Skip to content

fix: add X-OPENHAB-AUTH-HEADER cookie to prevent login conflict with …#802

Open
riccardo-casazza wants to merge 1 commit into
linuxserver:masterfrom
riccardo-casazza:patch-1
Open

fix: add X-OPENHAB-AUTH-HEADER cookie to prevent login conflict with …#802
riccardo-casazza wants to merge 1 commit into
linuxserver:masterfrom
riccardo-casazza:patch-1

Conversation

@riccardo-casazza
Copy link
Copy Markdown

@riccardo-casazza riccardo-casazza commented May 28, 2026

linuxserver.io

  • I have read the contributing guideline and understand that I have made the correct modifications

Description

Add X-OPENHAB-AUTH-HEADER cookie to the openHAB nginx reverse proxy
configuration. When nginx basic auth is enabled, both nginx and openHAB 3+
compete for the HTTP Authorization header — nginx sets it to Basic ...
while openHAB sets it to Bearer ... after login. This causes openHAB
authentication to fail silently when accessed through the proxy.

The fix instructs the openHAB UI to use the alternative X-OPENHAB-TOKEN
header for its own token instead of Authorization, allowing both
authentication layers to coexist without conflict.

add_header Set-Cookie "X-OPENHAB-AUTH-HEADER=true;path=/;Secure";

Benefits of this PR and context

Without this fix, users who enable nginx basic auth on top of openHAB 3+
experience a broken login flow: the openHAB login page appears to accept
credentials but immediately fails, requiring the user to dismiss the nginx
auth popup and re-authenticate through openHAB's own login screen. This
is a known issue affecting all openHAB 3+ installations behind a nginx
reverse proxy with basic auth enabled.

This one-line addition makes the sample configuration work correctly
out of the box for openHAB 3+ without affecting openHAB 2.x compatibility.

How Has This Been Tested?

Tested on a personal homelab running:

  • LinuxServer SWAG container (nginx)
  • openHAB 3+ running on a Raspberry Pi, proxied via the SWAG subdomain
    configuration
  • nginx basic auth enabled via .htpasswd

Verified that after adding the cookie header:

  • The nginx basic auth popup works correctly on first access
  • The openHAB login page authenticates successfully without conflict
  • Both authenticated sessions coexist without interfering with each other
  • Removing the cookie and reloading reproduces the original broken behavior

Source / References

@riccardo-casazza
fix: add X-OPENHAB-AUTH-HEADER cookie to prevent login conflict with …
8fcb5e0 
…openHAB 3+

When using nginx basic auth in front of openHAB 3+, two authentication
layers end up competing for the same HTTP Authorization header: nginx
sets it to "Basic ..." and openHAB sets it to "Bearer ..." after login.
This causes the openHAB login to fail when basic auth is enabled on the
reverse proxy.

Adding the X-OPENHAB-AUTH-HEADER cookie instructs the openHAB UI to use
the X-OPENHAB-TOKEN header instead of Authorization for its own token,
resolving the conflict and allowing both nginx basic auth and openHAB
authentication to coexist correctly.

Reference: https://community.openhab.org/t/oh3-with-nginx-reverse-proxy-and-authentication/106528
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

Issue & PR Tracker
Status: PRs

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@riccardo-casazza @LinuxServer-CI