Archives de catégorie : Debian Stretch

Octopi behind proxy and credentials

I wanted to have an octopi behind a simple proxy.

So add the proxy to apache

<IfModule mod_proxy.c>
  ProxyRequests off
  ProxyVia On

  ProxyPass / http://octoprint.darkink.internal/
  ProxyPassReverse / http://octopi.darkink.internal/

  <Location />
    ProxyPassReverse /

then add some securtiy, creating a new CA following this and this.

openssl genrsa -des3 -out rootCA.key 2048
openssl req -x509 -new -nodes -key rootCA.key -sha256 -days 3650 -out rootCA.pem

openssl genrsa -out steven.key 2048
openssl req -new -key steven.key -out steven.csr
openssl x509 -req -in steven.csr -CA rootCA.pem -CAkey rootCA.key -CAcreateserial -out steven.crt -days 365 -sha256

openssl pkcs12 -export -in server.crt -inkey server.key -out server.p12

adding to the proxy

SSLVerifyClient require
SSLVerifyDepth 10
SSLCACertificateFile /srv/www/clients/client1/web26/ssl/auth/rootCA.pem
SSLCACertificatePath  /srv/www/clients/client1/web26/ssl/auth

We then need to add revocation here and here:

openssl ca -config rootCA.conf -gencrl -out rootCA.crl

We add this to the proxy

SSLCARevocationFile /srv/www/clients/client1/web26/ssl/auth/rootCA.crl
SSLCARevocationCheck chain

then add the certificate to the browser and try it !

if we want to revoke it we must do

openssl ca -config rootCA.conf -revoke certs/test.crt
openssl ca -config rootCA.conf -gencrl -out rootCA.crl

openssl crl -in intermediate/crl/intermediate.crl.pem -noout -text