Tag Archives: web server

Remote Access Without Port Forwarding

The usual way to set up remote access to our CCTV software SecuritySpy running on your Mac is via port forwarding (see Installation Manual – Remote Access). This method allows direct incoming connections to SecuritySpy from the Internet, and is achieved by configuring your router (which SecuritySpy can do automatically for most routers). This method is great for most users, as it usually allows high-performance remote access with minimal configuration.

However, some users may want to consider other methods for the following reasons:

  • Port forwarding only works when your ISP gives you a true public IP address, which is not always the case, especially with cellular or satellite internet connections (e.g. 4G, 5G, Starlink).
  • If you have two routers between the Mac and the Internet (e.g. your ISP router plus your own router), port forwarding configuration is difficult – the usual solution is to switch one of these routers to bridge/passthrough mode, but this isn’t always possible.
  • ISP routers sometimes prevent users from setting port forwarding rules.
  • Institutions with very strict network policies may have a blanket ban on allowing any kind of incoming connections from the Internet.

If you can’t use port forwarding for any reason, the solution is to set up a Virtual Network or a Tunnel (sometimes called a proxy) via a third-party service in order to access your system. A number of these solutions are described below, with setup instructions.

A Virtual Network, as opposed to a physical network, is a Software-Defined Networking (SDN) solution that creates an overlay network on top of existing network infrastructure, spanning across multiple physical networks and the Internet. Members of this virtual network can communicate with each other as if they were on the same physical network.

With a Tunnel solution, the data is relayed via a third-party server acting as an intermediary. Note that many providers apply data transfer limits, so you should take steps to moderate your bandwidth usage when accessing remotely, such as minimising live video streaming, avoiding large file downloads, and generally using the connection sparingly.

Which solution you choose generally comes down to the following question: do you have a fixed set of devices from which you want to access your SecuritySpy server? For most users, the answer to this question is yes, and in this case a Virtual Network is the best solution. On the other hand, if you want your SecuritySpy server open to the Internet for anyone to (attempt to) access, then a Tunnel solution provides this.

In terms of security, both solutions offer encrypted Internet communication; however, the Virtual Network solution is considered more secure because clients must first be members of the network in order to even attempt connections to the server, which adds an extra layer of security. Note that in either case, the connection to SecuritySpy itself is via its plaintext HTTP web interface (not the secure HTTPS interface), so this must be enabled in SecuritySpy’s web settings. This is because the encryption is handled by the virtual network / tunnel solution itself, not by SecuritySpy.

Virtual Network (SDN) Solutions

Client software is installed on all devices, allowing them to communicate freely with each other as if they were on the same physical network. The system assigns each device a virtual IP address. Devices are only accessible to others within this virtual network, not from outside. The central server primarily helps set up direct connections between devices, rather than relaying data itself.


How to purchase and install an SSL certificate for SecuritySpy

[NOTE 1: As of version 5, SecuritySpy automatically obtains official SSL certificates when using its free built-in viewcam.me domain name system, so this post should be ignored unless you wish to use your own domain name to access SecuritySpy.] [NOTE 2: This more recent blog post outlines an easy way to use your own domain name to access SecuritySpy’s web server: Using Your Own Domain Name With SecuritySpy.]

SecuritySpy has built-in support for HTTPS (HTTP Secure), which allows you to set up an encrypted web connection to your SecuritySpy server over the internet.

In order to set up any HTTPS server, an SSL certificate is required (SSL being the protocol that provides the security features to HTTPS). With some web servers this can be a complicated process, but we have designed SecuritySpy’s HTTPS server to be as simple as possible to set up: you simply enable the HTTPS option in the Web Server Settings window and SecuritySpy will do the rest for you. SecuritySpy will automatically create and use a “self-signed” certificate for this purpose, which gets you up and running immediately and provides a fully encrypted connection. The downside of such a certificate, though, is that it won’t be automatically trusted by any client software that you use to connect to SecuritySpy (e.g. a web browser such as Safari), so you will get a warning message to this effect. In this case though, as you are the one setting up the server, you can be assured of its authenticity, so it is safe to ignore such warnings.

The other option is to purchase an official certificate for your SecuritySpy server from a recognised Certificate Authority (CA). Any web browser connecting to SecuritySpy will automatically trust such a certificate, so the person viewing the web interface will see the reassuring padlock icon and no warning messages. This may be preferable, for example, if your server is to be viewed by people outside your organisation. Below are instructions on how to do this.

Note: these instructions are for SecuritySpy versions 4.1.5 and later, with the location of the SecuritySpy folder being within the Home folder (i.e. at ~/SecuritySpy/). If you are using an earlier version, note that your SecuritySpy folder will be at ~/Documents/SecuritySpy/.


Setting Up SecuritySpy Over SSL

UPDATE 4 JUNE 2014: SecuritySpy now has built-in support for HTTPS, so the setup described below is no longer needed for setting up SecuritySpy over SSL (although it may still be useful for generating SSL keys, certificates and certificate signing requests for other purposes). See the Web Server Settings section in the SecuritySpy user manual for information about the built-in HTTPS feature.

Secure Sockets Layer (SSL) is a cryptographic protocol that provides secure communications on the internet. It uses two keys to encrypt data: a public key and a private key. URLs that require an SSL connection start with https:// instead of http:// and operate on port 443 instead of 80 by default. SSL increases security as it makes it impossible for someone intercepting the stream of data to decode any information from it.

SecuritySpy does not have built-in support for SSL; however, Mac OS X comes with Apache, a fully-featured and powerful web server that can be used to set up secure communication between the internet and SecuritySpy. In this way, Apache acts as a secure “reverse proxy” web server for SecuritySpy. This post describes how to set this up.
