Access OctoPrint over the Internet

Many of you want to use OctoPrint from outside your local network (i.e. from the Internet, for example with a smartphone connected to the cellular network).

Fortunately, this is possible, and I’ll explain how to do it. But please read these few cautions first:

  1. You have to configure the router to which your OctoPrint server is connected
  2. Printoid can’t do anything to automate this configuration (you have to follow this tutorial)
  3. Making OctoPrint accessible over the Internet is not recommended at all unless you have installed at least a reverse proxy on your Raspberry Pi (the installation is detailed in this tutorial)

1. SOME EXPLANATIONS

Here is a diagram that shows your current situation on your local network:

DIAGRAM 1: Printoid is connecting locally to your server (using its LAN IP address)

I understand that some of you don’t have any skills in network configuration. If you want to make your OctoPrint server reachable over the Internet, here are simplified explanations to help you understand exactly why you have to configure your router, and why Printoid can’t do that for you.

1. Your device (the Raspberry Pi) is represented by its local IP on your local network, for example 192.168.1.20. This IP identifies your device on your local network only. This device has its own ports (for example port 80, port 22, port 21, port 5000…). Each device has the same range of ports (device 1 has its own port 80, device 2 has its own port 80…)

2. Your devices are not represented by their local IP over the Internet, because only your router knows them.

3. Your router is represented over the Internet by its public IP (WAN IP). For example 82.24.543.539

4. Your router also has its own public ports (for example 80, 21, 22…). These ports have nothing to do with the ports of your devices (your Raspberry Pi for example); they belong to your router only. So do not confuse the local port 80 of your Raspberry Pi with the public port 80 of your router.

5. Now, if you want to reach a device (your Raspberry Pi) from the Internet, you must ask your router for access to this device. Because your router is, for the moment, the only one that knows your device, we want to configure something like this: “Hello router, please give me access to the device identified by 192.168.1.20 on its port 80, so I can reach the server which is running on this port on this device!”

6. To do that, you have to configure a port forwarding. You must assign a public port (for example 1990) to port 80 of the device with the IP 192.168.1.20 (the Raspberry Pi in this example). So, when you contact your router by using its public IP and the port 1990 (for example 82.24.543.539:1990), the router will understand that 1990 is bound to 192.168.1.20:80.

That means:

  • Calling 82.24.543.539:1990 from the Internet…
  • …does the same as calling 192.168.1.20:80 from your local network

Note: 1990 is a random port value in this example. You can use another value if you want. This will be explained in the next parts of this tutorial. It’s not important for the moment, please don’t focus on this value like “wow 1990, why 1990, I don’t understand why 1990, I will set 1990, hurry up!”.

Finally, at the end of this tutorial, here is what your network configuration will look like:

DIAGRAM 2: Printoid is connecting remotely to your server (using its WAN IP address and a public port)

(1990 is a random port value, it can take any other value – don’t focus on this value)

2. FIND YOUR PUBLIC IP (WAN IP ADDRESS)

You can’t use the local IP address of your Raspberry Pi from the outside of your local network (for example 192.168.1.XX or 10.0.2.XX).

You have to use the public IP address of your router to access your Raspberry Pi over the Internet.

Here is a link that will show you this information: http://wanip.info/. Of course, you have to open this link only while you are connected to your local network (so behind the same router as your Raspberry Pi). Otherwise you’ll get the public IP of your network operator’s hardware, not yours.

This IP address is called WAN IP in all of Printoid’s settings.

 

3. ENABLE THE BASIC AUTHENTICATION

For the security of your Raspberry Pi, and of your whole local network in general, I advise you to install a reverse proxy on your Raspberry Pi, and to configure it to enable at least the basic authentication (per-user authentication).

WARNING: If you have installed OctoPi instead of Raspbian+OctoPrint, then haproxy is already pre-installed and its configuration is preloaded. Do not overwrite the configuration file with the following if you just want to enable the basic authentication (per-user authentication). Simply complete your file with the following lines colored in green. In this configuration, the basic authentication is enabled by the acl AuthOkay and http-request auth lines of the octoprint backend and by the userlist L1 section.

The basic authentication from the reverse proxy is different from the user authentication in your OctoPrint web interface. It protects each request sent to OctoPrint with a mandatory authentication (user + password); otherwise the connection will be aborted.

You can install haproxy on your Raspberry Pi, with the command sudo apt-get install haproxy.

Haproxy will let you enable connections with per-user authentication, and it will also make both your OctoPrint server and the video streaming accessible on the same port 80 (please see the diagram 2 at the top of this page).

Once installed, you have to edit the file /etc/haproxy/haproxy.cfg:

sudo nano /etc/haproxy/haproxy.cfg

with the following code:

global
        maxconn 4096
        user haproxy
        group haproxy
        daemon
        log 127.0.0.1 local0 debug

defaults
        log     global
        mode    http
        option  httplog
        option  dontlognull
        retries 3
        option redispatch
        option http-server-close
        option forwardfor
        maxconn 2000
        timeout connect 5s
        timeout client  15min
        timeout server  15min

frontend public
        bind :::80 v4v6
        use_backend webcam if { path_beg /webcam/ }
        default_backend octoprint

backend octoprint
        reqrep ^([^\ :]*)\ /(.*)     \1\ /\2
        option forwardfor
        server octoprint1 127.0.0.1:5000
        acl AuthOkay http_auth(L1)
        http-request auth realm octoprint if !AuthOkay

backend webcam
        # No "http-request auth" rule in this backend: requests to /webcam/ are served without credentials
        reqrep ^([^\ :]*)\ /webcam/(.*)     \1\ /\2
        server webcam1  127.0.0.1:8080

userlist L1
        group G1
        user USERNAME insecure-password PASSWORD groups G1

Don’t forget to replace USERNAME and PASSWORD with the values of your choice. You can insert as many users as you want, in as many groups as you want. An advanced configuration lets you define different access privileges per user (or per group). Note that insecure-password stores the password in clear text in haproxy.cfg.

The user & password values will be requested by Printoid, in the OctoPrint profile setup (click on the ‘extended settings’ button at the bottom of the list)

 

4. FORWARD PUBLIC PORT ON YOUR ROUTER

Once you know your public IP (WAN) and the access to your server is at least protected by basic authentication, you can make your OctoPrint & mjpeg-streamer server instances accessible over the Internet.

I can’t be more precise in the following instructions, since this configuration depends entirely on your router model.

The following instructions are really important. You NEED to follow them in the given order or it will never work as expected.

  1. Find out how to access the web interface of your router. In general, most manufacturers make this interface accessible at the IP 192.168.1.1
  2. Log in to the interface (most of the time you should use admin/admin or admin/first chars of the default WPA key, by default)
  3. Find the local IP of your Raspberry Pi in the connected devices and define it as a static IP (static DHCP lease)
  4. Then, find the “port forwarding” setup page (this is also called NAT/PAT on some routers, most of the time in the ‘advanced’ settings)
  5. In this screen, add a new port forward option:
       Method:         TCP/UDP (both)
       IP (local):     Your Raspberry Pi LAN IP (static)
       Port (local):   80 (if you have installed haproxy)
                       5000 (if you haven’t installed haproxy)
       Port (public):  YOUR_CHOSEN_PORT

Explanations: you want to make your Raspberry Pi accessible from ‘outside’ your network (so, over the Internet). That’s why you need to map the address LAN_IP:80 to the address PUBLIC_IP:YOUR_CHOSEN_PORT (please see the diagram 2 at the top of this tutorial).

Important: your Raspberry LAN IP should be a static IP. This is mandatory because if the local IP of your Raspberry Pi changes, your port forwarding rule will be broken.

Please note that YOUR_CHOSEN_PORT can be the value of your choice. But please respect the following:

  • Don’t forward port 80 to 80 (yes it is tempting, but it is really not a good practice)
  • Don’t forward to an already used port (such as 53, already used for the DNS service)
  • 0, 1, 2, 3… are not correct port values
  • So, please select a value between 1000 and 10 000 (your birth year for example)
  • Sometimes the range of user ports is indicated in the router interface. For example, the “FREE” network provider only allows ports starting from 10 000.

In the diagram 2 at the top of this page, you can see that:

  • The external port value 1990 was chosen (that was my personal choice – you can choose another value)
  • The OctoPrint server is still accessible locally from the port 5000 (in addition to the port 80 if you have installed haproxy)
  • The MJPEG server (video streaming) is still accessible locally from the port 8080 (in addition to the port 80 if you have installed haproxy)
  • To summarize, both the OctoPrint & MJPEG servers are accessible locally from the port 80 (if you have installed haproxy), but now also externally from the port 1990.

Here is an example:

_____Method_____ _____IP (local)_____ _____Port (local)_____ _____Port (public)_____
TCP/UDP 192.168.1.30 80 1990

Here is another example:

Some routers let you define ranges of ports to forward. Since we only want to forward one public port to one local port, please apply the following:

_____Method_____ _____IP (local)_____ _____Port start (local)_____ _____Port end (local)_____ _____Port start (public)_____ _____Port end (public)_____
TCP/UDP 192.168.1.30 80 80 1990 1990

 

5. MAKE ONLY DISTANT ACCESS PROTECTED BY BASIC AUTH (OPTIONAL)

Please note that this step is:

  • Optional. Do not follow this step if you are not concerned.
  • For the advanced users only.
  • Only for those who have installed plugins that don’t support the basic authentication in LAN

The main goal of this part is to request the authentication only when OctoPrint is reached over the Internet, and not when reached locally.

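I will not copy the whole haproxy.cfg file again, so you only have to apply the changes in green. Compared with the configuration shown in part 3, these are the use_backend octoprint_unsecure line in the frontend and the octoprint_unsecure backend.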

frontend public
        bind :::80 v4v6
        use_backend webcam if { path_beg /webcam/ }
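        # Decide on the client's source address, not on the Host header: the Host header is
        # supplied by the client, so it does not prove that a request comes from the LAN.
        # Adapt 192.168.0.0/16 to the address range of your own local network.
        use_backend octoprint_unsecure if { src 192.168.0.0/16 }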
        default_backend octoprint
        
backend octoprint
        reqrep ^([^\ :]*)\ /(.*)     \1\ /\2
        option forwardfor
        server octoprint1 127.0.0.1:5000
        acl AuthOkay http_auth(L1)
        http-request auth realm octoprint if !AuthOkay

backend webcam
        reqrep ^([^\ :]*)\ /webcam/(.*)     \1\ /\2
        server webcam1  127.0.0.1:8080

backend octoprint_unsecure 
        reqrep ^([^\ :]*)\ /(.*) \1\ /\2
        option forwardfor
        server octoprint1 127.0.0.1:5000
        acl needs_scheme req.hdr_cnt(X-Scheme) eq 0
        reqadd X-Scheme:\ https if needs_scheme { ssl_fc }
        reqadd X-Scheme:\ http if needs_scheme !{ ssl_fc }

userlist L1
        group G1
        user USERNAME insecure-password PASSWORD groups G1

 

6. PROVIDE THE SETTINGS TO PRINTOID


Enter in “Distant IP or DNS (WAN)” the WAN IP (from step 1) and in “(port)” the PORT you’ve forwarded to (from step 3)

Enable the “basic auth.” toggle button, and enter in “Username” your USERNAME and in “Password” your PASSWORD (from step 2)

You can of course work with both LAN and WAN parameters. Printoid will smartly & automatically switch between them when needed.

Important: do not put your public port value in the ‘port’ field of the LAN settings.

Important: The basic authentication settings in Printoid relate to your haproxy configuration. These credentials ARE NOT the credentials used to log in to the web interface of OctoPrint.

 

7. TO GO FURTHER

7.1 Communication with SSL (HTTPS)

When you open a port on your router and activate the basic authentication, the best practice is to activate the communication using SSL (HTTPS) in order to encrypt your information, including the basic authentication credentials, when you communicate with OctoPrint.

Here is a good example that shows how to activate SSL with haproxy.

If you activate the communication over HTTPS, then don’t forget to activate the option in Printoid, in your OctoPrint profile.

7.2 Installation of Fail2Ban

Advanced users can also install Fail2Ban on their Raspberry Pi.

Fail2Ban will automatically blacklist IP addresses which try to connect to your server but fail (wrong credentials, no credentials provided, etc.) after X attempts (you can define how many chances you want to give to a user who’s trying to connect to your server).

This can protect your server against brute force attacks, or simply against untrusted / prohibited users.

Here is a good tutorial to configure Fail2Ban, that can be applied for OctoPrint too.

I advise you to create a “jail” rule for:

  • OctoPrint
  • SSH (if you’ve made SSH reachable over the Internet on your server)
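
The counting that such a jail performs on the haproxy log can be sketched as follows. This is an added example, not Fail2Ban's code and not part of the original tutorial: the log lines are constructed in the format produced by "option httplog", and MAX_RETRY, FIND_TIME and the function names are assumptions chosen for the illustration.

```python
import ipaddress
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Fields of an "option httplog" line that matter here. A request refused by
# "http-request auth" never reaches a server: server is <NOSRV>, status is 401.
LINE = re.compile(r"haproxy\[\d+\]: (?P<ip>[0-9a-fA-F:.]+):\d+ \[(?P<ts>[^\]]+)\] "
                  r"\S+ \S+/(?P<srv>\S+) \S+ (?P<status>\d{3}) ")
MAX_RETRY = 3                      # assumed value, like Fail2Ban's "maxretry"
FIND_TIME = timedelta(minutes=10)  # assumed value, like Fail2Ban's "findtime"

def failed_auth(line):
    """Return (client address, time) for a proxy-issued 401, else None."""
    m = LINE.search(line)
    if not m or m["status"] != "401" or m["srv"] != "<NOSRV>":
        return None
    addr = ipaddress.ip_address(m["ip"])
    # "bind :::80 v4v6" logs IPv4 clients as ::ffff:a.b.c.d; count them as IPv4.
    addr = getattr(addr, "ipv4_mapped", None) or addr
    return str(addr), datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S.%f")

def addresses_to_ban(lines, max_retry=MAX_RETRY, find_time=FIND_TIME):
    """Addresses with at least max_retry failed logins inside find_time."""
    recent, banned = defaultdict(deque), set()
    for ip, ts in filter(None, map(failed_auth, lines)):
        recent[ip].append(ts)
        while ts - recent[ip][0] > find_time:  # forget failures outside the window
            recent[ip].popleft()
        if len(recent[ip]) >= max_retry:
            banned.add(ip)
    return banned

def sample_line(ip, hhmm, server, status):
    return (f"Feb 27 {hhmm}:01 octopi haproxy[612]: {ip}:51422 "
            f"[27/Feb/2017:{hhmm}:01.120] public octoprint/{server} "
            f'-1/-1/-1/-1/0 {status} 248 - - PR-- 0/0/0/0/0 0/0 "GET / HTTP/1.1"')

SAMPLE_LOG = [  # constructed lines, not captured from a real server
    sample_line("::ffff:192.0.2.44", "11:00", "<NOSRV>", 401),    # 20 minutes apart
    sample_line("::ffff:192.0.2.44", "11:20", "<NOSRV>", 401),
    sample_line("::ffff:203.0.113.7", "11:30", "<NOSRV>", 401),   # 3 failures in 2 min
    sample_line("::ffff:203.0.113.7", "11:31", "<NOSRV>", 401),
    sample_line("::ffff:203.0.113.7", "11:32", "<NOSRV>", 401),
    sample_line("::ffff:198.51.100.23", "11:33", "<NOSRV>", 401), # single challenge
    sample_line("::ffff:192.0.2.44", "11:40", "<NOSRV>", 401),
]

print(sorted(addresses_to_ban(SAMPLE_LOG)))
```

A client that sends its first request without credentials also receives one 401 before it authenticates, which is why the threshold should stay above 1.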

 

8. VIDEO TUTORIAL

Here are great video tutorials to make OctoPrint reachable over the Internet using port forwarding.

I’m not the author of these videos, special thanks to iThoughts and Joe Mike Terranella for their great work!

 


(Tutorials written with the help of the Foosel’s github. Special thanks to Teo for the 5th step!)
