Link Search Menu Expand Document

Remote Access with a Reverse Proxy and Port Forwarding

Setting up basic authentication

This configuration will expose your OctoPrint installation to the internet. To protect it, you’ll need to set up a layer of authentication on top of the regular OctoPrint access control system. This will require entering a separate username and password whenever you want to access OctoPrint over the internet. (Polymer will handle this automatically.)

Please note that basic authentication is not encryption. When you login with basic authentication, your credentials will be sent over the internet unencrypted. Hence, if you connect to an untrusted WiFi network and log in, it is possible that an attacker on the same network could see those credentials. There are ways of securing this, such as setting up SSL, but they are more complex to set up and maintain. Again, using a more secure alternative such as OctoEverywhere, Ngrok tunnel, or PiVPN is strongly recommended.

Logging into your Pi

This guide assumes that your Pi is at the address octopi.local. If it is at a different address, substitute octopi.local with that address in the following steps.
By default, OctoPi uses the username pi and the password raspberry. If you have changed the default password, use that instead in the following steps.

First, you will have to log in to a shell on your Raspberry Pi.

If you use macOS or Linux, open the Terminal app. Type ssh pi@octopi.local. When prompted for a password, enter the password (default raspberry).

If you use Windows, download, install, and run PuTTY. Enter octopi.local as the host name. Click open, and when prompted enter the username (default pi) and the password (default raspberry).

Configuring basic authentication

OctoPi uses a program called HAProxy to serve the web interface. We are going to modify HAProxy’s configuration to require an additional username and password when logging in over the network.

  1. First, stop HAProxy:
    sudo service haproxy stop

    If you are asked for a password, type in your password and hit enter. Note you will not be able to see the characters in the password as you type.

  2. Then move into the HAProxy configuration folder:
    cd /etc/haproxy/
  3. Make a backup of the existing configuration:
    sudo mv haproxy.cfg haproxy.cfg.bak
  4. Download the basic auth configuration template:
    sudo wget
  5. Now, we’ll edit the configuration file. Open it up:
    sudo nano haproxy.cfg
  6. Scroll down to line 33. This must contain the first 2 values of your local IP address, so that you won’t be asked for a username and password on your local network. If your local IP addresses start with 192.168, you can leave this as-is. Otherwise, replace 192.168 with the first 2 numbers in your local IP address.
    # Don't require authentication when accessing from your local network
    # Update this line to use the IP prefix of your local network
    # This is the first 2 values in your local IP, e.g. 192.168.x.x
    http-request auth realm octoprint if !AuthSuccessful !{ hdr_beg(host) -i 192.168 }
  7. Next, we will set the username and password. Scroll down to the end of the file, and replace your_username and your_password with the usernames and passwords you want to set. Take note of these, as you will need them later when setting up the app.
    # The user credentials for basic authentication
    userlist BasicAuthUsers
         # Change this to your own username and password
         user your_username insecure-password your_password
  8. Press Ctrl-X to exit the file. When prompted to save the modified buffer, press Y. Then press enter when prompted with File Name to Write: to save the file.

  9. Restart HAProxy
    sudo service haproxy start

    If you edited the file correctly, it should start successfully. If it errors, run the following command to tell you where the mistake in the config file is:

    haproxy -c -V -f haproxy.cfg
  10. To check that the configuration works, navigate to the OctoPrint web interface in your browser. You should not be prompted for a username and password. If you are, double check that you set the right prefix. If it works, you can log out of the Pi:

Port forwarding

Now that OctoPrint is secured, we will set it up to be accessible over the internet. You will need to log in to your router and add a port forward rule for OctoPi. The instructions for this vary from router to router. Here is a sample configuration from my router, but likely yours will be different:


Check that the authentication works

Navigate in your web browser to your public IP address (you can find it at a website like this). You should be prompted for a username and password. Check that the username and password you set earlier work


Setting up Polymer

In Polymer, navigate to ‘Settings’ → ‘Printers’. Either edit an existing printer configuration, or add a new configuration using the ‘Manual Setup’ option.

In the printer settings, change the address to your public IP address, and enter the username and password you set in the ‘HTTP Authentication’ section

🎉 Congratulations, you’ve set up remote access

Copyright © 2017–2022 Lachlan Bell

OctoPrint is a registered trademark of Gina Häußge. iOS, iPhone and iPad are trademarks of Apple Inc., registered in the U.S. and other countries.