OpenALPR Webhook Processor for IP Cameras

Quick follow-up to my previous post. Since I don't like the idea of port forwarding, I decided to work around it by using a secure tunnel via Cloudflare. This is a free service that opens a tunnel to your local machine via a specified port. The only downside is that you need a domain name in Cloudflare, so that's around $10 a year. I already have a domain, so it's no big deal to me.

Once I created the tunnel, I added a WAF rule for the subdomain serving the tunnel to block any traffic without the token in the URL. Then I gave cloud.openalpr.com the webhook URL with the verification token, effectively making that service the only one that can access the tunnel. All other attempts to access the subdomain without the token are blocked.

To access the webhook processor locally, I continue to use my internal IP address. And since I already run a VPN on my devices, I can access that IP address wherever I need to.

At some point I may see if I can get cloud.openalpr.com running locally (it doesn't seem to work in Docker), but until then, I think this is a good security option.

Here are the steps I took. Thought it might be helpful to someone else out there.
  • Setup a Cloudflare account and associate a domain with it.
  • Install cloudflared: Downloads · Cloudflare Zero Trust docs
  • Setup a tunnel using this command:
    • cloudflared tunnel create your-tunnel-name
    • cloudflared tunnel route dns your-tunnel-name yoursubdomain.yourdomain.com
    • cloudflared tunnel run --url http://localhost:YOURPORT your-tunnel-name
      • Make sure you put in the port for your webhook processor server.
  • Run in background:
  • Check to make sure everything is running with this command “cloudflared tunnel info your-tunnel-name” or in the Cloudflare dashboard.
  • Next, go to your domain in Cloudflare and setup a WAF rule with this expression:
    • (http.host eq "yoursubdomain.yourdomain.com" and http.request.uri.query ne "verify=put_a_long_token_here”)
    • Have the action set to “Block”
  • Go to Login - OpenALPR by Rekor and change your webhook link to:
  • Now get something like Tailscale (Tailscale · Best VPN Service for Secure Networks) running. This will allow you to continue going to your localhost (via your internal IP) on any device running Tailscale without getting blocked.
  • Final step is to remove the port forwarding on your router.
 
Thank you. I've updated my container to the latest and it's running fine after changing my port to 8080.

I'm very happy with the project! I have a few questions...

1) Others have commented it would be helpful to have the images stored separately. I would like to keep my plates database on NVME, but move the images to SMR. Again, eventually we may want separate retention of the images, though I guess we can run a sqlite command once a year. If I have 14TB SMR and 1TB NVME, I would hope I could keep both for a long time.
2) The text overlay is great! I wish we could see something other than 'processing time' though. If it could be replaced with 'visits this week', it would be more useful. This of course depends on being able to run that sql query fast.
3) At night it usually can't determine the make / model, but it would be possible to look up in the DB to see if it has a match from a daytime plate. I know this can be done manually later of course.
 
Is there any information to query to see CA Exempt plates that get scanned which is normally city vehicles (Fire, Police, etc)?
 
I reverse engineered the web socket connection between the rekor agent and the cloud and have a basic form of it implemented in the app. v5.1.0-alpha4 adds this websocket support. in your aplrd.conf file make sure websockets_enabled = 1 is set and the upload_address = https://192.168.1.2 has https, this won't work over http
View attachment 177323
@mlapaglia Just setting up and transferring to new computer, is the upload_address still required to be modified from standard setting in release 5.3.0, getting 'Disconnected' message at the moment. My upload_address is just default at the moment.

Checking logs it looks like an Api issue, simplified error message is "failed to validate the token.....bearer was not authenticated.........Lifetime validation failed, the token is expired".

Also note in logs 'Executing endpoint '405 HTTP Method Not Supported'

Additional note, I am testing this on a Windows 11 build! Thanks in advance.
 
Last edited:
I know some members on here @biggen @IReallyLikePizza2 and others have been great assisting troubleshooting this system. Wondering if anyone moved install with latest release to new computer, struggling at the moment, cannot see any issues in setup but something is causing the problems in post above. Any thoughts or experience appreciated, now on Windows 11 with Docker installed. Under settings I just get spinning progress wheel 'checking', no entry box for Api key on current version, I assume this is now replaced with token authentication? well above my paygrade but trying as always!
 
Last edited:
Oh man I'm way behind! I'll update my install and see what I can see
 
  • Like
Reactions: CamCrazy
Oh I'll break it for sure! :lmao:

I'm so far out that I'm sure something would break. Part of me is tempted to deploy a net new box, but then I'd lose all my history
 
  • Haha
Reactions: CamCrazy
Oh I'll break it for sure! :lmao:

I'm so far out that I'm sure something would break. Part of me is tempted to deploy a net new box, but then I'd lose all my history
I have about been ready to put a hammer through mine today, spent hours trying to figure it out yesterday, driving me crazy!! Good to see you are approaching it with a sense of humour!

Side note, if I enter my endpoint URL into browser direct, it shows me captured images fine!
 
Last edited:
Wow, I knew I was behind, but I didn't think I was THIS behind..

1718033472604.png
 
  • Like
Reactions: CamCrazy
sqlite doesn't handle drop/create operations very well. while your db size has double, half of it is "unused" sqlite doesn't give up storage space unless you run a vacuum. you can run it yourself if you want to shrink the db
https://stackoverflow.com/questions/18126997/how-to-vacuum-sqlite-database
Try running a browser incognito and see if it works then, you might have some frontend code cached.

Just circling back to this upgrade. Should I run this before the upgrade?
 
Mine is 156GB

Is that large compared to everyone else?
 
Mine is 156GB

Is that large compared to everyone else?
Mine is only 25GB but volume of traffic at location is quite low, been running for I think about 3-4 years. Initially mine was snappy to access plates, as time went on it began to slow, now it takes almost minutes to do anything, hence my lack of desire to retain during transfer to new machine. It is running on an M2 Samsung drive for reference. Very close to just running with version 4.2.4 on the new machine since I know that has been working with Docker OK, that will also confirm if any issues are cropping up due to Windows 11 vs Windows 10 on the existing setup.

Update after installing 4.2.4 in Docker on Windows 11 - this works as expected, identical to Windows 10 machine running Docker, just for reference. Will await any further feedback from others before attempting anything with latest release again.
 
Last edited:
Well I pulled the latest, and no dice. Going to have to do some troubleshooting

The command could not be loaded, possibly because:
* You intended to execute a .NET application:
The application 'OpenAlprWebhookProcessor.dll' does not exist.
* You intended to execute a .NET SDK command:
No .NET SDKs were found.
 
  • Like
Reactions: CamCrazy
Well I pulled the latest, and no dice. Going to have to do some troubleshooting

The command could not be loaded, possibly because:
* You intended to execute a .NET application:
The application 'OpenAlprWebhookProcessor.dll' does not exist.
* You intended to execute a .NET SDK command:
No .NET SDKs were found.
That sounds about right, .NET was I believe the cause of issues I was having, in part at least. I would rather be running latest release but for now I am going to let 4.2.4 do the work, was so close with new version but just could not get it to play ball. Hope someone smarter than me will maybe figure that out :)
 
OK, here is a question, my Docker time zone in Windows is correct, but, when I run ALPR Webhook and check the logs, time zone is UTC and 1 hour behind my UK time zone! Tried implementing -e TZ=Europe\London into docker run command but no change. Anyone has ideas on this please make me look stupid :lol:

Am wondering if the time zone can cause issues with the token validation where ,NET is involved, or is this set outside those parameters, just thinking out loud here. Existing install on Windows 10 shows time behind by 1 hour in logs but working fine for reference.

OK, sorted the timezone but the http 405 error and token validation persists as below......answers on a postcard.....


HTML:
2024-06-11 13:51:12.187 +01:00 [INF] Bearer was not authenticated. Failure message: IDX10223: Lifetime validation failed. The token is expired. ValidTo (UTC): '06/11/2024 10:28:29', Current time (UTC): '06/11/2024 12:51:12'.
   at Microsoft.IdentityModel.JsonWebTokens.JsonWebTokenHandler.ValidateJWSAsync(JsonWebToken jsonWebToken, TokenValidationParameters validationParameters, BaseConfiguration configuration)
   at Microsoft.IdentityModel.JsonWebTokens.JsonWebTokenHandler.ValidateTokenPayloadAsync(JsonWebToken jsonWebToken, TokenValidationParameters validationParameters, BaseConfiguration configuration)
   at Microsoft.IdentityModel.Tokens.Validators.ValidateLifetime(Nullable`1 notBefore, Nullable`1 expires, SecurityToken securityToken, TokenValidationParameters validationParameters)
Microsoft.IdentityModel.Tokens.SecurityTokenExpiredException: IDX10223: Lifetime validation failed. The token is expired. ValidTo (UTC): '06/11/2024 10:28:29', Current time (UTC): '06/11/2024 12:51:12'.
2024-06-11 13:51:12.186 +01:00 [INF] Failed to validate the token.
2024-06-11 13:51:12.184 +01:00 [WRN] attempted login failed


Code:
2024-06-11 13:14:09.507 +01:00 [INF] Executed endpoint '405 HTTP Method Not Supported'
2024-06-11 13:14:09.506 +01:00 [INF] Executing endpoint '405 HTTP Method Not Supported'
2024-06-11 13:14:08.024 +01:00 [INF] HTTP POST /webhook responded 405 in 2.2535 ms
2024-06-11 13:14:08.024 +01:00 [INF] Executed endpoint '405 HTTP Method Not Supported'
2024-06-11 13:14:08.022 +01:00 [INF] Executing endpoint '405 HTTP Method Not Supported'
2024-06-11 13:10:22.980 +01:00 [INF] HTTP POST /webhook responded 405 in 2.1266 ms
2024-06-11 13:10:22.979 +01:00 [INF] Executed endpoint '405 HTTP Method Not Supported'
2024-06-11 13:10:22.978 +01:00 [INF] Executing endpoint '405 HTTP Method Not Supported'
2024-06-11 13:10:22.855 +01:00 [INF] HTTP POST /webhook responded 405 in 3.1201 ms
2024-06-11 13:10:22.853 +01:00 [INF] Executed endpoint '405 HTTP Method Not Supported'
2024-06-11 13:10:22.852 +01:00 [INF] Executing endpoint '405 HTTP Method Not Supported'
2024-06-11 13:07:56.308 +01:00 [INF] HTTP POST /webhook responded 405 in 2.2211 ms
2024-06-11 13:07:56.307 +01:00 [INF] Executed endpoint '405 HTTP Method Not Supported'
2024-06-11 13:07:56.306 +01:00 [INF] Executing endpoint '405 HTTP Method Not Supported'
2024-06-11 13:07:56.060 +01:00 [INF] HTTP POST /webhook responded 405 in 1.9606 ms
2024-06-11 13:07:56.059 +01:00 [INF] Executed endpoint '405 HTTP Method Not Supported'
2024-06-11 13:07:56.058 +01:00 [INF] Executing endpoint '405 HTTP Method Not Supported'
2024-06-11 13:07:52.248 +01:00 [INF] HTTP POST /webhook responded 405 in 2.2474 ms
2024-06-11 13:07:52.247 +01:00 [INF] Executed endpoint '405 HTTP Method Not Supported'
2024-06-11 13:07:52.245 +01:00 [INF] Executing endpoint '405 HTTP Method Not Supported'
 
Last edited: