How to use gateway when 443 port is in use and only single IPv4 address
-
Hi.
I run my own HTTPS server at home, with multiple domains via virtual hosting. As a consequence port 443 is in use.
Is there any alternative to make the monocle gateway usable?
Has someone managed to get it to work with a reverse proxy?
-
So the issue is that the Amazon devices will ONLY connect to camera streams on port 443. Additionally the stream must be encrypted using TLS 1.2 and have a valid public SSL certificate and will only connect on a publicly resolvable DNS hostname. (direct IP addresses and local network DNS resolution are not allowed).
Thus the Monocle Gateway provides all the necessary complicated security requirements but it still MUST listen on port 443. There is no way around this requirement as many Amazon devices will refuse to connect to camera streams on an alternate port – even if all the other security requirements are met.
You could use a TCP proxy like STUNNEL assuming you meet all the other requirements: TLS 1.2, valid SSL certificate, public DNS record, etc. However, I was not able to get a simple HTTP proxy server like NGINX working. I think the reason is that the RTSP protocol is not fully compliant with HTTP/S servers. Now maybe there are reverse proxies (HAProxy maybe?) that can handle both RTSP and HTTP but I have not tested any.
A simpler solution would be to set up your server to have a secondary IP address used exclusively for the Monocle Gateway. Or perhaps a virtual server or Docker container with a secondary IP address on the same network where the Monocle Gateway is running inside the VM/container.
Keep in mind, the IP address for the Monocle Gateway can be an IP address on your local/private network. It does not have to be your public IP address. (unless you are trying to do something more complicated like access your camera stream remotely)
Thanks, Robert
-
@Monocle thank you for your answer.
I understand why port 443 is in use. My question was more about how to have the gateway share it with another server.
Could this be done with an existing Apache setup, like having a virtual host that forwards all 443 traffic to and from the gateway?
The setup would be something like:
Public_IP -> Router (192.168.10.1) -> port forwarding -> Apache server (192.168.10.2) -> Monocle Gateway (192.168.10.3)
That’s just for handling port 443
Or did I misread the whole lot, and the gateway only needs to listen on port 443 on the local network rather than on a public IP?
Thank you
-
The Monocle Gateway can listen on port 443 on a private/internal IP address. It does not have to be exposed on your Internet facing IP.
I don’t think the Apache proxy would work unless it can support a TCP proxy at a lower level than the HTTP protocol layer. Perhaps HAProxy or maybe Stunnel could be used if it serves the SSL certificate and redirects traffic based on the requested hostname. In this case Monocle Gateway would need to disable its handling of SSL and listen on a non-encrypted port. I think it can do this but may require a little investigation.
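As an added example (not from this thread or the Monocle project), here is how the hostname-based TCP routing described above can be done with HAProxy in SNI passthrough mode, so that HAProxy never decrypts anything and the Monocle Gateway keeps terminating TLS with its own certificate on its own IP. It assumes HAProxy 2.x running on the host the router forwards 443 to, Apache at 192.168.10.2 and the gateway at 192.168.10.3 (the addresses from the thread), and `camera.example.com` as a placeholder for the gateway's public hostname.

```haproxy
# Added example, not the thread's or Monocle's own configuration.
# Assumes: HAProxy 2.x on its own host/container, Apache at 192.168.10.2,
# Monocle Gateway at 192.168.10.3, placeholder hostname camera.example.com.
global
    log /dev/log local0

defaults
    mode tcp                 # raw TCP: TLS is passed through, not terminated here
    log global
    option tcplog
    timeout connect 5s
    timeout client 1h        # RTSP streams are long-lived; keep idle timeouts generous
    timeout server 1h

frontend https_in
    bind *:443
    # Hold the connection (up to 5s) until the TLS ClientHello arrives so SNI can be read
    tcp-request inspect-delay 5s
    tcp-request content accept if { req.ssl_hello_type 1 }
    # Camera hostname goes to the gateway; every other virtual host goes to Apache
    use_backend monocle_gateway if { req.ssl_sni -i camera.example.com }
    default_backend apache_sites

backend monocle_gateway
    # The gateway still serves its own public certificate and speaks TLS 1.2 to the device
    server gateway 192.168.10.3:443 check

backend apache_sites
    server apache 192.168.10.2:443 check
```

A client that sends no SNI lands on the default (Apache) backend, so verify in the HAProxy log that the Amazon device's connections are routed to `monocle_gateway` before relying on this.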