From 8fcb5e07026c194fece25610e4554086d319d118 Mon Sep 17 00:00:00 2001
From: Riccardo Casazza <riccardo.casazza@gmail.com>
Date: Thu, 28 May 2026 09:34:51 +0200
Subject: [PATCH] fix: add X-OPENHAB-AUTH-HEADER cookie to prevent login
 conflict with openHAB 3+

When using nginx basic auth in front of openHAB 3+, two authentication
layers end up competing for the same HTTP Authorization header: nginx
sets it to "Basic ..." and openHAB sets it to "Bearer ..." after login.
This causes the openHAB login to fail when basic auth is enabled on the
reverse proxy.

Adding the X-OPENHAB-AUTH-HEADER cookie instructs the openHAB UI to use
the X-OPENHAB-TOKEN header instead of Authorization for its own token,
resolving the conflict and allowing both nginx basic auth and openHAB
authentication to coexist correctly.

Reference: https://community.openhab.org/t/oh3-with-nginx-reverse-proxy-and-authentication/106528
---
 openhab.subdomain.conf.sample | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/openhab.subdomain.conf.sample b/openhab.subdomain.conf.sample
index bb8b11e1..5c66fd48 100644
--- a/openhab.subdomain.conf.sample
+++ b/openhab.subdomain.conf.sample
@@ -30,6 +30,8 @@ server {
         # enable the next two lines for http auth
         #auth_basic "Restricted";
         #auth_basic_user_file /config/nginx/.htpasswd;
+        #add_header Set-Cookie X-OPENHAB-AUTH-HEADER=1;
+        #proxy_set_header Authorization "";
 
         # enable for ldap auth (requires ldap-server.conf in the server block)
         #include /config/nginx/ldap-location.conf;