Reorganize and update reverse proxy documentation #2456
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
added 2 commits
February 9, 2025 12:14
Create succinct Apache2 reverse proxy settings Placed everything "security" section.
Fixed headings so the toc looks better
✅ Thanks for your pull request to the openHAB documentation! The result can be previewed at the URL below (this comment and the preview will be updated if you add more commits).Built without sensitive environment variables
To edit notification comments on pull requests, go to your Netlify site configuration. |
|
@openhab/maintainers Who feels capable of reviewing the content of this? @bens95 Thanks for providing the content so far. |
mueller-ma
reviewed
Mar 1, 2025
There was a problem hiding this comment.
Maybe add a link to https://ssl-config.mozilla.org as it contains up-to-date configuration files to Apache and nginx with secure ciphers.
|
|
||
| # Apache Reverse Proxy | ||
|
|
||
| These are the steps required to use [**Apache 2.4**](https://www.apache.org/), a HTTP server, although you can use [**NGINX**](reverse-proxy-nginx) server or any other HTTP server which supports reverse proxying. If you are familiar with Apache/basic reverse proxy config and are only interested in OpenHAB specific caveats/directives skip to [OpenHAB settings](#openhab-specific-settings) |
There was a problem hiding this comment.
Suggested change
| These are the steps required to use [**Apache 2.4**](https://www.apache.org/), a HTTP server, although you can use [**NGINX**](reverse-proxy-nginx) server or any other HTTP server which supports reverse proxying. If you are familiar with Apache/basic reverse proxy config and are only interested in OpenHAB specific caveats/directives skip to [OpenHAB settings](#openhab-specific-settings) | |
| These are the steps required to use [**Apache 2.4**](https://www.apache.org/), a HTTP server, although you can use [**NGINX**](reverse-proxy-nginx) server or any other HTTP server which supports reverse proxying. If you are familiar with Apache/basic reverse proxy config and are only interested in openHAB specific caveats/directives skip to [openHAB settings](#openhab-specific-settings) |
| for Ubuntu/Debian based Linux, or | ||
|
|
||
| ```shell | ||
| sudo yum install httpd |
There was a problem hiding this comment.
dnf replaces yum, so maybe replace it here as well? https://www.linode.com/docs/guides/dnf-package-manager/
| </VirtualHost> | ||
| ``` | ||
|
|
||
| The command `apachectl configtest` can be used to verify any config you write. To enable your new website `a2ensite <config file name>`. Once enabled, you will not have to enable your website again. Configuration can be reloaded with `systemctl reload apache2`. Please make sure to reload and clear browser cookies after every change. |
There was a problem hiding this comment.
I'm not sure if it's a guideline in this repo, but I wouldn't use more than one sentence on one line. That makes reading diffs easier.
|
|
||
| ## Authentication | ||
|
|
||
| Authentication is recommended for additional security. There are many ways to authenticate to a proxy, but basic auth is sufficient **as long as it is over https**. Note the below documentation about [OpenHAB specific auth headers](#authentication-headers). |
There was a problem hiding this comment.
Suggested change
| Authentication is recommended for additional security. There are many ways to authenticate to a proxy, but basic auth is sufficient **as long as it is over https**. Note the below documentation about [OpenHAB specific auth headers](#authentication-headers). | |
| Authentication is recommended for additional security. There are many ways to authenticate to a proxy, but basic auth is sufficient **as long as it is over https**. Note the below documentation about [openHAB specific auth headers](#authentication-headers). |
|
|
||
| ### Basic Auth | ||
|
|
||
| The below directives set the auth type to basic, set the auth name, point to our credentials file, and require a user to be authenticated before allowing them to access OpenHAB |
There was a problem hiding this comment.
Suggested change
| The below directives set the auth type to basic, set the auth name, point to our credentials file, and require a user to be authenticated before allowing them to access OpenHAB | |
| The below directives set the auth type to basic, set the auth name, point to our credentials file, and require a user to be authenticated before allowing them to access openHAB |
|
|
||
| For more details, read the [apache mod_ssl docs](https://httpd.apache.org/docs/2.4/mod/mod_ssl.html#sslcertificatefile) | ||
|
|
||
| ## OpenHAB Specific Settings |
There was a problem hiding this comment.
Suggested change
| ## OpenHAB Specific Settings | |
| ## openHAB Specific Settings |
There was a problem hiding this comment.
I stop commenting other wrong spellings as you get the idea.
|
|
||
| Below is a minimal configuration for a reverse proxy that listens for https requests only, uses basic auth, and proxies to 8080 (default OpenHAB http port). | ||
|
|
||
| ```xml |
There was a problem hiding this comment.
Suggested change
| ```xml | |
| ```xml | |
| <VirtualHost *:80> | |
| RewriteEngine On | |
| RewriteCond %{REQUEST_URI} !^/.well-known/acme-challenge/ | |
| RewriteRule ^.*$ https://%{HTTP_HOST}%{REQUEST_URI} [R=301,QSA,L] | |
| </VirtualHost> |
That redirects http to https which is more user-friendly as some browser still use http first.
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This is the beginning of my attempts to improve/modernize reverse proxy documentation. The reverse proxy docs are very verbose, and did not include information for apache configs. I split them up in this manner for two reasons:
I also question whether some of the content in these docs belongs on an OpenHAB wiki at all. While the documentation is good, it is overly detailed. Things like purchasing a domain, letsencrypt cert generation, webserver installation, etc are better documented on their own wikis/elsewhere. If I were starting from scratch, these pages would be one article with:
However I would feel bad removing all of the work that has already been done. Thoughts?