The community of makers using 3D printers is growing, and so is the community of Octoprint users. Naturally these users want to reach their printer's web interface remotely.
The ISC mentioned a large number of insecure Octoprint installations in one of their posts.
That post describes how insecure it is to simply open a port on your router and forward it to Octoprint. Never forget: once you enable the port forwarding, your Octoprint installation is visible to the whole world, and bad guys could hijack it, turn your heatbed and nozzle up to „5 million degrees“, burn your house down, and more. So it is a good idea to add some security to our installation.
Octopi, the Raspberry Pi image running Octoprint, is quite popular, and it ships with haproxy as a reverse proxy in front of Octoprint. We can use this.
Let’s start – some preflight checks
For our example we use the following example values, which you will have to adapt to your installation. We also do not cover how to enable port forwarding on your router; consult your router's manual for that.
Your home network is 192.168.1.0/24 (netmask 255.255.255.0). The IP of your Octoprint is 192.168.1.100. The Octoprint username is „Pete“, and Pete uses the password „mysecret“.
Once you have turned on the port forwarding you can reach your Octoprint from remote. Pete can log in with his credentials and has full control over Octoprint and his printer. We want to do just two things: add another layer of security by asking Pete for a second, different username/password combination, and ask for it only when Pete accesses Octoprint from outside our home network, simply because we are lazy.
Configuring the stuff – and adding security
So we ssh to our Octopi by doing
ssh pi@192.168.1.100
and entering the password of our „pi“ user. You set this password when you installed your Octopi.
We need a program called mkpasswd which is part of the whois package, so we do:
sudo apt-get install whois
Let's think of another username/password combination, which MUST be different from our Octoprint username and password; otherwise the second login adds nothing. We go for the username „octoremote“ and the password „mysupersecret“. Again: these are example values you have to change for your own use.
We generate a password hash out of „mysupersecret“:
mkpasswd -m sha-512
At the prompt we type in our password „mysupersecret“. We receive a hash like
$6$y.qyDh .. dm40
Save this hash for later. Now we edit the configuration of our haproxy.
sudo nano /etc/haproxy/haproxy.cfg
will open the editor (on Octopi the file lives in /etc/haproxy/, not directly in /etc/).
We add a new section after the block called defaults and before the block frontend public. It defines the userlist UsersOcto with our one user:
userlist UsersOcto
user octoremote password $6$y.qyDh .. dm40
In the frontend public section we add
acl IpWhiteListed src 192.168.1.0/24
acl AuthOkOcto http_auth(UsersOcto)
http-request auth realm Papas if !IpWhiteListed !AuthOkOcto
What have we done? We added a userlist called UsersOcto and put the user octoremote into it, together with the password hash we generated. Then we added a so-called access control list (acl) matching the IP range of our own home network and named it IpWhiteListed. Next we added another acl, AuthOkOcto, which is true only if the request carries valid HTTP Basic authentication credentials for a user in UsersOcto. Finally, we told haproxy to send an authentication challenge (an HTTP 401 with the realm „Papas“) whenever BOTH conditions fail: the client is not in IpWhiteListed AND it has not supplied valid credentials. Clients on the home network therefore pass straight through, and everybody else has to log in first.
Before restarting, it is worth checking the file for syntax errors so that a typo does not leave you without a working proxy:
sudo haproxy -c -f /etc/haproxy/haproxy.cfg
Then
sudo service haproxy restart
will restart haproxy and activate the settings.
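To show all the pieces in one place, here is the relevant part of /etc/haproxy/haproxy.cfg after the change. This is an added example, not the original post's file: the global and defaults blocks are left out, and the existing frontend and backend lines (the bind line, the webcam backend on port 8080 and the Octoprint backend on port 5000) are assumed to resemble the stock Octopi configuration. Compare with your own file and only add the lines marked ADDED.

```haproxy
# (global and defaults blocks from the stock Octopi file stay unchanged above this point)

# ADDED: the userlist with the extra account used only for remote access.
# The hash is the truncated example from the text; paste the full output
# of "mkpasswd -m sha-512" for your own password here.
userlist UsersOcto
        user octoremote password $6$y.qyDh .. dm40

frontend public
        bind :::80 v4v6
        # ADDED: requests whose TCP source address is in the home LAN
        acl IpWhiteListed src 192.168.1.0/24
        # ADDED: true when the request carries valid Basic-auth credentials
        # for a user in UsersOcto
        acl AuthOkOcto http_auth(UsersOcto)
        # ADDED: reply 401 with a challenge unless the client is on the LAN
        # or has already authenticated; everything else passes through
        http-request auth realm Papas if !IpWhiteListed !AuthOkOcto
        use_backend webcam if { path_beg /webcam/ }
        default_backend octoprint

backend octoprint
        # stock Octopi backend (assumed); Octoprint listens locally on 5000
        option forwardfor
        server octoprint1 127.0.0.1:5000

backend webcam
        # stock Octopi backend (assumed); mjpg-streamer listens locally on 8080
        server webcam1 127.0.0.1:8080
```

After the restart you can check the behaviour from a device outside your home network (for example a phone on mobile data): `curl -I http://<your-public-ip>/` should answer with `401 Unauthorized` and a `WWW-Authenticate: Basic realm="Papas"` header, while `curl -I -u octoremote:mysupersecret http://<your-public-ip>/` should answer with `200 OK`. From inside the LAN, `curl -I http://192.168.1.100/` should return `200 OK` without any credentials.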
With that we have achieved our goal. If you access Octoprint from your home network, you can use it as you are used to. If you access Octoprint from remote, you will be asked for a username and password first.
This is a real gain in security. We built another fence between the bad guys and your printer.
Of course this can be improved. You could run another dedicated Raspberry Pi for haproxy, which would separate the security layer from your Octoprint, for example. You should also enable SSL with a certificate, because HTTP Basic authentication only Base64-encodes the username and password; over plain HTTP anyone on the path can read them, so the extra login protects against unauthenticated attackers, not against eavesdroppers. Still, we now have a more secure setup than running a world-accessible Octoprint behind a bare port forwarding, and we need nothing but a browser to reach our printer.
The articles linked above mention cloud-based solutions or VPNs. I am not a big fan of such solutions. Cloud means you trust someone else, the one who runs the cloud. Believe me, there is no secure „cloud solution“ out there you could use for free or at least at low cost. And running a VPN means you add a lot of complexity, and you need a VPN client on your device.