this post was submitted on 02 Aug 2024
33 points (100.0% liked)

Linux

48328 readers
636 users here now

From Wikipedia, the free encyclopedia

Linux is a family of open source Unix-like operating systems based on the Linux kernel, an operating system kernel first released on September 17, 1991 by Linus Torvalds. Linux is typically packaged in a Linux distribution (or distro for short).

Distributions include the Linux kernel and supporting system software and libraries, many of which are provided by the GNU Project. Many Linux distributions use the word "Linux" in their name, but the Free Software Foundation uses the name GNU/Linux to emphasize the importance of GNU software, causing some controversy.

Rules

Related Communities

Community icon by Alpár-Etele Méder, licensed under CC BY 3.0

founded 5 years ago
MODERATORS
 

Locally, everything works fine on HTTP (http://192.168.1.222).

Externally, however, only PARTIALLY on HTTPS (https://mydomain:8344) through Caddy. I can connect to the site (first picture), but streams won't start.

Any idea why this is the case? My theory is that the RTSP port (554) is for streaming and that when I go to the local address (that is on 80), the site ITSELF initiates a connection to port 554 in the background. However, this apparently does not happen when I connect remotely.

EDIT: In the same Caddyfile, I reverse proxy my Jellyfin server that only uses a single port, and that works fine. The Caddy server runs on my Ubuntu Server 23 on Raspberry pi 5.

top 10 comments
sorted by: hot top controversial new old
[–] SteveTech@programming.dev 8 points 3 months ago (1 children)

I really wouldn't expose a DVR to the internet, and especially not RTSP, those sorts of things get brute forced all the time, and you can find websites full of hacked cameras.

What I would do is run a VPN server (maybe Wireguard) on your Pi, and VPN in when you want to look at your cameras.

[–] dysprosium@lemmy.dbzer0.com 0 points 3 months ago (2 children)

yeah but I am not exposing my DVR to the internet, right? I only expose my reverse proxy (Caddy) to the internet that is just redirecting the traffic from my DVR. You kinda make me worry as if this is still not safe enough??

[–] possiblylinux127@lemmy.zip 3 points 3 months ago (1 children)

That's exposing it to the internet

[–] dysprosium@lemmy.dbzer0.com 1 points 3 months ago

That's right. My bad.

[–] SteveTech@programming.dev 1 points 3 months ago* (last edited 3 months ago) (1 children)

A reverse proxy by itself doesn't do much security wise. You could possibly setup some sort of authentication, attempt blocking, and rate limiting (in the reverse proxy, don't trust the DVR), but it'll probably also break the DVR even more.

There's bots that port scan and specifically target all sorts of stuff, and DVRs are a very common target. With a VPN in the way, there's no way of knowing what's there. A VPN also shouldn't break the web UI.

[–] dysprosium@lemmy.dbzer0.com 1 points 3 months ago

Ah yes, I see my mistake... VPN is good option then. Thank you

[–] gaylord_fartmaster@lemmy.world 4 points 3 months ago* (last edited 3 months ago) (1 children)

My theory is that the RTSP port (554) is for streaming and that when I go to the local address (that is on 80), the site ITSELF initiates a connection to port 554 in the background. However, this apparently does not happen when I connect remotely.

I think you're on the right track here. The DVR is probably telling your browser to connect to http://192.168.1.222:554 for the stream, which on LAN is fine because you have a route to 192.168.1.222, but when connecting externally you won't be able to get to 192.168.1.222.

You can probably check the network connections in dev tools in the browser to confirm that.

Edit: Editing this to also stress the importance of the advice given by @SteveTech@programming.dev. My home cameras are also only accessible from outside my network via wireguard.

[–] dysprosium@lemmy.dbzer0.com 1 points 3 months ago

You're right. Now I just need to find a good and easy to set up FOSS vpn that runs on Arch and Ubuntu

[–] possiblylinux127@lemmy.zip 2 points 3 months ago (1 children)

The stream isn't http as it is likely a web socket which caddy doesn't support.

You shouldn't use a reverse proxy for this. Just setup a VPN or a mesh VPN like netbird.

[–] dysprosium@lemmy.dbzer0.com 1 points 3 months ago* (last edited 3 months ago)

A web socket? So basically a different protocol ? That's also probably on the mentioned 554 streaming port?