soyMAIL 2.1.0 requires JavaScript
soyMAIL @ wasd.vsm.com.au
       info-WASD Mailing List 2024 

Sun 12:03:02 Message "2024 / 0007" opened.  MIME.  utf-8.  10 kbytes.    JavaScript

Subject:Wrangling Disparate Systems - a recent exercise0007 / 0000
From:mark.daniel@wasd.vsm.com.au
Date:Thu, 16 May 2024 13:39:30 +0930  [16-MAY-2024 13:39]
To:info-WASD@vsm.com.au

TL;DR  Needed a facility to provide access to a security camera
       for our small residential group ... used a WASD tunnel.

Background
~~~~~~~~~~
Having relocated from a family-size to smaller home (in a group of six) with
resident parking undercover but outside our gate, four years ago I installed
a security camera at least to allow after-the-fact analysis of any incident
involving our vehicle.  Fellow owners agreed this has proved useful on
occasion but provided only a limited view of the target area.  It was
suggested installing a second camera specifically to surveil the parking.
While the first camera incorporated partial views of our private yard the
second would overlook community space only.  This would allow an additional
facility -- a web-accessible portal to the camera for fellow owners.

Obtaining the first POE UHD camera I wanted a minimum fuss, motion-detect
recording capability, without supplementing my existing systems.  I chose an
affordably priced Mac application that has worked flawlessly for four years.
The application uses networked data from the camera(s) while presenting live
and recorded video in useful resolutions (across Mac Spaces if desired).
Occasionally I used the web interface when travelling, which coincidentally
had just been upgraded, lending itself perfectly to sharing access.

User Interface
~~~~~~~~~~~~~~
The web portal needs to be turnkey for non-technical folk.  HTTPS secured
with browser-accepted CA.  Click, credentials, view.  The authorised party
just accesses https://mgdcam.example.net and is presented with a page

  |                     *Authorised Access Only*                         |
  |   By using this facility you consent to the 'terms and conditions'↗  |
  |             Remember to logout before closing the page.              |
  |            *You:* 192.168.1.2 / gort.lan / private range             |
  |                                                                      |
  |                    +------------------------+                        |
  |                    | Security Camera Banner |                        |
  |                    |   {Username........}   |                        |
  |                    |   {Password........}   |                        |
  |                    |   [Login]              |                        |
  |                    +------------------------+                        |
  |                                                                      |

** An image would provide better illustration but not used here for privacy.
   Obviously 'mgdcam.example.net' host name for this explanation only.

Implementation
~~~~~~~~~~~~~~
The Mac application developer is understandably reluctant to host custom
HTML/JavaScript/CSS etc. on the web interface, and even does not provide for
plain-text announcements (already suggested it should).  I felt the facility
needed integrated announcements and so 'wrapped' the application in a simple
page using <iframe> to transparently partition the independent elements.

While the application web interface supports HTTPS, browser accepted
certificates are the perennial issue.  Fortunately Let's Encrypt (LE) has
largely addressed that problem, if available.  WASD has solved the
provisioning of LE using wuCME.  It could be arranged for a wuCME LE cert to
be transferred onto the Mac for the application to use.  Or just install an
LE agent on the Mac.

But why not just use WASD as the front-end?  Tunnel to the Mac application
HTTP port on the private network.  Certified HTTPS presented to the Internet.
Also provides some logical isolation of an internal facility (the Mac
application) as well as a very familiar (to me) set of controls (mapping,
reject rules) to provision capabilities and otherwise control access.

               100/20Mbps   --------    1Gbps    ----------
  (broadband)---------------|router|------+------|  WASD  |
                            --------      |      ----------
                                          |      ----------
                                          +------|   Mac  |
                            ~~~~~~~~      |      ----------
                            >camera|------+
                            ~~~~~~~~

** The following snippets have been edited for privacy.
   Router rules not shown but important to functionality and security.

# WASD_CONFIG_SERVICE

Need a cleartext port for LE purposes.

  [[http://mgdcam.example.net:80]]
  [ServiceBind] 192.168.1.86

HTTPS port (primary service) includes LE certificate.

  [[https://mgdcam.example.net:443]]
  [ServiceBind] 192.168.1.86
  [ServiceSSLcert] wasd_root:[local]wucme_c_mgdcam_example_net.pem

The HTTPS port to be tunnelled to the security camera application.

  [[https://mgdcam.example.net:4891]]
  [ServiceBind] 192.168.1.86
  [ServiceSSLcert] wasd_root:[local]wucme_c_mgdcam_example_net.pem
  [ServiceProxy]  enabled
  [ServiceProxyTunnel]  RAW

# WASD_CONFIG_MAP

Redirect HTTP to HTTPS port (includes required LE mappings).

  [[mgdcam.example.net:80]]
  redirect /.well-known/acme-challenge/* \
           /cgi-bin/wucme/.well-known/acme-challenge/*
  if (request-method: || request-uri:/cgi-bin/wucme/*)
     exec /cgi-bin/* /cgi-bin/* map=once
  endif
  redirect / https://mgdcam.example.net:443
  pass * 403

Primary service connected to by external party.
Includes some specific mapping and a default fail.

  [[mgdcam.example.net:443]]
  script /ann /mgdcam/ann.com
  redirect /cam https://mgdcam.example.net:4891
  pass /tandc /mgdcam/tandc.html
  pass / /mgdcam/mgdcam.html
  pass * 403

Tunnel to security camera application.

  [[mgdcam.example.net:4891]]
  set * alert=map
  if (request-method:connect)
     pass *:0 http://192.168.1.2:4891 notimeout proxy=forwarded=address
  endif
  pass * 403

CONTENT:

The following HTML is returned when accessing the / URI.

  X86VMS$ type mgdcam.html
  <!DOCTYPE html>
  <html>
  <head>
  <title>MGDcam Facility</title>
  </head>
  <body style="margin:0px;padding:0px;overflow:hidden;
               font-family:arial;font-size:12pt;">
  <iframe src="https://mgdcam.example.net/ann" frameborder="0"
          sandbox="allow-same-origin allow-popups"
          style="overflow:hidden;overflow-x:hidden;overflow-y:hidden;
          position:absolute;top:0px;left:0px;right:0px;bottom:0px"
          height="100%" width="100%">
  </iframe>
  <iframe src="https://mgdcam.example.net/cam" frameborder="0"
          sandbox="allow-same-origin allow-scripts allow-forms"
          style="overflow:hidden;overflow-x:hidden;overflow-y:hidden;
          position:absolute;top:7em;left:0px;right:0px;bottom:0px"
          height="80%" width="100%">
  </iframe>
  </body>
  </html>

A small script for announcement (including 'we know where *You:* live' :-)

  X86VMS$ type ann.com
  $ mcr cgi-bin:[000000]geolocate 'WWW_REMOTE_ADDR'
  $ you = "<br><b>You:</b> " + GEOLOCATE_ADDR
  $ if GEOLOCATE_HOST .nes. "" then you = you + " / " + GEOLOCATE_HOST
  $ if GEOLOCATE_COUNTRY .nes. "" then you = you + " / " + GEOLOCATE_COUNTRY
  $ if GEOLOCATE_REGION .nes. "" then you = you + " / " + GEOLOCATE_REGION
  $ if GEOLOCATE_CITY .nes. "" then you = you + " / " + GEOLOCATE_CITY
  $ type sys$input:
  Content-Type: text/html
  ⏎ 
  <!DOCTYPE html>
  <html>
  <body style="text-align:center;font-family:arial;font-size:12pt;">
  <b style="font-size:200%;">Authorised Access Only</b>
  <br>By using this facility you consent to the
  <a target="_blank" href="/tandc">terms and conditions</a>.
  <br>Remember to <i>logout</i> before closing the page.
  $ write sys$output you
  $ type sys$input:
  </body>
  </html>

Terms and Conditions may contain anything applicable.

  X86VMS$ type tandc.html
  <!DOCTYPE html>
  <html>
  <head>
  <title>MGDcam Terms and Conditions of Use</title>
  8< snip 8<

X86 WASD Performance
~~~~~~~~~~~~~~~~~~~~
On the (recently upgraded) x86-64 development system:

  |X86VMS$ @vups
  |innotek GmbH VirtualBox with 3 CPU and 7936MB running VMS V9.2-2
  |Approximate System VUPs Rating : 630.1 ( min: 625.6 max: 639.2 )

A camera live stream comprising approximately 7.8Mbps (25fps H.264)
tunnelling into and out of WASD consumes:

  |            +-----+         TIME IN PROCESSOR MODES
  |            | CUR |              on node X86VMS
  |            +-----+         16-MAY-2024 10:38:07.11
  |
  |Combined for  3 CPUs                 0         75        150       225      300
  |                                     + - - - - + - - - - + - - - - + - - - - +
  | Interrupt State                   8 |▒
  |                                     |         |         |         |         |
  | MP Synchronization                  |
  |                                     |         |         |         |         |
  | Kernel Mode                       2 |
  |                                     |         |         |         |         |
  | Executive Mode                      |
  |                                     |         |         |         |         |
  | Supervisor Mode                     |
  |                                     |         |         |         |         |
  | User Mode                         1 |
  |                                     |         |         |         |         |
  | Compatibility Mode                  |
  |                                     |         |         |         |         |
  | Idle Time                       289 |▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒   
  |                                     + - - - - + - - - - + - - - - + - - - - +

Excellent!

This item is one of a collection at
https://wasd.vsm.com.au/other/#occasional

  ¤¤¤       
  ¤¤¤