bluenviron / mediamtx

Ready-to-use SRT / WebRTC / RTSP / RTMP / LL-HLS media server and media proxy that allows to read, publish, proxy, record and playback video and audio streams.
MIT License

api not working for ip addresses other than localhost #3112

Closed rktr2009 closed 7 months ago

rktr2009 commented 7 months ago

Which version are you using?

v1.6.0

Which operating system are you using?

Describe the issue

The new authentication method was introduced in this version, and there is an issue when trying to access the API: http://localhost:9997/v3/paths/list works, but not from an external IP address. Say the server on which mediamtx is running is 192.168.111.2, and the client is 192.168.111.3. I can't access the API from 192.168.111.3 as 192.168.111.2:9997/v3/paths/list. Even with the setup described below, the client is asked for a password, but the browser shows a blank page, regardless of which user/pass combination I use. It shouldn't ask for a password in the first place, should it?

Describe how to replicate the issue

I might be giving a wrong configuration, but I wanted it to work the way pre-v1.6.0 versions did, so I set it up as:

authInternalUsers:
- user: any
  pass:
  ips: []
  permissions:
  - action: publish
    path:
  - action: read
    path:
  - action: playback
    path:
  - action: api
  - action: metrics
  - action: pprof

I have commented out,

#- user: any
#  pass:
#  ips: ['127.0.0.1', '::1']
#  permissions:
#  - action: api
#  - action: metrics
#  - action: pprof

By doing the above, I was hoping that I could access the API from any IP on the network, which was the behavior in previous versions.

Did you attach the server logs?

No. It doesn't log anything regarding this issue.

Did you attach a network dump?

no

aler9 commented 7 months ago

Hello, I just tested the scenario you described and in my case everything worked perfectly. This is my configuration:

authInternalUsers:
  # Default unprivileged user.
  # Username. 'any' means any user, including anonymous ones.
- user: any
  # Password. Not used in case of 'any' user.
  pass:
  # IPs or networks allowed to use this user. An empty list means any IP.
  ips: []
  # List of permissions.
  permissions:
    # Available actions are: publish, read, playback, api, metrics, pprof.
  - action: publish
    # Paths can be set to further restrict access to a specific path.
    # An empty path means any path.
    # Regular expressions can be used by using a tilde as prefix.
    path:
  - action: read
    path:
  - action: playback
    path:
  - action: api
  - action: metrics
  - action: pprof

I am able to call the /v3/paths/list from another machine.

Please also check that you're not using the legacy readUser, readPass, publishUser, publishPass inside any path, since these trigger a legacy mode in which the API can be accessed by localhost only.

aler9 commented 7 months ago

I noticed that when readUser, readPass, publishUser, publishPass are present but empty, the legacy mode gets triggered anyway. This will be changed.
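A configuration check for the two conditions discussed in this thread, as an added example that is not mediamtx code and not from either commenter: it reports uncommented legacy `readUser`/`readPass`/`publishUser`/`publishPass` keys (including empty ones, which trigger legacy mode in v1.6.0 according to the comment above) and lists which of `api`, `metrics` and `pprof` are granted to user `any` with `ips: []`. The function names, the line-based scan and the sample config are assumptions made for illustration.

```python
import re
LEGACY_KEYS = {"readUser", "readPass", "publishUser", "publishPass"}
ADMIN_ACTIONS = {"api", "metrics", "pprof"}

# Constructed sample config (not from the issue): cam1 carries empty legacy keys.
SAMPLE = """\
authInternalUsers:
- user: any
  pass:
  ips: []
  permissions:
  - action: api
  - action: metrics
paths:
  cam1:
    readUser:
    readPass:
"""

def _strip_comment(line):
    # Drop full-line and trailing '#' comments ('#' inside quotes is not handled).
    return re.sub(r"(^|\s)#.*$", "", line).rstrip()

def find_legacy_keys(text):
    """Return (line number, key, is_empty) for each uncommented legacy key."""
    hits = []
    for no, raw in enumerate(text.splitlines(), 1):
        m = re.match(r"\s*(\w+):\s*(.*)$", _strip_comment(raw))
        if m and m.group(1) in LEGACY_KEYS:
            hits.append((no, m.group(1), m.group(2).strip("'\" ") == ""))
    return hits

def anonymous_admin_actions(text):
    """Return admin actions granted to user 'any' with ips: [] (any client IP)."""
    granted, in_block, user, ips = set(), False, None, None
    for raw in text.splitlines():
        line = _strip_comment(raw)
        if line and line[0] not in " -":  # a top-level key opens or closes the block
            in_block = line.startswith("authInternalUsers:")
        elif line and in_block:
            # Assumes 'ips' precedes 'permissions' in each entry, as in the configs above.
            key, _, value = (p.strip() for p in line.strip().lstrip("- ").partition(":"))
            if key == "user":
                user, ips = value, None
            elif key == "ips":
                ips = value
            elif key == "action" and user == "any" and ips == "[]":
                granted |= {value} & ADMIN_ACTIONS
    return sorted(granted)
```

Run both functions over the text of `mediamtx.yml`; any hit from `find_legacy_keys` explains an API that answers only on localhost, and a non-empty result from `anonymous_admin_actions` means those endpoints are open to unauthenticated clients on every reachable network.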

rktr2009 commented 7 months ago

Thank you. That was it, and it is working now.
