How to access your mobile phone camera in node-red dashboard without opening your LAN to the internet?

Hi,

I have created a node-red dashboard using a template node that is able to scan a QR code.
When I access the dashboard in Chrome from my iPhone (connected to the same LAN) and click on the button "Request Camera Permissions" it gives the error "unable to query supported devices" (see screenshot).

The problem is that for mobile devices it seems that browsers are not allowed to access the camera for http sites.

I was able to fix this problem by accessing the dashboard via an https site as follows:

  1. Set up https access to my node-red using traefik (reverse proxy), but the https certificate stuff only works if the URL is a public URL (so not a LAN one). So for this I had to
  2. Create a public domain name that routes to my home router
  3. Open port 443 on my home router and map it to my traefik service.

Is there actually an easier way to get access to my camera on a mobile device (connected to the same home LAN) without requiring me to open my home network (steps 2 and 3)?

You need a trusted CA cert to sign a cert for whatever is hosting the dashboard.

  1. Use letsencrypt with the DNS challenge to issue a certificate for a hostname. The DNS can return a private IP address, so even though the hostname is public, access to the machine will not be. This is complicated to do without hosting your own DNS server (it may be possible with DNS hosting services that have APIs, but they may not let you assign RFC1918 IP addresses to public hostnames).

  2. Install a custom profile on the iPhone that contains a private CA certificate that you use to sign a certificate for the dashboard host.


Thanks a lot @hardillb,

Regarding option 1: DNS is returning a private IP address for an existing public

My home modem is pretty locked up. I have only a user password for it (not an admin) and have no way to configure its DNS server or specify which DNS server IP address the DHCP server should return.

... and of course even if I could do this: I admit that it is a bit too complicated a setup for me just to be able to access my camera :wink:

Regarding option 2: using private CA

For me the biggest issue with this is that a custom profile containing the private CA needs to be installed on all mobile devices (which is not a fixed list) that I want to access the dashboard from.
... maybe I need to check if there is an easy way to do this (e.g. by downloading it from a site that is also provisioned by node-red).

Option 1:
It's not a case of which DNS server your network (probably supplied by your router) uses to look up IP addresses, it's a case of needing access to the DNS that hosts a domain you own.

Option 2:
I would be very surprised if Apple don't insist that any site serving up a profile also has to be over a trusted HTTPS connection, which is a chicken/egg problem.


Thanks @hardillb

Option 1 is maybe not that complicated. So, I need to look for a free dynamic DNS provider that allows me to specify a private IP address for a public hostname.

The following link seems also to cover my use case but it is unclear if there is any solution for these use cases:

Dyn-DNS will not work for using DNS-01 Letsencrypt challenges; you need to buy a domain and have it hosted somewhere that will let you create TXT records via an API.

https://www.changeip.com/ allows me to specify a private IP address for a public hostname without a cost
... but I cannot create TXT records. Is it really necessary to create a TXT record?

Yes, you need to be able to create a TXT record to use the DNS-01 challenge to get a letsencrypt certificate.

Otherwise you have to use the HTTP-01 challenge, but this requires you to open up the host to the internet which was the point you were trying to avoid.

Just tested my above change (= using the private IP address 192.168.1.31 instead of the public IP address of my home modem): accessing the dashboard via https is working from my macbook but not from my iphone (ERR_NAME_NOT_RESOLVED); http access from the iphone was also not working, with the same error.

It seems that my iphone is not accepting that a public hostname is resolved to a private IP address.

I know you are not looking for this, but I use this a lot and maybe it can help you too.
With Siri Shortcuts you can scan and get the scanned code with an http get node.
Here is the shortcuts flow:

and here is the link if you want to try it.
:v:

Hi, I'm doing exactly the same: I have a UI and want to be able to scan QR codes from it, but I couldn't get it to work on devices on the same LAN.

Yes, the node-red dashboard opened on your iphone (I guess the same for an android phone) is not allowed to access its camera for an http site. The site you are accessing must be secure (https) if you want to access your camera.

It is not easy, but with a reverse proxy, a free public hostname and some router (= your home modem that is connecting to the internet) port mapping you can secure access (= https) to the node-red UI.

Just checked it for http://cert.n4l.co.nz/ and I could download this CA using my Safari browser on my iphone, which I then can install (I didn't do that) via my iphone's settings menu as is also described on that site.

Does Apple even allow installing private root CA certs? It's a hassle even on Android, if you haven't rooted your phone.

I have been using my own root CA for my intranet stuff for ages, but I also run an internal DNS server for my own private top-level domain. So no external services are required. The root CA is installed on all devices, works like a charm.

If you want to manage your own root CA, I can recommend XCA.

I didn't go as far as actually installing the root CA, but the instructions on http://cert.n4l.co.nz/ seem to be working fine. It also describes the instructions for installing the CA on an android device (no need to root it).

I know that you can install it into the user's root certificate store on Android, but that has implications. It forces you to set up a lock screen with a PIN or password on most devices. For tablets/phones solely used at home for control/dashboard purposes, this is annoying.
And on restrictive devices like Amazon Fire Tabs it doesn't seem to be working reliably at all. But that is another story. :sweat_smile:


With that solution, an internet connection would be required to access it even through the LAN, right?

My only concern is that I don't want to rely on an internet connection to be able to use it.

I think that I already got a solution. I read something about self-signed SSL certificates that I think could work:
src1
src2

But since I want to focus on other things, in the meantime this was a quick fix that worked for me:

Enabling the Microphone/Camera in Chrome for (Local) Unsecure Origins | by Scott Carmichael | Medium

Just added the address as an insecure origin on the device and it's working now... I know it is not the best way to go, but I prefer to skip the security on the device so I can finish the other features that I am working on, and take care of the SSL cert in the future.

This quick fix is not available for iOS (iphone). Just tried it. :sob: