@dinosauriecito wrote:
Hi, I have an IP camera “TP-Link NC450” which has a weak SSL for the admin page (port 8092 with cipher AES128-SHA) but no SSL for the video streaming (port 8080 is plain http).
I am using Haproxy on a Raspberry pi in order to harden the admin page with a stronger SSL cipher and add SSL to the video streaming.
From the admin page you have the option to open the video streaming by clicking a button which opens a new tab with the video streaming.
So far, I have successfully added a stronger protection to the admin page and SSL to the video streaming page.
The issue I am facing is that if I try to open the video streaming from the admin page, the tab that is opened is the camera IP and not the one that goes through haproxy.
Here is a screenshot of the admin page with the button “Live View”:
This is the tab I get when opening it:
Without haproxy, this is the Chinese camera working like this:
https://192.168.0.155:8092/index.html opens a tab to: http://192.168.0.155/live_view.html
Now, with haproxy configuration, I expect to see:
https://192.168.0.113:8092 opens a tab to: https://192.168.0.113:8080/live_view.html
And instead I get:
https://192.168.0.113:8092 opens a tab to: http://192.168.0.155/live_view.html
I guess a solution would be to force Haproxy to change what is served by the backend on port 8092 with references to its local IP to the one that I am connected to:
For example:
If I am on the admin page (https://192.168.0.113:8092) then change all served content with references to http://192.168.0.155/whatever to http://192.168.0.113/whatever
If I am using a DNS (https://camera.duckdns.org:8092) then change all served content with references to http://192.168.0.155/whatever to http://camera.duckdns.org/whatever

I am not sure if this is the right path nor where to start and would really appreciate if anyone can give me any hint or suggestion or Documentation section to read.
My Haproxy is running on a raspberry pi 3B+ and is:
    root@raspberrypi /var/log # haproxy -vv
    HA-Proxy version 1.8.19-1+rpi1 2019/03/14

And here is my actual Haproxy configuration for this camera:

    frontend tplink_in_8080
        bind-process 2-3
        bind :8080 tfo ssl crt /etc/ssl/certs_self process 2 curves X25519:P-256:secp384r1
        bind abns@haproxy-clt3 accept-proxy tfo ssl crt /etc/ssl/certs_self process 3 curves X25519:P-256:secp384r1
        mode tcp
        #option tcplog
        option tcp-smart-accept
        default_backend tplink_dest_8080

    backend tplink_dest_8080
        mode tcp
        option tcp-smart-connect
        server ipcam 192.168.0.155:8080 check fall 5 rise 2 maxconn 50

    frontend tplink_in_8092
        bind-process 2-3
        bind :8092 tfo ssl crt /etc/ssl/certs_self process 2 alpn h2,http/1.1 curves X25519:P-256:secp384r1
        bind abns@haproxy-clt5 accept-proxy tfo ssl crt /etc/ssl/certs_self process 3 alpn h2,http/1.1 curves X25519:P-256:secp384r1
        mode http
        option forwardfor
        compression algo gzip
        http-request redirect scheme https code 301 if !{ ssl_fc }
        http-request redirect scheme https unless { ssl_fc }
        http-request add-header X-Forwarded-Proto https
        # set-header takes the header name without a trailing colon
        http-response set-header X-Frame-Options DENY
        http-response set-header X-Content-Type-Options nosniff
        http-response set-header Strict-Transport-Security max-age=31536000;includeSubDomains;preload
        http-response set-header X-XSS-Protection 1;mode=block
        http-response set-header Referrer-Policy no-referrer-when-downgrade
        # HSTS (15768000 seconds = 6 months)
        # set-header replaces the Strict-Transport-Security value set above, so this one is sent
        http-response set-header Strict-Transport-Security max-age=15768000
        #http-request set-header X-Client-IP %[req.hdr_ip(X-Forwarded-For)]
        default_backend tplink_dest_8092

    backend tplink_dest_8092
        mode http
        option forwardfor
        option http-keep-alive
        compression algo gzip
        #option http-server-close
        option http-keep-alive
        http-request set-header X-Forwarded-Port %[dst_port]
        http-request add-header X-Forwarded-Proto https if { ssl_fc }
        cookie SSIONID prefix indirect nocache
        # the camera only offers AES128-SHA, so the proxy-to-camera leg keeps that cipher
        server ipcam 192.168.0.155:8092 maxconn 50 cookie SSIONID ssl verify none ciphers AES128-SHA
Thanks in advance!
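The rewrite proposed in the post, as an added Python example (not the poster's code and not HAProxy configuration): it replaces absolute references to the camera address with the host name the client used, and checks the client-supplied Host header against an allow-list before copying it into served content. The sample response is constructed, and the function names, the allow-list and the https/8080 target are assumptions built from the addresses in the post.

```python
import re
from urllib.parse import urlsplit

BACKEND_IP = "192.168.0.155"                              # camera address, from the post
ALLOWED_HOSTS = {"192.168.0.113", "camera.duckdns.org"}   # proxy names, from the post

# Constructed sample response; the camera's real markup is not shown in the post.
SAMPLE_HEADERS = {"Location": "http://192.168.0.155/live_view.html",
                  "Content-Type": "text/html"}
SAMPLE_BODY = ('<a href="http://192.168.0.155/live_view.html">Live View</a>\n'
               '<img src="/images/logo.png">\n'
               '<!-- unrelated host: http://192.168.0.1550/x -->\n')


def public_host(host_header):
    """Hostname the client used, taken from Host and checked against an allow-list."""
    name = urlsplit("//" + host_header).hostname
    if name not in ALLOWED_HOSTS:
        # Host is client-controlled; never copy an unknown value into served content.
        raise ValueError(f"unexpected Host header: {host_header!r}")
    return name


def rewrite_refs(text, host_header, scheme="https", port=8080):
    """Replace absolute URLs that point at the camera; return (new_text, count)."""
    pattern = re.compile(r"https?://" + re.escape(BACKEND_IP) +
                         r"(?::\d+)?(?=[/?#\"'\s<]|$)")
    return pattern.subn(f"{scheme}://{public_host(host_header)}:{port}", text)


def rewrite_response(headers, body, host_header):
    """Rewrite Location and the body; report where the camera address appeared."""
    found = {}
    new_headers = dict(headers)
    if "Location" in headers:
        new_headers["Location"], found["Location"] = rewrite_refs(
            headers["Location"], host_header)
    new_body, found["body"] = rewrite_refs(body, host_header)
    return new_headers, new_body, found


if __name__ == "__main__":
    hdrs, body, found = rewrite_response(SAMPLE_HEADERS, SAMPLE_BODY,
                                         "camera.duckdns.org:8092")
    print(found)
    print(hdrs["Location"])
    print(body)
```

The `found` counts show whether the camera address appears in a header, in the body, or in both, which tells you which part of the response needs rewriting.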