API: Secure HTTP API for Authentication. Port 1985 does not have any security authentication. #1640

Closed
caijian76 opened this issue Mar 16, 2020 · 2 comments · Fixed by #3458
Labels: API (HTTP-API, HTTP-Callback, etc.), Enhancement (Improvement or enhancement.), Feature (It's a new feature.), TransByAI (Translated by AI/GPT.)


caijian76 commented Mar 16, 2020

Description

Currently, the program is used to kick out timed-out streaming clients through the API. However, it has been observed that anyone with a basic understanding of SRS can view and even kick out legitimate clients. Is there any way to avoid this issue?
I saw a post earlier that mentioned listening to port 1985 on 127.0.0.1 and then using another HTTP proxy to achieve this. Could you please explain how to implement the above method in a Docker deployment environment?

  1. SRS version: v3
  2. Deployment method: k8s

Member

winlinvip commented Mar 21, 2020

CN

Due to the fact that authentication issues are business-related, the authentication methods designed for different business systems are completely different. Therefore, the API of SRS itself is not suitable for authentication capabilities.

The most suitable approach is to have SRS listen on 127.0.0.1:1985, isolated from the network to prevent external user access. Then, use Go or Nodejs to write an API server that reverse proxies to SRS's API. This way, you can implement authentication according to your own business requirements.

Similarly, this approach also supports HTTPS API. For example, you can use Nginx or Go to proxy once and support HTTPS API. Then, this proxy can access SRS's API. Please refer to #2881 for more information.

EM

SRS won't support HTTP API authentication or token verification, because authentication is defined by your business system. Different users have different business systems, so it's impossible for SRS to verify the user for the HTTP API.

The best solution is to configure SRS to listen at 127.0.0.1:1985, which forces the HTTP API to listen at lo or an internal network. Then, use a Go or Node.js server to verify the user and proxy to the SRS HTTP API.

This also works for the HTTPS API, for example, using NGINX or Go to convert HTTPS to HTTP; see #2881.

@winlinvip winlinvip reopened this Mar 21, 2020
@winlinvip winlinvip self-assigned this Sep 4, 2021
@winlinvip winlinvip added API HTTP-API, HTTP-Callback, etc. Won't fix We won't fix it. labels Sep 4, 2021
@winlinvip winlinvip added this to the 3.0 milestone Sep 4, 2021
@winlinvip winlinvip changed the title from "1985端口没有任何安全认证" to "API: Secure HTTP API. 1985端口没有任何安全认证" Jun 15, 2022
@winlinvip winlinvip changed the title from "API: Secure HTTP API. 1985端口没有任何安全认证" to "API: Secure HTTP API for Authentication. 1985端口没有任何安全认证" Jun 15, 2022
@winlinvip winlinvip added Enhancement Improvement or enhancement. Feature It's a new feature. and removed Won't fix We won't fix it. labels Feb 23, 2023
@winlinvip winlinvip modified the milestones: 3.0, 6.0 Feb 23, 2023
Member

winlinvip commented Feb 23, 2023

Besides listening at localhost, we should support a Go proxy with authentication and some basic authentication.

Go proxy:

Client ---HTTP------> Go HTTP API ---HTTP-------> SRS HTTP API
             (listen at public with auth)   (listen at localhost without auth)

SRS HTTP API with basic authentication:

Client ----HTTP-----> SRS HTTP API
                (with basic authentication)

See Grafana Authentication API.

@winlinvip winlinvip reopened this Feb 23, 2023
@winlinvip winlinvip changed the title from "API: Secure HTTP API for Authentication. 1985端口没有任何安全认证" to "API: Secure HTTP API for Authentication. Port 1985 does not have any security authentication." Jul 29, 2023
@winlinvip winlinvip added the TransByAI Translated by AI/GPT. label Jul 29, 2023
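
The Go proxy layout sketched in the thread, as an added example (not code from SRS or from any commenter): a reverse proxy that checks HTTP basic credentials before forwarding to an SRS HTTP API assumed to listen on 127.0.0.1:1985. The listen port 8085, the `API_USER`/`API_PASS` environment variables and the `newAuthProxy` name are assumptions.

```go
package main

import (
	"crypto/sha256"
	"crypto/subtle"
	"log"
	"net/http"
	"net/http/httputil"
	"net/url"
	"os"
)

// newAuthProxy (hypothetical name) returns a handler that checks HTTP basic
// credentials and only then forwards the request to the SRS HTTP API at upstream.
func newAuthProxy(upstream *url.URL, user, pass string) http.Handler {
	proxy := httputil.NewSingleHostReverseProxy(upstream)
	wantUser, wantPass := sha256.Sum256([]byte(user)), sha256.Sum256([]byte(pass))
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		u, p, ok := r.BasicAuth()
		gotUser, gotPass := sha256.Sum256([]byte(u)), sha256.Sum256([]byte(p))
		// Hash first so both comparisons run in constant time on equal-length input.
		userOK := subtle.ConstantTimeCompare(gotUser[:], wantUser[:]) == 1
		passOK := subtle.ConstantTimeCompare(gotPass[:], wantPass[:]) == 1
		if !ok || !userOK || !passOK {
			w.Header().Set("WWW-Authenticate", `Basic realm="srs-api"`)
			http.Error(w, "unauthorized", http.StatusUnauthorized)
			return
		}
		// Do not hand the proxy's credentials to the upstream API.
		r.Header.Del("Authorization")
		proxy.ServeHTTP(w, r)
	})
}

func main() {
	// Assumption: SRS is configured to listen on 127.0.0.1:1985 only.
	upstream, err := url.Parse("http://127.0.0.1:1985")
	if err != nil {
		log.Fatal(err)
	}
	user, pass := os.Getenv("API_USER"), os.Getenv("API_PASS") // hypothetical variable names
	if user == "" || pass == "" {
		log.Fatal("API_USER and API_PASS must be set")
	}
	// Plain HTTP listener on an assumed port; put TLS termination in front of it
	// so the basic credentials are not sent in clear text.
	log.Fatal(http.ListenAndServe(":8085", newAuthProxy(upstream, user, pass)))
}
```

In a container deployment the same split applies only if the SRS API port is not published outside the pod or container network; the proxy is the only listener that should be reachable by clients.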
3 participants