Foscam F19821W & Apache Reverse Proxy

Finding myself with a few redundant Foscam F19821W cameras in my possession I thought I'd set them up around the house.

Getting them working with the browser plugin was relatively painless and gave live view and everything you'd expect from the manufactures app.

The next logical step was to access to them from anywhere.  The cameras come with UPnP and a DDNS setup.  No, don't want that, I want control of what comes in and out.

The installed firmware only allowed H.264 streams. An update to 1.1.1.10 and running :

http://<camera_ip>:<port>/cgi-bin/CGIProxy.fcgi?usr=<user>&pwd=<password>&cmd=setSubStreamFormat&format=1

Which enables a MJPEG stream which you can consume using a browser or something like VLC:

http://<camera_ip>:<port>/cgi-bin/CGIStream.cgi?cmd=GetMJStream&usr=<user>&pwd=<password>

I now have a couple of options to make these available outside.

1. Port forwarding each Foscam port on my internet router. << Easy
2. Reverse proxy. << Not so easy

Of course I wanted the not so easy and a single place to control and distribute access.  I don't like the idea of exposing the cameras directly.

Reverse proxy consisted of using my goto device Raspberry Pi and Apache.  Took a while to get the config nailed.

I'm not going to go into the entire Apache setup but I chose to create a virtual host :

 <VirtualHost *:80>
 ServerAdmin 
 ServerName <host>.<domain>
 ProxyRequests Off
 ProxyVia Off
 RewriteEngine On
 
 <Proxy *>
  Order deny,allow
  Allow from all
 </Proxy>
 # Used for iFrames
 ProxyPass /foscam1/ http://<camera_ip>:<port>/
 ProxyPassReverse /foscam1/ http://<camera_ip>:<port>/

 DocumentRoot /var/www/foscam
 <Directory /var/www/foscam>
  Options Indexes FollowSymLinks MultiViews
  AllowOverride None
  Order allow,deny
  allow from all
 #Rules to rewrite camera urls
 RewriteEngine On
 RewriteRule ^cgi-bin/(.*)$ /camera1/cgi-bin/$1 [L]
 RewriteRule ^css/(.*)$ /camera1/css/$1 [L]
 RewriteRule ^images/(.*)$ /camera1/images/$1 [L]
 RewriteRule ^lg/(.*)$ /camera1/lg/$1 [L]
 </Directory>

# ScriptAlias /cgi-bin/ /usr/lib/cgi-bin/
# <Directory "/usr/lib/cgi-bin">
#  AllowOverride None
#  Options +ExecCGI -MultiViews +SymLinksIfOwnerMatch
#  Order allow,deny
#  Allow from all
# </Directory>
  
 ErrorLog ${APACHE_LOG_DIR}/home-error.log
 CustomLog ${APACHE_LOG_DIR}/home-access.log combined
</VirtualHost>

Hit your public IP with the /foscam1/ URI and it will redirect to your camera.  You can consume the MJPEG stream and get to the management app, but no live view due to the way Foscams plugin works with the cameras media port.

Alternatively build a simple html page with iFrames that Apache will serve each camera stream, which is what I did.  Its also a good idea to wrap some Apache authentication around this and if you have the option use DDNS to clean up the URL if your on a DHCP internet link.

I don't yet know if I'll leave it this way.  I doubt Foscam have a particularly robust security ethos and after this weeks amazing amount of hacks its only a matter of time before a vuln is found.  OpenVPN is next on the agenda so I may put all this behind that.

Display number of Apache connections

netstat -an |grep :80 |wc -l

I think I broke Google

A tweet from @MarkMaceSmith asking :

@paulmregan Why have you got hundreds of my images on your website Paul Regan?

Had me wondering what the hell !?

A quick look and he was right (kind of).. But not just his images, EVERYONES!

http://www.paulregan.co.uk/m/viewAlbum?uname=110372774069389594216&aid=5492124562868999953&start=0

Shows his gallery on my domain.  Note the the Picasa Mobile URL (/m/) which also gave me the answer.

I have masked the Picasa URL using an Apache rewriteRule on my site :

RewriteRule   ^m/(.*)   http://picasaweb.google.com/m/$1   [NC,P,L]

It appears the Google spiders came along and followed this all the way through Picasa's structure.  I don't know how deep but Google site:www.paulregan.co.uk/m/ currently returns >250K links and every one of them works!

I can probably fix this with robots.txt, but ..

• Should I?  
• Have I inadvertently discovered SEO gold? 
• Will I be struck off and sent to web-master jail/gaol? (I probably should be)

#twitter

A way/hack to use your own domain with Google Picasa

Assumes you already have :

a - domain
b - it being hosted somewhere with some space
c - access to create/edit .htaccess file.

Open up one of your galleries and we're looking for the part of the URL after google.com.

eg: http://picasaweb.google.com/paulregan73/GalleryName

In that URL paulregan73 is my Picasa user name and will remain on the new URL we'll create.

Now add the following to the .htaccess file, replace picasauser with your specific account name.

RewriteRule ^picasauser(.*) http://picasaweb.google.com/picasauser$1 [NC,P,L] #Rev proxy picasa
RewriteRule ^m(.*) http://picasaweb.google.com/m$1 [NC,P,L] #Rev proxy mobile picasa

The first rule means you can now hit the Picasa files using :

http://your_domain/picasauser/gallery

NB// Of course this only works for public galleries and not private/https - the google.com cert will fail for private.

eg: www.paulregan.co.uk/paulregan73/LondonPleasureGardensDocklands

The second rule takes care of mobile users. Google will redirect them to /m. Having this rule seems to take care of that.

EDIT : 24/8/2011 - Google seem to be switching the user id part of the URL from the name to a numerical representation of you google id.

https://picasaweb.google.com/102726977217362443519

So a new line in My .htaccess :

RewriteRule ^102726977217362443519(.*) http://picasaweb.google.com/102726977217362443519$1 [NC,P,L] #Rev proxy picasa url to paulregan.co.uk


It also looks like Google are redirecting all mobile access to https. So the ^m(.*) above still works if you specify the full mobile url, eg something like :
http://www.paulregan.co.uk/m/viewAlbum?uname=paulregan73&aid=5635917397624685905&start=0&fgl=true&pli=1

but when you use a regular link and hit it with a mobile client the https gets in the way and your dumped on the picasa login screen ... booooo. I'll keep playing with this but I don't see a way around it, which kind makes the whole thing worthless now. Maybe Google will let us use our own domains in the future, a-la blogger ..