Octoprint is a great web frontend for 3D printers. Octopi is a raspbian-based image for a Raspberry Pi that comes with everything you need set up and configured.
Octoprint is an extremely convenient way to manage your 3D printer. However, it’s capable of a lot of spooky things:
If you have them, provides access to webcams showing prints
Can set temperatures of both the tool and the heatbed
Start whatever print you feel like
In the best case, Octoprint gives whoever can access it the ability to see into your house and what’s going on with your printer. In the worst case, someone with malicious intent could burn down your house, or at least wreck your printer.
The smartest approach here is probably to put Octoprint on a trusted network and refrain from poking holes in your router to allow access from the Internet.
But I’m not that smart.
In this post I’m going to outline a couple of things I did that make me feel better about exposing my Octoprint instance to the Internet.
# I found this necessary in order to be able to upload large-ish gcode
What’s this access_by_lua hocus pocus?
I covered this in a previous post. The problem is that modern web applications don’t really play nicely with client certificates, and this seemed to include Octoprint. There’s a bunch of wizardry with web sockets and service workers that don’t send the client cert when they’re supposed to.
The basic idea behind the solution is to instead authenticate by a couple of cookies with an HMAC. When these cookies aren’t present, nginx redirects to a domain that requires the client certificate. If the certificate is valid, it generates and drops the appropriate cookies, and the client is redirected to the original URL.
See the aforementioned post for more details.
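The cookie scheme described above, sketched as an added example (not code from the original post, which does this inside nginx via access_by_lua; Ruby is used here for illustration). The cookie names `auth_data` and `auth_mac`, the payload layout and the one-hour lifetime are assumptions.

```ruby
require 'openssl'

# Constructed key for the example; a real one is long, random and readable only by the proxy.
SECRET = 'constructed-example-key'

def mac_for(data)
  OpenSSL::HMAC.hexdigest('SHA256', SECRET, data)
end

# Constant-time comparison, so response timing does not reveal how much of a forged MAC matched.
def secure_compare(a, b)
  return false unless a.bytesize == b.bytesize
  diff = 0
  a.bytes.zip(b.bytes) { |x, y| diff |= x ^ y }
  diff.zero?
end

# Certificate-protected domain: called only after the client certificate has been verified.
def issue_cookies(cert_subject, now, ttl = 3600)
  data = "#{now + ttl}:#{cert_subject}"
  { 'auth_data' => data, 'auth_mac' => mac_for(data) }
end

# Application domain: called on every request, including websocket upgrades.
def check_cookies(cookies, now)
  data, mac = cookies.values_at('auth_data', 'auth_mac')
  return :redirect_to_cert_domain unless data.is_a?(String) && mac.is_a?(String)
  # Verify the MAC before trusting anything parsed out of the cookie.
  return :redirect_to_cert_domain unless secure_compare(mac, mac_for(data))
  expires = data[/\A\d+(?=:)/]
  return :redirect_to_cert_domain unless expires && expires.to_i > now
  :allow
end
```

Putting the expiry inside the signed payload means an edited or stale cookie fails the check and sends the client back through the certificate-protected domain.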
Goes without saying, but…
The Raspberry Pi itself should be secured as well. Change the default password for the pi user.
After quite a bit of iteration, I’m mostly happy with the way I’ve integrated Dash buttons into my home automation setup. Here’s a demo:
My goals were:
Make the buttons as responsive as possible.
Make it robust.
Setup should survive reboots and power outages without manual intervention.
Integrate with SmartThings.
In a previous post, I outlined two different approaches. I went with the approach that had the lowest latency (<1s). This one is quite a bit more work — mostly because it requires a dedicated wireless card.
Important! To use this approach, you need at least one WiFi dongle that supports monitor mode. The Edimax dongle I suggested doesn’t support monitor mode, but the one that comes with the CanaKit 2 does. Note that the Pi 3’s onboard WiFi device does not support monitor mode, so you’ll want to buy a dongle that does (you can buy the CanaKit dongle separately for $9).
Set up dash buttons
This approach will work with the normal setup process, but with a slight modification, you can ensure that the dash buttons don’t contact Amazon when pressed.
The only thing you need to do differently is set up the buttons on a network you can delete later. I have dd-wrt on my router, so I used a virtual interface. If your router supports a “guest network” or something to that effect, it’s the same thing.
Create the network, set up the dash buttons on it, then delete the network. The buttons will still attempt to connect when pressed, but won’t be able to because the network no longer exists.
If you’re using ethernet + a WiFi dongle, you shouldn’t need to do much of anything. If you’re using two WiFi devices, it’s a little trickier. In order for this to work consistently across reboots, you’ll have to:
Make sure that the interfaces (wlan0, etc.) are named consistently. They seemed to randomly swap by default, which obviously caused some problems.
Tell the OS which device should be connecting to the network.
(1) is easy enough with ifrename. There’s probably a way to do it with udev, but this is way easier. It allows you to assign names to interfaces based on hardware (MAC) addresses. Open up /etc/iftab in your favorite editor (just create it if it doesn’t exist). Mine looks like this:
monitorwan mac 00:00:00:00:00:00
mainwan mac 00:00:00:00:00:01
After a reboot, you should see that the devices are named appropriately:
$ ifconfig | grep wan
mainwan Link encap:Ethernet HWaddr 00:00:00:00:00:01
monitorwan Link encap:Ethernet HWaddr 00:00:00:00:00:00
Notice you can name the interfaces whatever you want. monitorwan and mainwan seemed more informative than wlan0 and wlan1. 🙂
(2) is also pretty straightforward. There might be an easier way to do this, but I just did it by editing /etc/network/interfaces to my liking:
You can apply these settings with a sudo service networking restart. Probably good to reboot to make sure it works as expected.
This setup uses ha_gateway, which is a small REST gateway I use to bridge a bunch of custom hackery with the rest of my home automation setup (mostly SmartThings). To install it, just check out the project from Github:
While I haven’t tested ha_gateway with anything but ruby 2.3.1, it probably works with 1.9+. If you’re getting errors when running bundle install, post a comment and I’ll help debug.
Create the monitor interface
In order to use monitor mode, we create a virtual monitor interface. We can do this with the iw tool, but I stuffed all of the setup into a script shipped with ha_gateway. It takes two arguments: the interface you’re using for monitor mode, and what you want to name the virtual interface:
15:46:08.905909 2412 MHz 11g -17dB signal antenna 1 39.0 Mb/s MCS 4 20 MHz lon GI CF +QoS Data IV:131a Pad 20 KeyID 0
5 packets captured
50 packets received by filter
14 packets dropped by kernel
If you have basically any WiFi traffic around you, you should see packets pretty much immediately. If you don’t, it either means the monitor device isn’t working, or you’re legitimately not seeing traffic on whatever channel the NIC is tuned to.
To make sure the monitor device survives reboots, you can invoke the same script from
# This script is executed at the end of each multiuser runlevel.
# Make sure that the script will "exit 0" on success or any other
# value on error.
# In order to enable or disable this script just change the execution
# By default this script does nothing.
# Print the IP address
printf "My IP address is %s\n" "$_IP"
/apps/ha_gateway/bin/create_monitor_interface monitorwan DashMonitor || echo "Failed to create monitor interface"
Figure out MAC addresses of your dash button(s)
The easiest way I’ve found to do this is to use the monitor mode NIC and search for packets associated with the network you set them up on. I set my dash buttons up on a network called CMDashButton:
Ignore the stuff at the beginning and skip down to the listeners: key. You’ll create a listener for each dash button you want to use:
# Put the MAC address of your button here
# Change this if you named your monitor interface something different.
# There will always be 5-10 packets each time you press the button.
# This prevents actions from repeating more than once every 5000ms
# (5 seconds).
This will fire an HTTP PUT request to http://google.com/some/path with the specified params every time the button is pressed. We can worry about making it do something useful later. First, let’s verify the button presses are getting picked up.
Use the run_listeners.sh script to fire up the ha_gateway listener process. Note you’ll have to run it with sudo; it won’t be able to listen on the monitor interface otherwise:
After waiting 10-20 seconds, press your dash button. You should see a log message that looks like this:
This means ha_gateway is successfully detecting dash button presses! Now let’s make it do something useful.
Integrating with SmartThings
ha_gateway integrates with SmartThings. We’ll be able to control your existing ST devices and routines with the dash button. Getting this working is a little complicated because SmartThings requires clients to authorize with it over OAuth. Let’s get that out of the way first.
First, you’ll have to install ha_gateway’s SmartApp. Log into your ST account (https://graph.api.smartthings.com/) and click on “My Smart Apps”. Click on the green “New SmartApp” button on the right near the top. Click on the “From Code” tab and paste in this code:
This should take you to an editor page. Couple of things to do to finalize setup:
Publish the newly created app – click on “Publish”, then “For Me”
Click on the “App Settings” button, then click on the “OAuth” section.
Click on the “Enable OAuth for this SmartApp” button.
You should see two text fields containing a “Client ID” and a “Client Secret”. Make note of ’em.
Click on “Update” near the bottom. OAuth settings won’t persist if you skip this!
Copy the client ID and client secret into ha_gateway’s config YAML:
site_location: is important so that the OAuth redirect ends up hitting the Pi again. For now, also make sure that require_hmac_signatures: is set to false. It’ll make it easier to go through the OAuth process.
Now fire up the ha_gateway web server by running bin/run.sh. Now navigate to:
This should direct you to an OAuth page on ST’s site. Select a hub, check the switches you want to allow control of, and click “Authorize”. You’ll be redirected to an endpoint that outputs a JSON blob containing information about the devices you authorized, which might look something like this:
Notice we don’t need to provide the full URL, just the path. ha_gateway will assume we want to send the request to its REST server. It’ll fill in the URL specified in the
You can start both the REST server and the listener process with the included start script. It’ll run the listener process as root, so make sure you’ve got an active sudo session (i.e., make sure it’s not prompting for a password):
sudo echo hi && \
Logs are in
You can also run routines. You can access /smartthings/routines to get a list of routines. To run a routine, send a GET request to /smartthings/routines/<routine_name>. Normalize routine_name to be all lowercase, remove non-alphanumeric characters, and replace spaces with underscores (e.g., “Good Night!” -> “good_night”).
Starting ha_gateway at boot
Obviously we want the REST server and the listener process to survive a reboot. This is pretty easy. I use monit because I already had it set up, but it’s probably more straightforward to just add this line to
/apps/ha_gateway/bin/start || echo 'failed to start ha_gateway'
Make sure it appears above the exit 0 at the end of the script.
If you don’t want anyone on your network to be able to access ha_gateway (and therefore turn off your Christmas Cheer), you can enable HMAC signatures. This will require anyone making a request to sign the request with a shared secret. Just edit the config file:
hmac_secret: <some random secret>
This works really well for me. It was way more work than I expected when I decided to look into hacking the dash buttons. I have five dash buttons for various uses, and they work very reliably. Adding new buttons is really straightforward.