problem with basic auth to upstream domoticz server Topic is solved

edgarhildering
Posts: 31
Joined: Thursday 11 June 2015 22:36
Target OS: Raspberry Pi / ODroid
Domoticz version: 2023.2
Contact:

problem with basic auth to upstream domoticz server

Post by edgarhildering »

If you have problems related to the web gui, clear your browser cache + appcache first -> done!

Use the following template when posting here:

Version: 2024.4 (latest stable version)
Build Hash: 731719420
Compile Date: 2024-01-30 09:16:34
dzVents Version: 3.1.8
Python Version: 3.11.2 (main, Mar 13 2023, 12:18:29) [GCC 12.2.0]
Active User: [email protected]

Platform: Raspberry Pi 4 Model B Rev 1.5 2GB
Plugin/Hardware: n/a
Description:

I configured an nginx reverse proxy to make my sites available through a domain. The domain is secured with basic authentication. For 3 upstream servers all is well, but for my domoticz upstream server I get stuck.

Looking in the access log I can see that all the communication is going ok up until the point that we reach the statement below. After that all responses get a 401 Unauthorized (from the accesslog nginx):
192.168.2.254 - [email protected] [02/Feb/2024:14:51:14 +0100] "GET /domoticz/json.htm?type=command&param=getdevices&filter=all&used=true&favorite=1&order=[Order]&plan=0 HTTP/1.1" 401 91 "https://hildering.ddns.net/domoticz/" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36"
This results in the domoticz screen 'communication lost'.

I suspect some script is causing this. Running https://hildering.ddns.net/domoticz/jso ... getversion the output is correct and the accesslog shows a 200:
192.168.2.254 - [email protected] [02/Feb/2024:15:15:56 +0100] "GET /domoticz/json.htm?type=command&param=getversion HTTP/1.1" 200 46 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36"
Anyone to help me with this problem? Willing to supply all necessary data.

--Edgar
RaspberryPi running Domoticz 2023.2
PIRs + lightswitches
thermometers + heating control
hygrometers + dehumidifiers
TUYA switches
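
Added example, not part of the original posts: a small triage script for the kind of access-log comparison described above, listing which Domoticz API commands (the `param` value) come back 401 for a user who gets 200 on other requests under the same proxied path. It assumes nginx's default `combined` log format; the log lines, addresses and user name are constructed placeholders.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qs

# nginx "combined" format: addr - user [time] "request" status bytes ...
LINE_RE = re.compile(
    r'^(?P<addr>\S+) - (?P<user>\S+) \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)

# Constructed sample lines, modelled on the two entries quoted in the post;
# addresses, user name and user agent are placeholders.
SAMPLE_LOG = [
    '192.0.2.10 - user@example.test [02/Feb/2024:14:51:13 +0100] "GET /domoticz/ HTTP/1.1" 200 5120 "-" "ExampleAgent/1.0"',
    '192.0.2.10 - user@example.test [02/Feb/2024:14:51:14 +0100] "GET /domoticz/json.htm?type=command&param=getdevices&filter=all&used=true&favorite=1&order=[Order]&plan=0 HTTP/1.1" 401 91 "https://proxy.example.test/domoticz/" "ExampleAgent/1.0"',
    '192.0.2.10 - user@example.test [02/Feb/2024:14:51:15 +0100] "GET /domoticz/json.htm?type=command&param=getdevices&filter=all&used=true&favorite=1&order=[Order]&plan=0 HTTP/1.1" 401 91 "https://proxy.example.test/domoticz/" "ExampleAgent/1.0"',
    '192.0.2.10 - user@example.test [02/Feb/2024:15:15:56 +0100] "GET /domoticz/json.htm?type=command&param=getversion HTTP/1.1" 200 46 "-" "ExampleAgent/1.0"',
    '192.0.2.10 - - [02/Feb/2024:15:16:02 +0100] "GET /other/ HTTP/1.1" 401 179 "-" "ExampleAgent/1.0"',
]

def parse(lines, prefix="/domoticz/"):
    """Yield (user, api_param, status) for requests under the proxied prefix."""
    for line in lines:
        m = LINE_RE.match(line)
        if not m or not m["target"].startswith(prefix):
            continue
        query = urlsplit(m["target"]).query
        param = parse_qs(query).get("param", ["(page)"])[0]
        yield m["user"], param, int(m["status"])

def status_by_param(lines):
    """Count response codes per Domoticz API command (the `param` value)."""
    counts = defaultdict(lambda: defaultdict(int))
    for _user, param, status in parse(lines):
        counts[param][status] += 1
    return {p: dict(c) for p, c in counts.items()}

def refused_despite_login(lines):
    """Commands answered 401 for a user who also received a 200 elsewhere."""
    rows = list(parse(lines))
    ok_users = {u for u, _p, s in rows if s == 200 and u != "-"}
    return sorted({(u, p) for u, p, s in rows if s == 401 and u in ok_users})

if __name__ == "__main__":
    for param, codes in status_by_param(SAMPLE_LOG).items():
        print(f"{param:12} {codes}")
    print(refused_despite_login(SAMPLE_LOG))
```

The second function is a heuristic: the logged user name alone does not show whether nginx or the upstream server produced the 401, so a mix of 200 and 401 for the same user is only a pointer to where to look next.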
waltervl
Posts: 5148
Joined: Monday 28 January 2019 18:48
Target OS: Linux
Domoticz version: 2024.7
Location: NL
Contact:

Re: problem with basic auth to upstream domoticz server

Post by waltervl »

Did you use this page to setup your nginx? https://www.domoticz.com/wiki/WebServer_Proxy
Domoticz running on Udoo X86 (on Ubuntu)
Devices/plugins: ZigbeeforDomoticz (with Xiaomi, Ikea, Tuya devices), Nefit Easy, Midea Airco, Omnik Solar, Goodwe Solar

Re: problem with basic auth to upstream domoticz server

Post by edgarhildering »

A friend of mine also pointed me in that direction. I'll have a look...
---
Bad luck, did not work, same errors. From the web_server doc:
This is exactly what I do... I have copied the nginx settings into the location part. No luck (even after creating and setting the $connection_upgrade variable).
This looks familiar:

Code: Select all

  location /domoticz {
    rewrite ^/domoticz/?(.*) /$1 break;
    proxy_http_version 1.1;
    proxy_read_timeout 90;
    proxy_set_header Host $host;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto $scheme;
    proxy_set_header X-Scheme $scheme;
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header Connection $connection_upgrade;
    add_header X-Frame-Options SAMEORIGIN;
    proxy_set_header  Authorization $http_authorization;
    proxy_pass http://192.168.0.210:8080/;
  }
my setting in domoticz:
  • one username/password; same as basic authentication
  • Allow Basic-Auth authentication over plain HTTP (API only) = ON
  • trusted networks: 127.0.0.*; 192.168.*.*; localhost
I really have no clue... :oops:

Re: problem with basic auth to upstream domoticz server

Post by edgarhildering »

If it can't be done the way it should be done, then it should be done the way it can be done... ;)

So I have chosen not to use the authentication of NGINX reverse proxy for security for domoticz, but the authentication that domoticz itself offers.
It means that in NGINX the authentication is enabled for all upstream servers, except for domoticz. In domoticz I have limited the trusted domains to only my local network. So, if you connect to domoticz via the public address, you must therefore always log in. And that was one of the non-functional requirements!
NGINX becomes very simple...

Code: Select all

  
  location /domoticz/ {
    auth_basic off;
    proxy_pass http://192.168.0.201:8080/;
  }
In domoticz:
  • API protection = OFF
  • just ONE trusted domain
All servers run like clockwork (as it should be)

--Edgar