Https using Lets Encrypt

varazir · November 3, 2018, 9:54pm

Hello,

I'm using this guide for my Domoticz installation.
I want to use the same on my octoprint installation.
Could someone point me to where I could add the cert config line ?

TIA
Daniel

jneilliii · November 4, 2018, 12:27am

That is part of the steps in my ssl tutorial.

Restrict Access to OctoPi Utilizing SSL Client Certificates

Your final haproxy.cfg file should look something like the one below. This one started as the default config that came with OctoPi 0.15.1 with the above modifications completed.

global
        maxconn 4096
        user haproxy
        group haproxy
        log 127.0.0.1 local1 debug
		tune.ssl.default-dh-param 2048

defaults
        log     global
        mode    http
        option  httplog
        option  dontlognull
        retries 3
        option redispatch
        option http-server-close
        option forwardfor
        maxconn 2000
        timeout connect 5s
        timeout client  15min
        timeout server  15min

frontend public
        bind :::80 v4v6
        bind :::443 v4v6 ssl crt /home/pi/ssl/mydomain.com.pem ca-file /home/pi/OctoPrintCA.crt verify required
        option forwardfor except 127.0.0.1
        redirect scheme https code 301 if !{ ssl_fc }
        use_backend webcam if { path_beg /webcam/ }
		use_backend gstreamer if { path_beg /gstreamer/ }
        default_backend octoprint

backend octoprint
        acl needs_scheme req.hdr_cnt(X-Scheme) eq 0

        reqrep ^([^\ :]*)\ /(.*) \1\ /\2
        reqadd X-Scheme:\ https if needs_scheme { ssl_fc }
        reqadd X-Scheme:\ http if needs_scheme !{ ssl_fc }
        option forwardfor
        server octoprint1 127.0.0.1:5000
        errorfile 503 /etc/haproxy/errors/503-no-octoprint.http

backend webcam
        reqrep ^([^\ :]*)\ /webcam/(.*)     \1\ /\2
        server webcam1  127.0.0.1:8080
        errorfile 503 /etc/haproxy/errors/503-no-webcam.http

At this point save the file by pressing ctrl+x followed by y for yes and enter to overwrite the previous file. Restart haproxy sudo service haproxy restart and if we attempt to go to our octoprint https address you will get the below error. This is good news, because this is what we want.

Hopefully that will point you in the right direction. The haproxy.cfg has some pre-configured ssl settings for the snakeoil cert in there if I'm remembering correctly..

varazir · November 4, 2018, 9:03am

Found this guide

If you wish you could update your guide to get a cert from that guide. Worked great.

Loziva · June 14, 2019, 5:07pm

I have read it here but do not know if it works.

varazir · June 17, 2019, 3:48pm

Solved it by letting my router act as frontend for the SSL traffic.