Access OctoPrint over the Internet

Many of you want to use OctoPrint from outside your local network (i.e. from the Internet, for example from a smartphone connected to the cellular network).

Fortunately, this is possible, and I’ll explain how to do it. But please read these few cautions first:

  1. You have to configure the router to which your OctoPrint server is connected
  2. Printoid can’t do anything to automate this configuration (you have to follow this tutorial)
  3. Making OctoPrint accessible over the Internet is not recommended at all unless you have installed at least a reverse proxy on your Raspberry Pi (the installation is detailed in this tutorial)

Once you have completed this tutorial, the two diagrams below show how Printoid (or any browser / other third-party application) will connect to your server:

DIAGRAM 1: Printoid is connecting locally to your server (using its LAN IP address)

 

DIAGRAM 2: Printoid is connecting remotely to your server (using its WAN IP address and a public port)

 

1/ First step, find your WAN IP (public IP address)

You can’t use the local IP address of your Raspberry Pi (for example 192.168.1.XX or 10.0.2.XX) from outside your local network.

You must use the public IP address of your router to access your Raspberry Pi over the Internet.

Here is a link that will show you this information: http://wanip.info/. Of course, you have to open this link while you are connected to your local network (i.e. behind the same router as your Raspberry Pi). Otherwise you’ll get the local IP of your network operator’s hardware, not yours.

This IP address is called the WAN IP in all of Printoid’s settings.

 

2/ Second step, install a reverse proxy

For the security of your Raspberry Pi, and of your whole local network in general, I advise you to install a proxy acting as a reverse proxy on your Raspberry Pi, and to configure it to enable at least basic authentication (per-user authentication).

The basic authentication performed by the reverse proxy is different from the user authentication in your OctoPrint web interface. It protects each request sent to OctoPrint with a mandatory authentication (user + password); without it, the connection is aborted.

You can for example install haproxy on your Raspberry Pi, with the command sudo apt-get install haproxy.

Haproxy will let you enable per-user authentication, and it will also make both your OctoPrint server and your video stream accessible on the same port 80 (please see diagram 2 at the top of this page).

WARNING: If you have installed OctoPi instead of Raspbian+OctoPrint, then haproxy is already pre-installed and its configuration is preloaded. Do not overwrite the configuration file with the following if you just want to enable the basic authentication (per-user authentication). Simply complete your file with the lines that enable it: the acl AuthOkay and http-request auth lines in the octoprint backend, and the userlist section.

Once installed, you have to edit the file /etc/haproxy/haproxy.cfg with the following code:

global
        maxconn 4096
        user haproxy
        group haproxy
        daemon
        log 127.0.0.1 local0 debug

defaults
        log     global
        mode    http
        option  httplog
        option  dontlognull
        retries 3
        option redispatch
        option http-server-close
        option forwardfor
        maxconn 2000
        timeout connect 5s
        timeout client  15min
        timeout server  15min

frontend public
        bind :::80 v4v6
        use_backend webcam if { path_beg /webcam/ }
        default_backend octoprint

backend octoprint
        reqrep ^([^\ :]*)\ /(.*)     \1\ /\2
        option forwardfor
        server octoprint1 127.0.0.1:5000
        acl AuthOkay http_auth(L1)
        http-request auth realm octoprint if !AuthOkay

backend webcam
        reqrep ^([^\ :]*)\ /webcam/(.*)     \1\ /\2
        server webcam1  127.0.0.1:8080

userlist L1
        group G1
        user USERNAME insecure-password PASSWORD groups G1

Don’t forget to replace USERNAME and PASSWORD with the values of your choice. You can add as many users as you want, in as many groups as you want. An advanced configuration lets you define different access privileges per user (or per group).

The user & password values will be requested by Printoid, in the OctoPrint profile setup (click on the ‘extended settings’ button at the bottom of the list).

 

3/ Third step, forward a public port to the local port on your router

Once you know your WAN IP and the access to your server is at least protected by basic auth, you can make your OctoPrint & MJPEG server instances accessible over the Internet.

I can’t be more precise in the following instructions, since this configuration depends entirely on your router model.

  1. Find out how to access the web interface of your router. In general, most manufacturers make this interface accessible at the IP 192.168.1.1
  2. Log in to the interface (most of the time you should use admin/admin or admin/first chars of the default WPA key by default)
  3. Find the local IP of your Raspberry Pi in the connected devices and define it as a static IP (static DHCP lease)
  4. Then, find the “port forwarding” setup page (this is also called NAT/PAT on some routers, most of the time in the ‘advanced’ settings)
  5. In this screen, add a new port forwarding entry:

     Method            IP (local)         Port (local)    Port (distant)
     TCP/UDP (both)    Your RPi LAN IP    80              YOUR_CHOOSEN_PORT

Explanation: you want to make your Raspberry Pi accessible from ‘outside’ your network (so, over the Internet). That’s why you need to forward the address RPI_LAN_IP:80 to the address ROUTER_WAN_IP:YOUR_CHOOSEN_PORT.

Important: your Raspberry LAN IP should be a static IP. This is mandatory because if the local IP of your Raspberry Pi changes, your port forwarding rule will be broken.

Please note that YOUR_CHOOSEN_PORT can be the value of your choice. But please, respect the following:

  • Don’t forward the port 80 to 80 (yes it is tempting, but really really not a good practice!)
  • Don’t forward to an already used port (such as 53, already used for the DNS service)
  • 0, 1, 2, 3… are not correct port values
  • So, please select a value between 1000 and 4999 (your birth year for example)

In the diagram 2 at the top of this page, you can see that:

  • The external port value 1990 was chosen
  • The OctoPrint server is still accessible locally from the port 5000 (in addition to the port 80)
  • The MJPEG server (video streaming) is still accessible locally from the port 8080 (in addition to the port 80)
  • To summarize, both the OctoPrint and MJPEG servers are accessible locally from the port 80, and also externally from the port 1990.

4/ Last step, enter these settings in Printoid


Enter in “Distant IP or DNS (WAN)” the WAN IP (Step 1) and in “(port)” the PORT you’ve forwarded to (Step 3)

Enable the “basic auth.” toggle button, and enter in “Username” your USERNAME and in “Password” your PASSWORD. (Step 2)

You can of course work with both LAN and WAN parameters. Printoid will smartly & automatically switch between them when needed.

5/ Optional step, requiring the basic authentication for the distant access only

Please note that this step is:

  • Optional
  • For the advanced users only
  • For those who have installed plugins that don’t support the basic authentication in LAN

The main goal of this part is to request the authentication only when OctoPrint is reached over the Internet, and not when reached locally.

I will not explain the whole haproxy.cfg file again. The only changes are the use_backend octoprint_unsecure line in the frontend and the new octoprint_unsecure backend.

frontend public
        bind :::80 v4v6
        use_backend webcam if { path_beg /webcam/ }
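        # Skip authentication only for clients whose source address is on the LAN.
        # The Host header is sent by the client, so it cannot prove that a request is local.
        # Assumption: your router forwards the port without rewriting the source address.
        use_backend octoprint_unsecure if { src 192.168.0.0/16 }
        default_backend octoprint
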
backend octoprint
        reqrep ^([^\ :]*)\ /(.*)     \1\ /\2
        option forwardfor
        server octoprint1 127.0.0.1:5000
        acl AuthOkay http_auth(L1)
        http-request auth realm octoprint if !AuthOkay

backend webcam
        reqrep ^([^\ :]*)\ /webcam/(.*)     \1\ /\2
        server webcam1  127.0.0.1:8080

backend octoprint_unsecure 
        reqrep ^([^\ :]*)\ /(.*) \1\ /\2
        option forwardfor
        server octoprint1 127.0.0.1:5000
        acl needs_scheme req.hdr_cnt(X-Scheme) eq 0
        reqadd X-Scheme:\ https if needs_scheme { ssl_fc }
        reqadd X-Scheme:\ http if needs_scheme !{ ssl_fc }

userlist L1
        group G1
        user USERNAME insecure-password PASSWORD groups G1
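
An added example (not part of the original tutorial, nor code from haproxy, OctoPrint or Printoid): a small Python audit of a haproxy.cfg in the style used on this page. It reports backends that never request authentication, cleartext insecure-password entries, bind lines without ssl (basic auth credentials are only base64-encoded, so they travel readable), and use_backend rules keyed on the client-supplied Host header. The sample configuration is constructed and the check names are this example's own.

```python
import re
# Constructed sample in the style of the configurations on this page (trimmed).
SAMPLE_CFG = """\
frontend public
        bind :::80 v4v6
        use_backend webcam if { path_beg /webcam/ }
        use_backend octoprint_unsecure if { hdr_beg(host) -i 192.168 }
        default_backend octoprint
backend octoprint
        server octoprint1 127.0.0.1:5000
        acl AuthOkay http_auth(L1)
        http-request auth realm octoprint if !AuthOkay
backend webcam
        server webcam1 127.0.0.1:8080
backend octoprint_unsecure
        server octoprint1 127.0.0.1:5000
userlist L1
        group G1
        user USERNAME insecure-password PASSWORD groups G1
"""

SECTION = re.compile(r"^(global|defaults|frontend|backend|listen|userlist)\b\s*(\S*)")

def audit(cfg_text):
    """Return sorted (check, name) findings; only per-backend auth is tracked."""
    findings, has_auth, kind, name = set(), {}, None, None
    for raw in cfg_text.splitlines():
        line = raw.split("#", 1)[0].strip()          # ignore comments and blanks
        if not line:
            continue
        header = SECTION.match(line)
        if header:                                   # a new section starts here
            kind, name = header.groups()
            if kind == "backend":
                has_auth[name] = False
        elif kind == "backend" and line.startswith("http-request auth"):
            has_auth[name] = True                    # this backend demands credentials
        elif kind == "userlist" and re.match(r"user\s+\S+\s+insecure-password\b", line):
            findings.add(("cleartext-password", name))
        elif kind == "frontend" and line.startswith("bind") and " ssl" not in line:
            findings.add(("bind-without-tls", name))
        elif line.startswith("use_backend") and re.search(r"hdr\w*\(host\)", line, re.I):
            findings.add(("host-header-routing", line.split()[1]))
    findings.update(("no-auth", b) for b, ok in has_auth.items() if not ok)
    return sorted(findings)

if __name__ == "__main__":
    for check, name in audit(SAMPLE_CFG):
        print(f"{check:20} {name}")
```

In a userlist, HAProxy also accepts password followed by a crypt(3) hash in place of insecure-password, which keeps the cleartext password out of the file. A no-auth finding for octoprint_unsecure is expected by design; one for webcam means the stream under /webcam/ is served without credentials.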

 


(Tutorials written with the help of the Foosel’s github. Special thanks to Teo for the 5th step!)