Pi WiFi Cam with RPi-Cam-Web-Interface

As a newbe i had a lot of issues while installing everything. So i wrote down my experiences – and that i can remember later 🙂 

Raspberry Pi Zero with Camera V2 8 and WiFi Stick Edimax (Realtek Chipsatz EW-7811Un Rasp to build a Wireless Cam to watch what is going on in the garden. And make it kinda secure. 

  • We will use the RPi-Cam-Web-Interface to control the cam and for motion detection. 
  • We should follow this to make the Pi a bit more secure when exposed to the Internet: change default password, make sudo require a password, unattended-upgrades, install a firewall like ufw and have fail2ban installed. 
  • The best way – and if you want to have your Pi fully and exposed for the long term you should build up a Reverse Proxy. You could either do this with TWO Pi’s (HowTo) or use on ONE single Pi a Ngnix on Port 443 exposed to the internet doing basic auth and SSL – and proxypass it internal to a apache on a random port (HowTo) doing the RPI-Cam-Web-Interface.

I will prepare a fresh SD card and will use ONE single Pi (Ngnix as a Reverse Proxy for Apache)

Let’s start:

  1. Write the latest full raspbian image on your SD card.
  2. Write the file ssh and wpa-supplicant.conf on the boot folder on the SD card. 
    How you set up the wpa-supplicant.conf in a right way:
    Enter: wpa_passphrase "YOURWIFI" "YOURPRESHAREDKEY" 
    you will get something like:
    network{
    ssid="YOURWIFI"
    #psk="YOURPRESHAREDKEY"
    psk=39f574a95df1df0accd19ad73a4de33af0edea0f60636ff86b500c0c32caf5ca
    }

    Copy this in a wpa-supplicant.conf and put it on the SD card like this:

    country=DE
    ctrl_interface=DIR=/var/run/wpa_supplicant GROUP=netdev
    update_config=1
    
    network{
    ssid="YOURWIFI"
    #psk="YOURPRESHAREDKEY"
    psk=39f574a95df1df0accd19ad73a4de33af0edea0f60636ff86b500c0c32caf5ca
    }
  3. login with Terminal ssh pi@raspberrypi.local and change the password with sudo passwd
  4. remove extra material and update the Pi
    sudo apt-get remove --purge wolfram-engine scratch minecraft-pi sonic-pi dillo gpicview oracle-java8-jdk openjdk-7-jre oracle-java7-jdk openjdk-8-jre
    sudo apt-get clean
    sudo apt-get autoremove
    sudo apt-get update
    sudo apt-get dist-upgrade
  5. install apache, nginx, and php
    sudo apt-get install apache php nginx
  6. sudo reboot
  7. run sudo raspi-config and expand file system, change time zone and enable camera. raspi-config will ask you to reboot.
  8. git clone https://github.com/silvanmelchior/RPi_Cam_Web_Interface.git cd RPi_Cam_Web_Interface ./install.sh
    A screen will open, where you are asked to make settings. (you can find them later in the config.txt in the RPi_Cam_Web_Interface folder. Changes there have no affect on the running program – but if you would re-install it, what you wrote in the config.txt. you will finde at this install screen from the beginning.)
    So set the Port to a Port you know it is not used by anything (8080) and take php 7 as a choice. Enter a password and user and press Enter.
  9. RPi_Cam_Web_Interface should now be visible on your local network.
    Enter the IP of the PI 🙂 http://192.168.0.X:8080/html/
  10. out of the cd RPi_Cam_Web_Interface folder you can start or stop the service by running: ./start.sh or ./stop.sh
  11. All about RPI_Cam_Web_Interface you have to read on their page.
  12. If something is not right – you should visit the install-interface:
    cd RPi_Cam_Web_Interface
    ./RPi_Cam_Browser_Control_Installer.sh
    There you see if apache is running (green) or if the Cam is enabled (green) and so on. You can remove or re-install it from there.
  13. As we will expose the Pi to the great world outside your Lan – it should now made a bit more secure: install fail2ban and the firewall ufw
    sudo apt-get install ufw
    sudo ufw allow from 192.168.0.0/24 to any port 22
    (this allows ssh just from an ip of your lan (subnet))
    sudo allow https
    sudo ufw enable
    now install fail2ban:
    sudo apt-get install fail2ban
    sudo cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local
    not necessarily you could change the settings here:
    sudo nano /etc/fail2ban/jail.local
  14. The next thing is to set up the Reverse Proxy for Apache (HowTo).
  15. we have to check if the correct ports are used by apache:
    sudo nano /etc/apache2/ports.conf
    the lines should look like:

    NameVirtualHost 127.0.0.1:8080
    Listen 127.0.0.1:8080
  16. open up a new virtual host file:
    sudo cp /etc/apache2/sites-available/default /etc/apache2/sites-available/example
  17. sudo nano /etc/apache2/sites-available/example
  18. the line should look like this: <VirtualHost 127.0.0.1:8080>
    Make sure your Document Root is correct.
  19. activate the virtual host: sudo a2ensite example
  20. sudo apt-get install nginx
  21. open up the nginx config: sudo nano /etc/nginx/sites-available/example
  22. change it to:
    server {
     listen 443;
    root /var/www/; 
     index index.php index.html index.htm;
    
    server_name example.com;
    
    location / {
     try_files $uri $uri/ /index.php;
     }
    
    location ~ \.php$ {
     
     proxy_set_header X-Real-IP $remote_addr;
     proxy_set_header X-Forwarded-For $remote_addr;
     proxy_set_header Host $host;
     proxy_pass http://127.0.0.1:8080;
    
    }
    
    location ~ /\.ht {
     deny all;
     }
    }

    This configuration sets up a system where all extensions with a php ending are rerouted to the apache backend which will run on port 8080.

  23. activate the virtual host: 
    sudo ln -s /etc/nginx/sites-available/example /etc/nginx/sites-enabled/example
  24. restart both servers:
    sudo service apache2 restart
    sudo service nginx restart
  25. If you want to check which ports are open and which application is responsible run sudo netstat -plunt