Block http access to IP camera, allow https

Hello,

I have an IP camera which, if I enter the IP address into the browser, uses the http protocol. I want to redirect it to https on port 443. How can I do this?

Similar to this description, but I want to redirect http traffic to https on a local LAN network

https://www.foscam.com/faqs/view.html?id=32

Redirecting won't magically make it https:ed.

4 Likes

For the camera to operate in https you'd have to use some certificates, if the camera web interface supports it.

The camera supports https connections; I can decide which port I want to connect through. But I can't disable any of them, and I can't redirect them, only on the router side.

I don't know how to do LAN to LAN redirection in openwrt.

You can't, since you're not passing a firewall.

And again, it won't do you any good, it'll still be http, but now on port 443.

Port and protocol are two different things.

If you want to block http, put them on a separate subnet, and allow only https/443 traffic.

2 Likes

I have no idea how to do this. :slight_smile: Can you send me some graphic pictures?

First of all, if your browser and your camera are on the same network, there will be no LAN-to-other-zone traffic, hence the firewall will do nothing and no redirecting can be done; it will be switched traffic.
Second, if your camera can be accessed via https, then simply enter https://ip in your browser; your browser will remember it next time.
Third, if you are lazy, there are plugins like "HTTPS Everywhere" (I think for Chrome and Firefox as well) which will automatically try to connect to any website via https if possible, regardless of what prefix you entered.

2 Likes

Not a bad idea, but the port should be closed somehow. How can I disable port 80? What firewall policy?

Is it possible to create two networks by redirecting the 443 port from LAN1 to LAN2 and then redirecting the 443 port from LAN2 to LAN1 port 80? LAN1 (192.168.1.1:443) to --> LAN2 (192.168.2.1:443) THEN LAN2 (192.168.2.1:443) to LAN1(192.168.1.1:80)


Somehow, but it doesn't want to work.

Making an http request to a server's port 443, which wants an SSL connection, will fail to connect.

There are two usual ways a connection gets promoted to https.

  • The site replies on port 80 with a 302 Moved Permanently response, with https in the new URL.
  • The browser finds no reply, or the TCP connection refused, on port 80 and then tries an https connection to the otherwise same URL on port 443.

With two networks you can block forwarding of port 80 and force users to use https / 443, which should be reasonably transparent to the user due to the second method above. What cannot be done is somehow translate port 80 to port 443, simply because the protocol is different.

3 Likes

Assuming you are doing lawful stuff here only, not sure why it matters if you access your own camera internally over your own LAN via http or https. Also, if your camera supports both and there is no built-in redirect from http to https (which is a capability of your IP camera, not something you can force via owrt with your current setup), then yes, the only way is to separate the camera into a different network and zone (e.g. called iot). It is important to be in a different zone; a different network is not enough.
If the browser and the camera are in different zones, then you can configure firewall rules to police access.

But still the problem remains that if you enter http://ip in your browser, even if you redirect the port in the background, the browser will think it is http traffic, so it will not establish a TLS connection. So you must use https://ip anyhow. So why not just use this way? Why create an overkill setup instead of pressing one more button?

1 Like

Now I understand why this solution won't work: " LAN1 (192.168.1.1:443) to --> LAN2 (192.168.2.1:443) THEN LAN2 (192.168.2.1:443) to LAN1(192.168.1.1:80)"

I do not consider the http protocol to be secure. I should disable it somehow. I don't know how to disable it on the router side. :roll_eyes:

It's not. But that's why HTTPS was created -- the S is "secure" -- and this required a new protocol.

If your camera supports HTTPS, it may have a feature to disable plain HTTP. If your camera does not support HTTPS, there is nothing you can do, period.

This is not something that can really be done on the router. Others have explained (a few times now) that you could configure a separate network for the camera and then only permit traffic via port 443. However, the camera itself must support HTTPS. The router cannot magically add HTTPS functionality to your camera.

2 Likes

With two LANs in the same router (separate zones), first enable forwarding generally from the user side (lan) to the camera side lan2. Don't forward the other way, as you don't want the cameras initiating connections to the trusted LAN. Then set up a traffic rule (not a port forward) that rejects port 80 from lan to lan2.

I think it would also work to not have a config forward and only a traffic rule allowing port 443 but haven't tried that.

1 Like

I was thinking of a similar solution. The question is, how can I implement it? Do I place the camera on LAN1 (192.168.1.1) and port forward port 443 to LAN2?

Leave the port as 443, so that an ordinary https://cameraip/ will make the connection without needing to specify a non-standard port. Put the camera(s) into a new LAN network. Allow port 443 to forward from the network of PC viewers to the cameras. Do not allow port 80 to forward between the two networks. If you cannot turn off the http server in the camera, leave it as port 80 so that it is blocked by the network.

1 Like
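The zone/forwarding/traffic-rule layout described in the two posts above (one-way forwarding from the viewers' lan to the camera network, plus a traffic rule rejecting port 80), written out as an OpenWrt /etc/config/firewall fragment. This is an added example, not a configuration posted in the thread; it assumes a second bridge interface named 'cameras' has already been created in /etc/config/network, and the zone and rule names are chosen here for illustration.

```uci
# /etc/config/firewall fragment (added example, not from the thread).
# Assumes an interface named 'cameras' already exists in /etc/config/network.

# The camera network gets its own zone. It is the zone, not just the
# separate subnet, that lets firewall rules police traffic.
config zone
	option name		'cameras'
	list   network		'cameras'
	option input		'REJECT'
	option output		'ACCEPT'
	option forward		'REJECT'

# Cameras still need DHCP and DNS from the router itself (zone input is REJECT).
config rule
	option name		'Allow-DHCP-from-cameras'
	option src		'cameras'
	option proto		'udp'
	option dest_port	'67'
	option target		'ACCEPT'

config rule
	option name		'Allow-DNS-from-cameras'
	option src		'cameras'
	option dest_port	'53'
	option target		'ACCEPT'

# One-way forwarding: viewers on lan may open connections to the cameras zone.
# There is deliberately no 'cameras' -> 'lan' forwarding, so cameras cannot
# initiate connections into the trusted LAN.
config forwarding
	option src		'lan'
	option dest		'cameras'

# Traffic rule (a 'rule', not a port forward / 'redirect'): refuse plain http
# from lan to cameras. Traffic rules are matched before the zone forwarding
# above, so port 80 is rejected even though lan -> cameras is otherwise allowed.
config rule
	option name		'Block-HTTP-to-cameras'
	option src		'lan'
	option dest		'cameras'
	option proto		'tcp'
	option dest_port	'80'
	option target		'REJECT'

# Alternative mentioned in the thread (untested by the poster): drop the
# 'config forwarding' section entirely and allow only https with a single rule,
# so everything except 443 is rejected by the zone's default forward policy.
#config rule
#	option name		'Allow-HTTPS-to-cameras'
#	option src		'lan'
#	option dest		'cameras'
#	option proto		'tcp'
#	option dest_port	'443'
#	option target		'ACCEPT'
```

After saving, run `/etc/init.d/firewall reload` on the router. From a PC on lan, `curl -m 5 http://<camera-ip>/` should now fail immediately (connection refused, since REJECT sends a reset) while `curl -k https://<camera-ip>/` still reaches the camera; `-k` is only needed because most cameras ship a self-signed certificate, which the browser will also warn about. Leave the camera's http server on port 80 rather than moving it, so that it stays behind the rule.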

Can I block port 80 for all IP addresses within the LAN? For example: