Is there some way to secure an ffserver webcam stream using Apache / HTTP Authentication? Some type of Apache proxy perhaps?
Right now I have it so only machines on the LAN can view the http://webcam/stream.mjpg, but I want people from the outside to be able to access it if they provide a username / pw (HTTP Auth, which isn't built into ffserver).
Thanks!
For anyone else looking for the solution, I found it:
Use proxy.conf (apache mod-proxy) with directives such as the following:
ProxyPass |external path| http://internal_lan_ip/internal_path
One of mine that works is:
ProxyPass /proxy/matt.mjpg http://192.168.1.10:8090/matt.mjpg
So externally they are going to:
http://myserver.com/proxy/matt.mjpg
And the stream (matt.mjpg) is coming from a different host on the LAN at
http://192.168.1.10:8090/matt.mjpg.
Thus, myserver.com is a "proxy.com" for internal LAN hosts.
Related
I have configured neo4j in a local machine and it can be easily accessed via LAN (with its IP address like 192.168.22.25:7474).
Now I would like to access the neo4j remotely eg. from my home via web proxy.
What I have tried?
I have changed the dbms.connector.http.address=0.0.0.0:7474 in neo4j.conf file.
In server( IP of server 123.123.123.123) machine I have also added ProxyPass and ProxyPassReverse as follow:
ProxyPass /browser *192.168.22.25:7474/browser
ProxyPassReverse /browser *192.168.22.25:7474/browser
(*could not add http:// here since I could not post two links)
I can access the neo4j remotely like
http://123.123.123.123/browser
but when I tried to login then it does not work further.
Any suggestion is appreciated.
Thanks a lot in advance.
Shrestha
Is there a reason why the Spring-Security dose not provide any possibility to lookup for the RemoteAddress when the application is located behind a proxy e.g. load balancer, apache httpd server? At the moment the WebAuthenticationDetails object is saving the ip of the proxy. I saw that there are also solution for finding the remote address over the X-FORWARDED-FOR header attribute. I am curios is a reason why this is not provided?
If you use Tomcat, you could configure RemoteIpValve.
Tomcat port of mod_remoteip, this valve replaces the apparent client remote IP address and hostname for the request with the IP address list presented by a proxy or a load balancer via a request headers (e.g. "X-Forwarded-For").
We configured ELB with sticky sessions for the JSESSIONID cookie for two tomcats (tomcat1 and tomcat2)(Flow is - Apache Http Server - ELB - tomcats)
AJP protocol with port 8009 has been configured on tomcat side as from AWS ELB there is no AJP option, we have configured with tcp:8009
So the Apache httpd.conf entry is, (xxx.amazonaws.com is ELB name)
BalancerMember ajp://xxx.amazonaws.com:8009
Somehow the sticky session is not working, the http request is sent to both tomcat servers. Is it because of the protocol on ELB side (tcp:8009)? We are not sure what is missing here, Need help!!
Once you change it to TCP you lose sticky sessions. It is an ELB limitation. You might be able to get away with switching the protocol to HTTP but with a different port other than 80.
Unless I am mistaken, you might have to setup an HA Proxy or something else instead of the ELB. Something that can do both TCP with sticky.
It is well know that websockets+sticky doesn't work on amazon.
https://forums.aws.amazon.com/thread.jspa?messageID=627367
I am trying to get client ip in Rails 3.
Application is installed in cloud hosting, with SSL, and nginx server.
I wrote some code to get client ip.
request.remote_ip
request.env['HTTP_X_FORWARDED_FOR']
But it returns wrong address, like '10.159.21.86'
Is there any issue related Nginx server, or SSL installation?
def remote_ip
#remote_ip ||= (#env["action_dispatch.remote_ip"] || ip).to_s
end
request.remote_ip gets the ip address of the client outside of local proxies but If your request is coming from your development machine and the development machine is where your server is, probably you will get 127.0.0.1 or wrong ip But if the request is coming from another machine, this will be the IP the remote machine. However, under various conditions this may not be the real IP of the machine (machine behind proxy, using tor or other tool to hide it e.t.c.). so you can also try:-
request.env['REMOTE_ADDR']
You should visit this post written by rails contributor describing Repeated headers and Ruby web servers
I believe the issue you have is the same described in the following Engine Yard support request: HAProxy, SSL Requests & Request IP Addresses.
Apparently there is a workaround, but you are supposed to contact them directly to know what it is.
The docs team is working on formal documentation, for the short term, please open a ticket and a support engineer can help out.
If you're using SSL with HAProxy (the default configuration for multi-instance environments) then it will not be able to pull the remote IP due to the hand-off from HAProxy to Nginx. We have a solution that uses stunnel to get around this but since all SSL decryption is done on the App Master instance, if you have more than about five instances then performance will suffer.
The other option is to use Elastic Load Balancer instead of HAProxy. The documentation for that is at https://support.cloud.engineyard.com/entries/21715452-Use-Elastic-Load-Balancing-with-Engine-Yard-Cloud.
Evan
I have a setup of the following:
Proxy server: https://proxy-server.com
application server: https://app-server.com
and a CAS (sso) server: https://sso-server.com
I can get the following working:
https://proxy-server.com/cas/login?service=https://app-server.com/app
But the problem for this URL is it exposes the actual app-server, which is behind the proxy server.
Ideally, I want the following:
https://proxy-server.com/cas/login?service=https://proxy-server.com/app
My question is:
Is there a way to hide (use post, encrypt targetService part, callback on proxy side, or...) the app-server.com in the URL? since I have a proxy server in front, I don't want to expose the actual app server name.
thanks
If you're running something like Apache mod_proxy on https://proxy-server.com then you should be able to hide your app behind it. Based on your example it looks like you're already doing that with your cas server since your stated your cas login url as https://proxy-server.com/cas/login
Following the same idea your app can be reached using https://proxy-server.com/app
ProxyPass /cas https://sso-server.com/cas
ProxyPassReverse /cas https://sso-server.com/cas
ProxyPass /app https://app-server.com/app
ProxyPassReverse /app https://app-server.com/app
You'd probably have to modify your serviceUrls so they are relate to proxy-server.com
ProxyPass And ProxyPassReverse Configuration
Proxy HOW-TO