15

Our app is all HTTPS, but we grab mjpeg streams from low-budget devices that do not support SSL.

So, this means that we can either: i. Mix content and have browsers freak out. (Unacceptable since we train users not to trust mixed content pages.) ii. Make the site non-https. (REALLY unacceptable.)

I was thinking that we could run a relay on one of our servers, for which the browsers could hit using SSL, this server would then act as a proxy to the non-SSL mjpeg streams.

We know the IPs of the cameras (static), so we can check that and guard against dns attacks. And you can't establish a TCP-IP connection if you're spoofing an IP (makes 3-way handshake impossible), so I don't see this as disingenuous.

What other solutions could be used to solve this?

Chad
  • 307
  • 1
  • 2
  • 5

2 Answers2

7

Even easier on Linux, with mod_proxy and mod_ssl Apache modules:

<VirtualHost *:80>
        ServerName xxx.yyy
        SSLProxyEngine On

        ProxyPass  / https://remote.server.org/

</VirtualHost>
Bruno
  • 119,590
  • 31
  • 270
  • 376
agui
  • 71
  • 1
  • 3
  • 2
    There is a complete example in http://www.giuseppeurso.eu/en/redirect-from-http-to-https-and-viceversa-with-apache-proxypass/ – juanmah Jun 05 '17 at 08:07
4

Stunnel proved to be the easiest solution for a windows server.

http://www.stunnel.org/

Chad
  • 307
  • 1
  • 2
  • 5
  • Please, can you provide an example. I couldn't find any. There are some unanswered questions about this: https://serverfault.com/questions/512013/stunnel-redirect-http-traffic-to-https and https://stackoverflow.com/questions/8437399/stunnel-https-gets-redirected-to-http – juanmah Jun 05 '17 at 08:10