Monocle gateway behind a proxy - SSL Cert? [SOLVED]



  • Hi,

    I’ve got monocle gateway running using the docker image, and it’s been great so far, it’s a great solution to using local IP cameras with my Echo Show.

    I have the gateway running in a Kubernetes cluster using the provided docker image, but in order to do so I had to allow monocle gateway exclusive use of port 443. Ideally, I’d like to run it behind a proxy (nginx, traefik or similar), but to be able to do that, the proxy needs to have access to the SSL certs for the assigned monocle *.mproxy.io hostname.

    Where is that cert stored? I exec’d into the running docker container but couldn’t locate it.



  • @kd

    Sorry for the delayed response. I missed this thread until now. The SSL cert is dynamically generated and delivered to the running Monocle Gateway and is updated on a regular basis. It is not persisted to the file system.

    TCP Port 443 is mandatory per Amazon’s requirements (as well as the SSL certificate and a publicly resolvable DNS hostname). If attempting to use behind a proxy, that proxy must support the RTSP protocol and not just HTTP(s).

    If you would like to pursue this, we can add support to allow you to use your own custom DNS hostname (instead of *.mproxy.io) and you would then provide/configure a fixed SSL certificate to the Monocle Gateway instance. Or perhaps we can add an option to disable the secure socket listener and just fire up a raw TCP listener and your proxy would be entirely responsible for the SSL stuff.

    Let me know, Thanks, Robert



  • @Monocle

    Hi Robert, thanks for the detailed reply. Either of those options would work I think. Probably disabling the secure listener and allowing raw TCP would provide more flexibility and is presumably easier to implement?



  • @kd

    I agree and I’ll start looking into this next week.
    So an option to override the DNS hostname and an option to listen on a raw TCP socket and disable the secure socket listener.

    Thanks, Robert



  • @kd

    So it turns out everything is already in place in the existing Monocle Gateway (v0.0.4) to accomplish this goal.

    First, the Monocle Gateway already includes a RAW TCP listener on port 8555 (by default). So you can set up an SSL proxy/stunnel instance in front of the Monocle Gateway and point it to redirect to the IP address running the Monocle Gateway instance on port 8555.

    You can change this port in the monocle.properties file (https://monoclecam.com/monocle-gateway/custom-configuration). You can add the following properties and uncomment the rtsp.port=8555 line and change it to whatever port you want.

    #--------------------------------------
    # RTSP SERVICE PROPERTIES
    #--------------------------------------
    #rtsp.host=0.0.0.0
    #rtsp.port=8555
    #rtsp.ssl.port=443
    

    Next, in the monocle.properties file you will also need to add your custom DNS hostname. Add the following section and change monocle.mydomain.com to whatever hostname you end up creating.

    #--------------------------------------
    # RTSP SERVICE REGISTRATION OVERRIDES
    #--------------------------------------
    rtsp.register.fqdn=monocle.mydomain.com
    #rtsp.register.host=
    #rtsp.register.port=443
    

    Alternatively if you don’t want a separate SSL proxy/stunnel in front of Monocle Gateway, there are properties you can configure to allow Monocle Gateway to read in your SSL certificate and private key files and use that instead of the Monocle generated certificate. Let me know if you need more details on this.


    I was able to successfully set this up, using a custom DNS hostname (along with an SSL certificate from Let’s Encrypt) and test it in my home. I tested both the direct router forwarded port 443 method allowing Monocle Gateway to read in the custom certificate files as well as tested a STUNNEL instance in front of Monocle Gateway forwarding to the gateway’s raw TCP listening port. Both methods worked fine for me.

    Let me know how it goes and if you have any trouble.
    Thanks, Robert
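
The stunnel variant described in the post above, sketched as a stunnel.conf (an added example, not part of the original post or Monocle's documentation). The gateway address 192.0.2.10, the service name and the file paths are placeholders; the certificate must be issued for the hostname set in rtsp.register.fqdn.

```ini
; stunnel.conf on the proxy host (constructed example, adjust paths and addresses)

[monocle-rtsp]
; Public side: TLS on 443, the port the gateway registers via rtsp.register.port
accept = 0.0.0.0:443
; Backend: the gateway's raw TCP listener (rtsp.port=8555 in monocle.properties)
connect = 192.0.2.10:8555
; Certificate chain and private key for the custom hostname, PEM format
cert = /etc/stunnel/fullchain.pem
key = /etc/stunnel/privkey.pem
; Optional hardening: refuse protocol versions older than TLS 1.2
sslVersionMin = TLSv1.2
```

Traffic between stunnel and port 8555 is unencrypted, so keep that hop on a trusted network segment and restrict access to 8555 (firewall rule or Kubernetes NetworkPolicy) so that only the proxy can reach it.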



  • @kd

    An additional follow up. We are also looking to add an additional authentication layer to the Monocle Gateway especially for those who may be exposing the gateway over the Internet.
    See: https://forum.monoclecam.com/topic/463/foscam-r2-with-lenovo-smart-tab/74

    Thanks, Robert



  • @Monocle those options sound familiar, can’t remember now if I tried them before and couldn’t get it to work or if I missed some piece of the puzzle at the time. I’ll try to give that a go in the next week or so and confirm if it works but it certainly looks like it should.

    Thanks again



  • @kd

    Yeah, I knew they existed but I was not confident that they worked properly. So now that I have verified them using both the tunnel/proxy as well as direct methods I feel better about users trying them out. One thing I did note was that it looked like the SSL certificate settings assumed relative paths from the working directory where the monocle gateway was launched and did not accept absolute paths. So that appears to be a small bug but easily worked around by copying the certificate files to the necessary location.

    Thanks, Robert



  • @kd

    This may not pertain to your setup, but we also just added a means to configure the system to automatically use your public IP address when connecting the monocle gateway. This helps users who want a public ingress but don’t want to use their own domain/SSL certs, etc.
    See: https://forum.monoclecam.com/topic/485/access-cameras-from-2nd-site-solved/9

    Thanks, Robert



  • Watching this thread now. I wouldn’t mind seeing the details configuring the SSL and custom DNS namespace inside of the monocle gateway (rather than a proxy in front)



  • @skarragallagher

    The SSL certificate config simply requires using a custom FQDN (DNS hostname) as shown here:

    #--------------------------------------
    # RTSP SERVICE REGISTRATION OVERRIDES
    #--------------------------------------
    rtsp.register.fqdn=monocle.mydomain.com
    #rtsp.register.host=
    #rtsp.register.port=443
    

    as well as modifying/enabling these additional properties:

    #--------------------------------------
    # RTSP SSL CERTIFICATE & PRIVATE KEY
    #--------------------------------------
    rtsp.ssl.cert=fullchain.pem
    rtsp.ssl.key=privkey.pem
    

    The files these properties point to should be in the relative path of the working directory where monocle-gateway starts. If in doubt, just start the monocle-gateway and look in the log for any errors. The full path is printed in the log when these options are enabled and the files are not found.

    These two files must be in the PEM format. (https://www.sslshopper.com/ssl-converter.html)

    With this enabled, Monocle will tell your Alexa devices to access the gateway using your custom domain hostname (as opposed to using the auto-generated mproxy.io hostnames and certificates). It’s up to you to get port 443 forwarded by your router to the monocle gateway instance and make sure the SSL certificates are valid for your domain name. The following command can help you see your SSL certificate from the public and you can make sure it matches the domain.

    openssl s_client -showcerts -connect monocle.mydomain.com:443
    

    Thanks, Robert
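
A local pre-flight check for the two files named in rtsp.ssl.cert and rtsp.ssl.key, run before starting the gateway (an added example, not part of the original post or Monocle's tooling). The function name check_gateway_cert and the 14-day expiry margin are assumptions; it uses only standard openssl subcommands.

```bash
#!/bin/sh
# Added example: verify the PEM files the gateway will load.
# Usage: check_gateway_cert <fullchain.pem> <privkey.pem> <fqdn> [min_days_valid]
# Returns 0 if all checks pass, otherwise prints the first failure and
# returns a distinct non-zero code (1..5).
check_gateway_cert() {
    local cert="$1" key="$2" fqdn="$3" days="${4:-14}"
    local cert_pub key_pub

    # Both files must parse as PEM; DER or PKCS#12 input fails here.
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null) \
        || { echo "FAIL: $cert is not a PEM certificate"; return 1; }
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null) \
        || { echo "FAIL: $key is not a PEM private key"; return 2; }

    # The key must belong to the leaf certificate (the first one in the chain file).
    [ "$cert_pub" = "$key_pub" ] \
        || { echo "FAIL: private key does not match certificate"; return 3; }

    # The certificate must cover the hostname configured in rtsp.register.fqdn.
    openssl x509 -in "$cert" -noout -checkhost "$fqdn" 2>/dev/null \
        | grep -q 'does match' \
        || { echo "FAIL: certificate is not valid for $fqdn"; return 4; }

    # Reject certificates that expire within the safety margin.
    openssl x509 -in "$cert" -noout -checkend $((days * 86400)) >/dev/null 2>&1 \
        || { echo "FAIL: certificate expires within $days days"; return 5; }

    echo "OK: $cert and $key are usable for $fqdn"
}

# When invoked as a script with arguments, run the check directly.
if [ "$#" -ge 3 ]; then
    check_gateway_cert "$@"
fi
```

Run it from the directory where monocle-gateway is started, since the thread notes that the certificate settings are resolved relative to that working directory.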



  • @kd

    FYI, if you are exposing your monocle gateway (port 443) to the Internet, you may want to have a look at this thread:
    https://forum.monoclecam.com/post/2382

    We have added additional security in the form of authenticated requests to the monocle gateway for users who want/need to expose the service to the Internet.

    Thanks, Robert

