A Dreamer's Lair

Add basic user/password authentication to an openHAB 2 docker container running on a Synology NAS (with DSM 6.1)

While the old openHAB 1.x version has some form of simple authentication protection (user/password), to try to keep out unwanted visitors turning on your lights and whatnot, unfortunately openHAB version 2 does not (yet?).

On the openHAB site there are some examples on how to add this using for example a reverse proxy. Perhaps the information on openHAB makes good sense to the linux oriented out there, but since I am a windows man myself, for me it did not.

I tried to install stuff like Traefik and nginx in a container on my Synology NAS and play with it. But however I tried, they did not even work at all to begin with, let alone in combination with my openHAB 2 docker container.

Luckily my Synology NAS is running DSM 6.1 which has built-in nginx for DSM to use. But it is also perfectly suited to be used as a reverse proxy for any docker container you are running, including openHAB 🙂

You can add extra configuration to nginx which DSM is using to configure whatever you want.

In this case I wanted to add some user/password authentication to the openHAB container to prevent unwanted access. So when for example I browse to http://openhab.adreamerslair.nl, it should ask for a user/password and forward the call to the openHAB container.

Of course the first part for this to work is routing the subdomain openhab.adreamerslair.nl to my home IP-address. Then my home router should forward any calls to port 80 to the Synology NAS. For the sake of this post, I assume this has already been taken care of.

On the Synology NAS running DSM6.1, you can add custom nginx configuration files to the following folder

/usr/local/etc/nginx/sites/sites-enabled

I created a file called openhab.conf in this folder with the following contents (as borrowed from the openHAB site)

server { 
   listen 80;
   server_name openhab.adreamerslair.nl;
   location / {
      auth_basic "Login";
      auth_basic_user_file /volume1/dockerdata/.htpasswd;
      proxy_pass http://localhost:8080;
      proxy_set_header Host $http_host;
      proxy_set_header X-Real-IP $remote_addr;
      proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
      proxy_set_header X-Forwarded-Proto $scheme;
   }
}

It essentially does the following

  • let nginx listen on incoming traffic on port 80 (remember we configured our router to forward port 80 to our NAS)
  • check if the request is coming from openhab.adreamerslair.nl
  • when this is the case, use basic authentication for access
  • and then forward the call to http://localhost:8080 (which is the url for my local openHAB docker container)

    which is exactly what we want! If the request is not sent to port 80 and the specific domain then the request is ignored and handled elsewhere in nginx.

    Which users/password are used in the authentication are defined with

    auth_basic_user_file /volume1/dockerdata/.htpasswd

    Make sure you have a .htpasswd file somewhere on your NAS and define the path to it here. The .htpasswd file can be created using the htpasswd tool in linux. But if you are, like me, a windows guy (or girl) you can use for example this online tool Use it to generate the authentication string and paste it in the .htpasswd file (one user per line!).

    Now you just have to restart nginx on the NAS

  • Login to your NAS using SSH
  • Type sudo -i to go to root
  • Type synoservicecfg –restart nginx

    And there we have it. Basic user/password authentication on our openHAB2 🙂

  • How to add the correct Timezone to OpenHAB2 running in a docker container on a Synology NAS

    Recently I decided to take the plunge in upgrading my running OpenHAB version 1.x system to the latest version 2.1. I also wanted to take this opportunity to let OpenHAB run in a Docker container since the Synology NAS I bought a while back supports Docker.

    I won’t go into the details of upgrading OpenHAB release 1.x to 2.1 in this post, since the OpenHAB site itself has enough documentation on that subject.

    However I found out that there are some difficulties in using OpenHAB2 running in a Docker container on a Synology NAS. On the Docker page of OpenHAB it seems easy enough to create an OpenHAB container using the given statement:

    
    docker run \
            --name openhab \
            --net=host \
            -v /etc/localtime:/etc/localtime:ro \
            -v /etc/timezone:/etc/timezone:ro \
            -v /opt/openhab/conf:/openhab/conf \
            -v /opt/openhab/userdata:/openhab/userdata \
            -v /opt/openhab/addons:/openhab/addons\
            -d \
            --user=<uid> \
            --restart=always \
            openhab/openhab:<version>-<architecture>
    
    

    The first difficulty, with my limited knowledge of Synology/Linux, was creating a user for OpenHAB and passing it on to the container (with –user=) in the above example. Then I discovered that when I did pass this user the container couldn’t be created because there was need for some SU access. So I skipped the user altogether which makes it easier to use anyway. Downside is that the container runs on elevated security.

    I did not solve that problem, but since I also don’t have the need for any UPNP autodiscovery in OpenHAB2 (since all communication in my domotica system goes through the use of MQTT messages), I could omit –net=host.

    Now I have a container which is secure enough for me.

    The next problem, and the subject of this post, was that my OpenHAB2 container was running in the Zulu ‘Timezone’ so time was two hours ‘off’. This is not very pleasant when you have rules which are time based (e.g. sunset etc). I searched a hole in the ground for a solution and tried all sorts of things, but I finally found the answer on a website (unfortunately forgot which one) and wanted it to share for those who are also trying to use OpenHAB2 in a Docker container on a Synology NAS.

    The Timezone should be correct because you use -v /etc/localtime:/etc/localtime:ro and -v /etc/timezone:/etc/timezone:ro but it wasn’t. There is also the possibility of setting the timezone in OpenHAB itself using an NTP thing. But that also didn’t work.

    Finally I found out that one has to use an extra JAVA_OPT environment variable passed to the container. And that did work!

    So what I eventually did to make things work was:

    -Create a folder on my NAS to hold the OpenHAB data let’s say with the name ‘folder’
    -Create the necessary subfolders, in this case addons, conf and userdata

    And then lastly I could create and start the container through the following command line (in Synology SSH shell)

    
    sudo docker run \
            --name openhab \
            --tty \
            -p 8080:8080 \
            -v /etc/localtime:/etc/localtime:ro \
            -v /etc/TZ:/etc/timezone:ro \
            -v /volume1/folder/addons:/openhab/addons \
            -v /volume1/folder/conf:/openhab/conf \
            -v /volume1/folder/userdata:/openhab/userdata \
            -e EXTRA_JAVA_OPTS="-Duser.timezone=Europe/Amsterdam" \
            -d \
            --restart=always \
            openhab/openhab:2.1.0-amd64
    
    

    The trick here is to use

            -e EXTRA_JAVA_OPTS="-Duser.timezone=Europe/Amsterdam" \
    

    to pass the wanted Timezone to OpenHAB. Now the container runs smoothly and with the correct time 🙂