Secure Foscam Webcam with Audio Over https
Written by max on 2013-08-08
So you want to use a cheap IP camera as a baby cam, huh? A little shocked at how little security there is?
Especially after reading recent articles.
“Oh, wait! I can reverse proxy this using Apache!” you tell yourself. However, you soon learn that in doing so you lose audio capabilities.
Solution? Use stunnel instead of Apache to reverse proxy. Audio will still work over the Internet/4G using IP Cam Viewer for Android. Using an iPhone? Go ask Steve Jobs for advice.
You will need to set up stunnel on a machine running 24/7 on the same network as your camera. This machine will then be hooked up to your router so it’s accessible from the internet at large. If you do everything right, you will be exposing only the secure interface (https) to the world, not the camera’s default interface.
Apache Reverse Proxy
Lots of people have detailed how to reverse proxy your IP camera using Apache. This is great, and it works great, except for the audio functions. Because the audio is done in some proprietary way using an IP socket, and is not HTTP, Apache can’t properly encapsulate it for https. However, if you don’t care about audio, this is still a great way to go.
You need to fix your camera to an IP address. You have two options: (1) tell your router to always assign the same IP address to the camera using DHCP, or (2) use a static IP address when setting up the camera. Doing this is outside the scope of this document.
In the comments on bitsofinfo.wordpress.com, someone mentioned that stunnel would work. I first set it up and tried it with the app I had at the time, tinyCam Monitor Pro, but the audio would not work! The camera functions and video were working great though. I have since moved to IP Cam Viewer (above) as I mentioned.
I’m running Ubuntu, but you could be running any of Linux, OS X, or Windows and still be using stunnel. However, if you’re not running Linux I can’t help much.
This stunnel guide for Ubuntu helped me set it up.
Here is my stunnel.conf. Note that I’ve fixed my camera to the IP 192.168.0.170. Change this to match your network settings.
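    ; Drop privileges: run chrooted as the unprivileged stunnel4 user
    chroot = /var/lib/stunnel4/
    setuid = stunnel4
    setgid = stunnel4
    ; pid path is relative to the chroot directory
    pid = /stunnel4.pid
    ; Certificate presented to clients
    cert = /etc/stunnel/mail.pem
    options = NO_SSLv2
    options = SINGLE_ECDH_USE
    options = SINGLE_DH_USE

    ; Accept TLS on port 4445 and forward to the camera's web interface
    [cam]
    accept = 4445
    connect = 192.168.0.170:80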
Yup, that’s it.
    service stunnel4 restart
    tail /var/log/syslog
You will need to have your router point to your machine running stunnel. Setting this up is also outside the scope of this document. The port you chose in the step above (the accept port) is the port exposed to the outside world. Remember, the IP address you put in the router is that of the computer running stunnel, not the camera.
Set up your app to point to the IP address of your router and the port you set up. If you’re on a dynamic DNS and have a Bind server at your disposal, see my post about hosting your own dyndns.
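An added example, not part of the original post: a small Python audit of the stunnel.conf shown above. It reports which port to forward on the router (the accept port), which target must stay internal (the camera's connect address), and flags missing privilege-drop, certificate or NO_SSLv3 settings. The function names parse_stunnel_conf and audit are hypothetical, and flagging a missing NO_SSLv3 is this example's own choice, not something the post requires.

```python
import ipaddress

# Added example (not the author's code). The config below is the one from this page.
SAMPLE_CONF = """\
chroot = /var/lib/stunnel4/
setuid = stunnel4
setgid = stunnel4
pid = /stunnel4.pid
cert = /etc/stunnel/mail.pem
options = NO_SSLv2
options = SINGLE_ECDH_USE
options = SINGLE_DH_USE
[cam]
accept = 4445
connect = 192.168.0.170:80
"""

def parse_stunnel_conf(text):
    """Hypothetical helper: return (global_opts, services), each name -> list of values."""
    global_opts, services = {}, {}
    current = global_opts
    for line in map(str.strip, text.splitlines()):
        if line.startswith("[") and line.endswith("]"):   # start of a service section
            current = services.setdefault(line[1:-1], {})
        elif line and line[0] not in ";#":                # skip blanks and comments
            key, _, value = line.partition("=")
            current.setdefault(key.strip(), []).append(value.strip())
    return global_opts, services

def audit(text):
    """Hypothetical helper: return (findings, forward_ports, keep_internal)."""
    g, services = parse_stunnel_conf(text)
    required = ("chroot", "setuid", "setgid", "cert")
    findings = [f"global: {k} not set" for k in required if k not in g]
    forward, internal = [], []
    if "NO_SSLv3" not in g.get("options", []):
        findings.append("global: options lacks NO_SSLv3")
    for name, s in services.items():
        if "yes" in s.get("client", []):
            findings.append(f"[{name}]: client mode, accept side is not TLS")
        for target in s.get("connect", []):
            host = target.rpartition(":")[0] or "127.0.0.1"   # bare port means localhost
            try:
                if not ipaddress.ip_address(host).is_private:
                    findings.append(f"[{name}]: plaintext hop to {target} leaves the LAN")
            except ValueError:
                findings.append(f"[{name}]: {host} is a hostname, check it resolves inside the LAN")
            internal.append(target)                       # never port-forward this one
        forward += [int(a.rpartition(":")[2]) for a in s.get("accept", [])]
    return findings, forward, internal
```

For the config on this page, audit(SAMPLE_CONF) says to forward only port 4445 and to keep 192.168.0.170:80 off the router's forwarding table.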