Open Forceu opened 9 months ago
I'm using this:
Apache ReverseProxy with SSL Termination:
<VirtualHost *:443>
ServerName spoolmanager.mydomain.tld
ProxyPass / http://localhost:7912/
ProxyPassReverse / http://localhost:7912/
<Location />
AuthType Basic
AuthName "Restricted Content"
AuthUserFile /etc/apache2/.htpasswd
Require valid-user
</Location>
Header always set X-Content-Type-Options "nosniff"
Header always set X-XSS-Protection "1; mode=block"
Header always set Referrer-Policy "strict-origin-when-cross-origin"
Header always set X-Frame-Options "SAMEORIGIN"
</VirtualHost>
In Moonraker.conf:
[spoolman]
server: https://myuser:mypassword@spoolmanager.mydomain.tld
As I don't want to run spoolman on the same system that contains my Klipper installation, I am hosting it on my home server. Securing the frontend is done by integrating Authelia, which makes it very easy. Unfortunately there is no way to secure the API.
It would be great if there was an option to require an API key. The most basic implementation could be a unmutable key supplied by an environment variable on the Spoolman server / container. A better but more work intensive way would be an interface to manage API keys.
Although I haven't looked much into the code yet, I would most likely be able to implement the first option myself. Please let me know your thoughts on that regard
As rufinus said, you can use other services to create a secured gateway. However, a simple API-key configurable as an environment variable would be simple and effective. Care needs to be taken however in how this would interact with the web client, how should it inject the API key?
As I don't want to run spoolman on the same system that contains my Klipper installation, I am hosting it on my home server. Securing the frontend is done by integrating Authelia, which makes it very easy. Unfortunately there is no way to secure the API. It would be great if there was an option to require an API key. The most basic implementation could be a unmutable key supplied by an environment variable on the Spoolman server / container. A better but more work intensive way would be an interface to manage API keys. Although I haven't looked much into the code yet, I would most likely be able to implement the first option myself. Please let me know your thoughts on that regard
As rufinus said, you can use other services to create a secured gateway. However, a simple API-key configurable as an environment variable would be simple and effective. Care needs to be taken however in how this would interact with the web client, how should it inject the API key?
Create an an endpoint where one can log in using username/password, as provided in the .env and return a short-lived api-key in a cookie. Add an option in the user interface to generate long-lived API-keys. This could be realized using JWTs.
Just for information, just proxy doesn't work....we need websockets to moonraker work. This is my working configuration for remote/centralized spoolman with SSL termination and basic auth password:
<VirtualHost <IP>:443>
ServerName spoolman.mydomain
ServerAdmin webmaster@spoolman.mydomain
UseCanonicalName Off
CustomLog /var/log/apache2/domlogs/spoolman.mydomain.ssl.bytes bytes
CustomLog /var/log/apache2/domlogs/spoolman.mydomain.ssl.log combined
ErrorLog /var/log/apache2/domlogs/spoolman.mydomain.ssl.error.log
<Location />
AuthType Basic
AuthName "Restricted Content"
AuthUserFile /etc/apache2/.htpasswd-spoolman
Require valid-user
</Location>
RewriteEngine on
RewriteCond %{HTTP:Upgrade} websocket [NC]
RewriteCond %{HTTP:Connection} upgrade [NC]
RewriteRule ^/?(.*) "ws://127.0.0.1:7912/$1" [P,L]
ProxyPass / http://127.0.0.1:7912/
ProxyPassReverse / http://127.0.0.1:7912/
LimitRequestBody 0
ProxyRequests off
SSLCertificateFile /etc/letsencrypt/live/spoolman.mydomain/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/spoolman.mydomain/privkey.pem
Include /etc/letsencrypt/options-ssl-apache.conf
</VirtualHost>
@jmceara thanks, noticed that connection was failing, after some printers got their moonraker update.
I've used nginx container for adding basic auth: https://github.com/xpert13/Spoolman-with-basic-auth
As I don't want to run spoolman on the same system that contains my Klipper installation, I am hosting it on my home server. Securing the frontend is done by integrating Authelia, which makes it very easy. Unfortunately there is no way to secure the API.
It would be great if there was an option to require an API key. The most basic implementation could be a unmutable key supplied by an environment variable on the Spoolman server / container. A better but more work intensive way would be an interface to manage API keys.
Although I haven't looked much into the code yet, I would most likely be able to implement the first option myself. Please let me know your thoughts on that regard