James L.

Reputation: 14535

Using SSL/HTTPS with Motion Video Streaming

Is it possible to create a secure connection using motion? I have embedded my motion stream on an HTML page using Apache, but it will not display as it is an insecure iframe on a secure page. I can view the motion stream at

http://example.com:<Motion-Port>

but the embedded video at

https://example.com

will not display.

iFrame code:

<iframe src="http://example.com:<Motion-Port>" width="1300" height="740"></iframe>

Upvotes: 1

Views: 3698

Answers (3)

Praetorian

Reputation: 119

Motion is still actively maintained here (last commit 25 days ago), and I had a similar problem.

Motion allows us to use HTTPS with the following settings:

# for web UI
webcontrol_tls   on
webcontrol_cert  /full/path/to/motion.crt
webcontrol_key   /full/path/to/motion.key

# only for streams
# requires webcontrol_cert & webcontrol_key
stream_tls       on

For local needs you can use it with a self-signed certificate, as I did:

sudo apt -y install openssl
sudo openssl req -x509 -nodes -days 365 -newkey rsa:2048 -out motion.crt -keyout motion.key
# hand ownership of both files to the motion user (chown, not chmod, takes user:group)
sudo chown motion:motion motion.crt
sudo chown motion:motion motion.key

Then edit motion.conf as described above and restart it. Note: Motion will serve HTTPS only.
Hope it would help someone.

Upvotes: 3
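An added example, not part of the answer above or of Motion itself: a small linter that reads motion.conf text and reports when the TLS options from that answer are inconsistent (a TLS flag turned on without webcontrol_cert/webcontrol_key, or a listener left on plain HTTP). The function names and sample configs are constructed for illustration, and treating a relative path as a finding is an assumption that follows the answer's use of full paths.

```python
import os
import stat

TLS_FLAGS = ("webcontrol_tls", "stream_tls")
CERT_OPTS = ("webcontrol_cert", "webcontrol_key")

def parse_motion_conf(text):
    """Parse 'option value' lines; lines starting with '#' or ';' are comments."""
    opts = {}
    for raw in text.splitlines():
        parts = raw.strip().split(None, 1)
        if not parts or parts[0][0] in "#;":
            continue
        opts[parts[0]] = parts[1].strip() if len(parts) > 1 else ""
    return opts

def check_tls(text):
    """Return a list of findings; an empty list means the TLS options agree."""
    opts = parse_motion_conf(text)
    findings = []
    enabled = [f for f in TLS_FLAGS if opts.get(f, "off").lower() == "on"]
    for flag in TLS_FLAGS:
        if flag not in enabled:
            findings.append(f"{flag} is not on: that listener has no TLS")
    for opt in CERT_OPTS:
        path = opts.get(opt, "")
        if not path:
            if enabled:
                findings.append(f"{opt} is missing but required by {', '.join(enabled)}")
        elif not os.path.isabs(path):
            findings.append(f"{opt} is not a full path: {path}")
        elif opt == "webcontrol_key" and os.path.exists(path):
            # Only checked when the key file is present on this machine.
            if stat.S_IMODE(os.stat(path).st_mode) & 0o077:
                findings.append(f"{opt} is accessible beyond its owner: {path}")
    return findings

# Constructed sample inputs (the first mirrors the settings in the answer).
GOOD_CONF = """# for web UI
webcontrol_tls   on
webcontrol_cert  /full/path/to/motion.crt
webcontrol_key   /full/path/to/motion.key
stream_tls       on
"""
BAD_CONF = """; constructed: stream TLS requested, cert never configured
stream_tls on
webcontrol_key motion.key
"""

if __name__ == "__main__":
    for name, conf in (("good", GOOD_CONF), ("bad", BAD_CONF)):
        print(name, check_tls(conf) or "OK")
```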

Vizzyy

Reputation: 540

Yessir -- You can totally do this -- but you cannot do it with motion alone. Motion only does minimal auth. Essentially, it boils down to you need something to proxy the http stream, and wrap it in ssl.

Within node there is a somewhat dated package called mjpeg-proxy, which you can use as a middleware. https://github.com/vizzyy-org/mothership/blob/master/routes/cam.js#L27

Within java, you can do the same thing: make a call to your webserver which makes a call to the motion stream and then wraps the whole thing within an ssl connection back to the client. https://github.com/vizzyy-org/spring_react/blob/master/src/main/java/vizzyy/controller/VideoController.java#L54

Lastly, you can accomplish this with nginx or apache2. In apache, it's just as simple as setting up mutual auth and then proxy to the stream. Here's my apache config for 2-way ssl wrapping my stream

<VirtualHost *:443>
  ServerAdmin somehost

  SSLEngine on
  SSLProtocol -all +TLSv1.2 +TLSv1.3
  SSLHonorCipherOrder on
  SSLCipherSuite      ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AE$
  SSLCompression      off
  SSLSessionTickets   off
  SSLCertificateFile server-cert.pem
  SSLCertificateKeyFile server-key.pem
  SSLVerifyClient require
  SSLCACertificateFile "ca-bundle-client.crt"

  ProxyPass "/video" "http://stream.local:9002"
  ProxyPassReverse "/video" "http://stream.local:9002"

</VirtualHost>

It is important to note that all three of the above options must occur within your LAN/VPC/Locally, as otherwise you are exposing your stream. You gotta proxy it within your trusted network, and then expose the wrapped stream to the outside net.

Upvotes: -1

James L.

Reputation: 14535

The answer is to not use motion. It hasn't been updated in 3 years! Use ZoneMinder or iSpy instead.

I wish I had checked this before stubbornly pushing through Motion.

Upvotes: 2
