Fixing openHAB's Cloud Security


COMMENTS • 14

  • @ProTechShow
    @ProTechShow  1 year ago

    Note for openHAB 4: "org.ops4j.pax.web.listening.addresses" no longer seems to work. Instead, you need to use "-Djetty.host" & "-Dorg.ops4j.pax.web.listening.addresses".
    These should be environment variables when running interactively (untested) but when running as a service on Windows they must be added to openHAB-wrapper.conf as additional lines "wrapper.java.additional.##" (## = next available number) e.g. "wrapper.java.additional.19=-Djetty.host=192.168.1.10". You must do this before installing the Windows service, so if upgrading you may need to remove and re-add the service using openHAB-service.bat.

  • @filipo9685
    @filipo9685 1 year ago

    Hey, first of all I just found your channel and you offer a massive amount of knowledge here, thumbs up for that. I have a question.
    If you already installed HAProxy, couldn't you use it to filter incoming API calls?

    • @ProTechShow
      @ProTechShow  1 year ago

      HAProxy could be used in place of the KEMP LoadMaster here; but in the previous video I showed how to use KEMP to provide multi-factor authentication and web application firewall protection as well as reverse-proxying, so this video is building on that infrastructure. HAProxy by itself will not protect the myopenHAB cloud service's API calls because of the tunnelling used that makes the connections bypass HAProxy and pop out on localhost inside the openHAB server. You could use the same technique shown in the video to redirect the connections to HAProxy instead of KEMP, though.
      Note: This video was recorded and tested with OH3. OH4 is out now and as the method I'm using to secure the cloud connector isn't officially supported it likely needs some adjustment to work with OH4.

    • @filipo9685
      @filipo9685 1 year ago

      I had some issues, but it seems to be working now.
      For anyone who wants to apply it to OH4:
      Instead of changing the config in /var/lib/openhab/etc/org.ops4j.pax.web.cfg, you need to set the address in /etc/default/openhab - uncomment the line and change 0.0.0.0 to your IP:
      OPENHAB_HTTP_ADDRESS=192.168.1.111
      I found that you can apply filters to redirected traffic in HAProxy, so you don't need to use another firewall. My config looks like this:

          frontend api_frontend
              # listen where the myopenHAB tunnel pops out (localhost)
              bind 127.0.0.1:8080
              mode http
              option httplog
              # only these two path prefixes are allowed through
              acl is_rest_items path_beg /rest/items
              acl is_specific_path path_beg /specific_path
              http-request deny unless is_rest_items or is_specific_path
              default_backend api_backend

          backend api_backend
              mode http
              balance roundrobin
              option forwardfor
              # openHAB itself, bound to the LAN address set via OPENHAB_HTTP_ADDRESS
              server api_server1 192.168.1.111:8080 check

      @protechshow
      Is this solution correct from a security perspective? It is the first time I am using HAProxy.

    • @ProTechShow
      @ProTechShow  1 year ago

      The logic looks correct and the syntax looks about right from memory, too. I'm assuming HAProxy is installed on the same box as openHAB, so you have it bound directly to the openHAB port rather than port forwarding?
      The only thing I'd note about it is that if you allow any path beginning "/rest/items" then you allow access to all items. If you want to limit myopenHAB to specific items (e.g. just those exposed for use with Google) then you may need to allow that path initially to perform a sync (OK Google, sync my devices), but once you've synced them you could comment out that line and specify just the individual item URLs. That way if your myopenHAB account was compromised it would only have access to those specific items.
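The per-item allowlist described in the reply above, written out as an added example (this is not the video's configuration nor the commenter's, and it has not been tested against a real myopenHAB tunnel). It assumes the same layout as the thread: HAProxy on the openHAB box, bound to localhost where the cloud connector's tunnel terminates, forwarding to openHAB on 192.168.1.111:8080. The item names Kitchen_Light and Hall_Thermostat are placeholders for whatever items you actually expose to Google.

```haproxy
# Added example: restrict the myopenHAB tunnel to a fixed allowlist of item URLs.
# Item names are placeholders; replace them with the items you expose to Google.

global
    log stdout format raw local0

defaults
    mode http
    log global
    option httplog
    timeout connect 5s
    timeout client  30s
    timeout server  30s

frontend api_frontend
    # The cloud connector tunnel pops out on localhost, so listen there only.
    bind 127.0.0.1:8080

    # Exact item resources the cloud service may read or command.
    # The optional trailing "/state" covers the state sub-resource of the same items.
    acl allowed_item path_reg ^/rest/items/(Kitchen_Light|Hall_Thermostat)(/state)?$

    # The item listing used by "OK Google, sync my devices". Uncomment the
    # allow rule only while syncing, then comment it out again.
    acl item_list path /rest/items
    # http-request allow if item_list

    # Everything else, including /rest/items/<any other item>, is refused.
    http-request deny deny_status 403 unless allowed_item

    default_backend api_backend

backend api_backend
    option forwardfor
    # openHAB listening on its LAN address (OPENHAB_HTTP_ADDRESS in /etc/default/openhab).
    server openhab 192.168.1.111:8080 check
```

Check the file with `haproxy -c -f haproxy.cfg` before reloading, then from the openHAB box confirm that `curl -i http://127.0.0.1:8080/rest/items/Kitchen_Light` is passed through to openHAB while `curl -i http://127.0.0.1:8080/rest/items/Garage_Door` (any item not in the list) gets a 403 from HAProxy. Note that this only limits what reaches openHAB through the cloud tunnel: openHAB's own port on 192.168.1.111 is still reachable from the LAN, so it still needs the LAN-side protection covered in the earlier video.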

  • @asdkjh4370
    @asdkjh4370 2 years ago

    Thanks for the new content - slowly OH is becoming a more tempting option. Many thanks for the education and for mentioning security concerns.

  • @Hrubicundus
    @Hrubicundus 2 years ago

    Maybe you covered this in a previous video, but why did you choose openHAB over Home Assistant or House of Trouser?

    • @ProTechShow
      @ProTechShow  2 years ago +4

      openHAB supported significantly more of my devices at the time (HA supports most now, but it lagged behind each time), it has more flexible deployment options that better suit my existing environment, and Java seemed like it would be better for me than Python to develop custom integrations as I have a little more experience with it and I can develop straight from Windows without the need for VMs or WSL which makes it easier to do across different devices. Haven't heard of the trouser one.

    • @Hrubicundus
      @Hrubicundus 2 years ago

      Thanks Andrew. Noob question, but can these home automation systems work offline (when your internet is playing up), including with Alexa?
      I currently only have some LIFX bulbs which I just use with the LIFX app and connected to Alexa, but when my Internet is down (which happens all too frequently - Virgin shitters) it doesn't work. Alexa doesn't process the voice call and even if you try to turn the light on directly with the LIFX app, it doesn't work - very annoying.
      Would setting up a home automation system solve this?

    • @ProTechShow
      @ProTechShow  2 years ago +3

      openHAB and Home Assistant are self-hosted so they will continue to work without an internet connection. I much prefer this approach to using a cloud-reliant home automation service that could stop working, lose connection, or get shut down (this happens all too often). This doesn't mean all of your devices will continue to work offline, though, as some may themselves be reliant on a cloud service to operate. Alexa, for example, requires a connection to Amazon to function. I'm not familiar with how LIFX works. My own lights do not require a cloud service in order to operate, so if the internet goes down I can still control them with openHAB, but Google/Alexa can't because it's really just a microphone that connects to the cloud. openHAB does have its own voice control options that could probably work offline, but I don't use them as I've already got a few Google gizmos dotted about that are more convenient than having to use an app.

    • @Hrubicundus
      @Hrubicundus 2 years ago

      @ProTechShow btw, what lights do you use?

    • @asdkjh4370
      @asdkjh4370 2 years ago

      Home Assistant is getting a toxic community, and developers are ignoring security concerns by banning people on the official forum for mentioning them. There are also plenty of unsafe integrations in hacks, not to mention integrations like Google and so on. That is not a "safe" home anymore. Another thing is that HA is getting into politics, like recently banning Russian developers? This is ridiculous. I'm using HA but soon I will probably transfer to OH.