A Dreamer's Lair

Add basic user/password authentication to an openHAB 2 docker container running on a Synology NAS (with DSM 6.1)

While the old openHAB 1.x version has some form of simple authentication protection (user/password), to try to keep out unwanted visitors turning on your lights and whatnot, unfortunately openHAB version 2 does not (yet?).

On the openHAB site there are some examples on how to add this using for example a reverse proxy. Perhaps the information on openHAB makes good sense to the linux oriented out there, but since I am a windows man myself, for me it did not.

I tried to install stuff like Traefik and nginx in a container on my Synology NAS and play with it. But however I tried, they did not even work at all to begin with, let alone in combination with my openHAB 2 docker container.

Luckily my Synology NAS is running DSM 6.1 which has built-in nginx for DSM to use. But it is also perfectly suited to be used as a reverse proxy for any docker container you are running, including openHAB 🙂

You can add extra configuration to nginx which DSM is using to configure whatever you want.

In this case I wanted to add some user/password authentication to the openHAB container to prevent unwanted access. So when for example I browse to http://openhab.adreamerslair.nl, it should ask for a user/password and forward the call to the openHAB container.

Of course the first part for this to work is routing the subdomain openhab.adreamerslair.nl to my home IP-address. Then my home router should forward any calls to port 80 to the Synology NAS. For the sake of this post, I assume this has already been taken care of.

On the Synology NAS running DSM6.1, you can add custom nginx configuration files to the following folder

/usr/local/etc/nginx/sites/sites-enabled

I created a file called openhab.conf in this folder with the following contents (as borrowed from the openHAB site)

server { 
   listen 80;
   server_name openhab.adreamerslair.nl;
   location / {
      auth_basic "Login";
      auth_basic_user_file /volume1/dockerdata/.htpasswd;
      proxy_pass http://localhost:8080;
      proxy_set_header Host $http_host;
      proxy_set_header X-Real-IP $remote_addr;
      proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
      proxy_set_header X-Forwarded-Proto $scheme;
   }
}

It essentially does the following

  • let nginx listen on incoming traffic on port 80 (remember we configured our router to forward port 80 to our NAS)
  • check if the request is coming from openhab.adreamerslair.nl
  • when this is the case, use basic authentication for access
  • and then forward the call to http://localhost:8080 (which is the url for my local openHAB docker container)

    which is exactly what we want! If the request is not sent to port 80 and the specific domain then the request is ignored and handled elsewhere in nginx.

    Which users/password are used in the authentication are defined with

    auth_basic_user_file /volume1/dockerdata/.htpasswd

    Make sure you have a .htpasswd file somewhere on your NAS and define the path to it here. The .htpasswd file can be created using the htpasswd tool in linux. But if you are, like me, a windows guy (or girl) you can use for example this online tool Use it to generate the authentication string and paste it in the .htpasswd file (one user per line!).

    Now you just have to restart nginx on the NAS

  • Login to your NAS using SSH
  • Type sudo -i to go to root
  • Type synoservicecfg –restart nginx

    And there we have it. Basic user/password authentication on our openHAB2 🙂