After you've got your ZoneMinder server set up and running, you might want to enable remote access via the Internet so you can monitor your cameras and events while on the go.  The easiest way to do this would simply be to port forward / static NAT port 80 (HTTP) from your router to your ZoneMinder server.  While that might work, it's not the most secure option available, and if you're using a residential ISP service, you may find that inbound TCP/80 is blocked.  This article will detail how to configure ZoneMinder on CentOS to use SSL for your remote ZoneMinder connections.

First, we'll need to get an SSL certificate.  While it's certainly possible to use a self-signed SSL certificate, due to security features on the iOS platform, you are required to have a validated SSL certificate from a trusted Certificate Authority (Verisign, GeoTrust, Thawte, Comodo, etc.).  It's possible to create your own CA and push it to your iPhone or iPad, but that's beyond the scope of this document.  Why the emphasis on the iOS platform?  Well, I want the eyeZm app to work properly.  What if you're not using eyeZm or an iOS device?  Well, using a "real" SSL certificate will prevent browser warnings, and a lot of headaches and phone calls if anyone but you is going to be accessing your ZoneMinder server.

How do you obtain and install a "real" SSL certificate?  Any trusted CA will work - companies like Verisign, Thawte, GoDaddy, and GeoTrust.  I'm a big fan of NameCheap personally - both for domain registrations, and their cheap SSL certificates.  Their PositiveSSL domain validated SSL certificate from Comodo is very competitively priced at $8.95 per year.  For our purposes, this cheap SSL certificate should be perfect.  Regardless of which CA you choose to purchase your "real" SSL certificate from, the rest of these steps should be pretty much identical.

I suppose I should mention, all of this assumes you have a domain name registered (e.g., example.com).  If you don't, then NameCheap is a great place to start.  You don't need a dedicated domain name just for your ZoneMinder installation.  A subdomain would work just fine (e.g., zoneminder-home.example.com or zoneminder-office.example.com).  NameCheap also provides free DNS hosting, and a dynamic DNS client if you're on a dynamic public IP.

1 - If you purchased your SSL certificate from NameCheap, you need to place your order first.  Once you've done so, you'll be able to upload your Certificate Signing Request (CSR).  To generate it, we'll run the following from our ZoneMinder server:

[root@zm1 ~]# openssl req -nodes -newkey rsa:2048 -keyout myservername.key -out myservername.csr
Generating a 2048 bit RSA private key
...............................+++
...........+++
writing new private key to 'myservername.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [GB]:US
State or Province Name (full name) [Berkshire]:My State
Locality Name (eg, city) [Newbury]:My City
Organization Name (eg, company) [My Company Ltd]:My Company
Organizational Unit Name (eg, section) []:My OU
Common Name (eg, your name or your server's hostname) []: zoneminder.example.com  <-- NOTE: this needs to be EXACTLY the fully qualified domain name you intend to use!  In this example, the site will be https://zoneminder.example.com
Email Address []:me@example.com
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
[root@zm1 ~]#
2 - Now, we'll want to view the contents of the .csr file we just generated, so we can upload it to our CA:
[root@zm1 ~]# cat myservername.csr

-----BEGIN CERTIFICATE REQUEST-----
A bunch of gibberish here...
-----END CERTIFICATE REQUEST-----

3 - Copy the CSR text to your clipboard, and upload it to your CA.  If you used NameCheap as your CA, you'll need to approve the certificate request by responding to an email associated with your domain (i.e., admin@example.com, webmaster@example.com, and so on).

4 - Once you've approved the certificate request, you should receive an email with your new certificate and several associated files attached.  I'm going to upload these files to /etc/httpd/ssl (you may need to create this directory).

5 - I'm also going to copy my private key that we created in step 1 to this same folder (/etc/httpd/ssl):

[root@zm1 ~]# cp myservername.key /etc/httpd/ssl/
And we should end up with something like this:
[root@zm1 ~]# ls /etc/httpd/ssl/
AddTrustExternalCARoot.crt  PositiveSSLCA.crt  UTNAddTrustServerCA.crt  zoneminder_myservername_com.crt  myservername.key

Now, let's create a bundle file for use later:

[root@zm1 ~]# cd /etc/httpd/ssl
[root@zm1 ssl]# cat PositiveSSLCA.crt UTNAddTrustServerCA.crt AddTrustExternalCARoot.crt > PositiveSSL.ca-bundle
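Before moving on to Apache, it's worth confirming that the files now sitting in /etc/httpd/ssl agree with each other: the certificate's Common Name is the FQDN from step 1, the certificate was issued for the private key from step 1, and it validates against the bundle from step 5.  The script below is an added example, not part of the original article; because a CA-issued certificate can't be fetched offline, it constructs a throwaway CA in a temporary directory to stand in for the Comodo chain, and the check functions (subject_cn, cert_matches_key, cert_chains_to_bundle and check_ssl_files are names chosen here) run unchanged on the real files.

```shell
#!/bin/sh
# Added example (not from the article). Sanity-check the three files that
# ssl.conf will point at: certificate CN, certificate/key match, and chain.
set -eu

FQDN="zoneminder.example.com"   # hostname used throughout the article
D=$(mktemp -d)                  # scratch dir standing in for /etc/httpd/ssl

# Step 1, non-interactive: -subj supplies the DN so nothing is prompted for.
openssl req -nodes -newkey rsa:2048 -keyout "$D/myservername.key" \
    -out "$D/myservername.csr" -subj "/C=US/O=My Company/CN=$FQDN" 2>/dev/null

# Constructed stand-in for the CA: in the article the signed certificate and
# the CA certificates arrive by email; here a throwaway root signs the CSR.
openssl req -x509 -nodes -newkey rsa:2048 -days 30 -subj "/CN=Constructed Test CA" \
    -keyout "$D/ca.key" -out "$D/ca.crt" 2>/dev/null
openssl x509 -req -in "$D/myservername.csr" -CA "$D/ca.crt" -CAkey "$D/ca.key" \
    -CAcreateserial -days 30 -out "$D/zoneminder_myservername_com.crt" 2>/dev/null
cat "$D/ca.crt" > "$D/PositiveSSL.ca-bundle"   # step 5: concatenate CA certs

# CN from the subject of a CSR ("req") or certificate ("x509").
# RFC2253 formatting is stable across openssl versions, so the sed is reliable.
subject_cn() {
    openssl "$1" -in "$2" -noout -subject -nameopt RFC2253 |
        sed -n 's/.*CN=\([^,]*\).*/\1/p'
}

# 0 if the certificate carries the public half of the given private key.
cert_matches_key() {
    [ "$(openssl x509 -in "$1" -pubkey -noout)" = "$(openssl pkey -in "$2" -pubout)" ]
}

# 0 if the certificate validates against the CA bundle (what browsers will do).
cert_chains_to_bundle() { openssl verify -CAfile "$2" "$1" >/dev/null 2>&1; }

# Run all three checks: cert, key, bundle, expected FQDN. Prints the failure.
check_ssl_files() {
    cn=$(subject_cn x509 "$1")
    [ "$cn" = "$4" ]                || { echo "CN is '$cn', expected '$4'"; return 1; }
    cert_matches_key "$1" "$2"      || { echo "certificate does not match private key"; return 1; }
    cert_chains_to_bundle "$1" "$3" || { echo "certificate does not chain through bundle"; return 1; }
    echo "OK: $1 is for $4, matches $2 and chains through $3"
}

# Same check the article stresses in step 1, but before uploading the CSR.
[ "$(subject_cn req "$D/myservername.csr")" = "$FQDN" ] || echo "CSR CN mismatch"
check_ssl_files "$D/zoneminder_myservername_com.crt" "$D/myservername.key" \
    "$D/PositiveSSL.ca-bundle" "$FQDN"
```

On the real server, point check_ssl_files at /etc/httpd/ssl/zoneminder_myservername_com.crt, myservername.key and PositiveSSL.ca-bundle; a failure in the chain check usually means the intermediate certificates were concatenated in the wrong order or one is missing.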

6 - If you don't already have it, go ahead and install mod_ssl:

[root@zm1 ~]# yum install mod_ssl

7 - Now, let's go ahead and open up ssl.conf and get SSL configured:

[root@zm1 ~]# emacs /etc/httpd/conf.d/ssl.conf

8 - Once we've got ssl.conf open, I'm going to comment out (#) every line between <VirtualHost _default_:443> and </VirtualHost>.  Then, at the bottom of the file, I'll add my SSL configuration (my comments are the lines starting with #):

# New virtual host, using the IP of the local server (in this example, 192.168.1.10).
<VirtualHost 192.168.1.10:443>
DocumentRoot "/var/www/html"
# ServerName - needs to match EXACTLY what you entered in step 1, and submitted to the CA.
ServerName zoneminder.example.com
# The certificate we received from our CA
SSLCertificateFile /etc/httpd/ssl/zoneminder_myservername_com.crt
# The private key we generated back in step 1
SSLCertificateKeyFile /etc/httpd/ssl/myservername.key
# The bundle file we generated in step 5
SSLCertificateChainFile /etc/httpd/ssl/PositiveSSL.ca-bundle
SSLEngine on
# Note: on current Apache/OpenSSL builds you will also want -SSLv3 here, and to drop
# RC4 from the cipher list below; both have been broken since this was written.
SSLProtocol all -SSLv2
# Only allow for strong ciphers
SSLCipherSuite ALL:!aNULL:!eNULL:!LOW:!MEDIUM:!EXP:RC4+RSA:+HIGH
SetEnvIf User-Agent ".*MSIE.*" \
         nokeepalive ssl-unclean-shutdown \
         downgrade-1.0 force-response-1.0
ErrorLog /var/log/httpd/error-ssl.log
LogLevel warn
CustomLog /var/log/httpd/access-ssl.log "combined"
</VirtualHost>
9 - That should be it, as far as configuring SSL in Apache.  Let's first run a configtest to make sure we didn't fat-finger anything.  If everything checks out, then restart Apache:
[root@zm1 ~]# service httpd configtest
Syntax OK
[root@zm1 ~]# service httpd restart
Stopping httpd:                                            [  OK  ]
Starting httpd:                                            [  OK  ]
[root@zm1 ~]#
10 - If you're running a default ZoneMinder install, then you probably will want to turn on authentication so that your ZoneMinder install isn't available for everyone on the Internet.  In ZoneMinder, Options, System, check OPT_USE_AUTH.  The default username and password will be admin/admin.  You can change this by going back to Options, then to the newly created "Users" tab (which is also where you could add additional restricted users).  Finally, we'll want to restart ZoneMinder for these changes to fully take effect.  You can do this from the web interface by clicking "Running", then Change State, Restart.
 
11 - All that's left to do now is to create a rule / port forward / ACL on your router or firewall.  This varies a lot, depending on your network setup, so it's beyond the scope of this document.  For added security, you may want to use a non-standard port for HTTPS.  Again, there is a lot of variability here.  Some routers can handle this, and forward the translated packet to your ZoneMinder server on 443.  Some routers can't, in which case, you'd have to modify Apache to run SSL on a non-standard port.
 

If all went well, then congratulations!  You've now got a ZoneMinder installation that can be monitored from pretty much any browser.  If you're using the eyeZm iPhone or iPad app - then you can truly monitor your ZoneMinder installation from anywhere (as long as there's 3G!).  


Title: Enabling SSL Support for ZoneMinder on CentOS with Apache