@jpmens
Last active December 31, 2015 18:39
openHAB behind an nginx SSL proxy
The only way I've been able to get openHAB behind an nginx proxy is by:
For debugging, I ran curl(1) against nginx:
$ curl -k 'https://192.168.1.130:9443/rest/sitemaps/jp?type=json'
{"name":"jp","link":"https://192.168.1.130:9443/rest/sitemaps/jp","homepage
The important thing to look out for here is that ALL URIs returned are actually of scheme 'https'.
I was able to accomplish this by directing the outgoing nginx port to openHAB's TLS port; attempts to direct to openHAB's plain port (8080 by default) result in URLs with 'http' as scheme.
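An added example (not part of the original gist): a Python check for the condition described above, that every URL in a REST response uses the https scheme and the proxy's own host:port. The sample response is constructed (its widget entries are assumptions about the response shape), and the names iter_urls and audit_links are hypothetical.

```python
import json
from urllib.parse import urlsplit

# Constructed sample shaped like the sitemap response quoted above; the
# "widget" entries and their links are assumptions, not real openHAB output.
SAMPLE = json.dumps({
    "name": "jp",
    "link": "https://192.168.1.130:9443/rest/sitemaps/jp",
    "homepage": {
        "link": "https://192.168.1.130:9443/rest/sitemaps/jp/jp",
        "widget": [
            {"label": "Lamp", "item": {"link": "http://192.168.1.130:8080/rest/items/Lamp"}},
            {"label": "Door", "item": {"link": "https://127.0.0.1:8443/rest/items/Door"}},
        ],
    },
})

def iter_urls(node, path="$"):
    """Yield (json_path, value) for every string that is an absolute web URL."""
    if isinstance(node, dict):
        for key, value in node.items():
            yield from iter_urls(value, f"{path}.{key}")
    elif isinstance(node, list):
        for index, value in enumerate(node):
            yield from iter_urls(value, f"{path}[{index}]")
    elif isinstance(node, str) and urlsplit(node).scheme in ("http", "https", "ws", "wss"):
        yield path, node

def audit_links(body, proxy_origin):
    """Return (path, url, reason) for URLs that do not point back at the TLS proxy."""
    expected = urlsplit(proxy_origin)
    findings = []
    for path, url in iter_urls(json.loads(body)):
        parts = urlsplit(url)
        if parts.scheme != "https":
            findings.append((path, url, "scheme is not https"))
        elif parts.netloc != expected.netloc:
            findings.append((path, url, "host:port is not the proxy's"))
    return findings

if __name__ == "__main__":
    for path, url, reason in audit_links(SAMPLE, "https://192.168.1.130:9443"):
        print(f"{path}: {url} ({reason})")
```

To run it against a live proxy, pass the body returned by the curl command above to audit_links instead of SAMPLE.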
I'm binding openHAB to the loopback interface with a change in jetty.xml (see below); not required.
*** etc/jetty.xml.orig 2013-12-18 19:23:37.000000000 +0100
--- etc/jetty.xml 2013-12-14 13:16:49.000000000 +0100
***************
*** 84,89 ****
--- 84,90 ----
<Arg>
<New class="org.eclipse.jetty.server.ssl.SslSelectChannelConnector">
<Set name="port"><Property name="jetty.port.ssl" /></Set>
+ <Set name="Host">127.0.0.1</Set> <!-- JPM: bind to loopback -->
<Set name="maxIdleTime">30000</Set>
<Set name="Acceptors">2</Set>
<Set name="AcceptQueueSize">100</Set>
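Review bot: The added Host setting (127.0.0.1) covers only the SslSelectChannelConnector in this hunk, so any other connector defined in jetty.xml, such as the plain one on port 8080 mentioned above, is not restricted by it. If the goal is that clients reach openHAB only through nginx, give that connector the same Host setting or disable it. The address is also hardcoded, whereas the port on the line above comes from a Property (jetty.port.ssl); a property for the host would keep the binding configurable in the same way.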
worker_processes 1;
error_log error.log debug;
pid nginx.pid;

# for debugging
daemon off;

events {
    worker_connections 128;
}

http {
    server {
        # TLS is enabled with the "ssl" parameter of listen; the separate
        # "ssl on;" directive is deprecated and removed in recent nginx releases.
        listen 192.168.1.130:9443 ssl;
        server_name 192.168.1.130;
        ssl_certificate server.crt;
        ssl_certificate_key server.key;
        ssl_session_cache shared:SSL:10m;

        location / {
            # Convert inbound WAN requests for https:// to
            # LAN requests for https://..:8443 for openHAB
            proxy_pass https://127.0.0.1:8443/;
            # Pass the client-facing host:port upstream
            proxy_set_header Host $host:$server_port;
            # FIXME: keepalive needs tuning (e.g. HABdroid & openHAB/iOS don't see each other's switches move)
        }
    }
}
1. keepalives
2. logging
3. auth