Getting them working with the browser plugin was relatively painless and gave live view and everything you'd expect from the manufactures app.
The next logical step was to access to them from anywhere. The cameras come with UPnP and a DDNS setup. No, don't want that, I want control of what comes in and out.
The installed firmware only allowed H.264 streams. An update to 1.1.1.10 and running :
http://<camera_ip>:<port>/cgi-bin/CGIProxy.fcgi?usr=<user>&pwd=<password>&cmd=setSubStreamFormat&format=1Which enables a MJPEG stream which you can consume using a browser or something like VLC:
http://<camera_ip>:<port>/cgi-bin/CGIStream.cgi?cmd=GetMJStream&usr=<user>&pwd=<password>I now have a couple of options to make these available outside.
- Port forwarding each Foscam port on my internet router. << Easy
- Reverse proxy. << Not so easy
Of course I wanted the not so easy and a single place to control and distribute access. I don't like the idea of exposing the cameras directly.
Reverse proxy consisted of using my goto device Raspberry Pi and Apache. Took a while to get the config nailed.
I'm not going to go into the entire Apache setup but I chose to create a virtual host :
<VirtualHost *:80>
ServerAdmin
ServerName <host>.<domain>
ProxyRequests Off
ProxyVia Off
RewriteEngine On
<Proxy *>
Order deny,allow
Allow from all
</Proxy>
# Used for iFrames
ProxyPass /foscam1/ http://<camera_ip>:<port>/
ProxyPassReverse /foscam1/ http://<camera_ip>:<port>/
DocumentRoot /var/www/foscam
<Directory /var/www/foscam>
Options Indexes FollowSymLinks MultiViews
AllowOverride None
Order allow,deny
allow from all
#Rules to rewrite camera urls
RewriteEngine On
RewriteRule ^cgi-bin/(.*)$ /camera1/cgi-bin/$1 [L]
RewriteRule ^css/(.*)$ /camera1/css/$1 [L]
RewriteRule ^images/(.*)$ /camera1/images/$1 [L]
RewriteRule ^lg/(.*)$ /camera1/lg/$1 [L]
</Directory>
# ScriptAlias /cgi-bin/ /usr/lib/cgi-bin/
# <Directory "/usr/lib/cgi-bin">
# AllowOverride None
# Options +ExecCGI -MultiViews +SymLinksIfOwnerMatch
# Order allow,deny
# Allow from all
# </Directory>
ErrorLog ${APACHE_LOG_DIR}/home-error.log
CustomLog ${APACHE_LOG_DIR}/home-access.log combined
</VirtualHost>Hit your public IP with the /foscam1/ URI and it will redirect to your camera. You can consume the MJPEG stream and get to the management app, but no live view due to the way Foscams plugin works with the cameras media port.
Alternatively build a simple html page with iFrames that Apache will serve each camera stream, which is what I did. Its also a good idea to wrap some Apache authentication around this and if you have the option use DDNS to clean up the URL if your on a DHCP internet link.
I don't yet know if I'll leave it this way. I doubt Foscam have a particularly robust security ethos and after this weeks amazing amount of hacks its only a matter of time before a vuln is found. OpenVPN is next on the agenda so I may put all this behind that.
No comments:
Post a Comment