Restrict Access to OctoPi Utilizing SSL Client Certificates

Yeah that didn't really help.
I think best is you post the inside of your haproxy.cfg and maybe somebody sees an error there. I'm not quite familiar with haproxy and hoped these commands would give us an easy solution.

Btw there are several undervoltage warnings - are you sure that your power supply for the pi is sufficient?

1 Like

A charger is not a power supply.

Do you think this creates the problem in haproxy.cfg?

I've seen insufficient power cause all kinds of issues on RPis. Misread configs. Network disconnects. Garbled data on the serial. Malformed responses. Mayhem.

But if you don't get an undervoltage warning it's probably not the reason. Still - a charger is not a power supply.

2 Likes

The haproxy.cfg file looks correct, so the only thing that I can think of that may be causing haproxy to not work properly would be the certificates themselves. Are they actually there where you are specifying them in the cfg file? For example, if you followed the instructions exactly your ca-file should be /home/pi/ssl/OctoPrintCA.crt. And remember, on Linux systems capitalization does matter.

You're right. I just fixed that in the original post. The path to the ca-file was incorrect.

What does your haproxy.cfg contain?

speed-pro.ml.pen should probably be speed-pro.ml.pem

The file names have to match...

2 Likes

Thanks, you're right.
I fixed this and there is no error in sudo service haproxy restart.
I'm installing the username1.p12 and OctoPrintCA.crt certificates,
but still getting a browser error, tested on Chrome and Explorer.

Hi Octopi’ers,

I may be in the minority, but I am not using OctoPi to control my printer. It’s been a while, but a few years ago when I set OctoPi up, it was not able to control Ultimaker printers properly. It had something to do with header gcode needed. So I ended up using OctoPi strictly for webcam access. I used it with DDNS, HTTP (not S) and port forwarding with a static IP on my Pi to monitor print status. I never really considered it dangerous since the USB/printer control part was simply not in use.

Recently I thought “hey I should upgrade OctoPi” so I did and now I MUST login to even use the webcam. Maybe someday I can control the printer and these security measures would be more relevant to me. In the meantime, I have a few simple questions:

  1. Can I set up guest access not requiring authentication on current releases of OctoPi? I could give a sh*t if some unscrupulous hacker watches my prints.

  2. What about Let’s Encrypt for SSL certificates? This seems like a more robust way to get free SSL certificates that are not based on self-signed domains. Typically HTTP (non-SSL) is needed for occasionally renewing the certificate, but Apache can be restricted to only allow non-SSL access to very specific URLs needed for this purpose.

Or if anybody has better ideas for dumb non-authenticated webcam access not requiring OctoPi, I’d be open to that for now!

FYI, if you just want to install your own certificate, just to access OctoPi via HTTPS (without a client certificate):

After downloading your certificate from your preferred certificate authority,

merge the certificate and key into one file:

cat ssl-cert-XXX.com.crt ssl-cert-XXX.com.key > ssl-cert-XXX.com.pem

Make sure that in the .pem file the end of the certificate and the start of the private key are on different lines:

-----END CERTIFICATE-----
-----BEGIN PRIVATE KEY-----

Copy the cert and bundle into the certs directory:

cp ssl-cert-XXX.com.pem /etc/ssl/certs/
cp ssl-cert-XXX.com.ca-bundle /etc/ssl/certs/

Edit the haproxy.cfg file:

vi /etc/haproxy/haproxy.cfg

Change

frontend public
        bind :::80 v4v6
        bind :::443 v4v6 ssl crt /etc/ssl/snakeoil.pem

to

frontend public
        bind :::80 v4v6
        bind :::443 v4v6 ssl crt /etc/ssl/certs/ssl-cert-XXX.com.pem ca-file /etc/ssl/certs/ssl-cert-XXX.com.ca-bundle verify none

Now you should be able to access your OctoPi using https://octopiDNSname.com/

1 Like
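The merge step in the post above is where the "different lines" warning bites: if the .crt file has no trailing newline, `cat` glues `-----END CERTIFICATE-----` and `-----BEGIN PRIVATE KEY-----` onto one line and HAProxy cannot load the key. This added example (not from the post) is a small POSIX sh helper that does the merge safely and checks the result; the file names and placeholder certificate contents in the demo are constructed.

```shell
#!/bin/sh
# Added example, not from the thread: build the single PEM file HAProxy's
# "crt" option expects (certificate first, then private key) while avoiding the
# pitfall the post warns about. If the .crt file has no trailing newline, plain
# `cat crt key > pem` glues the END CERTIFICATE and BEGIN PRIVATE KEY markers
# onto one line.

# Print FILE line by line, always terminating each line with a newline
# (including a last line that has none). Pure POSIX sh, no awk/sed needed.
emit_lines() {
    while IFS= read -r line || [ -n "$line" ]; do
        printf '%s\n' "$line"
    done < "$1"
}

# merge_pem CERT KEY OUT: writes OUT (mode 0600, since it contains the private
# key), returns 0 on success, 1 if an input is missing or the result is malformed.
merge_pem() {
    cert="$1"; key="$2"; out="$3"
    [ -r "$cert" ] && [ -r "$key" ] || { echo "merge_pem: cannot read $cert or $key" >&2; return 1; }
    # umask in a subshell so the caller's umask is untouched
    ( umask 077; { emit_lines "$cert"; emit_lines "$key"; } > "$out" )
    # Sanity checks: both markers must be present, each on a line of its own.
    grep -qx -e '-----END CERTIFICATE-----' "$out" \
        || { echo "merge_pem: certificate end marker not on its own line" >&2; return 1; }
    grep -Eq -e '^-----BEGIN (RSA |EC )?PRIVATE KEY-----$' "$out" \
        || { echo "merge_pem: private key start marker not found" >&2; return 1; }
}

# Demo on constructed placeholder files (no real key material); the .crt is
# written without a final newline on purpose to reproduce the problem.
demo() {
    tmp="$(mktemp -d)"
    printf -- '-----BEGIN CERTIFICATE-----\nMIIC...placeholder...\n-----END CERTIFICATE-----' > "$tmp/site.crt"
    printf -- '-----BEGIN PRIVATE KEY-----\nMIIE...placeholder...\n-----END PRIVATE KEY-----\n' > "$tmp/site.key"
    merge_pem "$tmp/site.crt" "$tmp/site.key" "$tmp/site.pem" && echo "merged OK: $tmp/site.pem"
    # next step would be: sudo cp "$tmp/site.pem" /etc/ssl/certs/ and point the bind line's crt at it
}
demo
```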

It may be worth noting that octopiDNSname.com is within a public top-level domain like .com rather than something within .local.

That was just an example, but yes, the certificate I installed was a Sectigo/Comodo wildcard certificate for a '.com' top-level domain. ... well, technically it is for a subdomain.

A lot of people attempt to bind a certificate to octopi.local or similar.

Hello, it doesn't work for me. I have an SSL connection error and I cannot connect to my OctoPrint.

Share a screenshot of the error.

My bad, it's working now; it was because of bad port forwarding. But I still have a certificate error and have to click on Advanced to connect.

Also, the link between Cura and OctoPrint is broken, even with the SSL checkbox on in Cura ...

Ah, yeah. Here is my current haproxy.cfg that doesn't force ssl on internal IP addresses. You'll need to adjust the ip range for the acl line.

global
        maxconn 4096
        user haproxy
        group haproxy
        log 127.0.0.1 local1 debug

defaults
        log     global
        mode    http
        option  httplog
        option  dontlognull
        retries 3
        option redispatch
        option http-server-close
        option forwardfor
        maxconn 2000
        timeout connect 5s
        timeout client  15min
        timeout server  15min

frontend public
        bind :::80 v4v6
        # verify required: only clients presenting a certificate signed by OctoPrintCA.crt get past the TLS handshake
        bind :::443 v4v6 ssl crt /home/pi/ssl/mydomain.com.pem ca-file /home/pi/ssl/OctoPrintCA.crt verify required
        # adjust this range to your LAN; matching sources may keep using plain http on port 80 (e.g. Cura)
        acl InternalIP src -i 192.168.0.0/24
        option forwardfor except 127.0.0.1
        # everyone else arriving over plain http is sent to https, and therefore to the client-cert check
        redirect scheme https code 301 if !{ ssl_fc } !InternalIP
        use_backend webcam if { path_beg /webcam/ }
        default_backend octoprint

backend octoprint
        acl needs_scheme req.hdr_cnt(X-Scheme) eq 0

        reqrep ^([^\ :]*)\ /(.*) \1\ /\2
        reqadd X-Scheme:\ https if needs_scheme { ssl_fc }
        reqadd X-Scheme:\ http if needs_scheme !{ ssl_fc }
        option forwardfor
        server octoprint1 127.0.0.1:5000
        errorfile 503 /etc/haproxy/errors/503-no-octoprint.http

backend webcam
        reqrep ^([^\ :]*)\ /webcam/(.*)     \1\ /\2
        server webcam1  127.0.0.1:8080
        errorfile 503 /etc/haproxy/errors/503-no-webcam.http

and then make sure that Cura is not using the https connection and just http.
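Two of the failures earlier in the thread (a ca-file at the wrong path, `.pen` instead of `.pem`) only surface when HAProxy refuses to start, and the `verify` keyword on the bind line above is what decides whether client certificates are actually enforced. This added example (not the poster's config or any OctoPrint code) is a POSIX sh pre-flight check over the ssl bind lines of an haproxy.cfg; the sample config and file names in the demo are constructed.

```shell
#!/bin/sh
# Added example, not from the thread: pre-flight check for the "bind ... ssl"
# lines of an haproxy.cfg. For every such line it reports whether the crt and
# ca-file paths exist (paths are case-sensitive, so a wrong case or a ".pen"
# typo both fail) and whether "verify required" is set; any other verify mode,
# including HAProxy's default of none, means the listener accepts clients that
# present no certificate at all. Returns the number of missing files.
check_bind_lines() (
    set -f                              # no globbing while we word-split lines
    cfg="$1"; missing=0
    while IFS= read -r line; do
        case "$line" in *bind*ssl*) ;; *) continue ;; esac
        set -- $line                    # split the directive into words
        [ "$1" = "bind" ] && [ $# -ge 2 ] || continue   # skips commented-out lines
        addr="$2"; shift 2
        crt=""; ca=""; verify="none"
        while [ $# -gt 0 ]; do
            case "$1" in
                crt)     crt="$2";    shift ;;
                ca-file) ca="$2";     shift ;;
                verify)  verify="$2"; shift ;;
            esac
            shift
        done
        echo "bind $addr ssl"
        for f in $crt $ca; do           # crt may also be a directory, hence -e
            if [ -e "$f" ]; then echo "  ok      $f"
            else echo "  MISSING $f"; missing=$((missing + 1)); fi
        done
        if [ "$verify" = "required" ]; then
            echo "  client certificates enforced (verify required)"
        else
            echo "  WARNING: no client-certificate check (verify $verify)"
        fi
    done < "$cfg"
    exit "$missing"
)

# Demo on a constructed config: one correct line, one with the ".pen" typo.
demo() {
    tmp="$(mktemp -d)"; : > "$tmp/site.pem"; : > "$tmp/OctoPrintCA.crt"
    printf 'frontend public\n\tbind :::80 v4v6\n\tbind :::443 v4v6 ssl crt %s/site.pem ca-file %s/OctoPrintCA.crt verify required\n\tbind :::8443 v4v6 ssl crt %s/site.pen ca-file %s/OctoPrintCA.crt verify none\n' \
        "$tmp" "$tmp" "$tmp" "$tmp" > "$tmp/haproxy.cfg"
    if check_bind_lines "$tmp/haproxy.cfg"; then echo "all files found"; else echo "missing files: $?"; fi
}
demo
```

Run it against the real file with `check_bind_lines /etc/haproxy/haproxy.cfg` before `sudo service haproxy restart`.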

Thanks a lot, I'm a novice; how do I adjust it? The IP of my OctoPrint is 192.168.1.150

Like this below?

acl InternalIP src -i 192.168.1.0/24

And I cannot use my Tapo smart plug with the internal IP address; is it because of SSL?