HTTPS (remotely)

Forum for questions and support relating to the 1.26.x releases only.
RoughRyder01
Posts: 5
Joined: Sat Mar 22, 2014 3:37 pm

Post by RoughRyder01 »

Hi everyone,

I exercised some diligence and searched around, could not find a solution, so I hope you can help.

Thanks to the excellent guide below, I managed to set up ZoneMinder on Ubuntu 12.0.4 Desktop:
> http://www.zoneminder.com/wiki/index.ph ... e_easy_way

My problem is now with HTTPS (remotely):

Yes, I can access ZoneMinder via HTTPS on the localhost [ https://localhost:port/zm ] without a problem.

However, when I portforward via my router and try to access https://myipaddress:portforward/zm from a remote location, the URL fails. However, I can access with no HTTPS such as http://myipaddress:portforward/zm

I would appreciate any help and advice.
mikb
Posts: 604
Joined: Mon Mar 25, 2013 12:34 pm

Re: HTTPS (remotely)

Post by mikb »

RoughRyder01 wrote: I would appreciate any help and advice
Dumb question: Have you forwarded ports 80 (HTTP) and 443 (HTTPS)?
RoughRyder01
Posts: 5
Joined: Sat Mar 22, 2014 3:37 pm

Re: HTTPS (remotely)

Post by RoughRyder01 »

mikb wrote:
RoughRyder01 wrote: I would appreciate any help and advice
Dumb question: Have you forwarded ports 80 (HTTP) and 443 (HTTPS)?
This is not a dumb question at all mikb, thanks for your response. I'm glad that I am getting some guidance.

The answer is no, I haven't used 443 at all. I'm actually a newbie with all this and was not aware of 443.

Can you please point me to a walk-through as to how to set this (i.e., forward on port 443)? Is it done through the Ubuntu terminal, router or ZM UI? I searched around but could not find a relevant guide, at least with respect to ZoneMinder.
mikb
Posts: 604
Joined: Mon Mar 25, 2013 12:34 pm

Re: HTTPS (remotely)

Post by mikb »

RoughRyder01 wrote: This is not a dumb question at all mikb, thanks for your response. I'm glad that I am getting some guidance.

The answer is no, I haven't used 443 at all. I'm actually a newbie with all this and was not aware of 443.
Port 443 is used for HTTPS protocol separately to port 80 for HTTP, so that could be where you are getting lost.

You would do it on your router -- if that's where your "access control" lives.

You said "when I portforward via my router" -- so you must have gone in there and added a rule to say that external connections arriving at the router's WAN side address (outside), port 80, should be forwarded to your Zoneminder's IP address (inside), port 80. That's how you can access ZM from the outside world, without that, you'd not see anything.

It sounds like you need a second rule to say the same, but forwarding 443 WAN to 443 LAN side. Then try again ...

I haven't got my ZM set up to use https, so attempts to use https://mymachine ... fail internally anyway :)
RoughRyder01
Posts: 5
Joined: Sat Mar 22, 2014 3:37 pm

Re: HTTPS (remotely)

Post by RoughRyder01 »

mikb wrote: Port 443 is used for HTTPS protocol separately to port 80 for HTTP, so that could be where you are getting lost.

You would do it on your router -- if that's where your "access control" lives.

You said "when I portforward via my router" -- so you must have gone in there and added a rule to say that external connections arriving at the router's WAN side address (outside), port 80, should be forwarded to your Zoneminder's IP address (inside), port 80. That's how you can access ZM from the outside world, without that, you'd not see anything.

It sounds like you need a second rule to say the same, but forwarding 443 WAN to 443 LAN side. Then try again ...

I haven't got my ZM set up to use https, so attempts to use https://mymachine ... fail internally anyway :)

mikb, thanks so much for the explanation! I'm still learning here (I am a newbie) and I was unaware that 443 is assigned to HTTPS. Thanks so much for your help!

So I can access https://localhost:443/zm and in my router settings, I portforward 443 to assume 500, then I can access https://myipaddress:500/zm.

mikb wrote: I haven't got my ZM set up to use https, so attempts to use https://mymachine ... fail internally anyway :)
Is there a reason to not use https? I thought https was to ensure security when accessing remotely?
mikb
Posts: 604
Joined: Mon Mar 25, 2013 12:34 pm

Re: HTTPS (remotely)

Post by mikb »

RoughRyder01 wrote: so I can access https://localhost:443/zm and in my router settings, I portforward 443 to assume 500, then I can access https://myipaddress:500/zm.

Is there a reason to not use https? I thought https was to ensure security when accessing remotely?
Maybe I've not read that right, but, I think you'd actually need to portforward *500* to *443*, not the other way. Port forwarding is FROM the outside view TO the inside view. If that makes sense. Think of it as making holes in your router's defences to allow external traffic in, not to allow internal traffic out.

So you are using port 443 internally, and as you say that works. Externally, to see your ZM from "outside", you'd then connect to https://myipaddress:500/zm -- your router would forward that connection attempt from external:500 to https://internal:443 and onward to your ZM system.

Probably a good idea to use something that's not 443 externally -- it's a little bit "security by obscurity". It will keep the simple script kiddiez at bay, but a hardened hacker will still find your HTTPS port at 500, so do observe security procedures for passwords etc!

There's no reason NOT to use HTTPS, I evidently didn't bother ticking something/enabling something when I installed. Though, my ZM is not visible from outside anyway :)
RoughRyder01
Posts: 5
Joined: Sat Mar 22, 2014 3:37 pm

Re: HTTPS (remotely)

Post by RoughRyder01 »

mikb wrote: Maybe I've not read that right, but, I think you'd actually need to portforward *500* to *443*, not the other way. Port forwarding is FROM the outside view TO the inside view. If that makes sense. Think of it as making holes in your router's defences to allow external traffic in, not to allow internal traffic out.
I thought port forward is TO the outside view FROM the inside view. I learned something, thank you!
mikb wrote: So you are using port 443 internally, and as you say that works. Externally, to see your ZM from "outside", you'd then connect to https://myipaddress:500/zm -- your router would forward that connection attempt from external:500 to https://internal:443 and onward to your ZM system.
Yes, this set up works great!

mikb wrote: Probably a good idea to use something that's not 443 externally -- it's a little bit "security by obscurity". It will keep the simple script kiddiez at bay, but a hardened hacker will still find your HTTPS port at 500, so do observe security procedures for passwords etc!
I agree, this is a good tip. However, this leads to another question. Suppose my IP cameras do not support HTTPS. Will this undermine all the efforts of having HTTPS enabled for ZoneMinder?
mikb
Posts: 604
Joined: Mon Mar 25, 2013 12:34 pm

Re: HTTPS (remotely)

Post by mikb »

RoughRyder01 wrote: I agree, this is a good tip. However, this leads to another question. Suppose my IP cameras do not support HTTPS. Will this undermine all the efforts of having HTTPS enabled for ZoneMinder?
OK -- well it depends what you're trying to expose to the outside world, and where you think the bad guys are :)

If you want to see your cameras via Zoneminder, then you only need to expose the Zoneminder server by forwarding as we were discussing above.

Because the Zoneminder machine is "inside" your network, along with your cameras, it can fetch and process the pictures (non secured), and feed them out (secured)

You won't be able to see the cameras directly externally -- unless you set up even MORE forwarding rules, to forward an external port to a camera's HTTP/HTTPS port.

The rules you've set up ONLY expose ZM.

If you start adding rules like: Forward external ip:81 to camera01 ip:80 ... then you will expose the camera. BUT that's probably a bad idea, unless you are sure your camera is properly secure. Bear in mind a number of them have security failures that let people access them WITHOUT using passwords, or to hack them to discover the password. I wouldn't be too keen to suggest that! Note I said port 81, because you're already forwarding 80 to somewhere, you can't usually forward one port to multiple destinations.

In short: The cameras will be non-HTTPS insecure connections to Zoneminder, but you can't see that from outside anyway. A secure HTTPS connection from ZM to the outside world should be safe.

The only time you'd be really worried about HTTP from the cameras to Zoneminder is if the hackers are inside your network monitoring that traffic.
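
A way to check a router's forwarding table against the points made in the posts above (a forward runs from a WAN port to a LAN host, only ZoneMinder's HTTPS port needs exposing, and one WAN port cannot point at several destinations). This is an added example, not part of the thread; the addresses, the rule list and the `audit` helper are constructed for illustration, and flagging every non-TLS target port is an assumed policy.

```python
"""Audit port-forward rules against the advice in this thread.
All hosts, addresses and rules below are constructed sample data."""
from collections import defaultdict
from typing import NamedTuple


class Forward(NamedTuple):
    wan_port: int   # port seen from outside (router WAN side)
    lan_ip: str     # inside host that receives the connection
    lan_port: int   # port on that inside host


# Assumed inventory: the ZoneMinder server and the ports on it that speak TLS.
ZM_SERVER = "192.168.1.10"
TLS_PORTS = {443}


def audit(rules):
    """Return a sorted list of (wan_port, finding) tuples."""
    findings = []
    by_wan = defaultdict(set)
    for r in rules:
        by_wan[r.wan_port].add((r.lan_ip, r.lan_port))
        if r.lan_ip != ZM_SERVER:
            # A camera or other device reachable without going through ZM.
            findings.append((r.wan_port, f"exposes {r.lan_ip} directly, not ZoneMinder"))
        if r.lan_port not in TLS_PORTS:
            # Logins and video would cross the internet unencrypted.
            findings.append((r.wan_port, f"forwards to {r.lan_ip}:{r.lan_port}, not a known TLS port"))
    for wan_port, targets in by_wan.items():
        if len(targets) > 1:
            findings.append((wan_port, "WAN port forwarded to more than one destination"))
    return sorted(findings)


SAMPLE_RULES = [
    Forward(500, "192.168.1.10", 443),  # external 500 -> ZM HTTPS (the working setup)
    Forward(80, "192.168.1.10", 80),    # original plaintext rule to ZM
    Forward(81, "192.168.1.21", 80),    # camera01 exposed directly
    Forward(80, "192.168.1.22", 80),    # clashes with the existing WAN port 80 rule
]

if __name__ == "__main__":
    for wan_port, finding in audit(SAMPLE_RULES):
        print(f"WAN {wan_port}: {finding}")
```
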
RoughRyder01
Posts: 5
Joined: Sat Mar 22, 2014 3:37 pm

Re: HTTPS (remotely)

Post by RoughRyder01 »

mikb wrote:
RoughRyder01 wrote: The rules you've set up ONLY expose ZM.

If you start adding rules like: Forward external ip:81 to camera01 ip:80 ... then you will expose the camera. BUT that's probably a bad idea, unless you are sure your camera is properly secure. Bear in mind a number of them have security failures that let people access them WITHOUT using passwords, or to hack them to discover the password. I wouldn't be too keen to suggest that! Note I said port 81, because you're already forwarding 80 to somewhere, you can't usually forward one port to multiple destinations.

In short: The cameras will be non-HTTPS insecure connections to Zoneminder, but you can't see that from outside anyway. A secure HTTPS connection from ZM to the outside world should be safe.
Thanks mikb for all your help! It is unfortunate that some cameras do not support HTTPS. I read about reverse proxies (etc.), but I think that would just overcomplicate things - setting everything through a secure ZM is sufficient. Thanks for helping me get things sorted out, I appreciate all your help!