How to secure your Octoprint installation

The community of makers using 3D printers is growing, and so is the community of Octoprint users. Of course these users want to access their printer's interface remotely.

The ISC mentioned lots of insecure Octoprint installations in one of their posts.

In return there was another blog post on Octoprint.org describing more or less secure ways to gain remote access to Octoprint installations. Here is my take on this.

The mentioned blog post explains how insecure it is to simply open a port forwarding on your router. Never forget: once you enable port forwarding, your Octoprint installation is visible to the whole world, and bad guys could hijack it, turn your heatbed and nozzle up to „5 million degrees“, burn your house down, and more. So it is a good idea to add some security to our installation.

Octopi, the Raspberry Pi image running Octoprint, is quite popular, and it ships with the reverse proxy haproxy sitting in front of Octoprint. We can use this.

Let’s start – some preflight checks

For our example we use the following values, which you will have to adapt to your own installation. Also, we do not cover how to enable port forwarding on your router; consult your router's manual for that.

Your home network is 192.168.1.0/24 (netmask 255.255.255.0). The IP of your Octoprint is 192.168.1.100. Your Octoprint username is „Pete“, and Pete uses the password „mysecret“.

Once you have turned on port forwarding, you can access your Octoprint remotely. Pete can log in with his credentials and has full control over Octoprint and his printer. We want to do two things: add another layer of security by asking Pete for a second username/password combination, and do this only when Pete accesses Octoprint from outside our home network – just because we are lazy.

Configuring the stuff – and adding security

So we ssh into our Octopi with

ssh pi@192.168.1.100 

and enter the password of our „pi“ user, which you set when you installed Octopi.

We need a program called mkpasswd, which is part of the whois package, so we install that:

sudo apt-get install whois 

Let's choose another username/password combination, which MUST be different from our Octoprint username and password – security matters. We go with username „octoremote“ and password „mysupersecret“ – again, these are example values you have to change for your own use.

We generate a password hash from „mysupersecret“:

mkpasswd -m sha-512

At the prompt we type in our password „mysupersecret“ and receive a hash like

$6$y.qyDh .. dm40

Save this hash for later. Now we edit the configuration of haproxy (on Octopi the file lives in the haproxy directory under /etc):

sudo nano /etc/haproxy/haproxy.cfg

will open the editor.

We add a new section after the block called defaults and before the block frontend public:

userlist UsersOcto
user octoremote password $6$y.qyDh .. dm40

In the frontend public section we add:

acl IpWhiteListed src 192.168.1.0/24
acl AuthOkOcto http_auth(UsersOcto)
http-request auth realm Papas if !IpWhiteListed !AuthOkOcto

What have we done? We added a userlist called UsersOcto containing a user octoremote with the generated password hash. We also added an access control list (acl) matching our own home network's IP range and named it IpWhiteListed, plus another acl, AuthOkOcto, that authenticates the request against our UsersOcto userlist. Finally, we told haproxy to demand HTTP authentication only when the client's source address is not in IpWhiteListed and the request does not already carry valid credentials for UsersOcto; every other request passes through unchanged.

sudo service haproxy restart

will restart haproxy and activate the settings.

This means we have achieved our goal. If you access Octoprint from your home network, you can use it as you are used to. If you access Octoprint remotely, you will be asked for the additional username and password.
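As an added example (not from the original post or the Octopi project), here is a small POSIX shell script that applies the steps above to haproxy.cfg in one go, refuses to restart haproxy on a config that does not parse, and gives you a quick probe to confirm the behaviour; it assumes the section is headed exactly „frontend public“ as on Octopi, and the function and script names are my own.

```shell
# add_remote_auth CFG USER HASH CIDR
# CFG: the haproxy config file; HASH: the output of "mkpasswd -m sha-512";
# CIDR: the home network that may skip the extra login.
add_remote_auth() {
    cfg=$1; user=$2; hash=$3; cidr=$4
    # idempotent: never add a second userlist when re-run
    if grep -q '^userlist UsersOcto' "$cfg"; then
        echo "userlist UsersOcto already present in $cfg" >&2
        return 0
    fi
    awk -v user="$user" -v hash="$hash" -v cidr="$cidr" '
        /^frontend public/ {
            # userlist sits after "defaults", i.e. right before the frontend
            print "userlist UsersOcto"
            print "    user " user " password " hash
            print ""
            print    # the "frontend public" line itself
            # acl + auth rule go inside the frontend, ahead of use_backend
            print "    acl IpWhiteListed src " cidr
            print "    acl AuthOkOcto http_auth(UsersOcto)"
            print "    http-request auth realm Papas if !IpWhiteListed !AuthOkOcto"
            next
        }
        { print }
    ' "$cfg" > "$cfg.tmp" && mv "$cfg.tmp" "$cfg"
}

# check_and_restart CFG: only restart haproxy if the config parses
check_and_restart() {
    haproxy -c -f "$1" && service haproxy restart
}

# probe URL [USER:PASS]: print the HTTP status haproxy answers with.
# From outside the LAN expect 401 without credentials and 200 with them;
# from inside the LAN expect 200 either way.
probe() {
    if [ $# -eq 2 ]; then
        curl -s -o /dev/null -w '%{http_code}' -u "$2" "$1"
    else
        curl -s -o /dev/null -w '%{http_code}' "$1"
    fi
}

# usage on the Pi: sudo sh secure-octo.sh /etc/haproxy/haproxy.cfg octoremote "$HASH" 192.168.1.0/24
if [ $# -eq 4 ]; then
    add_remote_auth "$@" && check_and_restart "$1"
fi
```

Run probe once from a phone on mobile data and once from a laptop at home to see the 401/200 difference for yourself.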

Summary

This is a big gain in terms of security: we built another fence between the bad guys and your printer.

Of course this can be improved. You could, for example, run a dedicated Raspberry Pi for haproxy, which would separate your security layer from your Octoprint. You could turn on SSL, using a certificate, so that the connection – and with it the login – is encrypted. Still, we now have a more secure setup than simply exposing Octoprint to the world through our port forwarding, and we need nothing other than our browser to access our printer.

The articles linked above mention cloud-based solutions or VPNs. I am not a big fan of such solutions. Cloud means you trust someone else – the guy who runs the cloud. Believe me, there is no secure „cloud solution“ out there you could use for free or at least at low cost. And running a VPN means you have to add much complexity, and you will need a VPN client on your device.
