Apache using a reverse proxy

Support and queries relating to all previous versions of ZoneMinder
gommo
Posts: 1
Joined: Wed Mar 23, 2005 4:57 am
Location: Newcastle, Australia

Apache using a reverse proxy

Post by gommo »

I've configured zoneminder to run off a machine behind my linux firewall machine.

I'm using a reverse proxy setup in order for me to access it from outside my network.

From inside the network everything is running great if I directly access the machine running zoneminder. (192.168.0.88).

But when I attempt to view the monitors outside my firewall I get no streaming or images from the webcams. I can access the site and configure things, but any images or streams from the web cams just don't work.

Has anyone successfully done this?

My firewall's apache configuration looks like this

<IfModule mod_proxy.c>
ProxyRequests Off

<Proxy *>
AllowOverride AuthConfig
#Order deny,allow
#Deny from all
AuthType Basic
AuthName "Restricted Files"
AuthUserFile /etc/linuxmonht
</Proxy>

ProxyPass /zm/ http://192.168.0.88:80/zm/
ProxyPassReverse /zm/ http://192.168.0.88:80/zm/

</IfModule>

Thanks
akupsta
Posts: 34
Joined: Sat Mar 10, 2007 8:11 pm

Same Issue

Post by akupsta »

Hi, I have the same issue, using nearly identical apache config. Any ideas?

Thanks.
zoneminder
Site Admin
Posts: 5215
Joined: Wed Jul 09, 2003 2:07 pm
Location: Bristol, UK

Post by zoneminder »

Do you get no static images either or just no streams? If you have authentication on then it is possible that the authentication is failing, you should be able to verify this by looking at your log files.

If this is the case then check in Options -> System that ZM_AUTH_HASH_IPS is off as it may be that your proxy is presenting different or varying request IP addresses that are confusing it.
Phil
akupsta
Posts: 34
Joined: Sat Mar 10, 2007 8:11 pm

Reverse proxy issues w/ Apache.

Post by akupsta »

Hi!

Sorry, I have a similar setup. Unlike the example above all I have is the proxy statements in Apache, not Apache Authentication.

I have authentication configured in ZM (the same behaviour exists without ZM auth and the IPS switch off -- below).

- I can see stills from events (no stream)
- I cannot see stills from the monitor
- I cannot see stream from the monitor.

My setup:

Public IP --> Router (NAT) / Port Forward --> Apache Server (10.1.1.1) --> (via reverse proxy) ZM PC (10.1.1.2) --> IP Camera (10.1.1.3)

Apache directives:

ProxyPass /zm/ http://10.1.1.2/zm/
ProxyPassReverse /zm/ http://10.1.1.2/zm/


The apache server in the front also hosts other sites, and our ZM install 'hangs' off one of the sites.

When accessing the ZM server directly everything is fine.

When accessing the ZM through the front end everything works EXCEPT, streaming or stills from the monitor AND stream from events (I can see stills).

When I view the live monitor (in IE) all I see is a place holder for a picture (in still mode) with a red X beside the name of the monitor (appears as if the "image" or stream cannot be found). When in Stream mode, I get a black screen.

Looks like it may be related to how ZM streams the image. It appears that ZM is simply passing through a URL of my web cam to my browser as opposed to proxying it.

Regards,

Adam.



zoneminder wrote: Do you get no static images either or just no streams? If you have authentication on then it is possible that the authentication is failing, you should be able to verify this by looking at your log files.

If this is the case then check in Options -> System that ZM_AUTH_HASH_IPS is off as it may be that your proxy is presenting different or varying request IP addresses that are confusing it.
zoneminder
Site Admin
Posts: 5215
Joined: Wed Jul 09, 2003 2:07 pm
Location: Bristol, UK

Post by zoneminder »

akupsta wrote: Looks like it may be related to how ZM streams the image. It appears that ZM is simply passing through a URL of my web cam to my browser as opposed to proxying it.
I don't quite follow this statement. Can you expand on it a little?
Phil
akupsta
Posts: 34
Joined: Sat Mar 10, 2007 8:11 pm

Apache proxy issues.

Post by akupsta »

Hi Phil,

I come from the infrastructure background, not the programming side per se. In taking a closer look at the image properties the page displayed in IE, I may be wrong on this one (more on this later).

My initial thinking:

When the image is streamed from a camera, it appears (and again, my understanding of this may be way off), that there are two forks of the stream:

1. Fork 1 --> is analyzed and recorded on disk (as per zone rules/definition).
2. Fork 2 --> the stream (e.g. URL) is simply passed on to the client to view. Much like a web page that references another site (or host) for images that cannot be routed to.

What happens in #2 is the following:

The client (from a public network using a public address) downloads the web page from a server hosting zoneminder. Zoneminder generates the entire page, EXCEPT the video stream / stills. Zoneminder references the Camera's IP / streaming url and the browser downloads the stream directly from the camera. When the client is on the public network, and the camera is on a private network (inherently no route exists), therefore the image cannot be found. IE displays a 640x480 place holder for an image that it can't find.

IF zone minder captures the stream and presents the stream, it effectively proxies or relays the stream therefore public clients can view the reverse-proxied application.

The revised thinking:

When I open up the image place holder's properties in IE, I see the following:

The image name referenced is:

nph-zms?mode=single&monitor=3&scale=100&auth=<hash removed>&rand=1175269990

The URL of the image is as follows:

http://10.1.1.2/cgi-bin/nph-zms?mode=si ... auth=<hash removed>&rand=1175269990&1175269685373

The above tells me that I was initially off in my assessment, and perhaps a "feature" can be added to ZM to allow the image URL to be re-written within the application to say the ZM URL specified in the OPTIONS->EMAIL page...

One thing that I haven't tried is to proxy the cgi-bin/ directory to the ZM server. I'll give that a try later on tonight and let you know. I'm not 100% sure if the apache reverse proxy module can re-write embedded URLs in a web page.

Thanks for your help. This is really a great piece of software!!

Adam.



zoneminder wrote:
akupsta wrote: Looks like it may be related to how ZM streams the image. It appears that ZM is simply passing through a URL of my web cam to my browser as opposed to proxying it.
I don't quite follow this statement. Can you expand on it a little?
cordel
Posts: 5210
Joined: Fri Mar 05, 2004 4:47 pm
Location: /USA/Washington/Seattle

Post by cordel »

akupsta is spot on. If you alias /cgi-bin/ so that you have zm/cgi-bin then it should work. You can also just add /cgi-bin to your proxy settings. Obviously there are other options as well.
akupsta
Posts: 34
Joined: Sat Mar 10, 2007 8:11 pm

Post by akupsta »

Ok, got home after a long day. Umm, on second thought, Cordel, I don't think just aliasing cgi-bin would work. It's still needed, but there's more to it.

You see, when I view the still images in my monitor and I view the HTML source for the page generated I get the following as my image location:

http://<my_internal_ip>/cgi-bin/nph-zms?mode=single&monitor=3&scale=100&auth=<removed>&rand=1175306910&1175306760941

<my_internal_ip> is not routed from the internet. What I think should be done is allowing a configuration parameter to be set in the config to replace this ip/host name with whatever is accessible publicly. This way it will work no matter what.

ZM is getting <my_internal_ip> from the URL. For a simple test:

1. Create a DNS entry or host entry for your zm server. You'll need a name to access it by for this test.
2. Launch your fav. browser.
3. Access ZM by the IP address (Eg. http://10.1.1.1/zm)
4. Go to a monitor, get a video stream, go to stills mode. Right click on the image and note URL of image.

NOW.

Repeat the above steps except in step 3 use your DNS name (e.g. http://security.mydomain.tld).

Note that the image URL using this test shows the Fully Qualified Hostname used.

This is why it's failing in the reverse proxy scenario since ZM is being called by Apache using its domain name and the Apache Reverse proxy module does not handle embedded URLs (in the HTML), just browser URLs, it expects the application to handle the rest.

We should have a way to manually force this to a defined host, regardless of the browser URL.

I'd really like to help implementing this, but my knowledge of the ZM architecture (from a coding perspective) isn't there yet. It should be a relatively minor change, if you know where to change it :). This weekend hopefully I'll finish my Toshiba IK-WB15A PTZ script and will submit it, perhaps it may help someone.

Adam.
cordel wrote: akupsta is spot on. If you alias /cgi-bin/ so that you have zm/cgi-bin then it should work. You can also just add /cgi-bin to your proxy settings. Obviously there are other options as well.
cordel
Posts: 5210
Joined: Fri Mar 05, 2004 4:47 pm
Location: /USA/Washington/Seattle

Post by cordel »

You must be using virtual host in apache then?
The reason I say that /cgi-bin/ needs to be defined is that it does not fall in the path you have specified: cgi-bin is not under zm so it's excluded.

This is not a function of ZM but of apache.
akupsta
Posts: 34
Joined: Sat Mar 10, 2007 8:11 pm

Post by akupsta »

Correct Cordel,

I'm using vhosts. This is not an issue with proxypass statements, yes the revised proxy pass statements should be:

ProxyPass /zm/ http://192.168.0.88:80/zm/
ProxyPassReverse /zm/ http://192.168.0.88:80/zm/
ProxyPass /cgi-bin/ http://192.168.0.88:80/cgi-bin/
ProxyPassReverse /cgi-bin/ http://192.168.0.88:80/cgi-bin/

The issue is with ZM taking the hostname from the passed URL. Please see previous post.

There should be an option (user configurable setting) to force ZM not to use the hostname passed on the URL line of the browser.

Do the test in my prev. post and you'll know what I'm talking about.

Thanks,

Adam.

UPDATE: A quick fix for this is to make a local /etc/hosts entry on your apache server (public facing).

Eg.

/etc/hosts
10.1.1.1 zoneminder.yourdomain.tld

NOTE: the above has to be the internal IP of your install!

Your PUBLIC (internet) DNS should contain the public address.

Then add the following proxy statements under the desired vhost (if using vhosts) that responds to zoneminder.yourdomain.tld.

ProxyPass /zm/ http://zoneminder.yourdomain.tld/zm/
ProxyPassReverse /zm/ http://zoneminder.yourdomain.tld/zm/
ProxyPass /cgi-bin/ http://zoneminder.yourdomain.tld/cgi-bin/
ProxyPassReverse /cgi-bin/ http://zoneminder.yourdomain.tld/cgi-bin/

Restart apache and it will work.

The suggestion made in this thread identifies a potential zoneminder feature that can eliminate the local /etc/hosts entry.

Hope this helps someone..

Adam.



cordel wrote: You must be using virtual host in apache then?
The reason I say that /cgi-bin/ needs to be defined is that it does not fall in the path you have specified: cgi-bin is not under zm so it's excluded.

This is not a function of ZM but of apache.
zoneminder
Site Admin
Posts: 5215
Joined: Wed Jul 09, 2003 2:07 pm
Location: Bristol, UK

Post by zoneminder »

Have you thought about just using OpenVPN or something like that? I started using it a few weeks ago and it is the canines cajones. Suddenly your whole private LAN is accessible from anywhere! It works really well and I have stopped port forwarding and the like pretty much now and just reference everything as a LAN address.
Phil
akupsta
Posts: 34
Joined: Sat Mar 10, 2007 8:11 pm

Post by akupsta »

Hi Phil,

A VPN solution is what I use most of the time. This works flawlessly with ZM.

A web method of accessing ZM is important from networks that have locked down desktop configs (like Internet cafes) and/or firewalls blocking outbound VPN (corporations). Web is the most convenient way to keep tabs on one's house.

I think the procedure that I outlined in my previous post works well. I have it running without any problems. The trick is to make sure that the Apache web server performing the reverse proxy function calls the SAME URL as the user is calling from their browser. The secret is in the /etc/hosts file. :)

Regards,

Adam.

zoneminder wrote: Have you thought about just using OpenVPN or something like that? I started using it a few weeks ago and it is the canines cajones. Suddenly your whole private LAN is accessible from anywhere! It works really well and I have stopped port forwarding and the like pretty much now and just reference everything as a LAN address.
zoneminder
Site Admin
Posts: 5215
Joined: Wed Jul 09, 2003 2:07 pm
Location: Bristol, UK

Post by zoneminder »

Yes, I still have an open web port as well for those circumstances but just do it via port forwarding from the gateway so haven't had to use any reverse proxying or anything like that.

Is there any particular reason for doing it with apache?
Phil
akupsta
Posts: 34
Joined: Sat Mar 10, 2007 8:11 pm

Post by akupsta »

Installations that are at home or small office / warehouse where you typically have one IP address assigned to the internet connection (e.g. Cable or DSL).

In my case I'm fortunate to have a static IP on a DSL connection and this IP must be used to creatively publish all services (I need) to the internet. This includes about 10 websites (across 3 web servers), VPN, DNS, an email server and zone minder.

In this particular scenario we apply the usual firewall filters as well as port forwarding (once the traffic is deemed clean) to the appropriate backend server. Since we currently have 3 apache servers, one on the front and two in the back, we use Apache reverse proxying to achieve our goal of having both Windows (IIS)-based websites as well as UNIX-based websites using apache. Zone minder is really a third Apache backend server, however it's purpose-centric.

I've seen many small - mid size clients with this type of architecture.

When I initially saw the URL option in the Email config tab, I immediately assumed it would also be applied to the URLs ZM sends back to the browser. Hence this thread :) In any regard, a simple check box to force this URL to be applied to any browser-derived URLs would be nice, however not critical now as a workaround with hosts files works fine.


Adam.

zoneminder wrote: Yes, I still have an open web port as well for those circumstances but just do it via port forwarding from the gateway so haven't had to use any reverse proxying or anything like that.

Is there any particular reason for doing it with apache?
Andy.Styles
Posts: 1
Joined: Sat Aug 18, 2007 9:53 pm

Post by Andy.Styles »

I too have placed my ZM machine on a non-visible server behind my firewall. I've managed to get proxying to work to a degree with a minor code mod to zm.php:

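// $protocol comes from the surrounding zm.php code.
if (!isset($_SERVER['HTTP_X_FORWARDED_HOST']))
{
        // No forwarded host name: use the Host header as before.
        define( "ZM_BASE_URL", $protocol.'://'.$_SERVER['HTTP_HOST'] );
}
else
{
        // Request came through a proxy: use the host name the browser asked for.
        define( "ZM_BASE_URL", $protocol.'://'.$_SERVER['HTTP_X_FORWARDED_HOST'] );
}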
in place of the line that says

define( "ZM_BASE_URL", $protocol.'://'.$_SERVER['HTTP_HOST'] );
I don't know the security implications of using this, but it allows me to view my cams from work, although streaming doesn't seem to work but viewing stills is fine. No mods to /etc/hosts needed. I use dyndns.org for my hostname, and by using a prefix to my domain-name, I make Apache proxy all requests (including, I think, cgi-bin) over to the other server.

I have problems with streaming from work though:

http://cctv.styles.homeip.net

is where my camera is. It's currently open, so no authentication required, though that will change when I get it set up properly. Streaming at home (ie, on the internal network) works fine.

Suggestions?

Andy
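
The zm.php change above builds ZM_BASE_URL from the X-Forwarded-Host request header, a value that any client able to reach the ZoneMinder server can set. The following is an added example, not code from the post or from ZoneMinder: it accepts the header only from the reverse proxy and only for known host names. The function name zm_base_url, the proxy address 10.1.1.1 and the host list are assumptions built from the addresses used earlier in the thread.

```php
<?php
// Added example, not ZoneMinder code. Both lists are assumed values built
// from the addresses and names used in this thread.
const TRUSTED_PROXIES = ['10.1.1.1'];   // front-end Apache doing the proxying
const ALLOWED_HOSTS   = ['zoneminder.yourdomain.tld', '10.1.1.2'];

function zm_base_url(array $server, string $protocol): string
{
    $host = $server['HTTP_HOST'] ?? '';
    $peer = $server['REMOTE_ADDR'] ?? '';

    // Honour X-Forwarded-Host only when the TCP peer is our own proxy;
    // any other client can put whatever it likes in this header.
    if (in_array($peer, TRUSTED_PROXIES, true)
        && !empty($server['HTTP_X_FORWARDED_HOST'])) {
        // mod_proxy appends its value to a header the client already sent,
        // so take the last entry of the comma-separated list.
        $parts = explode(',', $server['HTTP_X_FORWARDED_HOST']);
        $host  = trim(end($parts));
    }

    // Compare the name without a numeric :port suffix, case-insensitively.
    $name = strtolower(preg_replace('/:\d+$/', '', $host));
    if (!in_array($name, ALLOWED_HOSTS, true)) {
        // Unknown or forged name: use the configured public name rather
        // than reflecting client-chosen text into the page's image URLs.
        $host = ALLOWED_HOSTS[0];
    }
    return $protocol . '://' . $host;
}

// Constructed requests: through the proxy, a forged header sent straight to
// the ZoneMinder box, and a client-supplied header relayed by the proxy.
$cases = [
    ['REMOTE_ADDR' => '10.1.1.1', 'HTTP_HOST' => '10.1.1.2',
     'HTTP_X_FORWARDED_HOST' => 'zoneminder.yourdomain.tld'],
    ['REMOTE_ADDR' => '10.1.1.50', 'HTTP_HOST' => '10.1.1.2',
     'HTTP_X_FORWARDED_HOST' => 'unexpected.example'],
    ['REMOTE_ADDR' => '10.1.1.1', 'HTTP_HOST' => '10.1.1.2',
     'HTTP_X_FORWARDED_HOST' => 'unexpected.example, zoneminder.yourdomain.tld'],
];
foreach ($cases as $c) {
    echo zm_base_url($c, 'http'), "\n";
}
```

Falling back to a fixed configured name also gives the behaviour asked for earlier in the thread: image URLs point at a defined host regardless of how the request arrived.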