Our app is all HTTPS, but we grab MJPEG streams from low-budget devices that do not support SSL.
So, this means that we can either:
i. Mix content and have browsers freak out. (Unacceptable since we train users not to trust mixed content pages.)
ii. Make the site non-HTTPS. (REALLY unacceptable.)
I was thinking that we could run a relay on one of our servers, which the browsers could hit using SSL; this server would then act as a proxy to the non-SSL MJPEG streams.
We know the IPs of the cameras (static), so we can check that and guard against DNS attacks. And you can't establish a TCP/IP connection if you're spoofing an IP (makes 3-way handshake impossible), so I don't see this as disingenuous.
What other solutions could be used to solve this?
You can use the HTTPS-proxy to secure a web server protected by your Firebox, or to examine HTTPS traffic requested by clients on your network. By default, when an HTTPS client starts a request, it establishes a TCP (Transmission Control Protocol) connection on port 443.
HTTP proxy servers can process HTTP connections (port 80). They can also support HTTPS connections (SSL) but usually such connections are only allowed on port 443 (the standard port for HTTPS).
Content Filtering: For example, when a specific website is requested, the proxy can refrain from forwarding the request to the web server. Instead, it intercepts the connection and displays an error or notice to the user.
Even easier on Linux, with the mod_proxy and mod_ssl Apache modules:
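<VirtualHost *:80>
    # Listens on plain HTTP (port 80) and forwards every request to an HTTPS backend.
    ServerName xxx.yyy
    # Lets mod_proxy speak TLS to the backend (needs mod_ssl).
    SSLProxyEngine On
    ProxyPass / https://remote.server.org/
</VirtualHost>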
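The relay direction the question describes (TLS from the browser, plain HTTP to the cameras), as an added example that is not part of either answer. The hostname, certificate paths, camera addresses (RFC 5737 documentation range), the /cam/N URLs and the /video.mjpg stream path are all assumptions; mod_ssl, mod_proxy, mod_proxy_http and mod_rewrite must be loaded.

```apache
# Added example: TLS-terminating relay in front of plain-HTTP MJPEG cameras.
# All names, paths and addresses below are placeholders (assumptions).
<VirtualHost *:443>
    ServerName app.example.com

    # Browsers speak TLS to this host only, so the page has no mixed content.
    SSLEngine On
    SSLCertificateFile    /etc/ssl/certs/app.example.com.pem
    SSLCertificateKeyFile /etc/ssl/private/app.example.com.key

    # Reverse proxy only: never act as a forward (open) proxy.
    ProxyRequests Off

    # One exact-match rule per camera. The upstream is a fixed IP literal, so
    # no DNS lookup takes place and the client cannot choose the upstream
    # host or path. [P] hands the request to mod_proxy; [QSD] drops any
    # client-supplied query string before it reaches the camera.
    RewriteEngine On
    RewriteRule "^/cam/1$" "http://192.0.2.11/video.mjpg" [P,QSD]
    RewriteRule "^/cam/2$" "http://192.0.2.12/video.mjpg" [P,QSD]

    # Any other /cam/ URL is refused rather than proxied, which keeps the
    # cameras' own admin pages unreachable through the relay.
    RewriteRule "^/cam/" "-" [F]
</VirtualHost>
```

The hop from the relay to each camera is still plain HTTP, so this protects only the browser-to-server leg.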
Stunnel proved to be the easiest solution for a Windows server.
http://www.stunnel.org/