Artifact repo for iocage zoneminder plugin.
This version of the Zoneminder plugin allows for customisation of SSL/TLS options. It also automatically generates a self-signed SSL certificate and a private key during its first installation so that the initial connection can be secured. As this is a self-signed certificate it will cause security warnings to be thrown by the browser. Ideally, you would provide your own certificate and key using the plugin settings to avoid the warnings, as soon as possible. The self-signed certificate will expire after 366 days.
A possible scheme to do that efficiently on a host such as FreeNAS is to copy a
valid certificate and private key file from the host's
/etc/certificates/mycert.pem
into the plugin at
/mnt/YourDataset/iocage/jails/YourJail/root/usr/local/etc/ssl/mycert.pem
directory and specify /usr/local/etc/ssl/mycert.pem
for the plug in to use. You
need to do that for the private key, too. You can set-up a Tasks/Cron Job on the
FreeNAS host to copy them regularly, especially if using an automated certificate
renewal tool like ACME LetsEncrypt. This way there is no need for the plugin to
have to manage its certificate renewal and you will achieve a reasonable level of
network security.
All the configurable settings are configured in settings.json. They are:
httpport
httpsport
sslcert
sslkey
Assuming your plugin jail is called "zoneminder" you can set them by calling something along the lines of:
iocage set -P httpport=8349 zoneminder
iocage set -P sslcert=/usr/local/etc/ssl/mycert.pem zoneminder
Bear in mind if you are setting the value of sslcert and sslkey you will get
an error once you have set the first parameter but before the second one. This
error, which you can ignore, simply states that the just-changed file does not
match the other one. Once the key and certificate match each other all is good.
A way to avoid that would be for iocage not to call the servicerestart
command
when setting multiple values, but it does not do that at present. Another way would
be to only make one of the two settings require a restart, but that would be
error-prone in other ways.
Please note that the Manage admin UI defaults to HTTPS on the default port (443) because of a bug in iocage (see iocage/iocage#1163) that prevents the adminportal URL from being formed correctly using custom values. Once that bug has been fixed it will be possible to replace the ui.json with the below one to make it work automatically:
{
"adminportal": "%%S%%://%%IP%%%%P%%/zm",
"adminportal_placeholders": {
"%%S%%": "adminprotocol",
"%%P%%": "adminport"
},
"docurl": "https://github.com/freenas/iocage-plugin-zoneminder"
}
By default the montage view will only work with something like 4 cameras at a time. This is because of the limits placed on the configuration of the software. More processes are needed in order for the software to work, so it would be adviseable to enter into the jail and make changes to the following files, with the following advice:
Edit:
/etc/rc.conf
And increase fcgiwrap_flags -c 4 to something that matches your configuration. IIRC one is needed per camera stream. Please make sure to note that this may have an impact on local resources.
All major browsers (because they all use the same engines now) limit the number of connections to each server, so you need to also enable a setting in zone minder called multiport, that was added to zoneminder recently. Before you do so you MUST add more ports to the nginx config.
Edit:
/usr/local/etc/nginx/conf.d/zoneminder.conf
And add an additional listen directive, for the additional ports that zoneminder can use. Since nginx can take multiple ports per directive you could add something like this:
listen 30000-30025;
Right under:
listen 80;
You must then go to the zoneminder GUI config, and edit MIN_STREAMING_PORT and set it at the starting port (in this example): 30000
At some point, the author that wrote these montage instructions, also edited this file:
/usr/local/etc/php-fpm.d/zoneminder.conf
And modified pm.max_childern to be:
pm.max_childern = 50
The author does not know if this matters, and did not have time to look up the setting, and test the config mod. Sorry.