openHAB can be accessed in two main ways:
- Through the command-line console, which is reached over SSH and is therefore always authenticated and encrypted.
- Through HTTP(S).
Console access is the method used for system administration, including tasks such as updating the software version. The procedure differs depending on whether the system is normally run from the command line or installed as a Windows service.
HTTP access is the normal means of day-to-day interaction, and it falls into three cases:
- HTTP (browser) access from the same machine on which the openHAB server is running.
- HTTP (browser) access from the local network in which the server machine participates, assuming openHAB has been installed on a LAN forming a home network.
- HTTP (browser) access through the internet.
When installed, openHAB creates a self-signed SSL certificate which is placed in the Jetty keystore. This allows the Jetty web server to serve both HTTP and HTTPS traffic. Externally the two are distinguished by the http:// or https:// scheme shown in the browser address bar; internally they are distinguished by port assignments. When accessed from the machine the server is running on, the server is addressed as localhost or by the loopback IP address 127.0.0.1.
Using default port numbers:
- http://localhost:8080 initiates an unsecured connection.
- https://localhost:8443 initiates a secured connection.
The difference is that traffic between the browser and the openHAB server is passed in clear text over the unsecured connection and is encrypted over the secured connection. The specific port numbers can be changed if they conflict with assignments made for other services, as discussed in the Securing access to openHAB web article. In general, HTTPS communication is advised.
- For localhost communication, case 1 above, the security exposure is session monitoring by any malware installed on the server itself.
- For LAN access, case 2 above, the security exposure is session monitoring by malware able to intercept the LAN traffic.
  - For a hardwired LAN, this is any malware able to “plug in” to the wired network via an available RJ-45 jack.
  - For a WiFi LAN, this is any malware able to “see” the WiFi signal.
- For WAN access, case 3 above, the security exposure is session monitoring by malware anywhere on the internet.
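HTTPS only defeats session monitoring in cases 2 and 3 if the browser or script actually talks to the genuine Jetty certificate rather than one substituted on the path. Because the page describes that certificate as self-signed, no CA will vouch for it, so the practical check is to record its fingerprint once on the server itself and pin it. The following is an added example written for this page, not openHAB project code; it assumes the default localhost:8443 endpoint from the page and a placeholder PINNED_SHA256 that the operator replaces with the fingerprint read from the server's own keystore.

```python
"""Pin the self-signed certificate presented on openHAB's HTTPS port.

Added example, not openHAB code. Assumptions: the HTTPS listener is on the
page's default localhost:8443, and the operator has recorded the SHA-256
fingerprint of the Jetty certificate once (for example from the browser's
certificate viewer while on the server) and stored it in PINNED_SHA256.
"""
import hashlib
import hmac
import socket
import ssl

# Default openHAB HTTPS endpoint from the page.
HOST, PORT = "localhost", 8443

# Constructed placeholder; replace with the real fingerprint recorded on
# the server the first time the certificate is inspected.
PINNED_SHA256 = "00" * 32


def fingerprint(der_cert: bytes) -> str:
    """SHA-256 fingerprint of a DER-encoded certificate as lowercase hex."""
    return hashlib.sha256(der_cert).hexdigest()


def pin_matches(der_cert: bytes, pinned_hex: str) -> bool:
    """Compare the presented certificate against the pin in constant time.

    Accepts both the colon-separated form browsers display and bare hex.
    """
    expected = pinned_hex.replace(":", "").lower()
    return hmac.compare_digest(fingerprint(der_cert), expected)


def fetch_peer_cert_der(host: str, port: int, timeout: float = 5.0) -> bytes:
    """Open a TLS connection and return the leaf certificate in DER form.

    CA verification is disabled on purpose: a self-signed certificate can
    never chain to a system CA, and the pin check below replaces it. The
    connection is used only to read the certificate, never to send data
    before the pin has been checked.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)


def verify_openhab_endpoint(host: str = HOST, port: int = PORT,
                            pinned_hex: str = PINNED_SHA256) -> bool:
    """Connect once and report whether the served certificate matches the pin."""
    der = fetch_peer_cert_der(host, port)
    ok = pin_matches(der, pinned_hex)
    status = "pin OK" if ok else "PIN MISMATCH - do not log in"
    print(f"{host}:{port} presents sha256 {fingerprint(der)} -> {status}")
    return ok


if __name__ == "__main__":
    verify_openhab_endpoint()
```

A mismatch means either the server regenerated its keystore or something between the client and the server is terminating TLS; in both cases the right response is to re-read the fingerprint on the server itself rather than to click through the browser warning. The same pin can be enforced on any LAN or WAN client that talks to the server directly.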
LAN Access Blocking
If desired, direct LAN access to the openHAB server can be blocked by setting the OPENHAB_HTTP_ADDRESS environment variable to the loopback address 127.0.0.1. This blocks access by direct IP reference, which is what another machine on the LAN needs in order to connect. Access from the WAN by other protected means is still possible, but direct access to the machine by IP address is blocked. This is not configured on the 148Avenida prototype because we want to perform direct access from within the LAN to the openHAB server without having to establish a VPN or other secure connection from each machine where access is desired, for scenarios where our local ISP is out of service. A major problem in the design of most IoT solutions is the need to bounce message traffic from an IoT device through an internet-based host in order to communicate between two devices that both exist on the same LAN. When the ISP is out of service, the devices cannot communicate, which defeats much of the promise of establishing a LAN in the first place and is especially problematic in areas subject to power outages.
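The effect of the loopback binding described above is easy to misjudge (it is not a firewall rule; the listener simply never exists on the LAN interface), so it helps to see it with a throwaway listener before touching the service. The following is an added example for this page and is not openHAB code: a plain TCP socket stands in for Jetty, and the script shows which addresses can reach it when it is bound to 127.0.0.1 versus all interfaces. The helper lan_addresses() and the hostname-based way it discovers the host's LAN IP are assumptions of this example.

```python
"""Demonstrate what binding a listener to 127.0.0.1 blocks and what it allows.

Added example, not openHAB code. A throwaway TCP listener stands in for the
openHAB HTTP listener so the effect of OPENHAB_HTTP_ADDRESS=127.0.0.1 can be
observed on any host. The LAN address discovery via the hostname is an
assumption of this example; an isolated host may have no LAN address at all.
"""
import socket
from contextlib import closing

LOOPBACK = "127.0.0.1"        # value the page suggests for OPENHAB_HTTP_ADDRESS
ALL_INTERFACES = "0.0.0.0"    # behaviour when no address restriction is set


def start_listener(bind_addr: str) -> socket.socket:
    """Listen on an ephemeral port bound only to bind_addr; caller closes it."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((bind_addr, 0))
    srv.listen(1)
    return srv


def can_connect(host: str, port: int, timeout: float = 0.5) -> bool:
    """True if a TCP handshake to host:port completes within the timeout."""
    try:
        with closing(socket.create_connection((host, port), timeout=timeout)):
            return True
    except OSError:
        return False


def lan_addresses() -> list:
    """Non-loopback IPv4 addresses this host answers to (may be empty)."""
    addrs = set()
    try:
        for info in socket.getaddrinfo(socket.gethostname(), None, socket.AF_INET):
            ip = info[4][0]
            if not ip.startswith("127."):
                addrs.add(ip)
    except socket.gaierror:
        pass
    return sorted(addrs)


def reachability(bind_addr: str) -> dict:
    """Report whether a listener bound to bind_addr accepts connections
    arriving on the loopback address and on the host's LAN address.

    'lan' is None when the host has no non-loopback address to test with,
    so the result stays meaningful on an isolated machine.
    """
    srv = start_listener(bind_addr)
    port = srv.getsockname()[1]
    try:
        result = {"bind": bind_addr, "port": port,
                  "loopback": can_connect(LOOPBACK, port)}
        lan = lan_addresses()
        result["lan"] = any(can_connect(ip, port) for ip in lan) if lan else None
        return result
    finally:
        srv.close()


if __name__ == "__main__":
    # Expected: loopback True for both; lan False only for the 127.0.0.1 bind.
    for addr in (LOOPBACK, ALL_INTERFACES):
        print(reachability(addr))
```

Run on the server, the 127.0.0.1 row shows the condition the page describes: localhost access still works while a connection from another LAN machine is refused outright, because nothing is listening on the LAN interface. Any WAN path that terminates on the server itself (the openHAB Cloud connector, an SSH tunnel, a reverse proxy on the same host) still reaches the loopback listener, which is why the page notes that protected WAN access survives the restriction.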
WAN Access Management
WAN access provides the ability to access the openHAB server for purposes of inspection or device control from outside the home, including the ability to interact using smartphones when away from home. This is accomplished with the openHAB Cloud component.
openHAB Cloud is a companion cloud service and backend for the openHAB open-source home automation software. The openHAB Cloud backend provides secure remote access and enables openHAB users to remotely monitor, control and steer their homes through the internet, collect device statistics from their openHAB installations, receive notifications on their mobile devices, and collect and visualize data. The core features of openHAB Cloud are a user-management frontend, secure remote access, remote proxy access, device registry and management, messaging services, and data management and persistence. openHAB Cloud also serves as the core backend integration point for cloud-based features (e.g. IFTTT) and provides OAuth2 application enablement.
openHAB Cloud is available as packages that can be installed on an Nginx server or in a Docker container on AWS as a private gateway. There is also a public instance hosted by openHAB which can be used. The public instance at myopenHAB.org is what we currently use for 148Avenida.