How to provide HTTPS access to a webserver that doesn't support SSL?

Install Apache with a relevant vhost, and use ProxyPass (and probably ProxyPassReverse) to do the proxying to your webcam. Client certificate authentication is a touch trickier, but not much; surprisingly enough, Google search results for "apache client certificate authentication" are very useful.
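A sketch of the vhost this answer describes, added here as an example and not part of the original answer. The hostname, backend address and certificate paths are placeholders, and it assumes Apache 2.4 with mod_ssl, mod_proxy and mod_proxy_http loaded.

```apache
# Added example: hostname, backend address and file paths are placeholders.
<VirtualHost *:443>
    ServerName cam.example.com

    # TLS termination: Apache presents its own certificate to browsers.
    SSLEngine on
    SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
    SSLCertificateFile    /etc/ssl/certs/cam.example.com.crt
    SSLCertificateKeyFile /etc/ssl/private/cam.example.com.key

    # Client certificate authentication: the handshake fails unless the
    # browser presents a certificate issued directly by this private CA.
    SSLCACertificateFile /etc/ssl/certs/camera-clients-ca.crt
    SSLVerifyClient require
    SSLVerifyDepth 1

    # Reverse proxy only; never act as a forward (open) proxy.
    ProxyRequests Off

    # Forward decrypted requests to the plain-HTTP camera, and rewrite
    # Location headers in its redirects so they point back at the proxy.
    ProxyPass        / http://192.0.2.10:80/
    ProxyPassReverse / http://192.0.2.10:80/
</VirtualHost>
```

The client-certificate check only protects the camera if its plain-HTTP port is reachable from the proxy alone, so remove any direct port forward to it. `apachectl configtest` checks the syntax before a reload.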


Womble's suggestion of an Apache reverse proxy is an excellent suggestion. An alternate solution would be to configure stunnel to wrap it. Stunnel will be more lightweight than Apache if you aren't looking for any of the added benefits of having a full web server in front of your camera.

Edit 2016: It's been a long time, but this question still gets traffic. I now recommend hitch. Hitch is designed for scalability, while stunnel is not. If HTTP headers or content need to be modified by the proxy then I recommend Nginx.


Most all-purpose webservers also have a proxy module; that includes Apache with mod_proxy, as well as Nginx and lighttpd for a more lightweight solution.

If you just want an SSL proxy, meaning a component which only receives SSL traffic, unpacks it, transfers it to a backend service and re-encrypts the answer, you should have a look at either stunnel or stud. As these tools do only that, they are easier to set up and generally faster and less resource-consuming than the alternatives (esp. Apache).


Another option that you may already have available to you is VPN. Depending on the firewall you have in front of the Web cam machine/DVR, you could set up mobile IPSec VPN and dial into the firewall first, then access the camera via its internal IP (assuming again that the camera machine is NAT'ed behind the firewall).

Most "business" firewall/routers offer VPN capabilities now.

With this option, you could completely disable port forwarding so that your camera machine is not listening on the outside anymore and would only be accessible after establishing a VPN connection.

This would provide you with encryption and authentication with potentially less learning curve than setting up Apache as a reverse proxy and no additional cost in hardware (again, this depends on what you have).

Downside is that you'd need to configure a VPN client on each machine where you'd want to view the cameras, but there would be some additional admin overhead with client certificates as well.

It should also be mentioned that, depending on encryption/protocol, VPN does add overhead, which may factor into network throughput, but this shouldn't be an issue with the number of users you're expecting and the likelihood that the camera won't be viewed concurrently very often.

If you only plan on accessing the camera from one remote location*, you could also set up an IPSec tunnel between the remote location's and the camera location's firewalls (called a site-to-site IPSec VPN tunnel). This way, you wouldn't need to configure VPN clients on each machine where you're planning on viewing the cameras: you could just pull up the camera's Web interface in any browser on any machine at that remote location (depending on firewall rules of course).

If you provide us with the firewall make/model, we can suggest a configuration that's best.

*You could most certainly set up additional site-to-site VPN tunnels. But if the 5 users are all at different Internet locations, it's a bit overkill going through the process of setting up IPSec tunnels, so VPN clients would be more practical (or a combination of the two: i.e. if 4 of the 5 users are at one Internet location, set up an IPSec tunnel there; the 5th user could use a VPN client).


What you describe is doable, yes. I imagine there are a number of tools that can do this, but I'm pretty confident that Apache can do this. You're describing a 'reverse proxy' (something to google) and certificate-based authentication. For the first, you probably want mod_rewrite, but I don't have a great deal of experience with the latter.

I wouldn't be surprised if a few other tools could do this, e.g. squid or an SSL accelerating appliance.