Hi there, I couldn't find anywhere if the "Virtual Host" Feature supports HTTPS ? I can't find it anywhere on the internet nor in the documentation. I can't imagine that nobody is actually using HTTPS when cameras (e.g ColorVu G2) are connected to NVR (DS-7608NI-I2 / 8P - V4.40.016 build 200803)? I enabled "Enable HTTPS Browsing" on the camera and it is no longer accessible via the Virtual Host feature. Or is there are a way Virtual Host uses some hidden port for HTTPS ?
Secure remote (off-site) access to a Hikvision camera?
- Thread starter dusan_h
- Start date
- Messages
- 4,424
- Points
- 113
Hi @dusan_h
When cameras are directly connected to the PoE ports on a Hikvision NVR they are connected to the NVRs subnet IP range (192.168.254.xxx) which is not accessible from outside the NVR, either on your local network or remote networks. This is why Virtual Host is required to log in directly to individual cameras and why HTTPS is not required because you need access to the NVR to access those virtual host links.
When cameras are directly connected to the PoE ports on a Hikvision NVR they are connected to the NVRs subnet IP range (192.168.254.xxx) which is not accessible from outside the NVR, either on your local network or remote networks. This is why Virtual Host is required to log in directly to individual cameras and why HTTPS is not required because you need access to the NVR to access those virtual host links.
- Thread starter
- #3
Thank you @Dan for a quick response.
I was trying to control a camera via web browser UI outside my local network, by port forward 65001 port on my router to my NVR, but then if the HTTP protocol is only allowed then I am not going to do it
I can get to 192.168.254.xxx network a when a Virtual Host is running on NVR (when I make a route on my router from 192.168.1.0 network to 192.168.254.0 network via NVR as a gateway) so I can access cameras - but again, just via HTTP. If HTTPS is enabled, NVR will not route it, unless Virtual Host start supporting HTTPS.
Even on local networks HTTP should not be used as anyone can see unencrypted passwords.
When I SSH to NVR, I can see when Virtual Host is enabled port 80 is hardcoded, so it should not be that difficult to make the protocols selectable when enabling Virtual Host.... not sure if Hikvision could implement such feature ?
Enabling Virtual Host :
=iptables_add_nat dnat [iptables -t nat -A PREROUTING -p tcp --dport 65001 -j DNAT --to-destination 192.168.254.10:80]=
=iptables_add_nat snat [iptables -t nat -A POSTROUTING -p tcp -d 192.168.254.10 --dport 80 -o eth0 -j MASQUERADE]=
Disabling Virtual Host :
=iptables_del_nat dnat [iptables -t nat -D PREROUTING -p tcp --dport 65001 -j DNAT --to-destination 192.168.254.10:80]=
=iptables_del_nat snat [iptables -t nat -D POSTROUTING -p tcp -d 192.168.254.10 --dport 80 -o eth0 -j MASQUERADE]=
How do people access WebUI of the cameras then to get all the features ? Only via VPN - which is the most sensible/secure I think ? Or they connect cameras to a switch/different LAN rather than connecting directly to NVR ?
I was trying to control a camera via web browser UI outside my local network, by port forward 65001 port on my router to my NVR, but then if the HTTP protocol is only allowed then I am not going to do it
I can get to 192.168.254.xxx network a when a Virtual Host is running on NVR (when I make a route on my router from 192.168.1.0 network to 192.168.254.0 network via NVR as a gateway) so I can access cameras - but again, just via HTTP. If HTTPS is enabled, NVR will not route it, unless Virtual Host start supporting HTTPS.
Even on local networks HTTP should not be used as anyone can see unencrypted passwords.
When I SSH to NVR, I can see when Virtual Host is enabled port 80 is hardcoded, so it should not be that difficult to make the protocols selectable when enabling Virtual Host.... not sure if Hikvision could implement such feature ?
Enabling Virtual Host :
=iptables_add_nat dnat [iptables -t nat -A PREROUTING -p tcp --dport 65001 -j DNAT --to-destination 192.168.254.10:80]=
=iptables_add_nat snat [iptables -t nat -A POSTROUTING -p tcp -d 192.168.254.10 --dport 80 -o eth0 -j MASQUERADE]=
Disabling Virtual Host :
=iptables_del_nat dnat [iptables -t nat -D PREROUTING -p tcp --dport 65001 -j DNAT --to-destination 192.168.254.10:80]=
=iptables_del_nat snat [iptables -t nat -D POSTROUTING -p tcp -d 192.168.254.10 --dport 80 -o eth0 -j MASQUERADE]=
How do people access WebUI of the cameras then to get all the features ? Only via VPN - which is the most sensible/secure I think ? Or they connect cameras to a switch/different LAN rather than connecting directly to NVR ?
Similar threads
- Sticky
- Article
- Locked
- Sticky
- Article