Duet3D Logo Duet3D
    • Tags
    • Documentation
    • Order
    • Register
    • Login

    dwc: https and password protection

    Scheduled Pinned Locked Moved Unsolved
    Duet Web Control
    6
    19
    1.3k
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • spllgundefined
      spllg
      last edited by

      hello,

      as duet's dwc is reachable from my internal lan i feel it's necessary to protect it because anyone (including guests) who knows the machine name or ip-addr can control my printer which is undesirable. for this reason i have 2 questions:

      1. how can i activate https for dwc?
      2. how can i password protect dwc?

      thanks for your answers.

      1 Reply Last reply Reply Quote 0
      • chrishammundefined
        chrishamm administrators
        last edited by Phaedrux

        HTTPS is only supported on the Duet 3 + RaspberryPi and involves extra configuration steps. However authentification isn't yet supported on that platform (there may be a work-around using Kestrel but I haven't checked that yet).

        For regular Duets, see M551. Add this code to config.g and you'll need a password in order to connect to your machine.

        Duet software engineer

        spllgundefined 1 Reply Last reply Reply Quote 0
        • spllgundefined
          spllg @chrishamm
          last edited by

          @chrishamm thanks for your fast answer. i have a duet 3 + pi. would it be possible to place the web interface behind an authenting reverse proxy (e.g. apache possibly running n another server)? this config could also handle https en-/decryption using the certificate placed in apache's standard directory.

          1 Reply Last reply Reply Quote 0
          • chrishammundefined
            chrishamm administrators
            last edited by

            Yes, that should be possible - see https://docs.microsoft.com/en-us/aspnet/core/host-and-deploy/linux-apache?view=aspnetcore-3.1 The configuration file of the DSF web server is at /opt/dsf/conf/http.conf

            Duet software engineer

            spllgundefined 2 Replies Last reply Reply Quote 0
            • spllgundefined
              spllg @chrishamm
              last edited by

              @chrishamm i'll try this later this week.

              fyi: i tried to access the rpi dwc via a proxy. this does not work because

              • response to a click on console is "Failed to connect to <dwc-domain>
                Request failed with status code 404"

              • impossible to enter g-codes - input field is greyed.

              • machine specific.endstops: "No data available"

              and possibly others

              1 Reply Last reply Reply Quote 0
              • spllgundefined
                spllg @chrishamm
                last edited by

                @chrishamm said in dwc: https and password protection:

                there is no file /opt/dsf/conf/http.conf on my rpi - not even a http.conf anywhere.

                1 Reply Last reply Reply Quote 0
                • chrishammundefined
                  chrishamm administrators
                  last edited by

                  Sorry, I meant /opt/dsf/conf/http.json

                  Duet software engineer

                  spllgundefined 1 Reply Last reply Reply Quote 0
                  • spllgundefined
                    spllg @chrishamm
                    last edited by

                    @chrishamm said in dwc: https and password protection:

                    /opt/dsf/conf/http.json

                    thanks (though i do not plan to customize this file.)

                    spllgundefined 1 Reply Last reply Reply Quote 0
                    • spllgundefined
                      spllg @spllg
                      last edited by

                      @spllg had a look at https://docs.microsoft.com/en-us/aspnet/core/host-and-deploy/linux-apache?view=aspnetcore-3.1 but microsoft world is very unknown to me. so i think i will give octoprint a try (after i have reconfigured duet3 in standalone mode).

                      1 Reply Last reply Reply Quote 0
                      • piperswundefined
                        pipersw
                        last edited by

                        I use a vpn server in my fai box, no need dor https and works well with Duet2wifi.
                        Why you don't want to use a VPN server in your LAN ?

                        spllgundefined 1 Reply Last reply Reply Quote 0
                        • spllgundefined
                          spllg @pipersw
                          last edited by

                          @pipersw i could but this complicates things.

                          piperswundefined 1 Reply Last reply Reply Quote 0
                          • piperswundefined
                            pipersw @spllg
                            last edited by

                            @spllg said in dwc: https and password protection:

                            @pipersw i could but this complicates things.

                            Less complicated than do a reverse proxy with https on raspberry pi.

                            Just a certificate to generate and download on phone, and install VPN server and client software. In Free FAI box (french FAI) the VPN server is integrated, and in NAS Synology too.

                            spllgundefined 1 Reply Last reply Reply Quote 0
                            • spllgundefined
                              spllg @pipersw
                              last edited by

                              @pipersw i do not want to discuss this but i feel a reverse proxy is far more flexible.

                              1 Reply Last reply Reply Quote 0
                              • Danalundefined
                                Danal
                                last edited by

                                Is there a hostile party sniffing packet payloads on your internal network?

                                • If so, transport encryption (e.g. HTTPS) is a good defense.
                                • If you are instead trying to protect from casual misuse, a password is a good starting point.

                                Having said all of that, the underlying question is fairly common; perhaps the community can come up with an easy-to-install-configure proxy style solution. (I'm mostly pointing at myself, here, but if anyone else is going to work on this, let us all know).

                                Delta / Kossel printer fanatic

                                1 Reply Last reply Reply Quote 0
                                • A Former User?
                                  A Former User
                                  last edited by

                                  This might not be super polished GUI, but the functions and examples should cover most things.
                                  https://github.com/linuxserver/docker-letsencrypt

                                  (with wildcard certficates and dns challenge you don't even need to have a public web server to use lets encrypt with a custom domain with non public subdomains)

                                  1 Reply Last reply Reply Quote 0
                                  • spllgundefined
                                    spllg
                                    last edited by

                                    i have a working apache and configured a reverse proxy for dwc. accessing the url results in

                                    "Failed to connect to <proxy-name>" <cr><nl>Network error"

                                    the proxy-access-log says:

                                    nn.nn.nn.nn - - [13/Feb/2020:14:50:31 +0100] "GET / HTTP/1.1" 200 687
                                    nn.nn.nn.nn - - [13/Feb/2020:14:50:31 +0100] "GET /css/app.eb4376bc.css HTTP/1.1" 200 95851
                                    nn.nn.nn.nn - - [13/Feb/2020:14:50:31 +0100] "GET /js/app.8855845c.js HTTP/1.1" 200 607246
                                    nn.nn.nn.nn - - [13/Feb/2020:14:50:33 +0100] "GET /favicon.ico HTTP/1.1" 200 102407
                                    nn.nn.nn.nn - - [13/Feb/2020:14:50:33 +0100] "GET /rr_connect?password=reprap&time=2020-2-13T14%3A50%3A33 HTTP/1.1" 404 154
                                    nn.nn.nn.nn - - [13/Feb/2020:14:51:15 +0100] "GET /machine HTTP/1.1" 400 152
                                    nn.nn.nn.nn - - [13/Feb/2020:14:51:17 +0100] "GET /rr_connect?password=reprap&time=2020-2-13T14%3A51%3A17 HTTP/1.1" 404 155
                                    nn.nn.nn.nn - - [13/Feb/2020:14:52:15 +0100] "GET /machine HTTP/1.1" 400 152
                                    nn.nn.nn.nn - - [13/Feb/2020:14:52:16 +0100] "GET /rr_connect?password=reprap&time=2020-2-13T14%3A52%3A16 HTTP/1.1" 404 155
                                    nn.nn.nn.nn - - [13/Feb/2020:14:53:15 +0100] "GET /machine HTTP/1.1" 400 152
                                    nn.nn.nn.nn - - [13/Feb/2020:14:53:16 +0100] "GET /rr_connect?password=reprap&time=2020-2-13T14%3A53%3A17 HTTP/1.1" 404 155

                                    the first 4 gets succeed whale all the others fail.

                                    1 Reply Last reply Reply Quote 0
                                    • ernstcundefined
                                      ernstc
                                      last edited by

                                      Activating HTTPS is necessary if someone wants to create a Progressive Web App that communicates directly with the printer.

                                      A Former User? 1 Reply Last reply Reply Quote 0
                                      • A Former User?
                                        A Former User @ernstc
                                        last edited by

                                        @ernstc said in dwc: https and password protection:

                                        Activating HTTPS

                                        It'll likely never be just "activating" HTTPS on a duet board, unless in combination with some sort of Raspberry Pi or other more resourceful system to act as a reverse proxy for the Duet. The Duet3 with the Raspberry Pi should be able to do it (and the new Duet2 that are on the drawing board might also support working with a Raspberry Pi (or other SBC with compatible GPIO). But it doesn't make sense to re-invent the wheel and instead just use nginx or similar.

                                        ernstcundefined 1 Reply Last reply Reply Quote 0
                                        • ernstcundefined
                                          ernstc @A Former User
                                          last edited by

                                          @bearer I was just trying to point out that is something needed for some scenario, in any way, even if we are in our own private network. There is no need to "reinvent the wheel".

                                          1 Reply Last reply Reply Quote 1
                                          • JoergS5undefined JoergS5 referenced this topic
                                          • JoergS5undefined JoergS5 referenced this topic
                                          • JoergS5undefined JoergS5 referenced this topic
                                          • First post
                                            Last post
                                          Unless otherwise noted, all forum content is licensed under CC-BY-SA