Not long ago I purchased an IP camera for my home. A nice toy, I must say. I wanted to expose this camera for outside access. The issue is that the camera’s interface does not support SSL.
Because privacy is involved, the least I could do was add SSL somehow. I googled a bit and came across this article. I decided to use my Raspberry Pi for that.
The process itself is relatively easy, but I had to improvise a bit on top of the article above, so I decided to write a tutorial for it.
You can use this to add an SSL layer on top of any HTTP service you have.
So here we go:
- Install apache2 on your Raspberry Pi:
    sudo apt-get install apache2
- Enable the ssl, proxy and proxy_http modules:
    sudo a2enmod ssl
    sudo a2enmod proxy
    sudo a2enmod proxy_http
- Add a listener on port 10001 (you can use any port; this one is from the sample).
  I used the ports.conf file to add it. You can create a new configuration file for this if you like:
    NameVirtualHost *:10001
    Listen 10001
- Add the definitions for your camera’s reverse proxy (VirtualHost tag)
  A few notes:
  - The camera’s internal address and port in this example are 192.168.9.11:81
  - The logs are located in /var/log/apache2 – you can change this to any path you like
  - The certificates are self-signed; creating them is explained next
    <VirtualHost *:10001>
        ProxyRequests Off
        ProxyPreserveHost On
        ProxyVia On
        # Order/Allow are only valid inside a container such as <Proxy>
        <Proxy *>
            Order deny,allow
            Allow from all
        </Proxy>
        ProxyPass / http://192.168.9.11:81/
        ProxyPassReverse / http://192.168.9.11:81/
        CustomLog /var/log/apache2/access_cam1.log combined
        ErrorLog /var/log/apache2/error_cam1.log
        ServerName cam1
        SSLEngine On
        SSLCertificateFile /etc/apache2/mycrt.crt
        SSLCertificateKeyFile /etc/apache2/mycrt.key
        <FilesMatch "\.(cgi|shtml|phtml|php)$">
            SSLOptions +StdEnvVars
        </FilesMatch>
        BrowserMatch "MSIE [2-6]" \
            nokeepalive ssl-unclean-shutdown \
            downgrade-1.0 force-response-1.0
        # MSIE 7 and newer should be able to use keepalive
        BrowserMatch "MSIE [17-9]" ssl-unclean-shutdown
    </VirtualHost>
Now we need to create the certificate files. I used this guide to do it. It’s pretty straightforward. (In my example above I’ve called them “mycrt”.)
We’re almost good to go. If you created a passphrase for your certificate, you will notice that apache2 asks you to enter the passphrase every time it restarts.
This can be avoided, if you’d like.
- Create a shell script that echoes your passphrase (file: nopass.sh):
    #!/bin/bash
    echo your-password
- Add execute permissions to this script
- Edit ssl.conf and change the SSLPassPhraseDialog line:
    SSLPassPhraseDialog exec:/etc/apache2/nopass.sh
That’s it! Now you can restart Apache with:
    sudo service apache2 restart
Now try accessing your Raspberry Pi at https://<ip>:10001
You should see your webcam’s login interface over SSL.
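Before the port is opened to the outside, the setup above can be audited with a short script. This is an added example, not part of the original tutorial: the function names `is_private` and `audit_proxy` are hypothetical, and the paths you pass in are the ones you used in the steps above.

```shell
#!/bin/sh
# Added example: post-setup audit for the SSL reverse proxy described above.
# Usage (as root): sh audit.sh <your-vhost-file> /etc/apache2/mycrt.key /etc/apache2/nopass.sh

# Succeeds only if the file exists and grants no group/other permission bits.
is_private() {
    [ -f "$1" ] || return 1
    [ -z "$(find "$1" -prune \( -perm -040 -o -perm -020 -o -perm -010 \
        -o -perm -004 -o -perm -002 -o -perm -001 \) -print)" ]
}

# Prints one line per finding; the return code is the number of findings.
audit_proxy() {
    conf=$1 key=$2 pass_script=$3
    findings=0
    report() { echo "FINDING: $1"; findings=$((findings + 1)); }

    # ProxyRequests On would turn the Pi into an open forward proxy.
    grep -Eiq '^[[:space:]]*ProxyRequests[[:space:]]+Off' "$conf" ||
        report "ProxyRequests is not explicitly Off in $conf"

    # Without SSLEngine On the listener would serve the camera in clear text.
    grep -Eiq '^[[:space:]]*SSLEngine[[:space:]]+On' "$conf" ||
        report "SSLEngine is not On in $conf"

    # The private key must not be readable by other local users.
    is_private "$key" ||
        report "$key is missing or accessible by group/others"

    # nopass.sh holds the key passphrase in clear text; skip if not used.
    [ ! -e "$pass_script" ] || is_private "$pass_script" ||
        report "$pass_script is accessible by group/others"

    return "$findings"
}

# Run the audit only when the three paths are given on the command line.
if [ $# -eq 3 ]; then audit_proxy "$@"; fi
```

A mode of 600 on the key and 700 on nopass.sh, both owned by root, passes the permission checks; Apache reads them as root at startup.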
Feel free to port-forward from your router to your Raspberry Pi’s new SSL port in order to access your camera from the outside world.
I hope this guide is useful for you.