openhab-docs/v2.1/installation/security.html


<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="utf-8">
<meta http-equiv="X-UA-Compatible" content="IE=edge">
<meta name="viewport" content="width=device-width, initial-scale=1">
<!--<link rel="shortcut icon" href="https://www.openhab.org/favicon.png"></link>-->
<title>Securing Communication and Access - openHAB 2 - Empowering the Smart Home</title>
<!-- CSS -->
<link type="text/css" rel="stylesheet" href="/v2.1/css/materialize.css" media="screen,projection" />
<link type="text/css" rel="stylesheet" href="/v2.1/css/pygments-jekyll-style.css" />
<link type="text/css" rel="stylesheet" href="/v2.1/css/styles.css" />
<link type="text/css" rel="stylesheet" href="/v2.1/css/openhab.css" />
<link type="text/css" rel="stylesheet" href="/v2.1/css/collapsible.css" />
<!-- Font -->
<link type="text/css" rel="stylesheet" href="https://fonts.googleapis.com/icon?family=Material+Icons" />
<link type="text/css" rel="stylesheet" href="https://fonts.googleapis.com/css?family=Lato:300,400,700" />
<link rel="canonical" href="http://docs.openhab.org/installation/security.html" />
</head>
<body class="documentation">
<section id="documentation" class="text content-wrapper">
<div class="container">
<div class="content">
<h1 id="securing-access-to-openhab">Securing access to openHAB</h1>
<p>openHAB can be accessed in two main ways:</p>
<ol>
<li>Through the command line console, which is reached over SSH and is therefore always authenticated and encrypted. All details are in the <a href="/administration/console">Console documentation</a>.</li>
<li>Through HTTP(S), which is the subject of the rest of this page.</li>
</ol>
<ul id="markdown-toc">
<li><a href="#encrypted-communication" id="markdown-toc-encrypted-communication">Encrypted Communication</a> <ul>
<li><a href="#webserver-ports" id="markdown-toc-webserver-ports">Webserver Ports</a></li>
<li><a href="#ssl-certificates" id="markdown-toc-ssl-certificates">SSL Certificates</a></li>
</ul>
</li>
<li><a href="#authentication-and-access-control" id="markdown-toc-authentication-and-access-control">Authentication and Access Control</a></li>
<li><a href="#options-for-secure-remote-access" id="markdown-toc-options-for-secure-remote-access">Options for Secure Remote Access</a> <ul>
<li><a href="#vpn-connection" id="markdown-toc-vpn-connection">VPN Connection</a></li>
<li><a href="#myopenhab-cloud-service" id="markdown-toc-myopenhab-cloud-service">myopenHAB Cloud Service</a></li>
<li><a href="#nginx-reverse-proxy" id="markdown-toc-nginx-reverse-proxy">Running openHAB Behind a Reverse Proxy</a></li>
</ul>
</li>
</ul>
<h2 id="encrypted-communication">Encrypted Communication</h2>
<h3 id="webserver-ports">Webserver Ports</h3>
<p>openHAB has a built-in webserver, which listens on port 8080 for HTTP and 8443 for HTTPS requests.
In general, it is advised to use HTTPS rather than HTTP.</p>
<p>The default ports 8080 and 8443 can be changed by setting the environment variables <code class="highlighter-rouge">OPENHAB_HTTP_PORT</code> and <code class="highlighter-rouge">OPENHAB_HTTPS_PORT</code> respectively.
In an apt installation, the best place to do this is the file <code class="highlighter-rouge">/etc/defaults/openhab2</code>.</p>
<h3 id="ssl-certificates">SSL Certificates</h3>
<p>On the very first start, openHAB generates a personal (self-signed, 256-bit ECC) SSL certificate and stores it in the Jetty keystore (in <code class="highlighter-rouge">${USER_DATA}etc/keystore</code>).
This process makes sure that every installation has an individual certificate, so that nobody else can falsely mimic your server.
Note that on slow hardware, this certificate generation can take up to several minutes, so be patient on a first start - it is all for your own security.</p>
<h2 id="authentication-and-access-control">Authentication and Access Control</h2>
<p>openHAB does not (yet) support restricting access through HTTP(S) for certain users - there is no authentication in place, nor is there a limitation of functionality or information that different users can access.</p>
<p><strong>It is therefore vitally important that you MUST NOT directly expose your openHAB instance to the Internet (e.g. by opening a port in your firewall)!</strong></p>
<p>If you want to limit access to only certain network interfaces, you can do so in the file <code class="highlighter-rouge">$OPENHAB_USERDATA/etc/org.ops4j.pax.web.cfg</code> by editing the <code class="highlighter-rouge">org.ops4j.pax.web.listening.addresses</code> parameter.
Setting it to</p>
<div class="highlighter-rouge"><div class="highlight"><pre class="highlight"><code>org.ops4j.pax.web.listening.addresses = 127.0.0.1
</code></pre></div></div>
<p>will e.g. only allow requests through the local loopback interface.</p>
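<p>As an added check that is not part of the openHAB documentation, the following shell function parses the output of <code class="highlighter-rouge">ss -ltn</code> and reports openHAB's web ports whenever they are bound to anything other than the loopback interface. This is what you want to confirm after editing <code class="highlighter-rouge">org.ops4j.pax.web.listening.addresses</code>, or when a reverse proxy on the same host is meant to be the only way in. The function names and both sample outputs are constructed for this example; the ports 8080 and 8443 are openHAB's defaults from above.</p>

```shell
#!/bin/sh
# Added example, not from the openHAB docs. Function names are hypothetical.
# exposed_openhab_ports reads `ss -ltn` output on stdin and prints every
# listening socket on openHAB's default web ports (8080 HTTP, 8443 HTTPS)
# whose local address is not the loopback interface. Exit status 1 means
# at least one such socket exists.
exposed_openhab_ports() {
    awk '
        NR > 1 {                              # skip the header line
            addr = $4                         # "Local Address:Port" column
            n = split(addr, parts, ":")
            port = parts[n]
            host = substr(addr, 1, length(addr) - length(port) - 1)
            if ((port == 8080 || port == 8443) &&
                host != "127.0.0.1" && host != "[::1]" && host != "::1") {
                print addr
                found = 1
            }
        }
        END { exit found ? 1 : 0 }
    '
}

# Constructed sample of what `ss -ltn` prints on a host where openHAB still
# listens on all interfaces (not captured from a real system).
sample_ss_exposed() {
    cat <<'EOF'
State   Recv-Q  Send-Q   Local Address:Port   Peer Address:Port
LISTEN  0       128            0.0.0.0:22          0.0.0.0:*
LISTEN  0       50                   *:8080              *:*
LISTEN  0       50                   *:8443              *:*
LISTEN  0       128          127.0.0.1:8101          0.0.0.0:*
EOF
}

# Constructed sample after org.ops4j.pax.web.listening.addresses = 127.0.0.1
sample_ss_loopback() {
    cat <<'EOF'
State   Recv-Q  Send-Q   Local Address:Port   Peer Address:Port
LISTEN  0       128            0.0.0.0:22          0.0.0.0:*
LISTEN  0       50           127.0.0.1:8080          0.0.0.0:*
LISTEN  0       50           127.0.0.1:8443          0.0.0.0:*
EOF
}

# Demo against the constructed data; on a real host run:  ss -ltn | exposed_openhab_ports
if sample_ss_exposed | exposed_openhab_ports; then
    echo "openHAB web ports are bound to loopback only"
else
    echo "WARNING: the sockets listed above are reachable from other hosts"
fi
```

<p>A wildcard address (<code class="highlighter-rouge">*</code>, <code class="highlighter-rouge">0.0.0.0</code> or <code class="highlighter-rouge">[::]</code>) in the fourth column means the port is reachable from every interface; only <code class="highlighter-rouge">127.0.0.1</code> or <code class="highlighter-rouge">[::1]</code> means the loopback restriction took effect.</p>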
<h2 id="options-for-secure-remote-access">Options for Secure Remote Access</h2>
<p>Clearly, having remote access to your openHAB instance is something most users would not want to miss.
There are different options to do so.</p>
<h3 id="vpn-connection">VPN Connection</h3>
<p>The most secure option is probably to create a VPN connection to your home network.
Doing so will allow you to access your openHAB instance in the same way as if you were at home.
There are many different VPN solutions, so we cannot give any specific advice here on what to use and how to set it up.</p>
<h3 id="myopenhab-cloud-service">myopenHAB Cloud Service</h3>
<p>You can use an <a href="https://github.com/openhab/openhab-cloud/blob/master/README.md">openHAB Cloud</a> instance to which openHAB creates a tunnel connection and which forwards all requests through this tunnel.
openHAB will see these incoming requests as originating from the local loopback interface.</p>
<p>The simplest way to get hold of such an openHAB Cloud is to register an account at <a href="http://www.myopenhab.org/">myopenHAB.org</a>, which is operated by the <a href="https://www.openhabfoundation.org/">openHAB Foundation</a>.</p>
<h3 id="nginx-reverse-proxy">Running openHAB Behind a Reverse Proxy</h3>
<p>A reverse proxy simply directs client requests to the appropriate server.
This means you can proxy connections to <em>http://mydomain_or_myip</em> to your openHAB runtime.
You just have to <strong>replace <em>mydomain_or_myip</em></strong> with either an <strong>internal or external IP</strong> (e.g. xx.xx.xx.xx) or a <strong>domain</strong> if you own one that links to the external IP of openHAB (e.g. openhab.mydomain.tld).</p>
<p>Running openHAB behind a reverse proxy allows you to access your openHAB runtime via port 80 (HTTP) and 443 (HTTPS).
It also provides you a simple way of <strong>protecting your server</strong> with authentication and secure certificates.</p>
<p>The good news is that <a href="openhabian">openHABian</a> already offers the possibility to activate a preconfigured NGINX reverse proxy, which includes setting up authentication and a valid <a href="https://letsencrypt.org">Let's Encrypt</a> certificate.</p>
<p><strong>Table of Contents:</strong></p>
<ul>
<li><a href="#nginx-setup">Setting up NGINX</a>
<ul>
<li><a href="#nginx-setup-install">Installation</a></li>
<li><a href="#nginx-setup-config">Basic Configuration</a></li>
</ul>
</li>
<li><a href="#nginx-auth">Authentication with NGINX</a>
<ul>
<li><a href="#nginx-auth-user">Creating the First User</a></li>
<li><a href="#nginx-auth-file">Referencing the File in the NGINX Configuration</a></li>
<li><a href="#nginx-auth-users">Adding or Removing users</a></li>
</ul>
</li>
<li><a href="#nginx-satisfy">Making Exceptions for Specific IP addresses</a></li>
<li><a href="#nginx-domain">Setting up a Domain</a></li>
<li><a href="#nginx-https">Enabling HTTPS</a></li>
<li><a href="#nginx-openssl">Using OpenSSL to Generate Self-Signed Certificates</a>
<ul>
<li><a href="#nginx-openssl-add">Adding the Certificates to Your Proxy Server</a></li>
</ul>
</li>
<li><a href="#nginx-letsencrypt">Using Let's Encrypt to Generate Trusted Certificates</a>
<ul>
<li><a href="#nginx-letsencrypt-generation">Setting up the NGINX Proxy Server to Handle the Certificate Generation Procedure</a></li>
<li><a href="#nginx-letsencrypt-certbot">Using Certbot</a></li>
<li><a href="#nginx-letsencrypt-add">Adding the Certificates to Your Proxy Server</a></li>
</ul>
</li>
<li><a href="#nginx-https-listen">Setting Your NGINX Server to Listen to the HTTPS Port</a></li>
<li><a href="#nginx-httpredirect">Redirecting HTTP Traffic to HTTPS</a></li>
<li><a href="#nginx-summary">Putting it All Together</a></li>
<li><a href="#nginx-https-security">Additional HTTPS Security</a></li>
<li><a href="#nginx-further-reading">Further Reading</a></li>
</ul>
<h4 id="nginx-setup">Setting up NGINX</h4>
<p>These are the steps required to use <a href="https://nginx.org"><strong>NGINX</strong></a>, a lightweight HTTP server, although you can use <strong>Apache HTTP</strong> server or any other HTTP server which supports reverse proxying.</p>
<h5 id="nginx-setup-install">Installation</h5>
<p>NGINX is packaged as a service in most Linux distributions, so installation should be as simple as:</p>
<div class="language-shell highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="nb">sudo </span>apt-get update <span class="o">&amp;&amp;</span> <span class="nb">sudo </span>apt-get install nginx
</code></pre></div></div>
<p>Once installed, you can test whether the service is running correctly by going to <em>http://mydomain_or_myip</em>; you should see the default “Welcome to nginx” page.
If you don't, check your firewall and ports: make sure port 80 (and 443 for HTTPS later) is not blocked and that services are allowed to use it.</p>
<h5 id="nginx-setup-config">Basic Configuration</h5>
<p>NGINX configures the server when it starts up based on configuration files.
The location of the default setup is <code class="highlighter-rouge">/etc/nginx/sites-enabled/default</code>. To allow NGINX to proxy openHAB, you need to change this file (make a backup of it in a different folder first).</p>
<p>The recommended configuration below assumes that you run the reverse proxy on the same machine as your openHAB runtime.
If this does not apply to you, replace <code class="highlighter-rouge">proxy_pass http://localhost:8080/</code> with your openHAB runtime's hostname (such as <em>http://youropenhabhostname:8080/</em>).</p>
<div class="language-nginx highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="k">server</span> <span class="p">{</span>
<span class="kn">listen</span> <span class="mi">80</span><span class="p">;</span>
<span class="kn">server_name</span> <span class="s">mydomain_or_myip</span><span class="p">;</span>
<span class="kn">location</span> <span class="n">/</span> <span class="p">{</span>
<span class="kn">proxy_pass</span> <span class="s">http://localhost:8080/</span><span class="p">;</span>
<span class="kn">proxy_set_header</span> <span class="s">Host</span> <span class="nv">$http_host</span><span class="p">;</span>
<span class="kn">proxy_set_header</span> <span class="s">X-Real-IP</span> <span class="nv">$remote_addr</span><span class="p">;</span>
<span class="kn">proxy_set_header</span> <span class="s">X-Forwarded-For</span> <span class="nv">$proxy_add_x_forwarded_for</span><span class="p">;</span>
<span class="kn">proxy_set_header</span> <span class="s">X-Forwarded-Proto</span> <span class="nv">$scheme</span><span class="p">;</span>
<span class="p">}</span>
<span class="p">}</span>
</code></pre></div></div>
<p>It is also recommended to name the file after what it is doing; if you already have a default file in place, you can rename it via:</p>
<div class="language-shell highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="nb">sudo </span>mv /etc/nginx/sites-enabled/default /etc/nginx/sites-enabled/openhab
</code></pre></div></div>
<p>Otherwise, create a new file. <strong>Every file in the <code class="highlighter-rouge">sites-enabled</code> folder gets processed by NGINX, so make sure you only have one per site.</strong></p>
<p>After saving the file but <strong>before you commit</strong> the changes to your server, you should <strong>test</strong> whether the changes contain any errors; this is done with the command:</p>
<div class="language-shell highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="nb">sudo </span>nginx <span class="nt">-t</span>
</code></pre></div></div>
<p>If you see that the test is successful, you can restart the NGINX service with…</p>
<div class="language-shell highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="nb">sudo </span>service nginx restart
</code></pre></div></div>
<p>…and then go to <em>http://mydomain_or_myip</em> to see your openHAB server.</p>
<h4 id="nginx-auth">Authentication with NGINX</h4>
<p>For further security, you may wish to ask for a <strong>username and password</strong> before users have access to openHAB.
This is fairly simple in NGINX once you have the reverse proxy set up; you just need to provide the server with a basic authentication user file.</p>
<p><strong>Note:</strong> There is currently an issue with Proxy Authentication and HABmin when using some browsers.
If you require HABmin, consider connecting locally or using Safari for now.</p>
<h5 id="nginx-auth-user">Creating the First User</h5>
<p>You will be using <em>htpasswd</em> to generate a username/password file; this utility can be found in the apache2-utils package:</p>
<div class="language-shell highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="nb">sudo </span>apt-get install apache2-utils
</code></pre></div></div>
<p>To generate a file that NGINX can use, run the following command; don't forget to change <em>username</em> to something meaningful!</p>
<div class="language-shell highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="nb">sudo </span>htpasswd <span class="nt">-c</span> /etc/nginx/.htpasswd username
</code></pre></div></div>
<p>You will be prompted to create a password for this username; once finished, the file will be created.
You're then free to reference the file in the NGINX configuration.</p>
<h5 id="nginx-auth-file">Referencing the File in the NGINX Configuration</h5>
<p>Now the configuration file (<code class="highlighter-rouge">/etc/nginx/sites-enabled/openhab</code>) needs to be edited to use this password.
Open the configuration file and <strong>add</strong> the following lines underneath the proxy_* settings:</p>
<div class="language-nginx highlighter-rouge"><div class="highlight"><pre class="highlight"><code> <span class="k">auth_basic</span> <span class="s">"Username</span> <span class="s">and</span> <span class="s">Password</span> <span class="s">Required"</span><span class="p">;</span>
<span class="k">auth_basic_user_file</span> <span class="n">/etc/nginx/.htpasswd</span><span class="p">;</span>
</code></pre></div></div>
<p>Once done, <strong>test and restart your NGINX service</strong> and authentication should now be enabled on your server!</p>
<h5 id="nginx-auth-users">Adding or Removing users</h5>
<p>To add new users to your site, use the following command; <strong>do not</strong> use the <code class="highlighter-rouge">-c</code> modifier again, as it recreates the file and removes all previously created users:</p>
<div class="language-shell highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="nb">sudo </span>htpasswd /etc/nginx/.htpasswd username
</code></pre></div></div>
<p>and to delete an existing user:</p>
<div class="language-shell highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="nb">sudo </span>htpasswd <span class="nt">-D</span> /etc/nginx/.htpasswd username
</code></pre></div></div>
<p>Once again, any changes you make to these files <strong>must be followed by restarting the NGINX service</strong>; otherwise no changes will take effect.</p>
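<p>An added example, not from the openHAB docs: maintaining the same kind of user file with plain OpenSSL instead of apache2-utils, and checking a password against it locally. <code class="highlighter-rouge">auth_basic_user_file</code> accepts the Apache apr1 (MD5-based) hashes that <em>htpasswd</em> writes by default, and <code class="highlighter-rouge">openssl passwd -apr1</code> produces that identical format, so both tools can maintain one file. The function names are hypothetical, and the users and passwords are constructed for the example.</p>

```shell
#!/bin/sh
# Added example, not from the openHAB docs; function names are hypothetical.
# The file format is the one auth_basic_user_file reads: "user:hash", one
# per line. Hashes use the Apache apr1 scheme, the same format `htpasswd`
# writes by default, so the two tools can maintain the same file.

# add_or_replace_user FILE USER PASSWORD
add_or_replace_user() {
    file=$1; user=$2; password=$3
    hash=$(printf '%s\n' "$password" | openssl passwd -apr1 -stdin)
    # Drop any existing entry for this user, keep everyone else, then append.
    # Unlike `htpasswd -c`, this never truncates other users' entries.
    if [ -f "$file" ]; then
        grep -v "^$user:" "$file" > "$file.tmp" || true
    else
        : > "$file.tmp"
    fi
    printf '%s:%s\n' "$user" "$hash" >> "$file.tmp"
    mv "$file.tmp" "$file"
    chmod 640 "$file"     # keep the hash file out of reach of unrelated users
}

# remove_user FILE USER
remove_user() {
    file=$1; user=$2
    grep -v "^$user:" "$file" > "$file.tmp" || true
    mv "$file.tmp" "$file"
}

# verify_user FILE USER PASSWORD -> exit 0 if the password matches the stored hash
# (an admin-side check only; NGINX does the real verification on each request)
verify_user() {
    file=$1; user=$2; password=$3
    stored=$(grep "^$user:" "$file" | head -n 1 | cut -d: -f2-)
    [ -n "$stored" ] || return 1
    # apr1 hashes look like $apr1$<salt>$<digest>: re-hash with the same salt.
    salt=$(printf '%s' "$stored" | cut -d'$' -f3)
    candidate=$(printf '%s\n' "$password" | openssl passwd -apr1 -salt "$salt" -stdin)
    [ "$candidate" = "$stored" ]
}

# Demo with constructed users (the real file lives at /etc/nginx/.htpasswd)
if command -v openssl >/dev/null 2>&1; then
    demo_file=$(mktemp)
    add_or_replace_user "$demo_file" alice 'correct horse battery staple'
    add_or_replace_user "$demo_file" bob 'example-only'
    cat "$demo_file"
    rm -f "$demo_file"
fi
```

<p>The file holds salted hashes rather than passwords, which is why <code class="highlighter-rouge">verify_user</code> has to re-hash the candidate with the stored salt. The file still has to be readable by the user the NGINX workers run as (typically <code class="highlighter-rouge">www-data</code> on Debian), so adjust its group ownership accordingly.</p>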
<h4 id="nginx-satisfy">Making Exceptions for Specific IP addresses</h4>
<p>It is often desirable to allow specific IPs (e.g. the local network) to access openHAB without being prompted for a password, or to block everyone else entirely.
In these cases NGINX can use the <code class="highlighter-rouge">satisfy any</code> directive followed by <code class="highlighter-rouge">allow</code> and <code class="highlighter-rouge">deny</code> lines to make these exceptions.
These lines are placed in the <code class="highlighter-rouge">location{}</code> block. For example, by adding the lines:</p>
<div class="language-nginx highlighter-rouge"><div class="highlight"><pre class="highlight"><code> <span class="k">satisfy</span> <span class="s">any</span><span class="p">;</span>
<span class="k">allow</span> <span class="mi">192</span><span class="s">.168.0.1/24</span><span class="p">;</span>
<span class="k">allow</span> <span class="mi">127</span><span class="s">.0.0.1</span><span class="p">;</span>
<span class="k">deny</span> <span class="s">all</span><span class="p">;</span>
</code></pre></div></div>
<p>NGINX will allow anyone within the 192.168.0.1/24 range <strong>and</strong> the localhost to connect without a password.
If you have set up a password following the previous section, everyone else will be prompted for a password.</p>
<h4 id="nginx-domain">Setting up a Domain</h4>
<p>To generate a trusted certificate, you need to own a domain. To acquire your own domain, you can use one of the following methods:</p>
<table>
<thead>
<tr>
<th style="text-align: left">Method</th>
<th style="text-align: left">Example Links</th>
<th style="text-align: left">Note</th>
</tr>
</thead>
<tbody>
<tr>
<td style="text-align: left">Purchasing a domain name</td>
<td style="text-align: left"><a href="http://www.godaddy.com">GoDaddy</a>, <a href="http://www.namecheap.com">Namecheap</a>, <a href="http://www.enom.com">Enom</a>, <a href="http://www.register.com">Register</a></td>
<td style="text-align: left">You should have an IP address that doesn't change (i.e. a fixed IP), or changes rarely, and then update the DNS <em>A record</em> so that your domain/subdomain points towards your IP.</td>
</tr>
<tr>
<td style="text-align: left">Obtaining a free domain</td>
<td style="text-align: left"><a href="http://www.freenom.com">FreeNom</a></td>
<td style="text-align: left">Setup is the same as above.</td>
</tr>
<tr>
<td style="text-align: left">Using a “Dynamic DNS” service</td>
<td style="text-align: left"><a href="http://www.noip.com">No-IP</a>, <a href="http://www.dyn.com/dns">Dyn</a></td>
<td style="text-align: left">Uses a client to automatically update your IP for a domain of your choice; some Dynamic DNS services offer a free domain too.</td>
</tr>
</tbody>
</table>
<h4 id="nginx-https">Enabling HTTPS</h4>
<p>Encrypting the communication between client and server is important because it protects against eavesdropping and possible forgery.
The following options are available, depending on whether you have a valid domain:</p>
<p>If you have a <strong>valid domain and can change the DNS</strong> to point towards your IP, follow the <a href="#nginx-letsencrypt">instructions for Let's Encrypt</a>.
If you need to use an internal or external IP to connect to openHAB, follow the <a href="#nginx-openssl">instructions for OpenSSL</a>.</p>
<h4 id="nginx-openssl">Using OpenSSL to Generate Self-Signed Certificates</h4>
<p>OpenSSL is also packaged for most Linux distributions, so installing it should be as simple as:</p>
<div class="language-shell highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="nb">sudo </span>apt-get install openssl
</code></pre></div></div>
<p>Once complete, you need to create a directory where the certificates can be placed:</p>
<div class="language-shell highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="nb">sudo </span>mkdir <span class="nt">-p</span> /etc/ssl/certs
</code></pre></div></div>
<p>Now OpenSSL can be told to generate a 2048-bit RSA key and a self-signed certificate that is valid for one year:</p>
<div class="language-shell highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="nb">sudo </span>openssl req <span class="nt">-x509</span> <span class="nt">-nodes</span> <span class="nt">-days</span> 365 <span class="nt">-newkey</span> rsa:2048 <span class="nt">-keyout</span> /etc/ssl/openhab.key <span class="nt">-out</span> /etc/ssl/openhab.crt
</code></pre></div></div>
<p>You will be prompted for some information to fill in for the certificate; when it asks for a <strong>Common Name</strong>, you may enter your IP address:
<code class="highlighter-rouge">Common Name (e.g. server FQDN or YOUR name) []: xx.xx.xx.xx</code></p>
<h5 id="nginx-openssl-add">Adding the Certificates to Your Proxy Server</h5>
<p>The certificate and key should have been placed in <code class="highlighter-rouge">/etc/ssl/</code>. NGINX needs to be told where these files are so that the reverse proxy can serve HTTPS traffic. In the NGINX configuration, place the following underneath your <code class="highlighter-rouge">server_name</code> directive:</p>
<div class="language-nginx highlighter-rouge"><div class="highlight"><pre class="highlight"><code> <span class="k">ssl_certificate</span> <span class="n">/etc/ssl/openhab.crt</span><span class="p">;</span>
<span class="k">ssl_certificate_key</span> <span class="n">/etc/ssl/openhab.key</span><span class="p">;</span>
</code></pre></div></div>
<h4 id="nginx-letsencrypt">Using Lets Encrypt to Generate Trusted Certificates</h4>
<p><strong>Skip this step if you have no domain name or have already followed the instructions for OpenSSL.</strong></p>
<p>Let's Encrypt is a service that allows anyone with a valid domain to automatically generate a trusted certificate; these certificates are usually accepted by a browser without any warnings.</p>
<h5 id="nginx-letsencrypt-generation">Setting up the NGINX Proxy Server to Handle the Certificate Generation Procedure</h5>
<p>Let's Encrypt needs to validate that the server has control of the domain; the simplest way of doing this is the <strong>webroot plugin</strong>, which places a file on the server and then accesses it at a specific URL: <em>/.well-known/acme-challenge</em>.
Since the proxy forwards all traffic to the openHAB server, it needs to be told to handle requests at this address differently.</p>
<p>First, <strong>create a directory</strong> that Certbot can be given access to:</p>
<div class="language-shell highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="nb">sudo </span>mkdir <span class="nt">-p</span> /var/www/mydomain
</code></pre></div></div>
<p>Next, add the new location block to your NGINX config; it should be <strong>placed above the last brace</strong> of the server block:</p>
<div class="language-nginx highlighter-rouge"><div class="highlight"><pre class="highlight"><code> <span class="k">location</span> <span class="n">/.well-known/acme-challenge/</span> <span class="p">{</span>
<span class="kn">root</span> <span class="n">/var/www/mydomain</span><span class="p">;</span>
<span class="p">}</span>
</code></pre></div></div>
<h5 id="nginx-letsencrypt-certbot">Using Certbot</h5>
<p>Certbot is a tool that simplifies the process of obtaining certificates.
The tool may not be packaged for some Linux distributions, so installation instructions may vary; check out <a href="https://certbot.eff.org/">their website</a> and follow the instructions <strong>using the webroot mode</strong>.
Don't forget to change the example domain to your own! An example of a valid certbot command (in this case for Debian Jessie) would be:</p>
<div class="language-shell highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="nb">sudo </span>certbot certonly <span class="nt">--webroot</span> <span class="nt">-w</span> /var/www/mydomain <span class="nt">-d</span> mydomain
</code></pre></div></div>
<h5 id="nginx-letsencrypt-add">Adding the Certificates to Your Proxy Server</h5>
<p>The certificate and key should have been placed in <code class="highlighter-rouge">/etc/letsencrypt/live/mydomain_or_myip</code>.
NGINX needs to be told where these files are so that the reverse proxy can serve HTTPS traffic, using HTTP Strict Transport Security to protect against man-in-the-middle attacks.
In the NGINX configuration, place the following underneath your <code class="highlighter-rouge">server_name</code> directive:</p>
<div class="language-nginx highlighter-rouge"><div class="highlight"><pre class="highlight"><code> <span class="k">ssl_certificate</span> <span class="n">/etc/letsencrypt/live/mydomain_or_myip/fullchain.pem</span><span class="p">;</span>
<span class="k">ssl_certificate_key</span> <span class="n">/etc/letsencrypt/live/mydomain_or_myip/privkey.pem</span><span class="p">;</span>
<span class="k">add_header</span> <span class="s">Strict-Transport-Security</span> <span class="s">"max-age=31536000"</span><span class="p">;</span>
</code></pre></div></div>
<h4 id="nginx-https-listen">Setting Your NGINX Server to Listen to the HTTPS Port</h4>
<p>Regardless of the option you choose, make sure you change the <code class="highlighter-rouge">listen</code> directive so that the server accepts HTTPS traffic:</p>
<div class="language-nginx highlighter-rouge"><div class="highlight"><pre class="highlight"><code> <span class="k">listen</span> <span class="mi">443</span> <span class="s">ssl</span><span class="p">;</span>
</code></pre></div></div>
<p>After restarting the NGINX service, you will be using a valid HTTPS certificate.
You can check by going to https://mydomain_or_myip and confirming in your browser that the certificate is valid.
<strong>These certificates expire within a few months</strong>, so it is important to run the renewal command from a cron job (and also restart NGINX) as explained in the Certbot setup instructions.
If you want to keep an HTTP server for some reason, just add <code class="highlighter-rouge">listen 80;</code> and remove the Strict-Transport-Security line.</p>
<h4 id="nginx-httpredirect">Redirecting HTTP Traffic to HTTPS</h4>
<p>You may want to redirect all HTTP traffic to HTTPS; you can do this by adding the following server block to the NGINX configuration.
It answers every plain-HTTP request with a permanent (301) redirect to the HTTPS version of the same URL.</p>
<div class="language-nginx highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="k">server</span> <span class="p">{</span>
<span class="kn">listen</span> <span class="mi">80</span><span class="p">;</span>
<span class="kn">server_name</span> <span class="s">mydomain_or_myip</span><span class="p">;</span>
<span class="kn">return</span> <span class="mi">301</span> <span class="s">https://</span><span class="nv">$server_name$request_uri</span><span class="p">;</span>
<span class="p">}</span>
</code></pre></div></div>
<h4 id="nginx-summary">Putting it All Together</h4>
<p>After following all the steps on this page, you <em>should</em> have a NGINX server configuration (<code class="highlighter-rouge">/etc/nginx/sites-enabled/openhab</code>) that looks like this:</p>
<div class="language-nginx highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="k">server</span> <span class="p">{</span>
<span class="kn">listen</span> <span class="mi">80</span><span class="p">;</span>
<span class="kn">server_name</span> <span class="s">mydomain_or_myip</span><span class="p">;</span>
<span class="kn">return</span> <span class="mi">301</span> <span class="s">https://</span><span class="nv">$server_name$request_uri</span><span class="p">;</span>
<span class="p">}</span>
<span class="k">server</span> <span class="p">{</span>
<span class="kn">listen</span> <span class="mi">443</span> <span class="s">ssl</span><span class="p">;</span>
<span class="kn">server_name</span> <span class="s">mydomain_or_myip</span><span class="p">;</span>
<span class="kn">ssl_certificate</span> <span class="n">/etc/letsencrypt/live/mydomain/fullchain.pem</span><span class="p">;</span> <span class="c1"># or /etc/ssl/openhab.crt
</span> <span class="kn">ssl_certificate_key</span> <span class="n">/etc/letsencrypt/live/mydomain/privkey.pem</span><span class="p">;</span> <span class="c1"># or /etc/ssl/openhab.key
</span> <span class="kn">add_header</span> <span class="s">Strict-Transport-Security</span> <span class="s">"max-age=31536000"</span><span class="p">;</span> <span class="c1"># Remove if using self-signed and are having trouble.
</span>
<span class="kn">location</span> <span class="n">/</span> <span class="p">{</span>
<span class="kn">proxy_pass</span> <span class="s">http://localhost:8080/</span><span class="p">;</span>
<span class="kn">proxy_set_header</span> <span class="s">Host</span> <span class="nv">$http_host</span><span class="p">;</span>
<span class="kn">proxy_set_header</span> <span class="s">X-Real-IP</span> <span class="nv">$remote_addr</span><span class="p">;</span>
<span class="kn">proxy_set_header</span> <span class="s">X-Forwarded-For</span> <span class="nv">$proxy_add_x_forwarded_for</span><span class="p">;</span>
<span class="kn">proxy_set_header</span> <span class="s">X-Forwarded-Proto</span> <span class="nv">$scheme</span><span class="p">;</span>
<span class="kn">satisfy</span> <span class="s">any</span><span class="p">;</span>
<span class="kn">allow</span> <span class="mi">192</span><span class="s">.168.0.1/24</span><span class="p">;</span>
<span class="kn">allow</span> <span class="mi">127</span><span class="s">.0.0.1</span><span class="p">;</span>
<span class="kn">deny</span> <span class="s">all</span><span class="p">;</span>
<span class="kn">auth_basic</span> <span class="s">"Username</span> <span class="s">and</span> <span class="s">Password</span> <span class="s">Required"</span><span class="p">;</span>
<span class="kn">auth_basic_user_file</span> <span class="n">/etc/nginx/.htpasswd</span><span class="p">;</span>
<span class="p">}</span>
<span class="c1">#### When using Let's Encrypt Only ####
</span> <span class="kn">location</span> <span class="n">/.well-known/acme-challenge/</span> <span class="p">{</span>
<span class="kn">root</span> <span class="n">/var/www/mydomain</span><span class="p">;</span>
<span class="p">}</span>
<span class="p">}</span>
</code></pre></div></div>
<h4 id="nginx-https-security">Additional HTTPS Security</h4>
<p>To test your security settings, <a href="https://www.ssllabs.com/ssltest/">SSL Labs</a> provides a tool for testing your domain against ideal settings (make sure you check “Do not show the results on the boards” if you don't want your domain listed publicly).</p>
<p>This optional section is for those who would like to strengthen the HTTPS security of openHAB; it can be applied regardless of which HTTPS method you used <a href="#nginx-https">above</a>, <strong>but you need to follow at least one of them first</strong>.</p>
<p>First, we strengthen the key exchange by generating a set of Diffie-Hellman parameters with OpenSSL; both commands write under <code class="highlighter-rouge">/etc/nginx</code>, so they need root. <strong>Note: this will take a few minutes to complete:</strong></p>
<div class="language-shell highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="nb">sudo </span>mkdir <span class="nt">-p</span> /etc/nginx/ssl
<span class="nb">sudo </span>openssl dhparam <span class="nt">-out</span> /etc/nginx/ssl/dhparam.pem 4096
</code></pre></div></div>
<p>Now we can configure NGINX to use these parameters, as well as telling the client to use specific ciphers and SSL settings; just add the following under your <code class="highlighter-rouge">ssl_certificate</code> settings but above the <code class="highlighter-rouge">location</code> block.
All of these settings are customisable, but make sure you <a href="http://nginx.org/en/docs/http/configuring_https_servers.html">read up on</a> what they do before changing them:</p>
<div class="language-nginx highlighter-rouge"><div class="highlight"><pre class="highlight"><code> <span class="k">ssl_protocols</span> <span class="s">TLSv1</span> <span class="s">TLSv1.1</span> <span class="s">TLSv1.2</span><span class="p">;</span>
<span class="k">ssl_prefer_server_ciphers</span> <span class="no">on</span><span class="p">;</span>
<span class="k">ssl_dhparam</span> <span class="n">/etc/nginx/ssl/dhparam.pem</span><span class="p">;</span>
<span class="k">ssl_ciphers</span> <span class="s">ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:HIGH:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!CBC:!EDH:!kEDH:!PSK:!SRP:!kECDH</span><span class="p">;</span>
<span class="k">ssl_session_timeout</span> <span class="s">1d</span><span class="p">;</span>
<span class="k">ssl_session_cache</span> <span class="s">shared:SSL:10m</span><span class="p">;</span>
<span class="k">keepalive_timeout</span> <span class="mi">70</span><span class="p">;</span>
</code></pre></div></div>
<p>Feel free to test the new configuration again on <a href="https://www.ssllabs.com/ssltest/">SSL Labs</a>.
If you're achieving an A or A+ here, then your client-openHAB communication is very secure.</p>
<h4 id="nginx-further-reading">Further Reading</h4>
<p>The setup above is a suggestion for high compatibility with an A+ rating at the time of writing; however, flaws in these settings (particularly the ciphers) may become known over time.
The following articles may be useful for understanding and changing these settings.</p>
<ul>
<li><a href="https://bettercrypto.org/">Better Crypto</a></li>
<li><a href="https://www.ssllabs.com/projects/best-practices/">SSL Labs - Best Practices</a></li>
<li><a href="https://hynek.me/articles/hardening-your-web-servers-ssl-ciphers/">Hynek Schlawack - Hardening Your Web Server's SSL Ciphers</a></li>
</ul>
</div>
</div>
</section>
<footer>
<div class="container">
<div class="row">
<div class="col s12 m7">
Copyright &copy; 2017 by the <a href="https://github.com/openhab">openHAB Community</a> and the <a href="http://www.openhabfoundation.org/">openHAB&nbsp;Foundation&nbsp;e.V.</a>
</div>
<div class="col s12 m5">
<ul class="list-inline right-align">
<li><a href="/imprint.html">Imprint</a></li>
<li><a href="/privacy.html">Privacy Policy</a></li>
<li><a href="http://www.openhab.org">openHAB Website</a></li>
</ul>
</div>
</div>
</div>
</footer>
</body>
</html>