Categories
Cool Geek

Octoprint and Reverse Proxies

I have two active 3D printers, each hooked up to their own Raspberry Pi 3 running Octoprint. I like to manage them from my iPhone when I’m about. I don’t want to expose my IoT devices to the Internet without some precautions.

Here’s how my Internet connected house is setup.

Simple network diagram

The diagram was created and edited in https://www.draw.io/ Free online tools FTW.

My FIOS router on the left listens on port 80 and 443 and forwards that traffic to my Ubuntu Linux Server. On that server I run Apache2 with mod_proxy enabled. 

I run ddclient to update a DNS name with my floating IP address. I use virtual hosts on the Ubuntu Linux Server to receive all external http/https requests. All http requests on port 80 get 301’ed to https on the same host. 

First setup https on the virtual host as you normally do. Before trying to reverse proxy, have a default index.html file and make sure that works. I use Let’s Encrypt for the TLS certificate as it’s free and easy to setup.

Here’s reverse proxy configrution. 10.1.1.17 is the internal IP address of my first Octopi. Make sure the DNS name is working first before trying to test anything.

ProxyPreserveHost On
ProxyPass "/"  "http://10.1.1.17/"
ProxyPassReverse "/"  "http://10.1.1.17/"

ServerName pi1.valid-dns-name.com

ServerAdmin webmaster@localhost
DocumentRoot /var/www/vhosts/pi1.valid-dns-name.com

<Directory /var/www/vhosts/pi1.valid-dns-name.com>
        # Options Indexes FollowSymLinks MultiViews
        Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"
        Options -Indexes
        AllowOverride All
        Order allow,deny
        allow from all
</Directory>
<Location />
        AuthType Basic
        AuthName "Wrapper Auth"
        AuthBasicProvider file
        AuthUserFile "/var/www/external.htpasswd"
        Require valid-user
</Location>

That <Location /> section on the bottom? That’s important. That’s the section that says “You need a password to access this URL” and protects the Octopi setup from passerby’s on the Internet.

What I tell you three times is true.

  1. Do not expose any IoT devices on the Internet without encryption and passwords.
  2. Do not expose any IoT devices on the Internet without encryption and passwords.
  3. Do not expose any IoT devices on the Internet without encryption and passwords.

It’s just a bad idea. The wonderful Gina Häußge who writes and drives the Octoprint software knows this and has an excellent guest post on her blog about that access. This post is how I accomplished the Reverse Proxy method.

The password is created using the htpasswd command.

$ sudo su - www-data -s /bin/bash -c "htpasswd -c /var/www/external.htpasswd bob"
New password:
Re-type new password:
Adding password for user bob
$

I sudo as the www-data user so that the ownership of that file will be set as I want it. This creates a file with bob and his hashed password in it. The AuthUserFile directive will use that. If you have a valid user ID and password, you get in. If not you don’t get access.

The configuration gets copied for a new Pi. Just change the IP and ServerName and you can re-use this for other Octopi installations. By having an encrypted password protected access to your Octoprint setups, you can monitor and control your 3D printers from anywhere you have Internet access.

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.