Encrypting Zoneminder traffic with ssh tunnel

[skier]

I wish to access the server remotely to check that all is safe when
I'm away. But, even though I can turn on authentication to limit
access, I wouldn't be happy to have the security cameras send me the
images in clear, as they would be seen by all the machines along the
way. So I want to encrypt that traffic.

After some experimentation I've got this almost working, and I hope it
will also be useful to others.

What I do is ssh into the server and tunnel the http connection
through that, as follows:

client% ssh -L 8080:localhost:80 server.isp.com

This, as you might know, opens port 8080 on localhost and forwards any
requests to port 80 on server.isp.com over the ssh tunnel. Then I
point the client's browser at http://localhost:8080 and I should be
receiving the zoneminder console over the encrypted link.

So far so good. I get the console, OK. And I can view the individual
monitors, including the moving picture in the little window.

HOWEVER the montage window is instead totally blank and the cycle
window is filled up with error messages, reproduced at the end of this
post.

I confirm that both cycle and montage work fine, with the same browser
(firefox), if I instead access the server directly without the port
forwarding.

I also tried forwarding to local port 80 instead of 8080 (which
requires a little more acrobatics as it's a privileged port), just in
the unlikely case that something had a hardcoded :80 somewhere, but it
still didn't work.

Does anyone know if these two windows, cycle and montage (or the
javascript they make use of) require other ports that I should be
forwarding as well?

By the way, I don't think this is a very version-specific issue but in any case this is on a clean install, from source, of Zoneminder 1.24.2 on
Ubuntu server 9.10, and I'm viewing that from Firefox 3.5.5 on an Ubuntu 9.10 desktop.


Thanks in advance




APPENDIX: error messages in the cycle window when viewed through localhost:8080

Notice: Undefined offset: 0 in /var/www/skins/classic/views/cycle.php on line 63

Notice: Undefined offset: 1 in /var/www/skins/classic/views/cycle.php on line 64

Warning: Division by zero in /var/www/skins/classic/views/cycle.php on line 67

Warning: Division by zero in /var/www/skins/classic/views/cycle.php on line 68

Warning: Cannot modify header information - headers already sent by (output started at /var/www/skins/classic/views/cycle.php:63) in /var/www/includes/functions.php on line 97

Warning: Cannot modify header information - headers already sent by (output started at /var/www/skins/classic/views/cycle.php:63) in /var/www/includes/functions.php on line 98

Warning: Cannot modify header information - headers already sent by (output started at /var/www/skins/classic/views/cycle.php:63) in /var/www/includes/functions.php on line 99

Warning: Cannot modify header information - headers already sent by (output started at /var/www/skins/classic/views/cycle.php:63) in /var/www/includes/functions.php on line 100

Warning: Cannot modify header information - headers already sent by (output started at /var/www/skins/classic/views/cycle.php:63) in /var/www/includes/functions.php on line 101

[timcraig]

I access Zoneminder by ssh tunnels when I'm at work. I've been doing this from versions 1.22.2 to 1.24.2-svn. I use PuTTy on a Vista desktop at work.

I'm not having any issues. I don't have the bandwidth to run montage but cycle mode is working okay.

[skier]

I access Zoneminder by ssh tunnels when I'm at work.

Good--and the only port you forward is 80, as in my example above?

[timcraig]

I got apache running on port 80 and 8080 on my box at work. So I ssh tunnel from port 80 (my zoneminder box at home) to port 8081 (my box at work).

I whipped out my netbook just now (running Ubuntu 9.10 netbook remix) and tried "ssh <my> -L 80:localhost:80" and then "ssh <my> 8080:localhost:80". I don't have any errors or issues with the cycle mode.

[skier]

Thanks for this check! But then it looks like I'm doing precisely the same things that already work fine for you. And you're on firefox 3.5 too, since you're on ubuntu, right? What else could be wrong?

I'm on a lan (the zm server and the client with firefox are plugged into the same 100 Mb/s switch) and, just to be sure bandwidth isn't an issue, I'm running the client as "low".

On the client:
ssh zm -L 8080:localhost:80

then I point firefox at localhost:8080.

Stuff that works:
The console.
The "name" links, including moving picture.
The "function" and "source" links.
The "events", including moving picture.

Stuff that doesn't:
cycle and montage, in the way I explained above.

[timcraig]

I'm currently on Firefox 3.5. My zoneminder server is on an Ubuntu 8.10 Server Edition box.

It might be the browser is doing something funny. You can try clearing you're browser cache or try using a different web browser (SeaMonkey is a popular alternitave to firefox people use here.)

[skier]

[quote]It might be the browser is doing something funny.[/quote]

Wow! You just nailed it! THANKS A LOT!

I tried another machine (also firefox, but an older version, 3.0.15) and it just worked fine.

Then I thought: ok, it must be one of the add-ons I have on the main machine, perhaps no-script or adblock; but I disabled ALL the extensions one by one, then all the plugins, and cleared the cache, and it still doesn't work. So, I don't know why this particular Firefox 3.5 isn't working, but at least the problem is now isolated. Maybe I should try uninstalling the extensions rather than just disabling them, who knows. Or try making a different profile for watching ZM. Weird.

BTW I also tried Konqueror and it didn't work either, but then it was pretty hopeless because it wouldn't even work when talking to the zm server without the tunnel.

Once again thank you very much!

[timcraig]

You're welcome.

I'm glad I was of help.