CentOS 5.x and Motion: View video stream after authorization
I did not find in this package the built-in authorization mechanism to view the stream in the browser via the Internet. Because of this, the service will be constantly available to all. Access can of course be limited via the required IP address by the rules in iptables, but this is inconvenient, since An IP address can be dynamic, for example, the Internet on a smartphone.
In this case, we will do authorization through Apache + IPTables.
Suppose that Motion, Apache, and IPTatables are already installed on the system. There is a site available on the Internet mysite.ru
Physically on disk it is located:
')
# / home / www / mysite.ru / cgi-bin
# / home / www / mysite.ru / www
We need to create a webcam.cgi file, put it in the /home/www/mysite.ru/cgi-bin folder and assign 775 permissions to it:
#touch /home/www/mysite.ru/cgi-bin/webcam.cgi
#chmod 755 /home/www/mysite.ru/cgi-bin/webcam.cgi
Contents of webcam.cgi file:
Now, if you type in the browser mysite.ru/cgi-bin/webcam.cgi , then this file will broadcast the stream that sends motion to port 8081.
Next, create a password file for authorization through apache, execute:
#htpasswd -cb /home/www/mysite.ru/.htpasswd user parol
Next, create the .htaccess file in /home/www/mysite.ru/cgi-bin:
#touch /home/www/mysite.ru/cgi-bin/.htaccess
Contents of the .htaccess file:
Now, if you type in the browser mysite.ru/cgi-bin/webcam.cgi , then the authorization panel will appear for entering the login and password.
All this is good, the login with the password is already there, but the stream can still be seen at the direct address mysite.ru : 8081 bypassing the webcam.cgi call file page
Now the fun part.
Create a webcam_ipt.cgi file and put it in the /home/www/mysite.ru/ folder
#touch /home/www/mysite.ru/webcam_ipt.cgi
#chmod 755 /home/www/mysite.ru/webcam_ipt.cgi
Contents of webcam_ipt.cgi file:
Next, we need the webcam_ipt.cgi file to be executed when webcam.cgi is executed.
We bring the webcam.cgi file to the form:
We have already become closer to the goal, but it will not work, the following is necessary. To run perl scripts from WEB as root, you need to install the package:
#yum install perl-suidperl
The files you need to run need to set the UID when running chmod 4755 file.cgi
Those. to run our webcam_ipt.cgi file as root, execute:
#chmod 4755 /home/www/mysite.ru/webcam_ipt.cgi
I will try to describe on the fingers how it works.
Go to the browser, enter mysite.ru/cgi-bin/webcam.cgi , apache authorization request appears, enter the login and password, if authorization is passed in the webcam.cgi script is executed:
$ ip_for_ipt = "$ ENV {'REMOTE_ADDR'}"; # getting IP address
system ("/ home / www / mysite.ru / webcam_ipt.cgi $ ip_for_ipt"); # run webcam_ipt.cgi script which has IP address as input
Next, the webcam_ipt.cgi file is executed, in it the received IP address is inserted into the iptables command, which opens port 8081 for the received IP address.
The rule is created, the port is open, and the webcam.cgi file starts to drive the video stream with mysite.ru:8081
Now you need to take care that the port is closed. We do it simply and drastically, add the following entry to the crontab file * * * * * root / sbin / iptables -F Motion-Port-INPUT> / dev / null
#echo "* * * * * root / sbin / iptables -F Motion-Port-INPUT> / dev / null" >> / etc / crontab
The output will be such that the iptables command will clear all table rules in the Motion-Port-INPUT chain and port 8081 will be closed in a minute.
The contents of the file with the location of the chains and the rules in them / etc / sysconfig / iptables:
In this case, we will do authorization through Apache + IPTables.
Suppose that Motion, Apache, and IPTatables are already installed on the system. There is a site available on the Internet mysite.ru
Physically on disk it is located:
')
# / home / www / mysite.ru / cgi-bin
# / home / www / mysite.ru / www
We need to create a webcam.cgi file, put it in the /home/www/mysite.ru/cgi-bin folder and assign 775 permissions to it:
#touch /home/www/mysite.ru/cgi-bin/webcam.cgi
#chmod 755 /home/www/mysite.ru/cgi-bin/webcam.cgi
Contents of webcam.cgi file:
#!/usr/bin/perl $ENV{PATH} = "/usr/bin"; print "Content-type: text/html \n\n"; print <<HTML; <html> <head> <title> - </title> <meta http-equiv="Content-Type" content="text/html; charset=windows-1251"> </head> <body> <center> <img src="http://mysite.ru:8081"> </center> </body> </html> HTML Now, if you type in the browser mysite.ru/cgi-bin/webcam.cgi , then this file will broadcast the stream that sends motion to port 8081.
Next, create a password file for authorization through apache, execute:
#htpasswd -cb /home/www/mysite.ru/.htpasswd user parol
Next, create the .htaccess file in /home/www/mysite.ru/cgi-bin:
#touch /home/www/mysite.ru/cgi-bin/.htaccess
Contents of the .htaccess file:
AuthType Basic AuthName "Monitor MySite.Ru" AuthUserFile /www/mysite.ru/.htpasswd require valid-user Now, if you type in the browser mysite.ru/cgi-bin/webcam.cgi , then the authorization panel will appear for entering the login and password.
All this is good, the login with the password is already there, but the stream can still be seen at the direct address mysite.ru : 8081 bypassing the webcam.cgi call file page
Now the fun part.
Create a webcam_ipt.cgi file and put it in the /home/www/mysite.ru/ folder
#touch /home/www/mysite.ru/webcam_ipt.cgi
#chmod 755 /home/www/mysite.ru/webcam_ipt.cgi
Contents of webcam_ipt.cgi file:
#!/usr/bin/perl $ENV{PATH} = "/usr/bin"; foreach $arg_ip (@ARGV){ if ($arg_ip =~ /^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}$/){ $arg_ip =~ /(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})/; $ip_on = "$1.$2.$3.$4"; system("/sbin/iptables -A Motion-Port-INPUT -p tcp -m state -m tcp -s $ip_on --dport 8081 --state NEW -j ACCEPT"); } } Next, we need the webcam_ipt.cgi file to be executed when webcam.cgi is executed.
We bring the webcam.cgi file to the form:
#!/usr/bin/perl $ENV{PATH} = "/usr/bin"; $ip_for_ipt = "$ENV{'REMOTE_ADDR'}"; system("/home/www/mysite.ru/webcam_ipt.cgi $ip_for_ipt"); print "Content-type: text/html \n\n"; print <<HTML; <html> <head> <title> - </title> <meta http-equiv="Content-Type" content="text/html; charset=windows-1251"> </head> <body> <center> <img src="http://mysite.ru:8081"> </center> </body> </html> HTML We have already become closer to the goal, but it will not work, the following is necessary. To run perl scripts from WEB as root, you need to install the package:
#yum install perl-suidperl
The files you need to run need to set the UID when running chmod 4755 file.cgi
Those. to run our webcam_ipt.cgi file as root, execute:
#chmod 4755 /home/www/mysite.ru/webcam_ipt.cgi
I will try to describe on the fingers how it works.
Go to the browser, enter mysite.ru/cgi-bin/webcam.cgi , apache authorization request appears, enter the login and password, if authorization is passed in the webcam.cgi script is executed:
$ ip_for_ipt = "$ ENV {'REMOTE_ADDR'}"; # getting IP address
system ("/ home / www / mysite.ru / webcam_ipt.cgi $ ip_for_ipt"); # run webcam_ipt.cgi script which has IP address as input
Next, the webcam_ipt.cgi file is executed, in it the received IP address is inserted into the iptables command, which opens port 8081 for the received IP address.
The rule is created, the port is open, and the webcam.cgi file starts to drive the video stream with mysite.ru:8081
Now you need to take care that the port is closed. We do it simply and drastically, add the following entry to the crontab file * * * * * root / sbin / iptables -F Motion-Port-INPUT> / dev / null
#echo "* * * * * root / sbin / iptables -F Motion-Port-INPUT> / dev / null" >> / etc / crontab
The output will be such that the iptables command will clear all table rules in the Motion-Port-INPUT chain and port 8081 will be closed in a minute.
The contents of the file with the location of the chains and the rules in them / etc / sysconfig / iptables:
*filter :FORWARD ACCEPT [0:0] :INPUT ACCEPT [0:0] :Motion-Port-INPUT - [0:0] :RH-Firewall-1-INPUT - [0:0] :OUTPUT ACCEPT [0:0] ### Motion-Port-INPUT -A INPUT -j Motion-Port-INPUT ### ### RH-Firewall-1-INPUT -A RH-Firewall-1-INPUT -i lo -j ACCEPT -A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT -A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT -A RH-Firewall-1-INPUT -p tcp -m tcp -m state --dport 21 --state NEW -j ACCEPT -A RH-Firewall-1-INPUT -p tcp -m tcp -m state --dport 22 --state NEW -j ACCEPT -A RH-Firewall-1-INPUT -p tcp -m state -m tcp --dport 80 --state NEW -j ACCEPT -A INPUT -j RH-Firewall-1-INPUT -A RH-Firewall-1-INPUT -j REJECT ### COMMIT Source: https://habr.com/ru/post/163835/
All Articles