CameraBridge is simple, fast, and secure proxy server software that modifies your IP camera feeds for easy integration with SplashTiles or standard web browser windows.
CameraBridge is INCLUDED for free with your current PRO subscription.
CameraBridge Server features
- Removal of old basic/digest auth from MJPEG and JPEG camera feeds
- Replacement with token based http (unencrypted) authentication for LAN access
- Replacement with token based https (encrypted) authentication for external internet access
- Single port encrypted external internet access to all your IP cameras
- CORS header replacement or insertion to simplify javacript API/AJAX access
- Caching to improve performance of slow cameras
First you need to select the hardware CameraBridge will run on:
- Raspberry Pi: Any version, although Pi 3 or 4 is recommended.
- PC running 64b Linux (Ubuntu, etc)
- Other Linux hardware is possible. CameraBridge is built for armhf and amd64.
- Wired ethernet is highly recommmended.
Prepare your hardware (instructions for Raspberry Pi)
- Download the Raspberry Pi OS (Lite version, 32b) (Manual or installer, your choice) Link
- After you have created your SD card, add the 'ssh' file to the /boot partition to enable ssh. This is just an empty file named 'ssh', create with
touch ssh in linux.
- Boot up your Pi. Find it's IP address
- Connect using SSH (either Linux or PUTTY)
- Login using user=pi, password=raspberry
Now install CameraBridge
- Switch to root user (
- Download our DEB package.
- PC running 64b linux (x86_64/amd64):
- Raspberry PI (all types, armhf):
apt-get install ./camerabridge_XXXX.deb (either amd64 or armhf)
- Most likely you will want CameraBridge to autostart. On PI, just edit /etc/rc.local and add the line
/usr/local/bin/camerabridge >/dev/null 2>&1 &
- Other Linux distributions often have different startup files. Consult the oracle Google.
- If your device will use DHCP, goto your router and reserve the current DHCP address. Otherwise, set the desired static ip. (IP address must be known and unchanging)
Finally, configure CameraBridge
- Enter http://device_ip:9087 in a browser window
- Enter your SplashTiles username and password
- If you would like token auth, enter your token (any string)
- If you need HTTPS, continue below. Otherwise, you are done!
HTTPS setup and security considerations
This section is optional (only required if you will port forward CameraBridge port 9089 to the internet).
- HTTPS requires an unique SSL key/certificate pair for your server. You must generate this and link it in the config page before port 9089 will be active.
CameraBridge includes the ability to LIMIT external access to only the URLS you specify
- Decide if you will be using a self signed SSL or a Cert authority signed SSL (see below)
- Self signed SSL
- Make sure you have openssl installed (
sudo apt-get install openssl)
openssl req -x509 -newkey rsa:4096 -keyout key.pem -out cert.pem -nodes -days 7300
- Cert authority signed SSL (advanced)
- See below
- We also recommend making the KEY file only readable by root (
chmod 600 filename). Change the default root login password on your server hardware and disable any other users. This is just to prevent tampering by anyone already on your network.
- Put the SSL text files on your server. Include the full path to the file on the CameraBridge config page.
- Using this feature is HIGHLY recommended. It limits external access even if your token is compromised.
- Create a text file with all the internal URLs you need to access. Include the http(s):// and the full path, but leave out any arguments (the '?' and anything after it).
- One URL per line of the text file.
- Put the text file on your server. Include the full path to the file on the CameraBridge config page.
Self signed vrs Cert Authority signed certificates
- Self signed certificates are very simple.
- However, your https proxied camera streams will be considered "untrusted" by web browsers. Browsers will block these by default.
- You will need to import your certificate manually once for each browser/computer you use. Please see this link
- Some automation systems or apps will not allow you to import certicates, so they will always block this method. This is usually mitigated by the fact that those systems/devices are usually on your LAN and don't need to use the https port.
- Self signed certs do not expire, so no periodic renewal is needed.
- Certifacate authority certificates are universally compatible, but more work.
- Your server key is signed by a recognized trusted certificate authority. Browsers authomatically accept the security.
- You will need to register a Domain (yourname.org etc) and attach it to your external IP address. If your external address is dynamic (most are), you will need to run a dynamic dns client (usually on this linux device) to keep your domain pointed to your current IP address.
- The certificate itself can either be purchased (example Digicert) for around $200/yr.
- Or you can use a free certificate authority (Let's Encrypt is the one to use).
- Refer to the documentation from your choosen vendor to create your key/cert pair.
- Your certificates will also need to be renewed periodically (when they expire).
- SplashTiles recommends using Let's Encrypt. It's free and works perfectly. Your Linux device can also use their scripts to automatically renew itself.
Here is the full protocol documentation for CameraBridge server. You can use this to manually setup tiles, automation access, or direct web browser access.
Accessing this port (with any path) will give you the web configuration page. This is just a simple HTML form to set the values in the camerabridge.conf file. This file is normally located at /etc/camerabridge.conf. However, you can also use command line argument 1 to provide an alternate path to the configuration file.
- USERNAME: SplashTiles username
- PASSWORD: SplashTiles password
- TOKEN: URL security token (if blank, token auth is disabled)
- PEM_KEY: Full path to text file containing your SSL unencrypted server key
- PEM_CERT: Full path to text file containing your SSL certificate
- URL_FILE: Full path to text file containing allowed URLs for the HTTPS port (if blank, all URLs allowed)
The is the http proxy port. This is intended for accesses from devices on your local network.
- PATH /proxy/cachedimage This is the default path to use to fetch JPEG camara images. The server will provide a cached image if the proxied camera is busy/slow. This prevents flashing in a standard HTML IMG tag.
- PATH /proxy/image This is an unbuffered proxy for JPEG camera images.
- PATH /proxy/mjpeg This is the proxy for MJPEG streams.
All parameters must be URL encoded.
- PARAMETER furl This is the final URL to access (camera url). Do NOT include the user:password here.
- PARAMETER usr If the final URL is using basic or digest auth, put the username here
- PARAMETER psswd If the final URL using basic or digest auth, put the password here
- PARAMETER token If CameraBridge has token auth enabled, put the token here
This is the secure proxy port (https). The secure port has the same paths and parameters as port 9088 above.
If you have set an Allowed URL file (in config), only URLs which match the URLs in the file will be allowed.