stunnel

matsburr

Jan 9, 2015
Maybe I missed it but can someone post how to set up stunnel with Blue Iris? Maybe a small tutorial? Or lead me to the posts if it's been discussed.
Thanks
 
Welcome to the forum. The help file has instructions; it looks straightforward, albeit a little vague. I'm going to test this soon and report back.

We have recently discovered stunnel (www.stunnel.org) which you may install as a service onto your PC. Instead of configuring your router to forward traffic to Blue Iris, you would configure that traffic to go to stunnel, and then configure stunnel to then forward the traffic to the Blue Iris web server. For example, external port 443 (the standard HTTPS port) forwards to stunnel port 443, and stunnel forwards to Blue Iris on the same PC on port 80 or 81.
 
All that I did find, and yes, it does look simple. What I am looking for is, after installing the program, how to set up the cert and how and where to change the config file.
 
I got it working. I am not a networking professional, so if you follow these instructions and end up with your camera feed playing on a billboard in times square, it's your own fault.
Some basics about stunnel, as I know it: let's say you previously would have used the address 192.168.0.2:8290 to access the Blue Iris server internally. With stunnel, you use the address 192.168.0.2:8291, then have stunnel redirect that traffic to 8290. During the redirect, stunnel makes the connection secure. This is a lot simpler than it at first seems.
1. Download stunnel. Use this site https://www.stunnel.org/downloads.html and download the .exe file, if you're using Windows. If you're not using windows, don't follow these instructions.
2. Install stunnel. Keep all the defaults.
3. In your start menu, go to Stunnel>stunnel GUI Start.
4. Click Configuration at the top, then Edit Configuration.
5. Scroll to the bottom. Below "Example SSL client mode services" delete all of the lines that don't start with ;. You don't need these.
6. Insert this text where you just deleted the other code:
[blue-iris]
; accept = whatever port you want your computer to accept TCP connections on
accept = 8344
; connect = whatever port you specified on the Blue Iris Web server page at the top
connect = 8347
7. Save the file, close it, then go to Configuration back on the GUI and select Reload Configuration. Close the GUI.
8. Start menu > stunnel Service Install
9. Start menu > stunnel Service Start
10. The address you will use to access Blue Iris will now be your IP address followed by :8344, or whatever port you used. On the blue iris app, you will also need to edit the server settings and select Server is HTTPS, or it won't work.
11. You also need to make sure that your router is properly forwarding requests to your computer. So when you type in your external IP followed by :8344, your router knows to forward that traffic to 192.168.0.2:443. Those numbers don't have to be the same. You could have your router accept on port 8342 and forward to port 8344 on your computer, then have stunnel forward traffic from 8344 to 8347 by using accept = 8344 and connect = 8347, then have the blueiris webserver be located at 8347. Using a random port rather than 443 or 80 or 81 is better, or so I've read. If you do this, you will have to use port 8344 for internal connections (over the same wifi) and port 8342 for external connections (from work or over cellular).
12. If you're getting errors, make sure that you've installed the service and then started it. Also make sure your blue iris app is set to use https, and you're using the proper port. The port on the app needs to be looking for the port on the router that will forward to the port on the computer, which will then forward to the port of blue iris. If you put in the port of the blue iris web server, you're going to have a bad time.
 

Hi Bradconverse,

Thanks for the write-up; mind if I ask a few questions for clarification? I followed your steps and installed stunnel, but I didn't get it to work, so I was hoping you might be able to tell me where I messed up. During the installation, it asked me a bunch of information on my location and the like, which I provided. I believe that is for the cert? Then I ran the GUI and modified the configuration file as you suggested, and this is where I have the questions.

I have my port set at 8888 for the BI Web server. I set the options for the Blue Iris config as follows:

[blue-iris]
accept=8889
connect=8888

Is that how it should be configured? Stunnel is installed on the BI server. Right now I get this message when I try to connect:

2015.01.15 14:26:35 LOG5[2108]: Service [blue-iris] accepted connection from 192.168.1.6:60748
2015.01.15 14:26:35 LOG3[2108]: SSL_accept: 1407609C: error:1407609C:SSL routines:SSL23_GET_CLIENT_HELLO:http request
2015.01.15 14:26:35 LOG5[2108]: Connection reset: 0 byte(s) sent to SSL, 0 byte(s) sent to socket

I appreciate the help.
*192.168.1.6 is the BI server IP
 

You're right, those questions are for the cert. It sounds like you might not have installed the service and started it. You have to go to Start>All Programs>Stunnel, then click stunnel Service Install. Then go to Start>All Programs>Stunnel and click Stunnel Service Start. I ran into the same issue, and those steps fixed it. Let me know what happens. You only have to do this once. It should automatically start when you restart the computer.

I also noticed in the configuration file that some authentication items are not automatically turned on by default. So while these steps get the program running over https, it may not be as secure as it could be/not secure at all. I don't know. Mechanical engineer here, not a network pro.
 

Well I did figure it out. After a lot of service starting and stopping I realized I had to put https://192.168.1.6:8889. If I typed it without https it tries normal http and fails :)

It works great now.

Thanks!
 
Well, I did encounter a new problem. I can get it to work great at my house, but when I try to access it remotely I get a weird error about my SSL certificate being too large. I assume that I set my firewall access to allow connections coming in on the same 8889 port (instead of the 8888 I was using), but that doesn't seem to work. Anyone have any suggestions?

This is the message:

An error occurred during a connection to 192.168.1.1:8888. SSL received a record that exceeded the maximum permissible length. (Error code: ssl_error_rx_record_too_long)
 
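The stunnel log a few posts up (SSL23_GET_CLIENT_HELLO:http request) and the browser error just above (ssl_error_rx_record_too_long) are the same mismatch seen from opposite ends, and the snippet below makes it visible from nothing but the first bytes on the wire. This is an added example, not code from any poster or from stunnel. On the server side, OpenSSL expected a TLS ClientHello and instead saw an HTTP request line, which is what a client sends when the URL starts with http:// rather than https://. On the client side, ssl_error_rx_record_too_long is what Firefox reports when it speaks TLS but gets back a plaintext HTTP response: the bytes "HTTP/" are read as a TLS record header whose length field ("P/" = 0x50 0x2f = 20527) is larger than any legal record, which is what an https:// URL pointed at a plaintext HTTP port produces. The byte samples in the usage comments and test are constructed; the functions read a file so a real capture can be fed in the same way.

```shell
#!/bin/sh
# Added example (not from the thread): classify the first bytes that arrive
# on a socket as TLS or plaintext HTTP. Input is a file holding captured bytes.

# Print the first six bytes of a file as unsigned decimal values.
first_bytes() {
    head -c 6 "$1" | od -An -tu1 | tr '\n' ' ' | tr -s ' '
}

# What a TLS server (stunnel/OpenSSL) sees when a peer connects:
#   tls           - TLS record header (type 22 = handshake, major version 3)
#                   followed by handshake type 1 = ClientHello
#   tls-v2hello   - old SSLv2-compatible ClientHello (high bit set, byte 3 = 1)
#   http-request  - "GET ", "POST", "HEAD", "PUT ": the same prefixes OpenSSL
#                   checks before logging "SSL23_GET_CLIENT_HELLO:http request"
#   http-response - "HTTP": a server answered where a client was expected
#   unknown       - anything else (including fewer than six bytes)
classify_first_bytes() {
    set -- $(first_bytes "$1")
    if [ $# -lt 6 ]; then
        echo unknown; return 0
    fi
    if [ "$1" -eq 22 ] && [ "$2" -eq 3 ] && [ "$6" -eq 1 ]; then
        echo tls; return 0
    fi
    if [ "$1" -ge 128 ] && [ "$3" -eq 1 ]; then
        echo tls-v2hello; return 0
    fi
    case "$1.$2.$3.$4" in
        71.69.84.32|80.79.83.84|72.69.65.68|80.85.84.32) echo http-request ;;
        72.84.84.80) echo http-response ;;
        *) echo unknown ;;
    esac
    return 0
}

# Read bytes 4-5 as a TLS record length, exactly as a TLS client does with
# whatever comes back. A real record carries at most 2^14 + 2048 = 18432
# bytes of ciphertext; "HTTP/" decodes to 0x50 0x2f = 20527, hence
# "record too long".
tls_record_length() {
    set -- $(first_bytes "$1")
    echo $(( $4 * 256 + $5 ))
}

# Usage with constructed samples:
#   printf 'GET / HTTP/1.1\r\n' > req;   classify_first_bytes req   # http-request
#   printf 'HTTP/1.1 200 OK\r\n' > resp; tls_record_length resp     # 20527
```

For a live check against the stunnel port, `openssl s_client -connect 192.168.1.6:8889` (openssl.exe ships in stunnel's bin folder) should print the certificate; pointed at the plaintext Blue Iris port it fails with "wrong version number", which is the same symptom the functions above report as http-response.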
Hi, I have stunnel running and can connect from my iPhone app, which I have set to secure. I can view cameras and alerts OK. But when I try HTTPS I get the warning about a certificate security problem. I have tried all sorts of variations setting up the cert.
My PC is running Windows Home Server; I have the WHS server address, and even tried SERVER, which is the name listed on the PC properties screen.
Location: UK
Area: Glasgow
Company: here
Division: there
FQDN: tried the numerical address 213.xx.xx.xxx, also tried local 192.xxxx..., and SERVER, which is the server name

I would be grateful if you could give an example of how it should be set up.
 
The problem is likely that your phone does not trust the system that created the certificate. This is just how it is with self-signed certificates. In some cases you can teach your device/browser/application to trust certain certificates that it otherwise would not, but often you can't and you just have to live with the warning.
 
Hi, thanks for the reply. My iPhone Blue Iris app connects OK. It is Windows, https://192...., that does not work; it prompts that this certificate is not valid. It would be great if I could get the web browser IE11 working and making a secure connection.
 
IE 11 has a button for you to ignore the certificate problem, doesn't it?

 
Hi, I tried adding the address to trusted sites, no joy. Still got the warning about the certificate. Blue Iris is running on WHS 2011. While searching for info on certificates and stunnel I came across the following at

[HOWTO] WHS homeserver.com Certificate in Jetty...and Others - SageTV Community
describing how to export a Windows certificate. It is with regard to SageTV, but the export directions allowed me to export the WHS 2011 certificate. I then found how to convert the certificate format to a type suitable for stunnel; see the second paragraph.

Open Server Manager by clicking on the link in the task bar that WHS
supplies by default. You may also get there other ways like pressing WINDOWS-R
on the keyboard and entering servermanager.msc.

  • On the menu on the left, expand Roles, then Web Server (IIS), and then click
    on IIS Manager.
  • Expand the server name then Sites, and click on Default Web Site.
  • Click Bindings, scroll down to HTTPS, highlight and click Edit.
  • Select the myserver.homeserver.com certificate from the drop-down and click
    on the View button.
  • Go to the Details tab and click on Copy to File.
  • Follow the wizard making sure to export the private key, save as PFX, and
    include all certificates and export extended properties.
  • Enter a password, (you may use 123456 to match the Jetty for SageTV Wiki),
    and select to save somewhere, (I use D:\ServerFolders\Documents as that’s where
    I moved that default WHS share), with the name myserver_homeserver_com.pfx.
  • Now the certificate needs to be converted; this can be accomplished using openssl.exe bundled with stunnel. See the following link:

https://www.sslshopper.com/ssl-converter.html

I converted the certificate, loaded it into stunnel, deleted the line cert = stunnel.pem and put in the new cert file name, cert = newcert.pem.

Opened IE and went through to the secure web page with no problem. Also tested the mobile app and made a secure connection.

Only problem now: when the Blue Iris web page opens, it shows the JPG picture and history, but if I click on a file to open it, Windows just sits showing "connecting".

All of the above info is that gleaned from other authors.

Now all I have to do is solve why can't play the video files.
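The export-and-convert procedure in the post above, with the openssl commands filled in, as an added example that is neither the poster's nor SageTV's: make_demo_pfx builds a stand-in for the WHS export (a self-signed certificate packed as a password-protected PFX; the hostname myserver.homeserver.com and the password 123456 are the ones the steps above use), pfx_to_stunnel_pem is the conversion the linked web page performs, and pem_key_matches_cert checks the result before it goes into stunnel. It needs the openssl CLI; on Windows that is the openssl.exe in stunnel's bin folder, run from a command prompt with the same arguments. The -addext flag needs OpenSSL 1.1.1 or newer. Whether the certificate is self-signed or CA-issued, the name typed in the URL must appear in its subjectAltName for a browser to accept it, and a self-signed one must additionally be imported as trusted on each device, which is the warning discussed a few posts up.

```shell
#!/bin/sh
# Added example (not from the thread): build a PFX like the one exported from
# WHS, convert it to the single PEM file stunnel wants, and check that the
# certificate and private key actually belong together.

# Stand-in for the WHS export: a self-signed cert for hostname $2, packed as
# PFX with password $3, written to directory $1. The Subject Alternative Name
# is what browsers match against the URL; a bare CN is no longer enough.
make_demo_pfx() {
    dir=$1; host=$2; pw=$3
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 825 \
        -subj "/CN=$host" -addext "subjectAltName=DNS:$host" \
        -keyout "$dir/server.key" -out "$dir/server.crt" 2>/dev/null
    openssl pkcs12 -export -inkey "$dir/server.key" -in "$dir/server.crt" \
        -out "$dir/server.pfx" -passout "pass:$pw"
}

# PFX -> PEM with the certificate chain and the unencrypted key in one file.
# stunnel reads the key from the "cert =" file when no "key =" is given, so
# this single file is all the service section needs.
pfx_to_stunnel_pem() {
    pfx=$1; pw=$2; out=$3
    openssl pkcs12 -in "$pfx" -passin "pass:$pw" -nodes -out "$out"
}

# Sanity check stunnel does not do for you at config-reload time: the public
# key inside the certificate must equal the one derived from the private key.
# Both openssl commands skip the PEM blocks they are not asked for, so the
# order of cert and key inside the file does not matter.
pem_key_matches_cert() {
    from_cert=$(openssl x509 -in "$1" -noout -pubkey)
    from_key=$(openssl pkey -in "$1" -pubout)
    [ -n "$from_cert" ] && [ "$from_cert" = "$from_key" ]
}

# Demo run:  sh thisfile.sh demo
if [ "${1:-}" = demo ]; then
    d=$(mktemp -d)
    make_demo_pfx "$d" myserver.homeserver.com 123456
    pfx_to_stunnel_pem "$d/server.pfx" 123456 "$d/newcert.pem"
    pem_key_matches_cert "$d/newcert.pem" && echo "ok: $d/newcert.pem"
fi
```

Do the conversion on the Blue Iris machine itself rather than by uploading to a web page: the PFX contains the private key, and so does the resulting newcert.pem, which is also why that file should be readable only by the account the stunnel service runs as.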
 
Finally managed to get video playback when connecting through HTTPS. I could get video playback in alerts, real time etc. on the iPhone app, but not on the secure connection from IE (see previous post), which displayed pictures OK, but if I clicked a particular clip it just sat saying "Connecting" at the top of the main view window. I clicked on Java viewer and can now remotely view clips from IE, so the problem with not being able to play back was that ActiveX was selected... must be due to installing ActiveX to view Foscam cameras.


Hopefully my trials and tribulations may help someone else.
 
Thanks a lot, bradconverse. That quick tutorial really helped. I got this working on the app and on bp2008's BlueIrisViewer (thanks BP for that, BTW - it's perfect).

I haven't noticed any slowdowns, but I'm curious as to whether this has any possibility of slowing down playback because of the SSL stuff. Not that it matters; just curious.
 
My push to talk quit working on my hikvision cubes as soon as I got stunnel set up. That feature isn't critical for my use, but wanted to make a note of it on this thread.
 
I am having issues on getting stunnel working on my setup (win 7).

The stunnel service is created and running.

stunnel.conf
; ***************************************** Example TLS client mode services
[blue-iris]
accept = 8777
connect = 8666

[attachment: blue_iris_web_server.jpg (Blue Iris web server settings page)]


On the same computer that BI and stunnel are running on, I can't access BI with 'https://192.168.2.115:8666/'.
Nor can I access it using the BI iPhone app (same address).

I tried using port 8777 as well, but no luck. I am trying to get this working on the LAN before I start port forwarding on the router to open it up on the web.
 

Figured it out. You need this line in the stunnel.conf file as well.
; ***************************************** Example TLS client mode services
[blue-iris]
accept = 8777
connect = 8666
cert = stunnel.pem

Also, the web server needs to be configured like this (using these settings):
[attachment: web_server.png (Blue Iris web server settings)]
 

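A complete stunnel.conf for the layout bradconverse's tutorial describes (router forward, then stunnel's accept port, then the Blue Iris web server port), as an added example that is not the thread's own file and not the stunnel project's sample. It includes the cert = stunnel.pem line that the post just above found was needed, hands decrypted traffic to Blue Iris over loopback only, and disables SSLv2/SSLv3 explicitly rather than relying on whatever the installed build defaults to. Port numbers are the tutorial's (8344 and 8347); stunnel.pem is the self-signed certificate the Windows installer writes from the country/location/organisation questions asked during setup. One caveat for the tutorial's step 11: the router forward must land on the stunnel accept port (8344 here), never on the Blue Iris port, otherwise the browser reaches the plaintext server and TLS fails.

```ini
; stunnel.conf for a Blue Iris host. Added example, not the thread's or the
; stunnel project's file. Port chain from the tutorial:
;   internet -> router forward -> 8344 (stunnel, this PC) -> 8347 (Blue Iris)

; --- global options ---
; Log to a file while setting things up; raise debug to 7 for TLS detail.
debug = 5
output = stunnel.log

; --- the Blue Iris service ---
[blue-iris]
; TLS side: listen on all interfaces so LAN clients and the router forward
; both arrive here. This is the port to use in https:// URLs and in the app.
accept = 0.0.0.0:8344
; Plain side: hand decrypted traffic to Blue Iris over loopback only.
connect = 127.0.0.1:8347
; Server mode is the default; stated explicitly so nobody flips it by accident.
client = no
; Self-signed certificate written by the Windows installer. Replace with
; newcert.pem after converting a CA-issued or WHS certificate.
cert = stunnel.pem
; key = stunnel.key   (only needed when the key is not inside the cert file)
; Protocol hardening: no SSLv2/SSLv3, server picks the cipher, no
; client-initiated renegotiation.
options = NO_SSLv2
options = NO_SSLv3
options = CIPHER_SERVER_PREFERENCE
renegotiation = no
ciphers = ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:!aNULL:!eNULL:!MD5:!RC4
; Add these once every client (browser, phone app) is known to speak TLS 1.2:
;options = NO_TLSv1
;options = NO_TLSv1_1
; Client-certificate authentication: the "verify" items the default file
; leaves commented out. Only useful if every client can present a certificate.
;verify = 2
;CAfile = client-ca.pem
; Do not wait for the peer's close_notify on shutdown (as in stunnel's own
; sample server services).
TIMEOUTclose = 0
```

Two things the file cannot do for you: the Windows firewall must allow inbound TCP 8344 for stunnel, and Blue Iris itself still listens on 8347 on every interface, so if the LAN is not fully trusted add a firewall rule that allows 8347 from 127.0.0.1 only. After editing, use Reload Configuration in the stunnel GUI and check stunnel.log for a "Configuration successful" line before testing from a browser.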
I'll add some details to this discussion...

I could NOT get this working and today I figured out why. I had the non-encrypted port set up on Port 80. This worked fine for almost everything except the ActiveX control.

I could use the Java viewer over SSL but the ActiveX control would fail. I decided to switch the HTTP server to a high port number and updated my stunnel config accordingly and now everything works correctly including the Java viewer AND the ActiveX control.
 