configuration information (of course removing any sensitive information)?  You are using https plus the password?  And if you use https, then did you use a self-signed certificate or go with something like Let's Encrypt?  I may start with self-signed, but it gets ugly with browsers, so I will next go ahead and pay for a DDNS name and then use Let's Encrypt.  Lots of questions - hope you don't mind.  Thanks!

Offline DesT

Re: nginx http proxy -> 3480
« Reply #7 on: April 13, 2018, 12:52:57 pm »
Yeah no prob....

The config is very easy:

I have a little VM that just handles nginx and sends the traffic to the openLuup box.

Code:
    location / {
        auth_basic "Restricted";
        auth_basic_user_file /var/www/html/.htpasswd;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header Host $host;
        proxy_pass http://VERAIP:3480;
    }

I'm currently not using SSL for the moment but nginx is behind the firewall and I'm running fail2ban also to block those who try the box ;)

Offline jswim788

Re: nginx http proxy -> 3480
« Reply #8 on: April 14, 2018, 12:39:45 am »
Thanks - got it to work.  I'm using SSL and the password.  I paid for the domain so I could use Let's Encrypt.  My browser is now happy.  I would prefer to have 2-factor authentication.  I'll have a look at that as my next project.
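
Added example, not part of any post in this thread: the location block from Reply #7 placed behind TLS as Reply #8 describes, so the Basic auth credentials are not sent in clear text. example.org, the certificate paths (certbot defaults for that placeholder domain) and the .htpasswd location are assumptions; VERAIP is the placeholder from the original post.

```nginx
# Added example. example.org and all file paths are placeholders/assumptions.

# Plain HTTP only redirects, so the Authorization header never crosses
# the Internet unencrypted.
server {
    listen 80;
    server_name example.org;
    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl;
    server_name example.org;

    # Default certbot (Let's Encrypt) output locations for the placeholder domain.
    ssl_certificate     /etc/letsencrypt/live/example.org/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/example.org/privkey.pem;
    ssl_protocols       TLSv1.2 TLSv1.3;

    location / {
        # Basic auth is checked by nginx before anything reaches openLuup.
        auth_basic           "Restricted";
        # Assumed location outside any web root; Reply #7 uses
        # /var/www/html/.htpasswd.
        auth_basic_user_file /etc/nginx/.htpasswd;

        proxy_set_header Host              $host;
        proxy_set_header X-Real-IP         $remote_addr;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;

        # TLS ends at nginx; the hop to openLuup stays plain HTTP on the LAN.
        proxy_pass http://VERAIP:3480;
    }
}
```

Check the file with `nginx -t` before reloading. Failed Basic auth attempts are written to the nginx error log, which is what fail2ban's stock `nginx-http-auth` filter reads.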

Offline akbooer

Re: nginx http proxy -> 3480
« Reply #9 on: April 14, 2018, 03:11:12 am »
This looks really useful, but is way outside my expertise. Would it be possible to get a short description for dummies (like me) to describe the overall approach and get it going? 

I've never used openLuup from outside my LAN (except via HomeWave.)

I could add it as a sticky post.  Thanks if possible.

Offline jswim788

Re: nginx http proxy -> 3480
« Reply #10 on: April 14, 2018, 11:36:52 pm »
I used this tutorial, it's very good: https://community.openhab.org/t/using-nginx-reverse-proxy-authentication-and-https/14542

Note that I am a bit uncomfortable with this as then you have a port open to the Internet at all times.  Need to keep everything up to date as far as security.  It's also only as good as the password.  Currently I have Google Wifi so I can turn the port forwarding off and on remotely as desired.  I will be taking a look at fail2ban that DesT mentioned.

Offline akbooer

Re: nginx http proxy -> 3480
« Reply #11 on: April 14, 2018, 11:48:03 pm »
Health warning noted!  Let us all know how you get on with fail2ban too.

Many thanks.

Offline jswim788

Re: nginx http proxy -> 3480
« Reply #12 on: May 03, 2018, 08:11:09 pm »
A little further in this vein, I'm mulling over adding the oauth2_proxy (https://github.com/bitly/oauth2_proxy).  Then I don't have to muck around with my own separate password file.  And then it appears that it wouldn't be too hard to have an Alexa skill that would "talk" to openLuup through the nginx reverse proxy with this authentication.  And finally that would let me get rid of the somewhat less than reliable ha-bridge.

Anyone been down this path?  Any advice?  Thanks...

Offline jswim788

Re: nginx http proxy -> 3480
« Reply #13 on: May 11, 2018, 03:25:58 pm »
I have the oauth2_proxy running.  It is easy to use the Google service for the authentication.  There is a systemd service file to wrap around the oauth2_proxy process which works reasonably well.  It is a bit chatty in the syslog - every request is logged.  I may take a look at trying to tone that down a bit.

I did have one issue with nginx: I have openLuup come up after a delay since it is waiting for the Z-way server to come up fully.  Default nginx doesn't like this as it comes up earlier and thinks the openLuup is dead - and then will redirect.  As far as I can tell from the documentation it should have fixed itself once openLuup came up, but it didn't appear to work for me.  I'm going to try to disable the health checks (basically max_fails and possibly fail_timeout) to see if that will work around this.  Or figure out how to delay nginx startup until openLuup is up.

Now that this is up, I may tinker with modifying the openHAB Alexa skill (https://github.com/openhab/openhab-alexa) to one that talks to openLuup.

Offline DesT

Re: nginx http proxy -> 3480
« Reply #14 on: May 11, 2018, 03:30:17 pm »
jswim788,

Can you post a screenshot of what the "authentication" prompt looks like?