Open EliasGabrielsson opened 2 years ago
Hi @EliasGabrielsson,
I tried to reproduce your issue, but couldn't. I just tried by running bundle:stop org.openhab.core.io.rest.auth
on the console and injecting an basic auth header - works just fine. How actually did you disable authentication?
This is an issue as the "basic auth header" are kept in the request after being used by haproxy.
Also, is this a known issue? I would expect haproxy to not forward auth if auth is enabled 🤔.
Hi Hubsif! Sorry for being late to respond and thank you for looking into this.
✅ When I disabled bundle:stop org.openhab.core.io.rest.auth
I didn't get a redirect to loginpromt anymore.
Solved my issue, good!
❕However I still find i strange that I would be redirected to the "rest" API if I just call the web root.
ie. when a) bundle:stop org.openhab.core.io.rest.auth
= enabled, b) Auth header is attached and c) root URL of openhab is called I expect to just land in on the "landingpage/homescreen" with unauthorized access (similar to just visit the page).
Possibly could openhab log me in if the credantial matches one account.
Is this pattern by design?
Could you elaborate on your setup esp. the network interactions that occur?
Hi again 👋
Giving this another go, still having issues when using latest stable 3.3.0.
My setup is using opnsense (firewall distro) running HAproxy infront of openhab to enable SSL encapsulation and authentication. HAProxy is using HTTP basic auth which works flawless but somehow breaks havoc later on when the request is passed to openhab. (Disabling bundle:stop org.openhab.core.io.rest.auth
kind of works as a workaround until you actually need the rest-api.)
My guess is that somehow the auth-header is kept in the call (after HAProxy) and automatically triggers openhab to show the loginpromt.
I built a simple configuration using HAProxy attached below to reproduce the error in opnsense.
What would be the next step, should I do some specific logging on the openhab side? I need some direction how to provide a better bug-report.
Kind Regards
#
# Automatically generated configuration.
# Do not edit this file manually.
#
global
uid 80
gid 80
chroot /var/haproxy
daemon
stats socket /var/run/haproxy.socket group proxy mode 775 level admin
nbproc 1
nbthread 1
hard-stop-after 60s
no strict-limits
tune.ssl.default-dh-param 2048
spread-checks 2
tune.bufsize 16384
tune.lua.maxmem 0
log /var/run/log local0 debug
lua-prepend-path /tmp/haproxy/lua/?.lua
defaults
log global
option redispatch -1
timeout client 30s
timeout connect 30s
timeout server 30s
retries 3
default-server init-addr last,libc
# autogenerated entries for ACLs
# autogenerated entries for config in backends/frontends
userlist list_634b0cde944b30.81205990
# Origin: public.domain.se
user test insecure-password password
# NOTE: UserlistAddUsers called with empty group data
# autogenerated entries for stats
# Frontend: public-facing-side ()
frontend public-facing-side
bind WAN-IP:443 name WAN-IP:443 ssl alpn h2,http/1.1 crt-list /tmp/haproxy/ssl/634b0e00949c72.20428522.certlist
mode http
option http-keep-alive
# tuning options
timeout client 30s
# logging options
# ACL: condition-public
acl acl_634b0e47580900.62526726 hdr(host) -i public.domain.se
# ACTION: rule-use-public
use_backend public.domain.se if acl_634b0e47580900.62526726
# Backend: public.domain.se ()
backend public.domain.se
# health checking is DISABLED
mode http
balance source
# stickiness
stick-table type ip size 50k expire 30m
stick on src
# tuning options
timeout connect 30s
timeout server 30s
acl auth_ok http_auth(list_634b0cde944b30.81205990)
http-request auth if !auth_ok
http-reuse safe
server openhab.internal.gabson.se openhab.internal.gabson.se:443 ssl alpn h2,http/1.1 verify none
Has this been identified and resolved? The pop actually comes from app.vue
The problem
When sending a request which includes a basic authentication header the UI will be stuck at a login promt even if openHAB doesn't require authentication. It looks like the browser automatically got redirected to "https://openhab.site.com/rest/" when an "basic auth" header was provided in the request.
This invalidates the usecase of using openHAB behind the reverse proxy "haproxy" configured with basic authentication. This is an issue as the "basic auth header" are kept in the request after being used by haproxy.
Expected behavior
If openHAB are not configured with basic authentication the login promt are not to be shown.
Steps to reproduce
Your environment