Fj Graf

Category: Uncategorized

  • Wireguard

    Using WireGuard on Debian involves several steps, including installing the WireGuard package, configuring the interface, and setting up the necessary keys. Here’s a basic guide to help you set up WireGuard on Debian using the command line:

    Install WireGuard:

    Update the package list and install wireguard:

    sudo apt updatesudo apt install wireguard

    Generate WireGuard Keys:

    Generate a private and public key pair for the server:

    wg genkey | sudo tee /etc/wireguard/privatekey-server | wg pubkey | sudo tee /etc/wireguard/publickey-server

    Generate a private and public key pair for the client:

    wg genkey | sudo tee /etc/wireguard/privatekey-client | wg pubkey | sudo tee /etc/wireguard/publickey-client

    Confirm that your keys are only available for the root user by checking the file permissions (chmod 600).

    Configure WireGuard Server:

    Create a configuration file for the WireGuard interface (e.g., /etc/wireguard/wg0.conf) and edit it with your preferred text editor:

    sudo nano /etc/wireguard/wg0-server.conf

    Add the following configuration, replacing placeholders with your actual IP addresses, private keys, and port numbers:

    [Interface]
Address = 10.0.0.1/24 # Server IP address
PrivateKey = SERVER_PRIVATE_KEY
ListenPort = 51820 

[Peer]PublicKey = CLIENT_A_PUBLIC_KEY 
AllowedIPs = 10.0.0.2/32 # Client A IP address 
PersistentKeepalive = 25
[Peer]PublicKey = CLIENT_B_PUBLIC_KEY 
AllowedIPs = 10.0.0.3/32 # Client B IP address 
PersistentKeepalive = 25

    Replace SERVER_PRIVATE_KEY and CLIENT_PUBLIC_KEY with the corresponding keys generated earlier.

    Start the WireGuard Server Interface:

    Start the WireGuard interface:

    sudo wg-quick up wg0-server

    Enable the interface to start on boot:

    sudo systemctl enable wg-quick@wg0-server

    Client Configuration:

    Create a configuration file for the client (e.g., /etc/wireguard/wg0-client.conf):

    [Interface] Address = 10.0.0.2/32 # Client IP address (As assigned by the server) 
PrivateKey = CLIENT_PRIVATE_KEY 

[Peer] 
PublicKey = SERVER_PUBLIC_KEY 
Endpoint = SERVER_PUBLIC_IP:51820 # A domain name can be setup here as well
AllowedIPs = 10.0.0.0/24 # Allow traffic for the assigned subnet

    Replace CLIENT_PRIVATE_KEY, SERVER_PUBLIC_KEY, and SERVER_PUBLIC_IP with the corresponding keys and server’s public IP or domain name.

    Import the client configuration into the WireGuard client.

    Start the WireGuard Client Interface:

    Start the WireGuard interface:

    sudo wg-quick up wg0-client

    Enable the interface to start on boot:

    sudo systemctl enable wg-quick@wg0-server

    Notes:

    • Adjust firewall settings to allow traffic on the WireGuard port (default is 51820).
    • Adjust routing and forwarding if you want the server to act as a gateway.
    • Always consider security best practices, especially when handling private keys.

    This is a basic setup, and you may need to customize it based on your specific requirements and network topology. Always refer to the official WireGuard documentation for comprehensive details and updates.

  • sshuttle – Transparent proxy server for VPN over SSH

    To create a hassle-free vpn connection to a remote server you need to expose port 22 in the target device. In these examples It is assumed that the remote server is either your edge device, directly connected to an edge device (like a main router) and in a DMZ or or receiving forwarded ssh traffic from your edge device.

    First, start a ssh tunnel session with the edge machine:

    sshuttle -r [user@ipaddress(edge-device)] [192.168.5.0/24 (internal server's subnet)) --dns

    For ssh port other than the default 22 type:

    sshuttle -r [user@ipaddress(edge-device):port] [192.168.5.0/24 (internal server's subnet)) --dns

    You will be asked for your local user’s password and then the password of the user of the edge device to create the vpn connection. Once that’s done, the message “Connected to server” should be shown. From here on, you can open a web browser and type the local ip address of an internal device that belongs to the subnet you specified in the previous command. For example a Proxmox administration webUI behind the router can be accessible without having to configure port forward in the router (edge device). You can log in securely without having to expose this internal server to the internet. The —dns flag is to avoid leaking your dns requests to your ISP and instead forcing it to go through the created tunnel.

    The --dns option in sshuttle is used to capture and forward DNS traffic through the SSH tunnel. When you include the --dns option in your sshuttle command, it means that DNS queries originating from your local machine will also be routed through the established SSH tunnel.

    Here is another variant which allows you to specify a desired network interface.

    sshuttle -r user@ssh_server_ip_or_hostname 192.168.5.0/24 -i enp9s0 --dns
    • -r user@ssh_server_ip_or_hostname: Specifies the remote SSH server.
    • 192.168.5.0/24: Specifies the target subnet you want to route through the SSH tunnel.
    • -i enp9s0: Specifies the network interface you want to capture traffic from.
    • --dns: Specifies that DNS traffic should also be routed through the tunnel.

    Including the --dns option is particularly useful if you want to ensure that DNS queries are encrypted and go through the same secure connection as your other network traffic. This can be relevant for privacy and security considerations.

    Keep in mind that when using --dns, it may affect your ability to resolve DNS queries locally if the DNS server on the remote network is not reachable or not configured correctly. Ensure that the DNS server specified in the remote network is accessible and properly configured.

  • Haproxy.cfg configuration for acme challenge – openwrt

    Updated configuration file for haproxy in openwrt. The acme-challenge was improved by having dedicated acls for each webserver containing a list of their own domains to redirect certbot traffic to another dedicated backend where those domains get their ssl certificates. Normal https traffic is redirected to individual backends.

    global
        daemon
        nosplice

defaults
        log global
        mode http
        option httplog
        log 127.0.0.1:514 local0
        log /var/log/haproxy.log local0
        timeout client 30s
        timeout connect 30s
        timeout server 30s

frontend stats
        bind *:9000  # You can choose any port you prefer
        mode http
        stats enable
        stats uri /haproxy  # You can customize the URI path
        stats realm HAProxy\ Statistics
        stats auth username:password  # Choose a secure username and password

frontend http_in
        mode http
        option httplog
        bind *:80

        # Rate limiting
        stick-table type ip size 1m expire 10m store gpc0
        http-request track-sc0 src
        http-request deny if { src_conn_cur gt 100 }  # Limit to 100 requests per IP

        # Allow ACME challenge requests to bypass redirect
        acl acme_challenge path_beg /.well-known/acme-challenge/
        acl webserver_A_hosts hdr(host) -i site.one site.two
        acl webserver_B_hosts hdr(host) -i site.three site.four

        http-request redirect scheme https unless acme_challenge
        use_backend acme_backend_A if acme_challenge webservers_A_hosts
        use_backend acme_backend_B if acme_challenge webservers_B_hosts

        option forwardfor
        # Enhanced security headers
        http-response add-header Strict-Transport-Security max-age=31536000;\ includeSubDomains;\ preload
        http-response add-header Content-Security-Policy default-src\ 'self'
        http-response add-header X-Content-Type-Options nosniff
        http-response add-header X-Frame-Options DENY
        http-response add-header X-XSS-Protection "1; mode=block"

frontend https_in
        mode tcp
        option tcplog
        bind *:443
        acl tls req.ssl_hello_type 1
        tcp-request inspect-delay 5s
        tcp-request content accept if { req_ssl_hello_type 1 }

        # Track session data for rate limiting
        stick-table type ip size 100k expire 30m
        tcp-request content track-sc0 src
        # Use backend based on SNI
        use_backend %[req_ssl_sni,lower,word(1,:)]_tls

# Backend for ACME challenges
backend acme_backend_A
        mode http
        option httpchk
        default-server inter 3s fall 3 rise 2
        server webserver_A 192.168.1.10:80 check

backend acme_backend_B
        mode http
        option httpchk
        default-server inter 3s fall 3 rise 2
        server webserver_B 192.168.3.10:80 check

# Normal HTTPS traffic to backends

backend site.one_tls
        mode tcp
        option ssl-hello-chk
        server site.one 192.168.1.154:443 check

backend site.two_tls
        mode tcp
        option ssl-hello-chk
        server site.two 192.168.1.55:443 check

backend site.three_tls
        mode tcp
        option ssl-hello-chk
        server site.three 192.168.3.77:443 check

    Explanation of Configuration:

    • Global Section: Configures global parameters for HAProxy. daemon allows HAProxy to run in the background, while nosplice prevents it from splicing connections, which can help with HTTP processing.
    • Defaults Section: Sets default logging options, timeout settings for client connections, server responses, and logs to both a remote syslog server and a local log file.
    • Frontend stats: Provides a web interface for HAProxy statistics, requiring a username and password for access. This helps administrators monitor traffic and performance.
    • Frontend http_in: Handles incoming HTTP requests, implements rate limiting to prevent abuse, and manages redirects to HTTPS while allowing certain paths (like ACME challenges) to bypass this redirection.
    • Frontend https_in: Manages incoming HTTPS traffic in TCP mode, utilizing SSL/TLS features. It inspects SSL handshakes to route requests based on the SNI field, allowing flexibility for multiple domains.
    • Backends: Each backend corresponds to a specific service or site. Health checks are configured to ensure that requests are only routed to healthy servers, and different backends are used based on the requested hostname or path.
    • Security Headers: Adding security headers helps to protect against various web vulnerabilities, such as clickjacking and XSS, enhancing the security of the web applications served.
    • Forwarding Client IPs: The option forwardfor directive, when uncommented, allows HAProxy to append the original client’s IP address to the X-Forwarded-For header. This preserves client visibility for backend servers, enhancing logging, analytics, and functionalities that rely on the original client IP. Consider enabling this if your backend services require access to client IP information.

  • TOR Relay

    Recently I installed debian on a raspberrypi using a very minimalist version to maximize the usability of the raspberry pi 3B+ as it\’s limited in resources with only 1 Gb of RAM.
    as a good test for this board and also give a hand to the tor project.

    Install packges

    sudo apt install wget gpg apt-transport-https apt-config-auto-update unattended-upgrades apt-listchanges

    Configure unattended upgrades

    Edit file /etc/apt/apt.conf.d/50unattended-upgrades. Comment with // every line starting like this from:
    //Unattended-Upgrade::Origins-Pattern {
    to its end curly bracket
    //}
    Then add these lines following the commented section:

    Unattended-Upgrade::Allowed-Origins {\n \"${distro_id}:${distro_codename}-security\";\n \"TorProject:${distro_codename}\";\n };\n Unattended-Upgrade::Package-Blacklist {\n };

    Edit file /etc/apt/apt.conf.d/20auto-upgrades and add:

    APT::Periodic::Update-Package-Lists \"1\";
APT::Periodic::Unattended-Upgrade \"1\";
APT::Periodic::Autocleaninterval \"5\";
APT::Periodic::verbose \"1\";

    Test the unattended upgrades:

    sudo unattended-upgrades -d

    Configure Tor repositories

    2. Create a new file in /etc/apt/sources.list.d/ named tor.list. Add the following entries:

    deb     [signed-by=/usr/share/keyrings/tor-archive-keyring.gpg] https://deb.torproject.org/torproject.org bookworm main\ndeb-src [signed-by=/usr/share/keyrings/tor-archive-keyring.gpg] https://deb.torproject.org/torproject.org bookworm main

    Then add the gpg key used to sign the packages
    Must be executed with root account as sudo might not work. Type exit once the command has finished working.

    su -
    sudo wget -qO- https://deb.torproject.org/torproject.org/A3C4F0F979CAA22CDBA8F512EE8CBC9E886DDD89.asc | gpg --dearmor | tee /usr/share/keyrings/tor-archive-keyring.gpg >/dev/null

    Install Tor

    sudo apt install tor deb.torproject.org-keyring

    Edit Tor configuration by editing the /etc/tor/torrc file and add the following lines:
    To test Tor for 1 month I\’ll assign 500 GB/month and check daily how its behaving the tor relay on my raspberry pi.

    Nickname    myNiceRelay  # Change \"myNiceRelay\" to something you like\nContactInfo your@e-mail  # Write your e-mail and be aware it will be published\nORPort      443          # You might use a different port, should you want to\nExitRelay   0\nSocksPort   0\n\n## BANDWIDTH\n## The config below has a maximum of 500GB (up/down) per month, starting on the 1st at midnight\nAccountingMax 500 GB\nAccountingStart month 1 0:00\n\n## MONITORING\nControlPort 9051\nCookieAuthentication 1\n
    sudo systemctl enable tor && sudo systemctl restart tor

    Verify it\’s running and enabled

    sudo systemctl status tor

    htop shows overall little resources consumption

    Optional

    Install nyx (sudo apt install nyx) to have a visual depiction of what\’s happening in your recently installed Tor relay.

    Sources

    https://support.torproject.org/apt/tor-deb-repo/

    https://community.torproject.org/relay/setup/guard/debian-ubuntu/updates/

    https://www.youtube.com/watch?v=tBnJRraXDc0\n

  • Editing image files

    So I decided to start adding images to this blog and I found two probably the best (prove me wrong) website for ai generated images and two (or three) pretty neat commands in my debian that are probably going to be the only ones I will ever use from now on when working with images.

    I’m no expert so I need easy to use tools just to get the job done quickly to upload images to this website and with minimum effort (I am shameless).

    https://zoo.replicate.dev

    Thanks to this website and the geniuses behind this open source project.

    So as a test, i will upload an image previously downloaded from their website. But before that, I will modify it to reduce its size to save space and make it more suitable as featured image.

    The first tool is exiftool that shows the metadata of the image.

    :~/server_images$ exiftool creepypplonajet.png

    ExifTool Version Number         : 12.16
File Name                       : creepypiconajet.png
Directory                       : .
File Size                       : 879 KiB
File Modification Date/Time     : 2023:11:04 04:49:15-04:00
File Access Date/Time           : 2023:11:04 04:49:15-04:00
File Inode Change Date/Time     : 2023:11:04 04:49:15-04:00
File Permissions                : rw-r--r--
File Type                       : PNG
File Type Extension             : png
MIME Type                       : image/png
Image Width                     : 768
Image Height                    : 768
Bit Depth                       : 8
Color Type                      : RGB
Compression                     : Deflate/Inflate
Filter                          : Adaptive
Interlace                       : Noninterlaced
Image Size                      : 768x768
Megapixels                      : 0.590

    Then we have identify and convert… yep pretty simple named commands. Both identify and convert commands are part of the ImageMagick package and it’s supposed to be widely used and very popular.

    identify well.. identifies the images and convert well… converts them! I love the straightforwardness

    :~/server_images$ identify creepyppplonajet.png  
creepyppplonajet.png PNG 768x768 768x768+0+0 8-bit sRGB 900046B 0.000u 0:00.000

    ls -lh

    -rw-r–r– 1 root root 879K Nov  4 04:49 creepypplonajet.png

    It’s a 768×768 image and 879 kilobytes. lets shrink it with convert by setting the pixel size.

    :~/server_images$ convert image.png -resize 200x200 image_small.png

    Your can also reduce (change) the size by choosing a percentage. In this case the image is reduced by 50%.

    :~/server_images$ convert image.png -resize 50% image_small.png
    After
    Before

    From 2.2 MB to 540 Kb

    Not bad at all and the possibilities are many in terms of efficiency managing large volumes of images and the capabilities of these tools.

    I’m juts going to make a brief pause to this post here and keep editing in the near feature to post more functionalities of the convert tool. In the meantime I’m publishing this post anyways!

    New edit: https://zoo.replicate.dev is not working as open as it was before. A good alternative is https://deepai.org.

  • Install Nextcloud – Apache

    1. Prerequisites

    In this example we assume that there is already a webserver with ssl enabled running on your server and you have configured a subdomain to be used by nextcloud in your DNS service provider. If your site is example.com, you can create a subdomain nc.example.com to access to it. If you prefer not to have a subdomain, you will have to point the nextcloud’s root folder in the configuration file of your main site.

    • Server: You need a server (VPS, dedicated server, or local server) running a Linux distribution (e.g., Ubuntu, CentOS, Debian).
    • Web Server: Apache should be installed and running.
    • PHP: Ensure PHP is installed (Nextcloud requires PHP 7.1 or higher) and php-gd, php-curl, php-xml, php-mbstring, php-zip.
    • Other optional but very useful packages, fail2ban and a front end firewall manager like ufw.
    sudo apt install certbot python3-certbot-apache wget

    Apache modules for enhanced security and for php integration

    sudo apt install libapache2-mod-php libapache2-mod-security2

    Certbot will provide the certificate for your website’s subdomain while python3-certbot-apache will facilitate the installation of the certificate in your system by integrating apache in the installation process. It will add the necessary lines where the certificates can be accessed into the nc.examle.conf file in folder sites-available and deploy the certificate, among other things

    2. Install Nextcloud Server Community edition

    https://download.nextcloud.com/server/releases/latest.zip

    Step 1: Unzip latest.zip to /var/www. I like to name those kind of folders as the name of the website they are holding in so you should rename it as example.com.

    Step 2: Set the correct permissions:

    sudo chown -R www-data:www-data /var/www/html/nc.example.com

    OPTIONAL INSTALL

    Alternatively, you can download the zip file and decompress the folder named nextcloud into your /var/www folder like so:

    Download the zip file to your home folder:

    wget https://download.nextcloud.com/server/releases/latest.zip

    Decompress:

    sudo unzip latest.zip -d /var/www/

    Rename folder according to the settings in your web server:

    mv /var/www/nextcloud /var/www/nc.example.com

    Set permissions to the www-data user

    Go to your ip address or domain setup for nextcloud after you had created an database user and the database itself.

    sudo chown -R www-data:www-data /var/www/nc.example.com

    3. Configure Apache for Nextcloud

    • Step 1: Enable necessary Apache modules:
    sudo a2enmod rewrite headers env dir mime ssl
    sudo systemctl restart apache2

    Step 2: Create a new Apache configuration file for Nextcloud:

    sudo nano /etc/apache2/sites-available/nc.example.com.conf

    Add the following configuration (modify paths if necessary):

    apache

    <VirtualHost *:80>
    ServerName nc.example.com
    Redirect permanent / https://nc.example.com/
</VirtualHost>

#########################################################

<IfModule mod_ssl.c>
        <VirtualHost *:443>
                ServerName nc.RootDomain
                DocumentRoot /var/www/nc.example.com

# NextCloud folder directives
                <Directory /var/www/nc.example.com/>
                        Options +FollowSymlinks
                        AllowOverride All
                        Require all granted
                        Satisfy Any
                </Directory>

# Certificates
                SSLEngine on
                SSLCertificateFile /etc/letsencrypt/live/nc.example.com/cert.pem
                SSLCertificateKeyFile /etc/letsencrypt/live/nc.example.com/privkey.pem

# logging
                ErrorLog ${APACHE_LOG_DIR}/nc.example.com_error.log
                CustomLog ${APACHE_LOG_DIR}/nc.example.com_access.log combined

# Reverse Proxy Directives. End edit appropriately before uncommenting.
#               <Location />
#                       ProxyPass http://localhost:50000/
#                       ProxyPassReverse http://localhost:50000/
#                       ProxyPreserveHost On
#                       RequestHeader set X-Forwarded-Proto "https"
#                       RequestHeader set X-Forwarded-Port "443"
#               </Location>

        </VirtualHost>
</IfModule>

    I’ve left some reverse proxy directives in the config file. Those are not going to be executed as long as they have the # at the beginning of the line. Remove them if you want.

    Once the config file is done and you are planing to have the nextcloud website in a subdomain, get the appropriate certificate with this command:

    sudo certbot certonly --webroot -w /var/www/example.com -d nc.example.com

    Step 3: Enable the Nextcloud site and restart Apache:

    sudo a2ensite nc.example.com
    sudo systemctl restart apache2

    4. If your plan is to use it for LAN only…

    <VirtualHost LAN_IP_ADDRESS:80>
    ServerAdmin admin@example.com
    ServerName nextcloud.example.com

    DocumentRoot /var/www/nextcloud

    <Directory /var/www/nextcloud>
        Options +FollowSymlinks
        AllowOverride All

        Require local
        # If you want to allow access from specific LAN IP ranges, use:
        # Require ip 192.168.1.0/24
    </Directory>

    ErrorLog ${APACHE_LOG_DIR}/nextcloud_error.log
    CustomLog ${APACHE_LOG_DIR}/nextcloud_access.log combined
</VirtualHost>

    5. Using MySQL/MariaDB Command Line:

    The pre final step is to create a database for nextcloud. Download the appropriate packages if you dont have them already installed on your system. A secure installation of mariadb must have been already performed. I also prefer to name the database the same as the website from whic it receives the data.

    1. Access MySQL/MariaDB:bash

    mysql -u root -p

    Create a Database:

    CREATE DATABASE nc.example.com;

    Replace nc.example.com with the name you want for your Nextcloud database.

    Create a Database User:

    CREATE USER 'nextcloud_user'@'localhost' IDENTIFIED BY 'your_password';

    Replace nextcloud_user with the desired username and your_password with a strong password.

    Grant Permissions:

    GRANT ALL PRIVILEGES ON nc.example.com.* TO 'nextcloud_user'@'localhost';

    FLUSH PRIVILEGES;

    EXIT;

    Ensure to replace nc.example.com and nextcloud_user with your actual database name and username.

    6. Finalize Installation

    • Step 1: Open your web browser and navigate to http://nc.example.com/
    • Step 2: Follow the on-screen instructions to complete the Nextcloud setup.

  • Motion – Video recording and stream

    Ensure that your camera is being recognized by the system.

    Install video4linux utilities

    sudo apt install v4l-utils

    List devices (cameras)

    v4l2-ctl --list-devices

    The output should be something like this:

    HD Web Camera: HD Web Camera (usb-0000:00:14.0-4): /dev/video0 /dev/video1 /dev/media0

    For detailed information on a specific device:

    v4l2-ctl -d /dev/video0 --all

    To list the resolutions supported by your camera (2 ways):

    v4l2-ctl --list-formats-ext

    Or

    ffmpeg -f v4l2 -list_formats all -i /dev/video0

    Another way is to list the video devices available in /dev

    ls /dev/video*

    If you have only one camera, the device should show up as /dev/video0 in your system.

    Or with dmesg (it will print errors if any are found):

    dmesg | grep -i camera

    If there is necessary to update the camera’s firmware run:

    sudo apt install fwupd
sudo fwupdmgr refresh
sudo fwupdmgr get-updates
sudo fwupdmgr update

    Install motion

    sudo apt-get install motion

    Test Mode should give a early hint if motion can handle your camera. Type the following command and if the output is suspended (active) then motion is getting video from the camera.

    sudo motion -s

    Configure Motion system files

    There is a chance that motion won’t create log and lib directories so verify if /var/log/motion and /var/bin/motion folders actually exist so you must create them and set change the directories and files ownership to the motion user:

    chown -R motion:motion /etc/motion
chown -R motion:motion /var/log/motion
chown -R motion:motion /var/lib/motion

    Configure /etc/motion/motion.conf

    Check the following github repo for the full motion.conf file if you wish all options. If not follow the next steps with the default config file.

    https://gist.github.com/richardhawthorn/72db3366d9824a3ed85de852bdb5ce0f

    sudo nano /etc/motion/motion.conf

    Depending on your system, the daemon mode should be off due to that motion would be running as a systemd service.

    daemon off 
# Restrict to localhost
webcontrol_localhost off
# HTTP control interface (default on port 8080)
webcontrol_port 8080
# Start streaming server on port 8081
stream_port 8081
# Stream quality and settings
stream_quality 100
stream_motion on
stream_maxrate 100
stream_localhost off
# IP camera configuration
stream_localhost off
stream_preview_scale 0.2
stream_preview_new_name on
video_device /dev/video0
target_dir /tmp/motion
output_pictures on

# Other motion configuration options
# See /usr/share/doc/motion/examples/motion-dist.conf.gz for additional options
# Set the settings as needed for your camera and network environment.

    Restart motion service:

    sudo systemctl restart motion

    You should be able to see the live stream at http://ip_address:8080. It’s good practice to use ports above 50000 so lets change that in the config file for both webcontrol and the stream.

    If not, you can check via “systemctl status motion” for errors or in the log at /var/log/motion/motion.log. You can also check if motion is running and listening on 8080 and 8081 with ss:

    sudo ss -tunap | grep motion
sudo ss -tunap | grep 51081

    If you find network problems, check your firewall configuration and open ports 8080 and 8081 if necessary.

    Setting up a password to the live stream

    Change the following options in /etc/motion/motion.conf. Type of configuration options to allow via the webcontrol (default port 8080). 2 is for advanced web configuration.

    webcontrol_parms 2

    The authentication method for the webcontrol. 1 is basic (user and password). Authentication string for the webcontrol. Syntax is username:password and you must remove the “;” (semicolon) to uncomment the line. Notice that the username is not a system user. Just make up a username to perform login inside the file.

    webcontrol_auth_method 1
webcontrol_authentication someuser:pass

    Let’s do the same for webstream

    stream_auth_method 1
stream_authentication someuser:pass
    sudo restart motion.service

    Your camera live feed should be available at your_local_ip:port and this time you will have to provide the user and password you have setup in the config file.

    Setup ssl-https with a self-signed certificate

    Install openssl if is not present on your system.

    sudo apt install openssl

    Create the key, csr, crt, and pem files. In the example below, the validity period is 2 years. Create a certs folder in /etc/motion. cd into the folder and type:

    sudo openssl genrsa -out /etc/motion/certs/motion.key 4096sudo openssl req -new -key /etc/motion/certs/motion.key -out /etc/motion/certs/motion.csr
sudo openssl x509 -req -in /etc/motion/certs/motion.csr -signkey /etc/motion/certs/motion.key -out /etc/motion/certs/motion.crt -days 730
sudo cat /etc/motion/certs/motion.crt /etc/motion/certs/motion.key > /etc/motion/certs/motion.pem

    Change ownership of the folder and all four created files to the motion user:

    sudo chown -R motion:motion /etc/motion/certs

    Configure motion.conf file again to add the paths to the crt and key files already created and don’t forget to remove the semicolons.

    # Use ssl / tls for the webcontrol
webcontrol_tls on
# Use ssl / tls for stream.
stream_tls on

# Full path and file name of the certificate file for tls
webcontrol_cert /etc/ssl/motion/certs/motion.crt

# Full path and file name of the key file for tls
webcontrol_key /etc/motion/certs/motion.key

# Use ssl / tls for stream.
stream_tls on
    sudo systemctl restart motion

    Remember to configure port forward in your router and to open the ports in your system to successfully receive connections. Your camera should be availabe at your_public_ip:port

    Optional configuration for apache server

    If you wish to have the live stream available over the internet you will have to setup a virtual host in apache. In this example the live feed is available in a subdomain of my main site.

    The following extra modules for a proxy pass configuration need to be enabled.

    sudo a2enmod headers proxy proxy_http

    Create a new file in /etc/apache/sites-available/cam.yoursite.com.conf. Make sure you already have the required certificates from lets encrypt to your subdomain. Motion will not handle the certificates but rather apache. You must comment the lines with the path to other certificate and private key if you have been using them in motion.conf. The example here is using port 51081.

    <VirtualHost *:443>
    ServerName cam.yoursite.

    SSLEngine on
    SSLCertificateFile /etc/letsencrypt/live/cam.yoursite.com/cert.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/cam.yoursite.com/privkey.pem

    <Location />
        # Motion feed address
        ProxyPass http://localhost:51081/
        ProxyPassReverse http://localhost:51081/
        ProxyPreserveHost On
        RequestHeader set X-Forwarded-Proto "https"
        RequestHeader set X-Forwarded-Port "443"
    </Location>
</VirtualHost>

    Enable the new site and restart apache.

    sudo a2ensite cam.yoursite.com.conf
sudo service apache2 restart

    You should be able to view the live video stream with SSL by typing https://cam.yoursite.com and to access. I’ve left webcontrol only available over the LAN. Ports redirection will be handled automatically.

    Example of a simple motion.conf file. 

    # Rename this distribution example file to motion.conf
#
# This config file was generated by motion 4.5.1
# Documentation:  /usr/share/doc/motion/motion_guide.html
#
# This file contains only the basic configuration options to get a
# system working.  There are many more options available.  Please
# consult the documentation for the complete list of all options.
#

############################################################
# System control configuration parameters
############################################################

# Start in daemon (background) mode and release terminal.
daemon off

# Start in Setup-Mode, daemon disabled.
setup_mode off

# File to store the process ID.
; pid_file value

# File to write logs messages into.  If not defined stderr and syslog is used.
log_file /var/log/motion/motion.log

# Level of log messages [1..9] (EMG, ALR, CRT, ERR, WRN, NTC, INF, DBG, ALL).
log_level 6

# Target directory for pictures, snapshots and movies
#target_dir /var/lib/motion 
target_dir  /PATH/TO/YOUR/DESIRED/FOLDER

# Video device (e.g. /dev/video0) to be used for capturing.
video_device /dev/video0

# Parameters to control video device.  See motion_guide.html
; video_params YUYV

# The full URL of the network camera stream.
; netcam_url value

# Name of mmal camera (e.g. vc.ril.camera for pi camera).
; mmalcam_name value

# Camera control parameters (see raspivid/raspistill tool documentation)
; mmalcam_params value

############################################################
# Image Processing configuration parameters
############################################################

# Image width in pixels.
width 800

# Image height in pixels.
height 600

# Maximum number of frames to be captured per second.
framerate 60

# Rotate image this number of degrees. The rotation affects all saved images as
# well as movies. Valid values: 0 (default = no rotation), 90, 180 and 270.
rotate 0

# Text to be overlayed in the lower left corner of images
text_left Camera_1

# Text to be overlayed in the lower right corner of images.
text_right %Y-%m-%d\n%T-%q

# v4l2_palette allows one to choose preferable palette to be use by motion
# to capture from those supported by your videodevice. (default: 17)
# E.g. if your videodevice supports both V4L2_PIX_FMT_SBGGR8 and
# V4L2_PIX_FMT_MJPEG then motion will by default use V4L2_PIX_FMT_MJPEG.
# Setting v4l2_palette to 2 forces motion to use V4L2_PIX_FMT_SBGGR8
# instead.
#
# Values :
# V4l2 Option   FOURCC  v4l2_palette option
# V4L2_PIX_FMT_SN9C10X  S910    0
# V4L2_PIX_FMT_SBGGR16  BYR2    1
# V4L2_PIX_FMT_SBGGR8   BA81    2
# V4L2_PIX_FMT_SPCA561  S561    3
# V4L2_PIX_FMT_SGBRG8   GBRG    4
# V4L2_PIX_FMT_SGRBG8   GRBG    5
# V4L2_PIX_FMT_PAC207   P207    6
# V4L2_PIX_FMT_PJPG     PJPG    7
# V4L2_PIX_FMT_MJPEG    MJPG    8
# V4L2_PIX_FMT_JPEG     JPEG    9
# V4L2_PIX_FMT_RGB24    RGB3    10
# V4L2_PIX_FMT_SPCA501  S501    11
# V4L2_PIX_FMT_SPCA505  S505    12
# V4L2_PIX_FMT_SPCA508  S508    13
# V4L2_PIX_FMT_UYVY     UYVY    14
# V4L2_PIX_FMT_YUYV     YUYV    15
# V4L2_PIX_FMT_YUV422P  422P    16
# V4L2_PIX_FMT_YUV420   YU12    17
# V4L2_PIX_FMT_Y10      Y10     18
# V4L2_PIX_FMT_Y12      Y12     19
# V4L2_PIX_FMT_GREY     GREY    20
# v4l2_palette 17

############################################################
# Motion detection configuration parameters
############################################################

# Always save pictures and movies even if there was no motion.
emulate_motion off

# Threshold for number of changed pixels that triggers motion.
threshold 1500

# Noise threshold for the motion detection.
; noise_level 32

# Despeckle the image using (E/e)rode or (D/d)ilate or (l)abel.
despeckle_filter EedDl

# Number of images that must contain motion to trigger an event.
minimum_motion_frames 1

# Gap in seconds of no motion detected that triggers the end of an event.
event_gap 30

# The number of pre-captured (buffered) pictures from before motion.
pre_capture 3

# Number of frames to capture after motion is no longer detected.
post_capture 90

############################################################
# Script execution configuration parameters
############################################################

# Command to be executed when an event starts.
; on_event_start value

# Command to be executed when an event ends.
; on_event_end value

# Command to be executed when a movie file is closed.
; on_movie_end value

############################################################
# Picture output configuration parameters
############################################################

# Output pictures when motion is detected
picture_output off

# File name(without extension) for pictures relative to target directory
picture_filename %Y%m%d%H%M%S-%q

############################################################
# Movie output configuration parameters
############################################################

# Create movies of motion events.
movie_output on

# Maximum length of movie in seconds.
movie_max_time 60

# The encoding quality of the movie. (0=use bitrate. 1=worst quality, 100=best)
movie_quality 45

# Container/Codec to used for the movie. See motion_guide.html
movie_codec mkv

# File name(without extension) for movies relative to target directory
movie_filename %t-%v-%Y%m%d%H%M%S

############################################################
# Webcontrol configuration parameters
############################################################

# Port number used for the webcontrol.
webcontrol_port 51080

# Restrict webcontrol connections to the localhost.
webcontrol_localhost off

# Type of configuration options to allow via the webcontrol.
webcontrol_parms 2

# Set the authentication method (default: 0)
# 0 = disabled
# 1 = Basic authentication (username:password)
# 2 = MD5 digest (the safer authentication)
webcontrol_auth_method 1

# Authentication for the http based control. Syntax username:password
# Default: not defined (Disabled)
webcontrol_authentication user:pass

############################################################
# Live stream configuration parameters
############################################################

# The port number for the live stream.
stream_port 51081

# Restrict stream connections to the localhost.
stream_localhost off

# Set the authentication method (default: 0)
# 0 = disabled
# 1 = Basic authentication
# 2 = MD5 digest (the safer authentication)
stream_auth_method 1

# Authentication for the stream. Syntax username:password
# Default: not defined (Disabled)
stream_authentication user:pass

##############################################################
# Camera config files - One for each camera.
##############################################################
; camera /usr/etc/motion/camera1.conf
; camera /usr/etc/motion/camera2.conf
; camera /usr/etc/motion/camera3.conf
; camera /usr/etc/motion/camera4.conf

##############################################################
# Directory to read '.conf' files for cameras.
##############################################################
; camera_dir /usr/etc/motion/conf.d