SSL and TLS Web UI in thingino - themactep/thingino-firmware GitHub Wiki

Thingino does not ship with SSL/TLS support by default because of the limited resources of the cameras it runs on. This tutorial shows how to add it by building thingino yourself from source, which the build system makes straightforward. A reverse proxy (stunnel) is placed in front of the main Web UI that controls the camera settings, so that your root password is no longer sent in the clear where it can be eavesdropped.

Note that WireGuard is usually the better option. If you can restrict access to the camera's Web UI to the WireGuard interface or to 127.0.0.1/localhost (this tutorial shows how) and then reach the camera through an SSH tunnel, you get a more convenient and equally secure setup that works with the stock firmware.

Before you start:

  1. Make sure you know how to build thingino and deploy it to your camera (this can be done remotely, which is very convenient, but you need to be comfortable with the build tools). Refer to this tutorial. We assume here that you know how to build and do OTA deploys. Practice this before moving on to more complex builds such as this SSL/TLS one.

  2. Prepare your SSL/TLS certificates, either from a self-signed CA (certificate authority) of your own or from a public one. This requires a good understanding of the topic; the tutorial assumes you know how SSL/TLS works.

WARNING: DO NOT use heavy keys like RSA-4096; RSA-2048 is about the most the camera can handle. Every TLS handshake costs the camera a private-key operation, and in the author's observation these cameras cannot cope with much processing. Elliptic-curve keys are a good option because the handshake is much cheaper, but support varies: an ECDSA P-256 certificate is accepted by all mainstream browsers and OS trust stores, whereas an Ed25519 certificate is not, for example the macOS keychain does not support it.

  3. Before blocking plain http (unencrypted) access, test everything for a while and have a fallback plan so you do not lock yourself out. In the worst case, SSH should still be reachable, so keep it that way.

How to add the SSL/TLS encryption to Thingino build:

  1. In your source build directory, find the file local.fragment and add the line BR2_PACKAGE_STUNNEL=y to it. This adds stunnel to the build; stunnel is the TLS wrapper that acts as the reverse proxy and does all the SSL/TLS work.
  2. Compile the camera firmware.
  3. Push the firmware to the camera.
  4. Issue your certificate (sign it with your own CA if it is self-signed). Then concatenate the server certificate, the server private key and the CA certificate, in that order, into one PEM file: stunnel expects the server certificate as the first block, followed by the chain up to the CA (the same bundle layout nginx and haproxy accept). Place that file at /etc/stunnel.pem on the camera (scp -O stunnel.pem root@your-camera-hostname:/etc/). The file contains the private key, so keep it readable only by root (chmod 600).
  5. Edit the file /etc/stunnel/stunnel.conf so that it contains only the following (clear the file first, then add):
[https]
accept  = 443
connect = 80
cert = /etc/stunnel.pem

[ws]
accept  = 8090
connect = 8089
cert = /etc/stunnel.pem

Notice that the WebSocket port has to be wrapped too, because the camera stream is delivered over it. See this PR for more information on why this matters.

  6. Run stunnel by hand once to check for errors. If everything is fine it usually prints nothing to stdout/stderr. stunnel is started automatically at boot, so nothing else needs to be done; the manual run is only to confirm the configuration and certificate load cleanly.

  7. Check with netstat -plunt that ports 443 and 8090 are listening. If they are, the reverse proxy is running.

  8. Visit the https link to your camera's hostname, like https://hostname.local. Again, this assumes you have installed your CA in your OS trust store and know how that works. Restarting the browser helps if it acts up.

That's it. You can now reach the camera over SSL/TLS: the connection is encrypted between your browser and the camera. stunnel terminates TLS and forwards the plaintext requests to the local http server (connect = 80 without a host means localhost), so the unencrypted hop never leaves the camera's loopback interface. One side effect is that httpd now sees every client as 127.0.0.1. For more information on how this really works, read up on stunnel and the configuration above.
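The certificate and bundle steps above (together with the key-size warning earlier) as an added shell example; this is not code from the thingino wiki or the stunnel project. It runs on your workstation, not on the camera, and assumes openssl is installed there, that the camera is reachable as camera.local, and that the files live under ./pki; the --run flag and the script name are also assumptions. It generates a private CA and an ECDSA P-256 server certificate, concatenates the bundle in the order stunnel expects, and checks the bundle layout offline before you scp it over:

```shell
#!/bin/sh
# Added example, not part of the thingino wiki or the stunnel project: prepare
# the PEM bundle for stunnel on a workstation and check it before copying it to
# the camera. The hostname "camera.local" and the ./pki directory are assumptions.
set -eu

# Create a private CA and an ECDSA P-256 server certificate. P-256 keeps the
# handshake cheap on the camera and is accepted by every mainstream browser and
# OS trust store (Ed25519 certificates are not). Browsers require the hostname
# in a subjectAltName; a CN alone is not enough.
gen_certs() {
    host=$1; dir=$2
    mkdir -p "$dir"
    openssl ecparam -name prime256v1 -genkey -noout -out "$dir/ca.key"
    openssl req -x509 -new -batch -key "$dir/ca.key" -days 3650 \
        -subj "/CN=Home camera CA" -out "$dir/ca.crt"
    openssl ecparam -name prime256v1 -genkey -noout -out "$dir/server.key"
    openssl req -new -batch -key "$dir/server.key" -subj "/CN=$host" -out "$dir/server.csr"
    printf 'subjectAltName=DNS:%s\n' "$host" > "$dir/san.ext"
    openssl x509 -req -in "$dir/server.csr" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" \
        -CAcreateserial -days 825 -extfile "$dir/san.ext" -out "$dir/server.crt"
}

# Concatenate in the order stunnel's cert= option expects: server certificate
# first, then the private key, then the CA chain. The bundle holds the private
# key, so it is created with mode 600.
bundle_pem() {
    ( umask 077; cat "$1" "$2" "$3" > "$4" )
    chmod 600 "$4"
}

# Offline sanity check: the first PEM block is a certificate, there is exactly
# one private key, and at least two certificates (server + CA) are present.
check_bundle() {
    f=$1
    first=$(sed -n '/^-----BEGIN /{p;q;}' "$f")
    [ "$first" = '-----BEGIN CERTIFICATE-----' ] || {
        echo "$f: first PEM block must be the server certificate, got '$first'" >&2; return 1; }
    nkeys=$(grep -c '^-----BEGIN .*PRIVATE KEY-----$' "$f" || true)
    [ "$nkeys" -eq 1 ] || { echo "$f: expected exactly one private key, found $nkeys" >&2; return 1; }
    ncerts=$(grep -c '^-----BEGIN CERTIFICATE-----$' "$f" || true)
    [ "$ncerts" -ge 2 ] || { echo "$f: expected server certificate plus CA, found $ncerts" >&2; return 1; }
}

# Usage: sh build-stunnel-pem.sh --run camera.local ./pki   (script name assumed)
if [ "${1:-}" = "--run" ]; then
    HOST=${2:-camera.local}; WORK=${3:-./pki}
    gen_certs "$HOST" "$WORK"
    bundle_pem "$WORK/server.crt" "$WORK/server.key" "$WORK/ca.crt" "$WORK/stunnel.pem"
    check_bundle "$WORK/stunnel.pem"
    echo "bundle OK. Copy it with:  scp -O $WORK/stunnel.pem root@$HOST:/etc/stunnel.pem"
    echo "After stunnel is running, verify the chain from the workstation with:"
    echo "  openssl s_client -connect $HOST:443 -servername $HOST -CAfile $WORK/ca.crt </dev/null | grep 'Verify return code'"
fi
```

Once stunnel is up, the printed openssl s_client command should report Verify return code: 0 (ok); anything else means the bundle order, the subjectAltName or the CA you trust on the workstation is wrong. check_bundle only inspects PEM block order and counts; it cannot tell a leaf certificate from a CA certificate, so keep the file names straight.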

Disabling plain http access so the Web UI is reachable only over https

busybox httpd listens on all interfaces (0.0.0.0) by default. If you wish, you can restrict it so that only connections arriving through stunnel (and optionally WireGuard) are accepted, by editing busybox httpd's configuration. For that:

  1. Edit the file /etc/httpd.conf
  2. At the TOP, right AFTER the H: line, add:
A:127.0.0.1
D:*

Then restart the camera (or just restart httpd) to reload the configuration. More information on httpd configuration can be found here. To also allow direct access from your WireGuard subnet, add further A: lines after A:127.0.0.1 and before D:*, for example A:10.0.0.0/24 (use your own WireGuard subnet). Think of this as an access control list (ACL): a client whose address matches one of the A: entries is allowed, and D:* denies everyone else. The A:127.0.0.1 entry is what keeps stunnel working, since it connects to httpd over loopback. Note that this ACL only covers busybox httpd: the WebSocket service on port 8089 is a separate program and is not affected by httpd.conf.
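The ACL edit described in this section as an added shell example; this is not the wiki's or busybox's code. It assumes you have copied /etc/httpd.conf off the camera to your workstation, that your WireGuard subnet is 10.0.0.0/24, and that the shell it runs in has 64-bit arithmetic (dash, bash and busybox ash all do); the script name and the --run flag are also assumptions. restrict_httpd_conf writes the A: lines and D:* directly after the H: line, and httpd_acl_decision dry-runs the allow-list logic for a client address so you can confirm that 127.0.0.1 (stunnel) and your WireGuard peers are still allowed before you reboot the camera:

```shell
#!/bin/sh
# Added example, not part of the thingino wiki or busybox: rewrite httpd.conf
# with the allow-list from this section and dry-run the resulting ACL against a
# few client addresses before rebooting the camera. The conf path, the
# 10.0.0.0/24 WireGuard subnet and the sample client addresses are assumptions.
set -eu

# Insert A: lines for the given networks followed by D:* directly after the H:
# line (or at the top if there is no H: line). Existing A:/D: lines are removed
# first, so re-running the function does not duplicate rules. At least one
# allow entry is required, as a guard against locking yourself out.
restrict_httpd_conf() {
    conf=$1; shift
    [ $# -ge 1 ] || { echo "refusing to write an ACL with no A: entries" >&2; return 1; }
    rules=$(printf 'A:%s\n' "$@"; printf 'D:*\n')
    tmp="$conf.tmp"
    grep -v '^[AD]:' "$conf" > "$tmp" || true
    if grep -q '^H:' "$tmp"; then
        awk -v r="$rules" '{ print } /^H:/ && !done { print r; done = 1 }' "$tmp" > "$conf"
    else
        { printf '%s\n' "$rules"; cat "$tmp"; } > "$conf"
    fi
    rm -f "$tmp"
}

# Dotted quad -> 32-bit integer (relies on 64-bit shell arithmetic).
ip2int() {
    oldifs=$IFS; IFS=.; set -- $1; IFS=$oldifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# Is client address $1 inside $2? $2 is a.b.c.d or a.b.c.d/len, the two forms
# used on this page (busybox also accepts dotted prefixes such as 10.10., which
# are not modelled here).
in_net() {
    case $2 in
        */*) net=${2%/*}; len=${2#*/} ;;
        *)   net=$2; len=32 ;;
    esac
    if [ "$len" -eq 0 ]; then mask=0
    else mask=$(( (4294967295 << (32 - len)) & 4294967295 )); fi
    [ $(( $(ip2int "$1") & mask )) -eq $(( $(ip2int "$net") & mask )) ]
}

# Dry-run the decision for one client: an A: entry whose network matches allows
# the client; D:* denies everyone else; without D:* the default is allow.
httpd_acl_decision() {
    conf=$1; client=$2; deny_all=0
    while IFS= read -r line; do
        case $line in
            'D:*') deny_all=1 ;;
            A:*)   in_net "$client" "${line#A:}" && { echo allow; return 0; } ;;
        esac
    done < "$conf"
    [ "$deny_all" -eq 1 ] && echo deny || echo allow
}

# Usage on a copy of the camera's file:
#   scp -O root@camera.local:/etc/httpd.conf . && sh httpd-acl.sh --run ./httpd.conf 10.0.0.0/24
# (script name assumed)
if [ "${1:-}" = "--run" ]; then
    CONF=${2:-./httpd.conf}; WG=${3:-10.0.0.0/24}
    restrict_httpd_conf "$CONF" 127.0.0.1 "$WG"
    for c in 127.0.0.1 10.0.0.7 192.168.1.20; do
        echo "$c -> $(httpd_acl_decision "$CONF" "$c")"
    done
fi
```

Copy the rewritten file back with scp -O only after the dry-run shows allow for 127.0.0.1 and for an address in your WireGuard subnet; if 127.0.0.1 comes back as deny, stunnel will be locked out along with everyone else.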