[SOLVED] public DZ through ssh tunnel and reverse https apache: widget not updated

On various Hardware and OS systems: pi / windows / routers / nas, etc

Moderator: leecollings

jpaul
Posts: 16
Joined: Saturday 30 December 2017 8:59
Target OS: Raspberry Pi / ODroid
Domoticz version: 2024.7

[SOLVED] public DZ through ssh tunnel and reverse https apache: widget not updated

Post by jpaul »

Hi,

I have a local Domoticz server, with an ssh tunnel to a public server. This public server has an apache https proxy enabled.
DZ is well displayed through the remote url, and I can switch my devices on and off.
When I click on a widget to switch a light on, the light is toggled on, but the widget icon is not refreshed.
When I try to open https://<public_url>/service-worker.js I get a "401 Unauthorized" error.

Here is my config:
  • domoticz stable version 2024.7 in my LAN, IP 192.168.1.1, listening on port 8080
  • on this 192.168.1.1 dz server, autossh is configured to connect to my public server (a.b.c.d) and to establish an ssh tunnel from local port 8080 to remote port 8888:

    Code:

    /usr/bin/autossh -M 0 \
     -o "ServerAliveInterval=30" -o "ServerAliveCountMax=3" -o "ExitOnForwardFailure=yes" -N \
     -R 8888:127.0.0.1:8080 \
     [email protected]
  • on the public server, an https apache proxy is enabled with a basic auth

    Code:

            SSLProxyEngine on
            ProxyVia on
            ProxyPreserveHost On
            ProxyRequests off
            ProxyPass / http://127.0.0.1:8888/
            ProxyPassReverse / http://127.0.0.1:8888/
            ProxyTimeout 5400
            Timeout 5400
            
            RequestHeader set Authorization "Basic XXXXX"
            <Proxy *>
               Order deny,allow
               Allow from all
               Authtype Basic
               Authname "Password Required"
               AuthUserFile /etc/apache2/dohtpasswd
               Require valid-user
            </Proxy>

  • in dz setup, I set "Trusted proxy" to: a.b.c.d;127.0.0.1;127.*;192.168.1.1

What am I missing? Can you help me?

Thanks
Last edited by jpaul on Saturday 08 March 2025 8:35, edited 1 time in total.
waltervl
Posts: 5844
Joined: Monday 28 January 2019 18:48
Target OS: Linux
Domoticz version: 2024.7
Location: NL

Re: public DZ through ssh tunnel and reverse https apache: widget not updated

Post by waltervl »

Is the security setting "Allow Basic-Auth authentication over plain HTTP (API only)" switched on?

You also should have a login needed here when accessing from outside.
What IP is mentioned in the log in the denied access session?
Check also this page for the websockets entries in Apache config: https://wiki.domoticz.com/WebServer_Proxy
Domoticz running on Udoo X86 (on Ubuntu)
Devices/plugins: ZigbeeforDomoticz (with Xiaomi, Ikea, Tuya devices), Nefit Easy, Midea Airco, Omnik Solar, Goodwe Solar
jpaul
Posts: 16
Joined: Saturday 30 December 2017 8:59
Target OS: Raspberry Pi / ODroid
Domoticz version: 2024.7

Re: public DZ through ssh tunnel and reverse https apache: widget not updated

Post by jpaul »

Hi,

"Allow Basic-Auth authentication over plain HTTP " is on.
I can't debug the web requests: DZ server crashes with the options "-loglevel all -debuglevel webserver".

I had to add this "upgrade" option in apache:

Code:

ProxyPass / http://127.0.0.1:8888/ upgrade=websocket
ProxyPassReverse / http://127.0.0.1:8888/ upgrade=websocket

But the issue is definitely with the apache basic-auth:
When I set in apache: RequestHeader set Authorization "Basic XXX"
then the requests on wss://public_address/json return a 401 Unauthorized error,
and I think this generates this log in DZ:

Code:

Basic Authorization ignored as this is not a call to the API![
domoticz: [web:8080] isPage 0 isAction 0 isUpgrade 1 needsAuthentication 1 isAuthenticated 0 ()

Now if I change apache to RequestHeader unset Authorization, everything works as expected, but I lose the basic auth behavior and I must use the DZ login page to set a login/password :(
jpaul
Posts: 16
Joined: Saturday 30 December 2017 8:59
Target OS: Raspberry Pi / ODroid
Domoticz version: 2024.7

Re: public DZ through ssh tunnel and reverse https apache: widget not updated

Post by jpaul »

Got it! It's solved, I added this in apache:

Code:

RequestHeader set X-Forwarded-For  "127.0.0.1"

To sum up, my apache config is:

Code:

SSLEngine on
SSLCertificateFile      /etc/letsencrypt/live/vvvv/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/vvvv/privkey.pem

SSLProxyEngine on
ProxyPreserveHost On

ProxyPass / http://127.0.0.1:8888/ upgrade=websocket
ProxyPassReverse / http://127.0.0.1:8888/ upgrade=websocket
ProxyTimeout 5400
Timeout 5400

RequestHeader set Authorization "Basic XXXXXXXXXX"
RequestHeader set X-Forwarded-For  "127.0.0.1"

<Proxy *>
  Order deny,allow
  Allow from all
  Authtype Basic
  Authname "Password Required"         
  AuthUserFile /etc/apache2/dohtpasswd
  Require valid-user
</Proxy>
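
Added example, not part of the original posts: because the final config has Apache inject the Domoticz credentials into every request it proxies, Apache's own `Require valid-user` is the only login in front of Domoticz. The hypothetical `audit` helper below checks a vhost for that gate and for a loopback-only backend; the sample config is constructed from the thread with placeholder secrets and paths.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed sample: the thread's final vhost, secrets and paths replaced by placeholders.
FINAL_CONF = """\
ProxyPass / http://127.0.0.1:8888/ upgrade=websocket
ProxyPassReverse / http://127.0.0.1:8888/ upgrade=websocket
RequestHeader set Authorization "Basic PLACEHOLDER"
RequestHeader set X-Forwarded-For "127.0.0.1"
<Proxy *>
  AuthType Basic
  AuthUserFile /path/to/htpasswd
  Require valid-user
</Proxy>
"""

def directives(conf):
    """Return [(name, args)] with lowercased names; comments and section tags skipped."""
    out = []
    for raw in conf.splitlines():
        parts = raw.strip().split()
        if parts and parts[0][0] not in "#<":
            out.append((parts[0].lower(), parts[1:]))
    return out

def is_loopback(url):
    host = urlsplit(url).hostname or ""
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:  # a hostname, not an IP literal
        return host == "localhost"

def audit(conf):
    """List problems in a vhost that injects backend credentials (hypothetical checker)."""
    d, findings = directives(conf), []
    injects = any(n == "requestheader" and [a.lower() for a in args[:2]] == ["set", "authorization"]
                  for n, args in d)
    requires = [[a.lower() for a in args] for n, args in d if n == "require"]
    gated = (any(n == "authtype" for n, _ in d)
             and any(r[:1] in (["valid-user"], ["user"], ["group"]) for r in requires)
             and ["all", "granted"] not in requires)
    if injects and not gated:
        findings.append("Authorization injected but no Require valid-user gate")
    for n, args in d:
        if n == "proxypass":
            backend = next((a for a in args if "://" in a), None)
            if backend and not is_loopback(backend):
                findings.append(f"backend {backend} is not loopback")
    return findings
```

`audit(FINAL_CONF)` returns an empty list; removing the `Require valid-user` line or pointing `ProxyPass` at a non-loopback address each produces one finding.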