I've successfully configured a Motion webcam server for monitoring my puppy as he destroys the kitchen. The video is presented within an HTML page which allows for basic HTTP authentication, but is presented only with an unsecure HTTP (http://192.168.1.20:8081) connection.
As I would ultimately like to present this stream externally (I'm familiar with port forwarding), I was wondering how I would go about presenting this with HTTPS to prevent eavesdropping and ensure the password information sent is invisible.
I know it would be possible to somehow proxy this on the Pi, but I do not know the terminology to search for or where to begin looking!
The desired end state would be to connect to https://myFreeDomain.net/, provide credentials and then view the webpage presented internally as http://192.168.1.20:8081.
The Motion service can present the webpage as http://localhost if needed.
Thanks in advance for any advice or examples you can provide, or any additional help,
James
- "I know it would be possible to somehow proxy this on the Pi, but I do not know the terminology to search for or where to begin looking!" -> In fact you do. You want to arrange a (forward) proxy: en.wikipedia.org/wiki/Proxy_server Take "server" to refer to a piece of software and not "discrete machine". – goldilocks, Feb 9, 2017 at 12:43
- Thanks, @goldilocks - Thanks for the pointer to "forward proxying", I'll see how I get on now I know I'm looking in the right place! – James Finch, Feb 9, 2017 at 14:29
- As C Malasadas pointed out, you'll need an SSL certificate. They don't have to cost money. Letsencrypt is a free, trusted SSL provider that I use on my own projects. – Jacobm001, Feb 9, 2017 at 16:20
- Also, you can create your own CA (certificate authority), use that to sign the server certificate, and install the CA cert into a web browser and it will trust your server. Doesn't cost anything, doesn't require anyone else, and is only 5 minutes more complicated than creating a self-signed cert. – goldilocks, Feb 9, 2017 at 16:48
- Thanks @goldilocks - I'll have a look at creating my own CA in the future, but will wimp out now as my geek stamina is waning. Solution posted. – James Finch, Feb 10, 2017 at 13:41
1 Answer
Right, I got there in the end!
Using Apache 2.2.22
SSL Proxy Configuration
Install Apache2
sudo apt-get install apache2
Enable Apache2 Modules for Proxying & SSL
sudo a2enmod proxy
sudo a2enmod proxy_http
sudo a2enmod ssl
Create directory and SSL Cert
sudo mkdir /etc/apache2/ssl/
sudo openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/apache2/ssl/puppycam.key -out /etc/apache2/ssl/puppycam.crt
Configured as follows:
Country Name (2 letter code) [AU]:UK
State or Province Name (full name) [Some-State]:Berkshire
Locality Name (eg, city) []:Tilehurst
Organization Name (eg, company) [Internet Widgits Pty Ltd]:mysite
Organizational Unit Name (eg, section) []:
Common Name (e.g. server FQDN or YOUR name) []:puppycam.mysite.com
Email Address []:[email protected]
Create VirtualHost File for service:
sudo vim /etc/apache2/sites-available/001-SecureWebcam.conf
Contents:
<VirtualHost *:443>
    # Reverse proxy only: do not act as an open forward proxy
    ProxyRequests Off
    # Only needed for https:// backends; the Motion backend below is plain HTTP
    SSLProxyEngine On
    <Proxy *>
        Order deny,allow
        Allow from all
    </Proxy>
    # Pass every request to the Motion stream on the LAN
    ProxyPass / http://192.168.1.20:8081/
    #ProxyPassReverse / http://192.168.1.20:8081/
    <Location /proxy/>
        ProxyPassReverse /
        Order deny,allow
        Allow from all
    </Location>
    ServerAdmin webmaster@localhost
    ErrorLog ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/access.log combined
    # TLS is terminated here with the certificate and key created above
    SSLEngine on
    SSLCertificateFile /etc/apache2/ssl/puppycam.crt
    SSLCertificateKeyFile /etc/apache2/ssl/puppycam.key
    <FilesMatch "\.(cgi|shtml|phtml|php)$">
        SSLOptions +StdEnvVars
    </FilesMatch>
    <Directory /usr/lib/cgi-bin>
        SSLOptions +StdEnvVars
    </Directory>
    BrowserMatch "MSIE [2-6]" \
        nokeepalive ssl-unclean-shutdown \
        downgrade-1.0 force-response-1.0
    BrowserMatch "MSIE [17-9]" ssl-unclean-shutdown
</VirtualHost>
Enable Site
sudo ln -s /etc/apache2/sites-available/001-SecureWebcam.conf /etc/apache2/sites-enabled/001-SecureWebcam.conf
Restart Apache
sudo service apache2 restart
Test access to webcam from https://192.168.1.22 (internal address of Apache server)
Install & Configure Dynamic DNS (for Google Domains)
Accept all defaults - we will change later
sudo apt-get install ddclient
Edit the ddclient config
sudo vim /etc/ddclient.conf
Contents:
ssl=yes
protocol=googledomains
use=web
server=domains.google.com
login=thisisasecret
password='thisisalsoasecret'
puppycam.mysite.com
Security Configuration
Create a directory for the password file
sudo mkdir /etc/htpasswd/
Add a user to the password file
sudo htpasswd -c /etc/htpasswd/.htpasswd james
Edit the VirtualHost configuration to add authentication:
sudo vim /etc/apache2/sites-available/001-SecureWebcam.conf
Modify the <Proxy *> section as follows:
...
<Proxy *>
    AuthType Basic
    AuthName "Authentication Required"
    AuthUserFile "/etc/htpasswd/.htpasswd"
    Require valid-user
    Order deny,allow
    Allow from all
</Proxy>
...
Enable the appropriate authentication modules:
sudo a2enmod authn_file
sudo a2enmod auth_basic
Restart Apache2
sudo service apache2 restart
Mop Up Actions
- Perform network capture to be sure all traffic is secure (no plain text password)
- Configure Port Forwarding on router
- Test remote access
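
The private-CA route mentioned in the comments, as an added example (not code from the original question, comments or answer): it creates a CA, signs a server certificate for the proxy that carries a subjectAltName, and checks that the chain verifies. The hostname is the one used in the answer; the CA name, the output directory and the file names are assumptions.

```sh
#!/bin/sh
# Added example: private CA plus a CA-signed server certificate for the proxy.
# HOST, the CA name and all file names are assumptions; adjust to your own domain.
set -eu
HOST="${HOST:-puppycam.mysite.com}"

make_ca_and_cert() {
    dir="$1"; mkdir -p "$dir"
    # One config file: [v3_ca] for the CA itself, [server] for the leaf.
    # subjectAltName is what current browsers match the hostname against.
    cat > "$dir/openssl.cnf" <<EOF
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
CN = Puppycam Private CA
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[server]
basicConstraints = CA:FALSE
extendedKeyUsage = serverAuth
subjectAltName = DNS:$HOST
EOF
    # 1. CA key and self-signed CA certificate (ca.crt is what the browser imports).
    openssl req -x509 -nodes -newkey rsa:2048 -days 3650 -config "$dir/openssl.cnf" \
        -keyout "$dir/ca.key" -out "$dir/ca.crt" 2>/dev/null
    # 2. Server key and signing request for the proxy's hostname.
    openssl req -new -nodes -newkey rsa:2048 -config "$dir/openssl.cnf" \
        -subj "/CN=$HOST" -keyout "$dir/puppycam.key" -out "$dir/puppycam.csr" 2>/dev/null
    # 3. Sign the request with the CA, attaching the [server] extensions.
    openssl x509 -req -in "$dir/puppycam.csr" -days 365 -sha256 \
        -CA "$dir/ca.crt" -CAkey "$dir/ca.key" -CAcreateserial \
        -extfile "$dir/openssl.cnf" -extensions server \
        -out "$dir/puppycam.crt" 2>/dev/null
    chmod 600 "$dir/ca.key" "$dir/puppycam.key"   # private keys: owner only
}

# Succeeds only if the server cert chains to the CA and names HOST in its SAN.
check_cert() {
    openssl verify -CAfile "$1/ca.crt" "$1/puppycam.crt" >/dev/null 2>&1 || return 1
    openssl x509 -in "$1/puppycam.crt" -noout -text | grep -qF "DNS:$HOST"
}

out="$(mktemp -d)"
make_ca_and_cert "$out"
check_cert "$out" && echo "OK: certificate for $HOST written to $out"
```

Point SSLCertificateFile and SSLCertificateKeyFile in the VirtualHost at the generated puppycam.crt and puppycam.key, and import ca.crt into the browser; ca.key should stay off the internet-facing Pi.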