roles/homeassistant: Proxy ZwaveJS2Mqtt Web UI

ZwaveJS2Mqtt includes a very powerful web-based UI for configuring and
controlling the Z-Wave network.  This functionality is no longer
available within Home Assistant itself, so being able to access the
ZwaveJS2Mqtt UI is crucial to operating the network.

I wanted to make the UI available at */zwave/*, which requires using
*mod_rewrite* to conditionally proxy requests based on the `Connection`
HTTP header, since the UI passes both HTTP and WebSocket requests to the
same paths.  *mod_rewrite* configuration is not inherited from the main
server configuration to virtual hosts, so the
`RewriteRule`/`RewriteCond` directives have to be specified within the
`<VirtualHost>` block.  This means that the Home Assistant proxy
configuration has to be within its own virtual host, and the
Zwavejs2Mqtt configuration has to be there as well.

group_vars/home-assistant.yml

@@ -8,3 +8,5 @@ mosquitto_listeners:
 - port: 1883
   address: ::1
 mosquitto_password_file: /etc/mosquitto/passwd
+apache_default_ssl_vhost: false
+homeassistant_server_name: homeassistant.pyrocufflink.blue

homeassistant.yml

@@ -1,6 +1,9 @@
 - hosts: home-assistant
   roles:
-  - apache
+  - role: apache
+    vars:
+      default_apache_ssl_vhost: false
+    tags: apache
   - role: homeassistant
     tags: homeassistant
   - role: mosquitto

roles/homeassistant/defaults/main.yml

@@ -1 +1,6 @@
 homeassistant_image_name: '{{ homeassistant_default_image_name }}'
+homeassistant_ssl_certificate: >-
+  {{ apache_ssl_certificate }}
+homeassistant_ssl_certificate_key: >-
+  {{ apache_ssl_certificate_key }}
+homeassistant_proxy_zwavejs2mqtt: true

roles/homeassistant/tasks/main.yml

@@ -92,9 +92,9 @@
     dest: /etc/httpd/conf.d/homeassistant.conf
     mode: '0644'
   notify:
-  - restart httpd
+  - reload httpd
   tags:
-  - apache
+  - proxy-config
 - name: ensure selinux allows apache to proxy
   seboolean:
     name: httpd_can_network_connect

roles/homeassistant/templates/homeassistant.httpd.conf.j2

@@ -1,19 +1,37 @@
-ProxyPreserveHost On
-ProxyRequests Off
-
-ProxyPass /api/websocket ws://localhost:8123/api/websocket
-ProxyPassReverse /api/websocket ws://localhost:8123/api/websocket
-ProxyPass / http://localhost:8123/
-ProxyPassReverse / http://localhost:8123/
-
 RewriteEngine on
 RewriteCond %{HTTPS} !on
 RewriteRule /.* https://%{SERVER_NAME}$0 [R=301,L]
 
-RewriteCond %{HTTP:Upgrade} =websocket [NC]
+<VirtualHost _default_:443>
-RewriteRule /(.*)  ws://localhost:8123/$1 [P,L]
+    ServerName {{ homeassistant_server_name }}
-RewriteCond %{HTTP:Upgrade} !=websocket [NC]
-RewriteRule /(.*)  http://localhost:8123/$1 [P,L]
 
-Header always set \
+    SSLCertificateFile {{ homeassistant_ssl_certificate }}
+    SSLCertificateKeyFile {{ homeassistant_ssl_certificate_key }}
+    SSLCertificateChainFile {{ homeassistant_ssl_certificate }}
+
+    ProxyPreserveHost On
+    ProxyRequests Off
+
+    RewriteEngine on
+{% if homeassistant_proxy_zwavejs2mqtt %}
+
+    RewriteRule ^/zwave$ /zwave/ [R=301,L]
+    RewriteCond %{HTTP:Upgrade} =websocket [NC]
+    RewriteRule /zwave/(.*) ws://localhost:8091/$1 [P,L]
+    RewriteRule /zwave/(.*) http://localhost:8091/$1 [P,L]
+    # ZwaveJS2Mqtt doesn't respect X-External-Path for the logo URL
+    RewriteRule ^/static/logo\.png$ http://localhost:8091$0 [P,L]
+    <Location /zwave>
+        RequestHeader set X-External-Path /zwave
+    </Location>
+    ProxyPassReverse /zwave/ http://localhost:8091/
+{% endif %}
+
+    RewriteCond %{HTTP:Upgrade} =websocket [NC]
+    RewriteRule /(.*)  ws://localhost:8123/$1 [P,L]
+    RewriteRule /(.*)  http://localhost:8123/$1 [P,L]
+    ProxyPassReverse / http://localhost:8123/
+
+    Header always set \
         Strict-Transport-Security "max-age=63072000; includeSubDomains"
+</VirtualHost>