Jan 13

Using your Raspberry Pi as an SSL Proxy

Not long ago, I have purchased an IP camera for my home. A nice toy I must say. I wanted to expose this camera for outside access. The issue is that this camera's interface does not support SSL.

Well because privacy is involved, the least I could do is add SSL somehow. I googled a bit and came across this article. I decided to use my raspberry pi for that.

The process itself is relatively easy but I had to do some improvisations over the article above. So I decided to make a tutorial for this.

You can use this to add SSL layer on top of every http you have.

So here we go:

  1. Install apache2 on your raspberry pi:
    sudo apt-get install apache2
  2. Enable ssl, proxy and proxy_http modules:
    sudo a2enmod ssl
    sudo a2enmod proxy
    sudo a2enmod proxy_http
  3. Add listener to port 10001 (You can use any port, this is from the sample)
    I have used ports.conf file to add it. You can create a new configuration file for this if you like
    NameVirtualHost *:10001
    Listen 10001
  4. Add definitions for you camera's reverse proxy (VirtualHost tag)

    Few notes:

  • The camera's internal address and port in this example is
  • The logs are located in /var/log/apache2 - you can change it to a path you desire
  • The certificate are self signed. It is explained next
<VirtualHost *:10001>
 ProxyRequests Off
 ProxyPreserveHost On
 ProxyVia On

 Order deny,allow
 Allow from all

 ProxyPass /
 ProxyPassReverse /
 CustomLog /var/log/apache2/access_cam1.log combined
 ErrorLog /var/log/apache2/error_cam1.log
 ServerName cam1

 SSLEngine On
 SSLCertificateFile /etc/apache2/mycrt.crt
 SSLCertificateKeyFile /etc/apache2/mycrt.key

 <FilesMatch "\.(cgi|shtml|phtml|php)$">
 SSLOptions +StdEnvVars

 SSLOptions +StdEnvVars

 BrowserMatch "MSIE [2-6]" \
 nokeepalive ssl-unclean-shutdown \
 downgrade-1.0 force-response-1.0
 # MSIE 7 and newer should be able to use keepalive
 BrowserMatch "MSIE [17-9]" ssl-unclean-shutdown

Now we need to create certificate files. I used this guide in order to do it. It's pretty straight forward (In my example above I've called them "mycrt")

We're almost good to go. In case you created a passphrase for you certificate, you will notice that as you restart your apache2 it will require you to enter your passphrase.

This can be avoided, if you'd like.

  • Create a shell script that echoes your passphrase:
    file: nopass.sh
     echo your-password
  • Add execute permissions to this script
  • Edit ssl.conf, and change the SSLPassPhraseDialog line
    SSLPassPhraseDialog exec:/etc/apache2/nopass.sh

That's it! Now you can restart your apahce with

sudo service apahce2 restart

Now try accessing your raspberry pi with https://<ip>:10001

You should see your webcam's login interface with SSL

Feel free to port-forward from your router to your raspberry pi's new SSL port in order to access your camera from the outer world

I hope this guide is useful for you.

  • zaliis

    wow great minds think alike. I am doing exactly the same thing with a Raspberry PI with 2 IP cameras but used nginx instead of Apache. I still have to setup my SSL so thanks for that information. I also had to install/configure ddclient because my domain name is a free one from dnsdynamic.com. My reverse proxy setup is as follows:

    location /cameraup/ {
    proxy_redirect off;
    proxy_set_header Host $host:$server_port;
    proxy_set_header X-Real-IP $remote_addr;
    location /cameradown/ {
    proxy_redirect off;
    proxy_set_header Host $host:$server_port;
    proxy_set_header X-Real-IP $remote_addr;

  • alfred

    linux noobie here, thank you very much for your example. it helped me a great deal setting up the ssl proxy. hopefully this comment will help out other newbies looking to set up their working ssl proxy

    there seems to be a few mistakes/more advice? (please correct or clarify, i am new to this stuff)

    1) Where do you put the Virtualhost......./Virtualhost file?

    not the ports.conf file. the /etc/apache2/sites-available/default-ssl file
    i commented out all the previous and inserted Arnon's example up above. don't forget to move down. i did this as i had no use for 443 (most likely broke it)

    2) errors about expecting /FilesMatch instead of /VirtualHost

    you missed "" inserted before "BrowserMatch". i am unsure if you need "SSLOptions +StdEnvVars" twice

    3) the link you provided did not create a working SSL key for me

    instead i just generated a .crt key using command
    sudo openssl req $@ -new -x509 -days 365 -nodes -out /etc/apache2/mycrt.crt -keyout /etc/apache2/mycrt.crt
    (obtained partly from http://www.debianadmin.com/install-and-configure-apache2-with-php5-and-ssl-support-in-debian-etch.html)
    i also commented out "SSLCertificateKeyFile /etc/apache2/myrt.key" as it i did not make it. i believe if you self-sign using the SSL key link provided you can still leave this here.

    4) i still couldn't get the ssl link to establish at some point so i ran "sudo a2ensite default-ssl" at some point. this may or may not have fixed some issues. note that there is a new file "default-ssl" that appears in /etc/apache2/sites-enabled

    5) error about order

    i just commented out "order deny,allow" and "allow from all" as they appeared to cause problems for me. can someone tell me if this compromises the SSL security?

    once again thanks for the guide. i hope this helps point some people in the right direction. let me know if there are flaws in my logic/instructions (please do, especially if it defeats the purpose of this tutorial)

  • alfred

    *edit: "" in before ""BrowserMatch"

  • alfred

    **edit: " " in before "BrowserMatch" wow html fail?

  • alfred

    ***edit: " /FilesMatch " in before "BrowserMatch" (put around filesmatch)