Using your Raspberry Pi as an SSL Proxy

Not long ago, I purchased an IP camera for my home. A nice toy, I must say. I wanted to expose this camera for outside access. The issue is that this camera's interface does not support SSL.

Well, because privacy is involved, the least I could do is add SSL somehow. I googled a bit and came across this article. I decided to use my Raspberry Pi for that.

The process itself is relatively easy, but I had to improvise on a few points from the article above. So I decided to make a tutorial for this.

You can use this to add an SSL layer on top of any HTTP service you have.

So here we go:

  1. Install apache2 on your raspberry pi:
    sudo apt-get install apache2
  2. Enable ssl, proxy and proxy_http modules:
    sudo a2enmod ssl
    sudo a2enmod proxy
    sudo a2enmod proxy_http
  3. Add a listener on port 10001 (you can use any port; this one is from the sample):
    I used the ports.conf file to add it. You can create a new configuration file for this if you like.
    NameVirtualHost *:10001
    
    Listen 10001
  4. Add the definitions for your camera's reverse proxy (VirtualHost tag)

    A few notes:

  • The camera's internal address and port in this example are 192.168.9.11:81
  • The logs are located in /var/log/apache2 - you can change this to any path you like
  • The certificate is self-signed. This is explained next
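<VirtualHost *:10001>
 # Reverse proxy only: never act as a forward proxy
 ProxyRequests Off
 ProxyPreserveHost On
 ProxyVia On

 # Apache 2.2 access syntax; on Apache 2.4 the equivalent is "Require all granted"
 <Proxy *>
  Order deny,allow
  Allow from all
 </Proxy>

 # Forward everything to the camera's plain-HTTP interface
 ProxyPass / http://192.168.9.11:81/
 ProxyPassReverse / http://192.168.9.11:81/
 CustomLog /var/log/apache2/access_cam1.log combined
 ErrorLog /var/log/apache2/error_cam1.log
 ServerName cam1

 # TLS terminates here, using the self-signed certificate and key
 SSLEngine On
 SSLCertificateFile /etc/apache2/mycrt.crt
 SSLCertificateKeyFile /etc/apache2/mycrt.key

 # These two sections are as in Debian's stock default-ssl site
 <FilesMatch "\.(cgi|shtml|phtml|php)$">
  SSLOptions +StdEnvVars
 </FilesMatch>
 <Directory /usr/lib/cgi-bin>
  SSLOptions +StdEnvVars
 </Directory>

 BrowserMatch "MSIE [2-6]" \
 nokeepalive ssl-unclean-shutdown \
 downgrade-1.0 force-response-1.0
 # MSIE 7 and newer should be able to use keepalive
 BrowserMatch "MSIE [17-9]" ssl-unclean-shutdown
</VirtualHost>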

Now we need to create the certificate files. I used this guide in order to do it. It's pretty straightforward. (In my example above I've called them "mycrt".)

We're almost good to go. If you set a passphrase on your certificate's key, you will notice that every time you restart apache2 it asks you to enter that passphrase.

This can be avoided, if you'd like.

  • Create a shell script that echoes your passphrase:
    file: nopass.sh
    #!/bin/bash
     echo your-password
  • Add execute permissions to this script
  • Edit ssl.conf, and change the SSLPassPhraseDialog line
    SSLPassPhraseDialog exec:/etc/apache2/nopass.sh
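
Before restarting, the settings from the steps above can be checked with a short script. This is an added example, not part of the original tutorial: the function names are made up for illustration, and `stat -c` assumes GNU coreutils as found on Raspberry Pi OS. It checks that the section tags in the VirtualHost file are balanced, that the proxy is not switched to forward mode, that SSL is on, and that the key and the passphrase script (which holds the passphrase in clear text) are not accessible to group or other.

```bash
#!/bin/bash
# Added example, not from the original tutorial. Function names are illustrative.
# Usage: sudo ./check.sh VHOST_CONF /etc/apache2/mycrt.key /etc/apache2/nopass.sh

# 0 if group and other have no permissions on the file (e.g. mode 600 or 700).
is_private() {
    local mode
    mode=$(stat -c '%a' "$1" 2>/dev/null) || return 2   # file is missing
    [ $(( 0$mode & 077 )) -eq 0 ]
}

# 0 if the file has an uncommented "<directive> <value>" line (case-insensitive).
has_directive() {
    grep -Eiq "^[[:space:]]*$2[[:space:]]+$3[[:space:]]*\$" "$1"
}

# 0 if every <Section ...> is closed by the matching </Section>, in order.
sections_balanced() {
    awk '
        /^[ \t]*#/ { next }
        /^[ \t]*<\// {
            name = $1; sub(/^<\//, "", name); sub(/>.*$/, "", name)
            if (n == 0 || stack[n] != tolower(name)) bad = 1; else n--
            next
        }
        /^[ \t]*</ {
            name = $1; sub(/^</, "", name); sub(/>.*$/, "", name)
            stack[++n] = tolower(name)
        }
        END { exit (bad || n != 0) }
    ' "$1"
}

# Run all checks; print one line per problem and return non-zero if any failed.
audit_proxy() {   # audit_proxy VHOST_CONF KEY_FILE [PASSPHRASE_SCRIPT]
    local rc=0 f
    sections_balanced "$1" || { echo "FAIL: unbalanced section tags in $1"; rc=1; }
    if has_directive "$1" ProxyRequests On; then
        echo "FAIL: ProxyRequests On turns the host into an open forward proxy"; rc=1
    fi
    has_directive "$1" SSLEngine On || { echo "FAIL: SSLEngine is not On in $1"; rc=1; }
    for f in "$2" ${3:+"$3"}; do
        is_private "$f" || { echo "FAIL: $f is missing or accessible to group/other"; rc=1; }
    done
    return $rc
}

if [ "$#" -ge 2 ]; then audit_proxy "$@"; fi
```

A failure on the key or on nopass.sh is fixed with `sudo chown root:root` and `sudo chmod 600` (key) or `sudo chmod 700` (script); Apache reads both as root at startup.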

That's it! Now you can restart Apache with

sudo service apache2 restart

Now try accessing your Raspberry Pi at https://<ip>:10001

You should see your webcam's login interface over SSL.

Feel free to port-forward from your router to your Raspberry Pi's new SSL port in order to access your camera from the outside world.

I hope this guide is useful for you.
