I'm trying to create a PHP webpage that allow the visitor to see a video stream or an image coming from a webcam without allowing the visitors to grab it's original URL/URI. In other words, I have an ip camera operating at a given address:port and I can see the stream embedding in a HTML body something like this:

    <img src="http://5.246.77.89:8080/videostream.cgi?user=myusername&amp;pwd=mypass&amp;resolution=32&amp;rate=15" alt="">

or alternatively if we want a static image:

    <img src="http://5.246.77.89:8080/snapshot.cgi?user=myusername&amp;pwd=mypass&amp" alt="">

Now the problem is that if anyone look at the HTML code behind the page will see the URL of the camera along with its user/password credentials, obviously. This allow the visitor to connect to the camera at any time even without having to go on the page that is hosting this service, they just need to type into any browser to the URL

http://myip:myport/videostream.cgi?user=admin&pwd=fewf2d53BVH&resolution=32&rate=15

I don't want that the user is able to do that. So I had an idea: If I'm able to wrap the stream into a php webpage acting as a 'man-in-the-middle' I can give the visitor the video without letting them know the original source. The original IP:PORT will be visible only from my server. Obviously they will always be able to use the URL of my webpage but they will never see the user/password of the camera and I can lock the service out at any time. Furthermore to improve security I can setup the router hosting the webcam to accept connections coming from my webserver only. This will act as a stealth against malicious users attempting to connect directly to the webcabm. What can I do on the server-side to obtain this behaviour?

Well, at least for images you could use curl... As I've pointed out in the comments, you may create a php file (say, my.php) containing something like the following:

$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, 'http://example.com/?password=4444&login=1111');
curl_setopt($ch, CURLOPT_HEADER, 0);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
curl_setopt($ch, CURLOPT_BINARYTRANSFER,1);
$picture = curl_exec($ch);
curl_close($ch);
//Display the image in the browser
header('Content-type: image/jpeg');
echo $picture;

and than just write:

 <img src='my.php'>

P.S. Although I believe it is NOT the best way to do things, it looks like it solves the problem. No more private data in img src. I have never anything alike with video formats, but as for images it seems quite easy. You can read more about curl here: http://php.net/manual/en/book.curl.php

Another solution using above mentioned passthru:

<?php 
Header("content-type:image/jpeg"); 
passthru("pic.jpg?login=11&pass=22"); 
?>

However, it is still only for images, because of the header... If you find anything that works with videos/video streaming, please, let me know!!