After you've got your ZoneMinder server set up and running, you might want to enable remote access via the Internet so you can monitor your cameras and events while on the go. The easiest way to do this would simply be to port forward / static NAT port 80 (HTTP) from your router to your ZoneMinder server. While that might work, it's not the most secure option available, and if you're using a residential ISP service, you may find that inbound TCP/80 is blocked. This article will detail how to configure ZoneMinder on CentOS to use SSL for your remote ZoneMinder connections.
First, we'll need to get an SSL certificate. While it's certainly possible to use a self-signed SSL certificate, due to security features on the iOS platform you are required to have a validated SSL certificate from a trusted Certificate Authority (Verisign, GeoTrust, Thawte, Comodo, etc.). It's possible to create your own CA and push it to your iPhone or iPad, but that's beyond the scope of this document. Why the emphasis on the iOS platform? Well, I want the eyeZm app to work properly. What if you're not using eyeZm or an iOS device? Well, using a "real" SSL certificate will prevent browser warnings, and a lot of headaches and phone calls if anyone but you is going to be accessing your ZoneMinder server.
How do you obtain and install a "real" SSL certificate? Any trusted CA will work - companies like Verisign, Thawte, GoDaddy, and GeoTrust. I'm a big fan of NameCheap personally - both for domain registrations and for their cheap SSL certificates. Their PositiveSSL domain validated SSL certificate from Comodo is very competitively priced at $8.95 per year. For our purposes, this cheap SSL certificate should be perfect. Regardless of which CA you choose to purchase your "real" SSL certificate from, the rest of these steps should be pretty much identical.

I suppose I should mention that all of this assumes you have a domain name registered (e.g., example.com). If you don't, then NameCheap is a great place to start. You don't need a dedicated domain name just for your ZoneMinder installation. A subdomain would work just fine (e.g., zoneminder-home.example.com or zoneminder-office.example.com). NameCheap also provides free DNS hosting, and a dynamic DNS client if you're on a dynamic public IP.
1 - If you purchased your SSL certificate from NameCheap, you need to place your order first. Once you've done so, you'll be able to upload your Certificate Signing Request (CSR). To generate it, we'll run the following from our ZoneMinder server:
[root@zm1 ~]# openssl req -nodes -newkey rsa:2048 -keyout myservername.key -out myservername.csr
Generating a 2048 bit RSA private key
...............................+++
...........+++
writing new private key to 'myservername.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [GB]:US
State or Province Name (full name) [Berkshire]:My State
Locality Name (eg, city) [Newbury]:My City
Organization Name (eg, company) [My Company Ltd]:My Company
Organizational Unit Name (eg, section) []:My OU
Common Name (eg, your name or your server's hostname) []:zoneminder.example.com   <-- NOTE: this needs to be EXACTLY the fully qualified domain name you intend to use! In this example, it would be https://zoneminder.example.com
Email Address []:email@example.com

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
[root@zm1 ~]#
[root@zm1 ~]# cat myservername.csr
-----BEGIN CERTIFICATE REQUEST-----
A bunch of gibberish here...
-----END CERTIFICATE REQUEST-----
3 - Copy the CSR text to your clipboard, and upload it to your CA. If you used NameCheap as your CA, you'll need to approve the certificate request by responding to an email sent to an address associated with your domain (e.g., firstname.lastname@example.org, email@example.com, and so on).
4 - Once you've approved the certificate request, then you should receive an email with your new certificate and several associated files attached. I'm going to upload these files to /etc/httpd/ssl (you may need to create this directory).
5 - I'm also going to copy my private key that we created in step 1 to this same folder (/etc/httpd/ssl):
[root@zm1 ~]# cp myservername.key /etc/httpd/ssl/
[root@zm1 ~]# ls /etc/httpd/ssl/
AddTrustExternalCARoot.crt  PositiveSSLCA.crt  UTNAddTrustServerCA.crt  zoneminder_myservername_com.crt  myservername.key
Now, let's create a bundle file for using later:
[root@zm1 ~]# cd /etc/httpd/ssl
[root@zm1 ssl]# cat PositiveSSLCA.crt UTNAddTrustServerCA.crt AddTrustExternalCARoot.crt > PositiveSSL.ca-bundle
6 - If you don't already have it, go ahead and install mod_ssl:
[root@zm1 ~]# yum install mod_ssl
7 - Now, let's go ahead and open up ssl.conf and get SSL configured:
[root@zm1 ~]# emacs /etc/httpd/conf.d/ssl.conf
8 - Once we've got ssl.conf open, I'm going to comment out (#) every line between <VirtualHost _default_:443> and </VirtualHost>. Then, at the bottom of the file, I'll add my SSL configuration (my comments are the lines beginning with #):
# New virtual host, using the IP of the local server (in this example, 192.168.1.10).
<VirtualHost 192.168.1.10:443>
    DocumentRoot "/var/www/html"
    # ServerName - needs to match EXACTLY what you entered in step 1, and submitted to the CA.
    ServerName zoneminder.example.com
    # The certificate we received from our CA
    SSLCertificateFile /etc/httpd/ssl/zoneminder_myservername_com.crt
    # The private key we generated back in step 1
    SSLCertificateKeyFile /etc/httpd/ssl/myservername.key
    # The bundle file we generated in step 5
    SSLCertificateChainFile /etc/httpd/ssl/PositiveSSL.ca-bundle
    SSLEngine on
    SSLProtocol all -SSLv2
    # Only allow for strong ciphers
    SSLCipherSuite ALL:!aNULL:!eNULL:!LOW:!MEDIUM:!EXP:RC4+RSA:+HIGH
    SetEnvIf User-Agent ".*MSIE.*" \
        nokeepalive ssl-unclean-shutdown \
        downgrade-1.0 force-response-1.0
    ErrorLog /var/log/httpd/error-ssl.log
    LogLevel warn
    CustomLog /var/log/httpd/access-ssl.log "combined"
</VirtualHost>
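Before restarting httpd, it is worth confirming that the three files the vhost points at actually belong together, since a key that doesn't match the certificate or a bundle that doesn't complete the chain only shows up as a failed TLS handshake or a browser warning later. The script below is an added check, not part of the original article: it defines a shell function (I'll call it check_ssl_files) that uses the same openssl tool we used in step 1, and it builds a throwaway CA and server certificate as constructed demo material so it can run offline; on the real server you would call the function on the files in /etc/httpd/ssl instead.

```shell
#!/bin/sh
# Added check (not from the original article): confirm that a certificate,
# its private key and the CA bundle belong together before httpd uses them.
# Assumes the openssl command-line tool is on PATH.
check_ssl_files() {
    cert=$1; key=$2; bundle=$3; fqdn=$4
    # 1. The private key must be the one the certificate was issued for:
    #    compare a SHA-256 of the public key taken from each side.
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null | openssl dgst -sha256)
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null | openssl dgst -sha256)
    if [ -z "$cert_pub" ] || [ "$cert_pub" != "$key_pub" ]; then
        echo "FAIL: $key is not the private key for $cert"; return 1
    fi
    # 2. The certificate must chain up through the bundle; this is what a
    #    browser or the eyeZm app checks when it connects.
    if ! openssl verify -CAfile "$bundle" "$cert" >/dev/null 2>&1; then
        echo "FAIL: $cert does not verify against $bundle"; return 2
    fi
    # 3. The Common Name must be the FQDN from step 1 (and the ServerName);
    #    anything else produces a hostname-mismatch warning.
    if ! openssl x509 -in "$cert" -noout -subject | grep -q "CN *= *$fqdn"; then
        echo "FAIL: subject CN of $cert is not $fqdn"; return 3
    fi
    echo "OK: $cert, $key and $bundle are consistent for $fqdn"
}

# --- Constructed demo material so the check runs offline: a throwaway CA,
# --- a server certificate it signs, and a second key that does NOT match.
demo=$(mktemp -d)
openssl req -x509 -nodes -newkey rsa:2048 -days 1 -subj "/CN=Demo Root CA" \
    -keyout "$demo/ca.key" -out "$demo/ca-bundle.crt" 2>/dev/null
openssl req -nodes -newkey rsa:2048 -subj "/CN=zoneminder.example.com" \
    -keyout "$demo/myservername.key" -out "$demo/myservername.csr" 2>/dev/null
openssl x509 -req -days 1 -in "$demo/myservername.csr" -CA "$demo/ca-bundle.crt" \
    -CAkey "$demo/ca.key" -CAcreateserial -out "$demo/myservername.crt" 2>/dev/null
openssl genrsa -out "$demo/wrong.key" 2048 2>/dev/null

# On the real server the arguments would be
#   /etc/httpd/ssl/zoneminder_myservername_com.crt /etc/httpd/ssl/myservername.key
#   /etc/httpd/ssl/PositiveSSL.ca-bundle zoneminder.example.com
check_ssl_files "$demo/myservername.crt" "$demo/myservername.key" "$demo/ca-bundle.crt" zoneminder.example.com
# Expected to fail: the key does not belong to the certificate.
check_ssl_files "$demo/myservername.crt" "$demo/wrong.key" "$demo/ca-bundle.crt" zoneminder.example.com || true
```

One thing the script cannot check for you: the `SSLProtocol all -SSLv2` line in the vhost above still leaves SSLv3 enabled, and on any current httpd you would also add `-SSLv3`, since SSLv3 is no longer considered safe.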
[root@zm1 ~]# service httpd configtest
Syntax OK
[root@zm1 ~]# service httpd restart
Stopping httpd:                                            [  OK  ]
Starting httpd:                                            [  OK  ]
[root@zm1 ~]#
If all went well, then congratulations! You've now got a ZoneMinder installation that can be monitored from pretty much any browser. If you're using the eyeZm iPhone or iPad app - then you can truly monitor your ZoneMinder installation from anywhere (as long as there's 3G!).