silvanmelchior / RPi_Cam_Web_Interface

A web interface for the RPi Cam
MIT License

HTTPS/SSL Support #311

Open jksinton opened 7 years ago

jksinton commented 7 years ago

I've customized my Apache configuration to use SSL with the RPi Cam Web Interface. Can we add this option?

roberttidey commented 7 years ago

Can you post details of exactly what you did and I'll check out if this can be added to install. The guide here seems to be the necessary steps; is that what you did? https://debian-administration.org/article/349/Setting_up_an_SSL_server_with_Apache2

One of the issues will be the certificate. Did you use a self-signed one, e.g. generated by apache2?

jksinton commented 7 years ago

Hey Robert:

Apologies for the slow reply.

Yeah I configured Apache with similar steps discussed in that tutorial as well as these:

https://www.digitalocean.com/community/tutorials/how-to-create-a-ssl-certificate-on-apache-for-ubuntu-12-04

https://hallard.me/enable-ssl-for-apache-server-in-5-minutes/

I'm using self-signed certificates. I don't think there would be an easy way to script an installation that supports "trusted" certificates.

I'm only listening on port 443. This might be optional, but in my case I don't mind only allowing traffic on the SSL port. ports.conf:

```apache
# If you just change the port or add more ports here, you will likely also
# have to change the VirtualHost statement in
# /etc/apache2/sites-enabled/000-default.conf

#Listen 80

<IfModule ssl_module>
        Listen 443
</IfModule>

<IfModule mod_gnutls.c>
        Listen 443
</IfModule>
```

Then I edited the default-ssl.conf to include what seemed to be important from raspicam.conf:

```apache
<IfModule mod_ssl.c>
        <VirtualHost _default_:443>
                ServerAdmin <myemail>

                DocumentRoot /var/www
                <Directory /var/www/cam>
                        Options Indexes FollowSymLinks MultiViews
                        AllowOverride All
                        Order allow,deny
                        Allow from all
                </Directory>
                ScriptAlias /cgi-bin/ /usr/lib/cgi-bin/
                <Directory "/usr/lib/cgi-bin">
                        AllowOverride All
                        Options +ExecCGI -MultiViews +SymLinksIfOwnerMatch
                        Order allow,deny
                        Allow from all
                </Directory>
...

                ErrorLog ${APACHE_LOG_DIR}/error.log
                CustomLog ${APACHE_LOG_DIR}/access.log combined
                SetEnvIf Request_URI "/cam_pic.php$|/status_mjpeg.php$" dontlog
                CustomLog ${APACHE_LOG_DIR}/access.log common env=!dontlog
...
                SSLCertificateFile      /etc/apache2/ssl/apache.crt
                SSLCertificateKeyFile /etc/apache2/ssl/apache.key
...

        </VirtualHost>
</IfModule>
```

I'm not sure how Apache is handling that double call to CustomLog for access.log.

Finally, I enabled default-ssl as a site on Apache and disabled raspicam.
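An added example, not part of the original comment or the project's code: a small Python check of the HTTPS-only setup described above. It confirms that only port 443 is listening and that the certificate directives are present, and it flags the doubled `CustomLog`, because Apache treats each `CustomLog` line as an independent log, so the unconditional line still records the requests that `env=!dontlog` is meant to skip. The sample text is constructed from the lines quoted in the comment, and the names `directives` and `audit` are hypothetical.

```python
# Constructed sample input, modelled on the two files quoted in the comment above.
PORTS_CONF = """\
#Listen 80
<IfModule ssl_module>
        Listen 443
</IfModule>
"""

VHOST_CONF = """\
<VirtualHost _default_:443>
        CustomLog ${APACHE_LOG_DIR}/access.log combined
        SetEnvIf Request_URI "/cam_pic.php$|/status_mjpeg.php$" dontlog
        CustomLog ${APACHE_LOG_DIR}/access.log common env=!dontlog
        SSLCertificateFile      /etc/apache2/ssl/apache.crt
        SSLCertificateKeyFile /etc/apache2/ssl/apache.key
</VirtualHost>
"""

def directives(text):
    """Yield (name, [args]) for active directives; skip comments and <Section> tags."""
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(("#", "<")):
            continue
        name, *args = line.split()
        yield name.lower(), args

def audit(ports_conf, vhost_conf):
    """Return a list of findings for an HTTPS-only Apache setup (hypothetical helper)."""
    findings = []
    # "Listen" accepts "443", "0.0.0.0:443" or "[::]:443"; keep only the port part.
    ports = {a[0].rsplit(":", 1)[-1] for n, a in directives(ports_conf) if n == "listen" and a}
    if "443" not in ports:
        findings.append("no Listen 443")
    for p in sorted(ports - {"443"}):
        findings.append(f"extra listener on port {p}")
    vhost = list(directives(vhost_conf))
    present = {n for n, _ in vhost}
    for needed in ("sslcertificatefile", "sslcertificatekeyfile"):
        if needed not in present:
            findings.append(f"missing {needed}")
    # Every CustomLog line writes independently, so an unconditional one still
    # records the requests that a conditional one (env=...) filters out.
    logs = [a for n, a in vhost if n == "customlog" and a]
    unconditional = {a[0] for a in logs if not any(x.startswith("env=") for x in a)}
    for a in logs:
        if a[0] in unconditional and any(x.startswith("env=") for x in a):
            findings.append(f"env= filter on {a[0]} is bypassed by an unconditional CustomLog")
    return findings
```

On the sample above, `audit(PORTS_CONF, VHOST_CONF)` returns a single finding, for the `access.log` filter; dropping the unconditional `combined` line clears it.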

wawanUnic commented 2 months ago

Has anyone tried using Caddy for protection?

(https://caddyserver.com/docs/automatic-https)

nano /etc/caddy/Caddyfile:

```
myWriteIP.com {
	reverse_proxy 127.0.0.1:81
}
```

roberttidey commented 2 months ago

I have not tried using Caddy.

In principle, one should be able to make it work but the install would have to be done manually.

It might be easiest to do a basic install say with Apache first as this would get the basic files and support infrastructure in place.

Then one would need to install Caddy with php support and configure that to use the site files under /var/www.

The apache server could then be disabled / removed.