Indeed
Active member
This guide is divided in two parts due to the 10000 character limit.
The methods listed below work on my printer but I don't know if they will work for you.
My machine has an Intel NUC with Ubuntu 22.04.
Mainsail, Klipper and friends were installed with KIAUH.
I have not tried this with a Raspberry Pi but the setup should be similar, if not identical.
Level 1, trusted home network
First we'll look at a simple way to limit access to your printer running Mainsail behind nginx as usual, using "basic auth".
"basic auth" is quite insecure if used by itself: credentials are sent in clear text over the network, but this may be good enough depending on what your goal is.
Maybe the printer is on your home network where you trust all users and all you want to do is to stop a family member, who has no malicious intent, from browsing the Mainsail printer page and making accidental changes.
Who knows, fat fingers on a phone or curiosity might result in an emergency stop just minutes before your 15 hour print is finished, a restart of previous print, a config file edit, or worse.
If protection from accidental changes is all you need then the "basic auth" password protection may be enough.
See section PASSWORD below.
Level 2, workplace network
Next level is if your printer is on a network where you kind of trust all users, but perhaps not with your life or wallet. Such as an office network or a corporate network.
Then you can try to improve things by adding HTTPS (SSL) and a couple of local firewall (iptables) rules in addition to the password protection (basic auth).
See sections HTTPS and FIREWALL below. Or rather, in part 2 of this guide.
Level 3, internet
If you intend to connect to your printer over the internet, then don't trust this guide.
Go with some other solution instead, such as a VPN.
PASSWORD
First we'll create a password file with "htpasswd",
then add a couple of lines to the nginx config and make nginx use the "basic auth" method,
and finally restart nginx.
htpasswd is found in package apache2-utils, install it if needed:
Code:
sudo apt install apache2-utils
Or you can instead use apt-get if you like:
Code:
sudo apt-get install apache2-utils
Create a file with a user+password entry. Replace USER_NAME with your choice of username. You will be prompted for a password.
Code:
sudo htpasswd -c /etc/nginx/0-passwords.txt USER_NAME
Make a backup of the nginx mainsail config. Just in case.
Code:
sudo cp /etc/nginx/sites-available/mainsail /etc/nginx/sites-available/mainsail.orig
Edit file /etc/nginx/sites-available/mainsail
Code:
sudo nano /etc/nginx/sites-available/mainsail
and add these two lines somewhere under the "server" section.
Code:
auth_basic "<here you can write a message if you like>";
auth_basic_user_file /etc/nginx/0-passwords.txt;
Example config from my machine
Code:
# /etc/nginx/sites-available/mainsail
server {
    listen 80;
    auth_basic "Go away";
    auth_basic_user_file /etc/nginx/0-passwords.txt;
    # ... rest of the server block unchanged ...
}
Save, then restart nginx. One of these will probably work. Both work on my machine.
Code:
sudo service nginx restart
sudo systemctl restart nginx
Notes
The password file doesn't have to be "/etc/nginx/0-passwords.txt", it's just what I called it.
I like to prefix my files with "0-" so there's no doubt that the file was created by me and didn't come with the software package.
You can call it anything and place it in any directory. Such as "/home/pi/htaccess".
If it didn't work you can revert with
Code:
sudo cp /etc/nginx/sites-available/mainsail.orig /etc/nginx/sites-available/mainsail
and then restart nginx again.
It should also be noted that if the printer is on a wireless network (where by design all traffic is broadcast to all clients more or less), anyone using a sniffer such as Wireshark, tcpdump or similar will be able to see the user credentials in clear text.
But this method may still be good enough for use at home where you know and trust all users.
Continued in part 2
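Added example (not part of the original post): a pre-restart check for the PASSWORD steps above, confirming that the config really enables basic auth and that the password file exists, is not world-readable, and holds only hashed entries. The function names `audit_basic_auth` and `make_sample`, the sample config and the hash string are constructed for illustration; the permission and hash-scheme checks are additions, not steps from the guide.

```shell
# Added example: audit an nginx basic-auth setup before restarting nginx.
# audit_basic_auth CONFIG returns 0 if every check passes, 1 otherwise.
audit_basic_auth() {
    conf=$1 rc=0
    active=$(sed '/^[[:space:]]*#/d' "$conf")    # drop commented-out lines
    if ! printf '%s\n' "$active" | grep -Eq '^[[:space:]]*auth_basic[[:space:]]+[^;]+;'; then
        echo "FAIL: no auth_basic directive"; rc=1
    elif printf '%s\n' "$active" | grep -Eq '^[[:space:]]*auth_basic[[:space:]]+off[[:space:]]*;'; then
        echo "FAIL: auth_basic is set to off"; rc=1
    fi
    pwfile=$(printf '%s\n' "$active" | sed -n \
        's/^[[:space:]]*auth_basic_user_file[[:space:]]\{1,\}\([^;[:space:]]*\).*/\1/p' | head -n 1)
    if [ -z "$pwfile" ]; then
        echo "FAIL: no auth_basic_user_file directive"; return 1
    elif [ ! -f "$pwfile" ]; then
        echo "FAIL: password file $pwfile does not exist"; return 1
    fi
    # htpasswd -c creates the file with the caller's umask, often mode 644.
    if [ -n "$(find "$pwfile" -perm -004)" ]; then
        echo "FAIL: $pwfile is world-readable"; rc=1
    fi
    # Every line must be user:hash; {PLAIN} and unsalted {SHA} entries are weak.
    if awk -F: 'NF < 2 || $1 == "" || $2 == "" || index($2, "{PLAIN}") == 1 ||
                index($2, "{SHA}") == 1 { bad = 1 } END { exit !bad }' "$pwfile"; then
        echo "FAIL: $pwfile has an empty, plain-text or unsalted entry"; rc=1
    fi
    [ "$rc" -eq 0 ] && echo "OK: $conf"
    return "$rc"
}

# Constructed sample (not a real config or hash) in a temporary directory.
make_sample() {
    dir=$(mktemp -d) || return 1
    printf '%s\n' 'USER_NAME:$apr1$constructed$NotARealHashValue000000' > "$dir/0-passwords.txt"
    chmod 644 "$dir/0-passwords.txt"
    cat > "$dir/mainsail" <<EOF
server {
    listen 80;
    auth_basic "Go away";
    auth_basic_user_file $dir/0-passwords.txt;
}
EOF
    echo "$dir"
}

d=$(make_sample)
audit_basic_auth "$d/mainsail" || true           # fails: file is mode 644
chmod 640 "$d/0-passwords.txt"
audit_basic_auth "$d/mainsail" && echo "next: sudo nginx -t && sudo systemctl restart nginx"
rm -rf "$d"
```

On the printer, call `audit_basic_auth /etc/nginx/sites-available/mainsail`. If you tighten the password file to mode 640, also give it the group the nginx worker runs as (www-data on Ubuntu), or nginx can no longer read it.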