Hi, I have an IP camera “Tp-link NC450” which has a weak SSL for the admin page (port 8092 with cipher AES128-SHA) but no SSL for the video streaming (port 8080 is plain http).
I am using Haproxy on a Raspberry pi in order to harden the admin page with a stronger SSL cipher and add SSL to the video streaming.
From the admin page you have the option to open the video streaming by clicking a button which opens a new tab with the video streaming.
So far, I have successfully added a stronger protection to the admin page and SSL to the video streaming page.
The issue I am facing is that if I try to open the video streaming from the admin page, the tab that is opened is the camera IP and not the one that goes through haproxy.
Here is a screenshot of the admin page with the button “Live View”:
This is the tab I get when opening it:
Without haproxy, this is the Chinese camera working like this:
https://192.168.0.155:8092/index.html opens a tab to: http://192.168.0.155/live_view.html
Now, with haproxy configuration, I expect to see:
https://192.168.0.113:8092 opens a tab to: https://192.168.0.113:8080/live_view.html
And instead I get:
https://192.168.0.113:8092 opens a tab to: http://192.168.0.155/live_view.html
I guess a solution would be to force Haproxy to change what is served by backend in port 8092 with references to its local IP to the one that I am connected to:
For example:
If I am on admin page (https://192.168.0.113:8092) then change all served content with references to http://192.168.0.155/whatever to http://192.168.0.113/whatever
If I am using a DNS (https://camera.duckdns.org:8092) then change all served content with references to http://192.168.0.155/whatever to http://camera.duckdns.org/whatever
I am not sure if this is the right path nor where to start and would really appreciate if anyone can give me any hint or suggestion or Documentation section to read.
My Haproxy is running on a raspberry pi 3B+ and is:
root@raspberrypi /var/log # haproxy -vv
HA-Proxy version 1.8.19-1+rpi1 2019/03/14
And here is my actual Haproxy configuration for this camera:
# Video streaming: TLS terminated here, plain TCP to the camera
frontend tplink_in_8080
    bind-process 2-3
    bind :8080 tfo ssl crt /etc/ssl/certs_self process 2 curves X25519:P-256:secp384r1
    bind abns@haproxy-clt3 accept-proxy tfo ssl crt /etc/ssl/certs_self process 3 curves X25519:P-256:secp384r1
    mode tcp
    #option tcplog
    option tcp-smart-accept
    default_backend tplink_dest_8080

backend tplink_dest_8080
    mode tcp
    option tcp-smart-connect
    server ipcam 192.168.0.155:8080 check fall 5 rise 2 maxconn 50

# Admin page: TLS terminated here, re-encrypted to the camera
frontend tplink_in_8092
    bind-process 2-3
    bind :8092 tfo ssl crt /etc/ssl/certs_self process 2 alpn h2,http/1.1 curves X25519:P-256:secp384r1
    bind abns@haproxy-clt5 accept-proxy tfo ssl crt /etc/ssl/certs_self process 3 alpn h2,http/1.1 curves X25519:P-256:secp384r1
    mode http
    option forwardfor
    compression algo gzip
    http-request redirect scheme https code 301 if !{ ssl_fc }
    http-request redirect scheme https unless { ssl_fc }
    http-request add-header X-Forwarded-Proto https
    # Header names are written without a trailing colon
    http-response set-header X-Frame-Options DENY
    http-response set-header X-Content-Type-Options nosniff
    http-response set-header Strict-Transport-Security max-age=31536000;includeSubDomains;preload
    http-response set-header X-XSS-Protection 1;mode=block
    http-response set-header Referrer-Policy no-referrer-when-downgrade
    # HSTS (15768000 seconds = 6 months)
    # set-header replaces the Strict-Transport-Security value set above
    http-response set-header Strict-Transport-Security max-age=15768000
    #http-request set-header X-Client-IP %[req.hdr_ip(X-Forwarded-For)]
    default_backend tplink_dest_8092

backend tplink_dest_8092
    mode http
    option forwardfor
    option http-keep-alive
    compression algo gzip
    #option http-server-close
    option http-keep-alive
    http-request set-header X-Forwarded-Port %[dst_port]
    http-request add-header X-Forwarded-Proto https if { ssl_fc }
    cookie SSIONID prefix indirect nocache
    # The camera only offers AES128-SHA; its certificate is not verified
    server ipcam 192.168.0.155:8092 maxconn 50 cookie SSIONID ssl verify none ciphers AES128-SHA
Thanks in advance!
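
The rewrite described in the post, sketched as an added example (it is not the poster's code and not HAProxy configuration): a Python function that lists every absolute link in a served body that points at the camera itself, which would take the browser around the TLS proxy, and rewrites it to the origin the client connected to. The addresses come from the post; the port map, the function names and the sample markup are assumptions.

```python
import re
from urllib.parse import urlsplit, urlunsplit

BACKEND_HOST = "192.168.0.155"  # camera address from the post
ALLOWED_PUBLIC_HOSTS = {"192.168.0.113", "camera.duckdns.org"}  # proxy names from the post
# Assumption: camera port -> TLS port on the proxy; the post expects the
# port-80 live view link to end up on :8080 of the proxy.
PORT_MAP = {80: 8080, 8080: 8080, 8092: 8092}
URL_RE = re.compile(r"""https?://[^\s"'<>)]+""")


def public_host(host_header):
    """Strip the port from a Host header and accept only known proxy names.

    The Host header is client-controlled, so it is never copied into a
    rewritten link unless it is on the allowlist.
    """
    host = host_header.rsplit(":", 1)[0].lower()
    if host not in ALLOWED_PUBLIC_HOSTS:
        raise ValueError(f"unexpected Host header: {host_header!r}")
    return host


def rewrite_backend_refs(body, host_header):
    """Return (new_body, leaked); leaked lists each absolute URL in body that
    targets the camera directly instead of going through the proxy."""
    target = public_host(host_header)
    leaked = []

    def swap(match):
        url = match.group(0)
        parts = urlsplit(url)
        if parts.hostname != BACKEND_HOST:
            return url  # not the camera: leave untouched
        leaked.append(url)
        port = parts.port or (443 if parts.scheme == "https" else 80)
        if port not in PORT_MAP:
            return url  # no proxied listener for this port: report only
        netloc = f"{target}:{PORT_MAP[port]}"
        return urlunsplit(("https", netloc, parts.path, parts.query, parts.fragment))

    return URL_RE.sub(swap, body), leaked


# Constructed sample of the admin page markup (not captured from the camera).
SAMPLE = ('<a href="http://192.168.0.155/live_view.html" target="_blank">Live View</a>'
          '<script src="https://cdn.example.org/app.js"></script>')

if __name__ == "__main__":
    print(rewrite_backend_refs(SAMPLE, "camera.duckdns.org:8092"))
```

The `leaked` list is useful on its own as a check: an empty list for every page fetched through the proxy means no link sends the browser back to the camera over plain HTTP.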