OpenALPR Webhook Processor for IP Cameras

[mindboggle]

Quick follow-up to my previous post. Since I don't like the idea of port forwarding, I decided to work around it by using a secure tunnel via Cloudflare. This is a free service that opens a tunnel to your local machine via a specified port. The only downside is that you need a domain name in Cloudflare, so that's around $10 a year. I already have a domain, so it's no big deal to me.

Once I created the tunnel, I added a WAF rule for the subdomain serving the tunnel to block any traffic without the token in the URL. Then I gave cloud.openalpr.com the webhook URL with the verification token, effectively making that service the only one that can access the tunnel. All other attempts to access the subdomain without the token are blocked.

To access the webhook processor locally, I continue to use my internal IP address. And since I already run a VPN on my devices, I can access that IP address wherever I need to.

At some point I may see if I can get cloud.openalpr.com running locally (it doesn't seem to work in Docker), but until then, I think this is a good security option.

Here are the steps I took. Thought it might be helpful to someone else out there.

• Setup a Cloudflare account and associate a domain with it.
• Install cloudflared: Downloads · Cloudflare Zero Trust docs
• Setup a tunnel using this command:
  • cloudflared tunnel create your-tunnel-name
  • cloudflared tunnel route dns your-tunnel-name yoursubdomain.yourdomain.com
  • cloudflared tunnel run --url http://localhost:YOURPORT your-tunnel-name
    • Make sure you put in the port for your webhook processor server.
• Run in background:
  • Append to the shell script in my previous post: nohup cloudflared tunnel run --url http://localhost:YOURPORT your-tunnel-name &
  • For Mac, you can also run as a service: Run as a service on macOS · Cloudflare Zero Trust docs
• Check to make sure everything is running with this command “cloudflared tunnel info your-tunnel-name” or in the Cloudflare dashboard.
• Next, go to your domain in Cloudflare and setup a WAF rule with this expression:
  • (http.host eq "yoursubdomain.yourdomain.com" and http.request.uri.query ne "verify=put_a_long_token_here”)
  • Have the action set to “Block”
• Go to Login - OpenALPR by Rekor and change your webhook link to:
  https://yoursubdomain.yourdomain.com/webhook?verify=put_a_long_token_here
• Now get something like Tailscale (Tailscale · Best VPN Service for Secure Networks) running. This will allow you to continue going to your localhost (via your internal IP) on any device running Tailscale without getting blocked.
• Final step is to remove the port forwarding on your router.

 

[mlapaglia]

v5.2.0 is released upgrading to .net8. you'll need to change your docker container port to 8080 since .net8 changed it Breaking change: Default ASP.NET Core port changed from 80 to 8080 - .NET

 

[brianegge]

Thank you. I've updated my container to the latest and it's running fine after changing my port to 8080.

I'm very happy with the project! I have a few questions...

1) Others have commented it would be helpful to have the images stored separately. I would like to keep my plates database on NVME, but move the images to SMR. Again, eventually we may want separate retention of the images, though I guess we can run a sqlite command once a year. If I have 14TB SMR and 1TB NVME, I would hope I could keep both for a long time.
2) The text overlay is great! I wish we could see something other than 'processing time' though. If it could be replaced with 'visits this week', it would be more useful. This of course depends on being able to run that sql query fast.
3) At night it usually can't determine the make / model, but it would be possible to look up in the DB to see if it has a match from a daytime plate. I know this can be done manually later of course.

 

[mindboggle]

Thanks for the update. Everything works fine on macOS. All I had to do was pull in the changes and upgrade to .NET 8.0 here: Download .NET 8.0 (Linux, macOS, and Windows)

 

[tomas21]

Solid work on your webhook setup... I recently noticed my long running OpenALPR webhook setup was pegging my Docker container platform so I am attempting to update the container to the newer version... pounding my head.. thoughts?

Curious what other did to get the latest OpenALPR webhook to work with the latest Rekor agent in docker? I ran the command below but for some reason can't get the Rekor setup to get files to Webhook anymore... thoughts?

Steps
1 - Deleted old container
2 - Pulled down latest image of webhook: sudo docker pull mlapaglia/openalprwebhookprocessor:v5.3.0
3 - Created new container: sudo docker run -d --name=openalprwebhookprocessor3 --net=bridge -v /var/services/homes/administrator/webhook_alpr/app3/config/:/app/config/ -p 3859:8080 mlapaglia/openalprwebhookprocessor:v5.3.0
4 - Coped over my processor.db & user.db into the ...app3/config folder

5 - Tried to test webhooks from Rekor site but getting 405
6 - Looked at config on webhooks and everything is the same from pervious config that worked so not sure..

Considering..
5. Deleted Rekor agent container
6. Pulled down the latest image: sudo docker pull openalpr/agent:4.1.8
7. Created new container: sudo docker run -P -v /var/services/homes/administrator/openalpr/config:/etc/openalpr/ -v /var/services/homes/administrator/openalpr/images:/var/lib/openalpr/ -it openalpr/agent:4.1.8 openalpr-licenseregister
8. Reconfig alprd.conf

    country = us
    site_id = unspecified-docker
    store_plates = 1
    store_plates_location = /var/lib/openalpr/plateimages/
    store_plates_maxsize_mb = 8000
    upload_address = https://cloud.openalpr.com/push/
    upload_data = 1
    websockets_enabled = 1
    web_server_enabled = 1
    web_server_debug = 1