DuetWifi DWC Encryption using Rasberry Pi Zero W as Proxy Server
-
This thread is also for anyone interested in doing this.
The issue: Duet Web Control is not using encrypted communication (HTTPS) and browsers are complaining when entering passwords into sites that are not encrypting communication. At some point, browsers might even refuse to allow entering passwords in any website that is not encrypting their communication.
The Duet board's main controller is based on the Arduino Due, which is a 32-bit processor with a bunch of memory and processing power, but still it is an Arduino and does not (based on what I could find) support hardware floating point operations and similar functions that would speed up encryption; in addition encryption simply takes a lot of extra memory and processor cycles, all of which reduces the processor's ability to handle 3D Printing and all of the timings related to it. Therefore I agree with the Duet developers that it simply does not make sense to try to embed encryption into the Duet boards.
So that is where this idea and somewhat tutorial comes in. We can offload the encryption to a Raspberry Pi, which can easily handle it (especially if the Raspberry Pi doesn't have to do a bunch of extra stuff). I have decided to also run a Pi Cam from mine, to embed into DWC, but that is completely optional.
To make things easy and small, I have decided to use the Raspberry Pi Zero W (small board, with builtin wireless and a camera connector).
How I got to here:
- Downloaded the Lite version of the latest Raspbian (Stretch), and flashed it to a microSD card using Etcher (platform independent flash utility, makes things very easy). Just note that this will format the card, so backup any important files. You can also download the full Raspbian image, but that is only useful if you plan to have a display connected to the Pi (it uses a lot more of your card simply to run a GUI)
- Now, you will see a "boot" drive in your My Computer (Windows) or similar for other OSs. Create 2 files inside this drive: "ssh.txt" (this file will enable SSH connection to your Pi, which is how we will connect to it) and "wpa_supplicant.conf" (this file will contain your Wifi SSID and password, so that the Pi knows what to connect to).
Edit the "wpa_supplicant.conf" file to be more like this:
    country=US
    ctrl_interface=DIR=/var/run/wpa_supplicant GROUP=netdev
    update_config=1
    network={
        ssid="xxxxxxxxx"
        scan_ssid=1
        psk="yyyyyyyyyy"
    }
The "xxxxx" and "yyyyyy" are your SSID and password respectively, change the US to whatever is your country's 2 character code.
You can now eject the card and insert it into your Raspberry Pi and connect it to power. The lights should start flashing, and if everything was correct, it should appear on your network, note the IP address when you find it.
Now we should connect to it using SSH, which allows us to execute commands on the Pi. Granted SSH is not the most beautiful interface to work with, but it is universal. You can download the Adafruit Pi Finder (https://github.com/adafruit/Adafruit-Pi-Finder/releases - yes, it is old, but it works) to help you locate and connect to the Pi (default username is "pi" with password "raspberry"; it is highly recommended to change this asap).
Next we need to enter a few commands for the Pi, to set it up:
    passwd
- run the set new password utility; this asks for the current password, and then the new password twice (the password entered is not displayed at all, so be sure to type it correctly).
    sudo apt-get update
- this will perform a set of updates, simply wait for it to complete and respond to prompts if there are any.
    sudo apt-get upgrade
- upgrades to the latest version, wait for it and respond to prompts as it happens.
    sudo raspi-config
- this loads a very basic configuration interface, where you can expand the file system, enable the camera (if you will use it) and more. Go through it and set it as you need it.
Finally we are ready to install Nginx as our proxy server:
    sudo apt install nginx
- this will install the nginx package and start it.
    sudo systemctl stop nginx
- this will stop the nginx server, so that we can edit it.
    cd /etc/nginx/sites-available
- this will simply go to the nginx site configuration directory, where we will make an edit.
    sudo nano default
- open the basic (nano) file editor, as an administrator (sudo) and edit the file in the current directory named "default"; this will load the file with the default settings and information, modify it to be:
    server {
        listen 80 default_server;
        listen [::]:80 default_server;
        server_name <rpiname>.local localhost;
        root /var/www;
        index index.php index.html index.htm;
        error_log /var/log/nginx/<rpiname>.local.log;
        location / {
            proxy_pass http://<duetname>.local/;
            proxy_set_header Host $host;
            proxy_http_version 1.1;
            proxy_set_header Upgrade $http_upgrade;
            proxy_set_header Connection "upgrade";
        }
        location ~ /\.ht {
            deny all;
        }
    }
Replace <rpiname> with the name you want to use to connect to your Pi; and replace <duetname> with the name of your duet board (to which the traffic should be forwarded).
Now we can run
    sudo systemctl start nginx
to start the proxy server, and if all is well it will not give any error and you should be able to visit http://<rpiname>.local in your browser and have it display exactly what the direct link to the Duet displays.
One known issue is that uploading files does not work yet - this will take some more debugging and digging into logs (or if someone knows why it fails, you can chip in).
The next post will be about getting a self-signed certificate and implementing it in nginx to allow https connections between your browser and the Pi.
-
I would suggest using the following options - and I think these might solve your upload issues:
    client_max_body_size 0;
    proxy_request_buffering off;
In addition, I'm also using a simple HTTP Basic Auth to restrict access (I don't trust the RRF password enough to rely on it alone):
    auth_basic "Restricted Content";
    auth_basic_user_file /etc/nginx/htpasswd;
(I'm also using a SSL cert to make sure my Basic Auth is only transmitted encrypted, but I guess this is beyond this post...)
And I don't think you need all the proxy_set_header options - my config works fine without them. Actually I had problems in the past with earlier Duet RRF firmwares, because there was a limit on the HTTP request (header) size.
-
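The options suggested in the reply above, combined with the first post's proxy block and a TLS listener, as an added example that is not part of the original thread. The certificate, key and htpasswd paths are assumptions, and <rpiname> and <duetname> are the thread's own placeholders.

```nginx
# Added example, not from the thread. Replace <rpiname> and <duetname> as in
# the first post; the ssl_certificate* paths below are assumed locations.

# Port 80 only redirects, so Basic Auth and the DWC password are never
# entered over plain HTTP between the browser and the Pi.
server {
    listen 80 default_server;
    listen [::]:80 default_server;
    server_name <rpiname>.local;
    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl default_server;
    listen [::]:443 ssl default_server;
    server_name <rpiname>.local;

    ssl_certificate     /etc/nginx/ssl/duet-proxy.crt;  # assumed path
    ssl_certificate_key /etc/nginx/ssl/duet-proxy.key;  # assumed path, readable by root only
    ssl_protocols       TLSv1.2;

    error_log /var/log/nginx/<rpiname>.local.log;

    # Basic Auth is declared only inside the TLS server block.
    auth_basic           "Restricted Content";
    auth_basic_user_file /etc/nginx/htpasswd;

    # Uploads: no body size cap, and stream the body to the Duet
    # instead of buffering it on the Pi first.
    client_max_body_size    0;
    proxy_request_buffering off;

    location / {
        # This hop (Pi to Duet) is still plain HTTP on the local network.
        proxy_pass http://<duetname>.local/;
        proxy_http_version 1.1;
    }
}
```

Run `sudo nginx -t` before restarting nginx to catch syntax errors and missing certificate files.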
Hi @resam thank you for your contribution. I will try your recommendation as soon as my Pi is up and running again (busy getting everything in their cases and mounting positions).
The Basic Auth is also a good idea, though it is only between your browser and the Pi, so the RRF password is still the only protection for a direct connection to the Duet; that said any contributions are welcome.
For the proxy, I simply followed a tutorial on getting such a proxy setup, so there are some extras that are not needed; so for this to work, we only need the proxy_pass from the original one I had and then the 2 extras you mentioned?
-
Fantastic!!!
Once you have this "really the way you like it", consider writing a WiKi page?
-
@jacotheron said in DuetWifi DWC Encryption using Rasberry Pi Zero W as Proxy Server:
For the proxy, I simply followed a tutorial on getting such a proxy setup, so there are some extras that are not needed; so for this to work, we only need the proxy_pass from the original one I had and then the 2 extras you mentioned?
You could even get by with only proxy_pass and client_max_body_size but I would recommend to keep the other settings as this enables the browser and nginx to be more efficient in some tasks.
-
@wilriker That makes sense.
@Danal I plan to make it a wiki page as a reference for others to also use.
While I have a few more knowledgeable people here, I plan to power the Pi from the Duet's expansion port. The idea is that since the Pi and a Pi Cam (v1.3) use very little power, it should be a nice integrated place to have it - as soon as the Duet powers up, the Pi also powers up and is ready to work.
My current setup: I have a relay with a momentary bypass switch in parallel before the power supply. Relay is triggered on startup, as the PS_ON (active low). I have made a shutdown macro which I use to shut the printer off.
I have read that the Pi does not always like to simply lose power, so I have been thinking about a way to ensure the Pi can safely shut down when I want to switch the printer off: I use 2 IO pins on the Duet, which run to 2 GPIO pins on the Pi for a very basic type of communication (since both are 3.3V logic, it should not be an issue). Wire 1 is the return from the Pi (to signal it is almost shut down) and Wire 2 is input to the Pi to start shutdown. On startup, the Duet pulls wire 1 HIGH (or can be LOW), it is set as an Input, and writes wire 2 to HIGH (Output); the Pi writes the opposite to wire 1, and creates an interrupt on wire 2 for a rise or fall. When the Pi's interrupt triggers, it should start shutting down, but the important part is that wire 1 should remain what it is for as long as possible until the Pi is as close to being shut down as possible, then it is released and this should then be detected by the Duet, which has a slight extra second delay before releasing the PS_ON relay and being off.
Is this a good idea or should I simply have a standard 10 second delay (with a single wire to signal shutdown); or am I just making it more complicated than it needs to be?
The camera will mainly be used to stream to DWC, but may from time to time be used for stills and time-lapse videos, and when they record I will complete the video before shutting down anyways (and usually download it to a computer, to clear the space).
-
Others may vary... I have never shut down a Pi in my life, other than by yanking power.
I have never had to re-build a Pi flash as a result of this practice. And, if I did, it wouldn't take long.
-
@danal said in DuetWifi DWC Encryption using Rasberry Pi Zero W as Proxy Server:
Fantastic!!!
Once you have this "really the way you like it", consider writing a WiKi page?
Yes my thoughts exactly - or a guide if you feel up to breaking down into detailed steps!
-
@jacotheron said in DuetWifi DWC Encryption using Rasberry Pi Zero W as Proxy Server:
I have read that the Pi does not always like to simply lose power, so I have been thinking about a way to ensure the Pi can safely shut down
In theory this is true. In practice I run some Pis which were so often hard powered down and they still run :D. Sometimes I wonder myself how it is possible. But there are some solutions which can improve hard power down reliability:
- use an industrial grade SD card
- set up the Pi file system as read-only
-
I have now written a guide for the Proxy part, the camera section will come slightly later, but it is really simple to install (only real requirement is to run it on a different port than the proxy - I had issues when they were on the same port).
https://www.instructables.com/id/DuetWifi-HTTPS-Proxy-and-Camera-Using-RaspberryPi-/
Any further advice, questions etc can be posted to the instructable or this thread. I will try to help anyone, but usually a Google Search can also help (in essence my guide is simply a compilation of information found on a whole lot of websites, added in a logical order for this specific task).
-
I just set mine up, and FYI if you don't have the WiFi password in double quotes it fails. I suggest including them everywhere anyone might copy/paste or they won't know what is going on without picking through the logs. I couldn't vi /etc/wpa_supplicant/wpa_supplicant.conf either because the Pi doesn't like the mappings on my keyboard. So there was no way to insert a double quote. I put the card back in my PC and added the double quotes and WiFi connects.
Of course so far I can't connect over SSH from my Mac or PC. I get as far as the password entry and Pi thinks I'm logged in, but I never get the prompt back. It's just hung there. So auth seems to be working according to the log but I never see the banner or a prompt that accepts typing. I have tried from Windows 10, Mac and Linux.
I'm very interested in the camera guide if you have a work in progress. My camera arrives tomorrow.
-
@jacotheron said in DuetWifi DWC Encryption using Rasberry Pi Zero W as Proxy Server:
I have now written a guide for the Proxy part, the camera section will come slightly later, but it is really simple to install (only real requirement is to run it on a different port than the proxy - I had issues when they were on the same port).
https://www.instructables.com/id/DuetWifi-HTTPS-Proxy-and-Camera-Using-RaspberryPi-/
Would you be willing to put this in the Duet Dozuki Wiki?
If not, would you be offended if I did?
Thanks,
Danal
-
@3dmntbighker Ok, I will change it so that it has the double quotes.
@Danal You are more than welcome to add it to the wiki. As mentioned, my work was simply compiling it and ordering it. You can also, if you see a need for it, change grammar and spelling - English is not my native language.
-
@danal great if you did. Can you link to @Jacotheron's instructable if you do and focus the documentation on what to do, with the explanation of the background left in the instructable?
@Jacotheron thanks for writing this up, I plan on giving it a go as soon as possible. Do you think it is possible to put together a Pi Zero image with everything configured (other than the obvious WIFI settings, printer name etc)?
Torbjorn (of hang printer fame) has done his for the hangprinter development environment under Ubuntu
-
@T3P3Tony I am actually a beginner with regards to a Raspberry Pi, how would I go about creating that image?
-
@jacotheron I am not up to speed with it either. I will look into it once I get a version working.