deepch / RTSPtoWeb

RTSP Stream to WebBrowser
MIT License

web GUI access without password #167

Open JacekKac opened 2 years ago

JacekKac commented 2 years ago

I can access the RTSPtoWeb GUI on port (default): 8083. 1/ config.json:

    "http_debug": false,
    "http_demo": true,
    "http_dir": "web",
    "http_login": "hycajaldsfier3293823",
    "http_password": "dfsljfopije489th98347hgeh5igoh5neioghhoirengoieno",
    "http_port": ":8083",

Why is it accessible? You can see all parameters of streams, including IPs and logins/passwords to the RTSP source ;(

jenniferlee1818 commented 2 years ago

This is really bad. The RTSPtoWeb GUI is accessible by anyone even when http_login and http_password are set in config.json.

gabrielklein commented 2 years ago

My solution (for now).

I bind it to the local ip. I have an apache2 layer running on the same server. I use a "password" for all pages except the camera.

```
<VirtualHost *:80>
ServerAdmin gabriel.klein@xxxxx.ch
ServerName cam.xxxx.ch

# Default: every path needs a valid user from the htpasswd file
<Location />
    AuthType Basic
    AuthName "Restricted Content"
    AuthUserFile /etc/apache2/htpasswd
    Require valid-user
    satisfy any
    deny from all
</Location>

# The camera stream endpoints stay reachable without a password
<Location /stream/19c5065b-8904-4293-9fe3-87858b5c0a8d/channel/0/webrtc>
    Allow from All
    Satisfy Any
</Location>

<Location /stream/19c5065b-8904-4293-9fe3-87858b5c0a8d/channel/0/hls>
    Allow from All
    Satisfy Any
</Location>

# Reverse proxy only: ProxyPass does not need forward proxying, so it stays off
ProxyRequests Off
ProxyPreserveHost on
ProxyPass / http://localhost:8083/
ProxyPassReverse / http://localhost:8083/

ErrorLog /var/log/apache2/error-cam.xxxxx.ch.log

# Possible values include: debug, info, notice, warn, error, crit,
# alert, emerg.
LogLevel warn

CustomLog /var/log/apache2/access-cam.xxxx.ch.log combined
</VirtualHost>
```

It works like a charm. I then secure it with `certbot -tvv --apache -m gabriel.klein@xxxx.ch --redirect --hsts --uir --reinstall -d cam.xxxx.ch`

lyongdee commented 2 years ago

"http_demo": false,

huangyuan commented 2 years ago

vi apiHTTPRouter.go

    if Storage.ServerHTTPDemo() {
        public.LoadHTMLGlob(Storage.ServerHTTPDir() + "/templates/*")
        //public.GET("/", HTTPAPIServerIndex)
        //public.GET("/pages/stream/list", HTTPAPIStreamList)
        //public.GET("/pages/stream/add", HTTPAPIAddStream)
        //public.GET("/pages/stream/edit/:uuid", HTTPAPIEditStream)
        //public.GET("/pages/player/hls/:uuid/:channel", HTTPAPIPlayHls)
        //public.GET("/pages/player/mse/:uuid/:channel", HTTPAPIPlayMse)
        //public.GET("/pages/player/webrtc/:uuid/:channel", HTTPAPIPlayWebrtc)
        //public.GET("/pages/multiview", HTTPAPIMultiview)
        //public.Any("/pages/multiview/full", HTTPAPIFullScreenMultiView)
        //public.GET("/pages/documentation", HTTPAPIServerDocumentation)
        //public.GET("/pages/player/all/:uuid/:channel", HTTPAPIPlayAll)
        public.StaticFS("/static", http.Dir(Storage.ServerHTTPDir()+"/static"))
    }

Thien223 commented 1 year ago

All the above answers were wrong; at least they are wrong because the answerers posted without any explanation. Keep http_demo = true; this is needed if you want to config streams in the dashboard. In the apiHTTPRouter.go file, change

    if Storage.ServerHTTPDemo() {
        public.LoadHTMLGlob(Storage.ServerHTTPDir() + "/templates/*")
        public.GET("/", HTTPAPIServerIndex)
        public.GET("/pages/stream/list", HTTPAPIStreamList)
        public.GET("/pages/stream/add", HTTPAPIAddStream)
        public.GET("/pages/stream/edit/:uuid", HTTPAPIEditStream)
        public.GET("/pages/player/hls/:uuid/:channel", HTTPAPIPlayHls)
        public.GET("/pages/player/mse/:uuid/:channel", HTTPAPIPlayMse)
        public.GET("/pages/player/webrtc/:uuid/:channel", HTTPAPIPlayWebrtc)
        public.GET("/pages/multiview", HTTPAPIMultiview)
        public.Any("/pages/multiview/full", HTTPAPIFullScreenMultiView)
        public.GET("/pages/documentation", HTTPAPIServerDocumentation)
        public.GET("/pages/player/all/:uuid/:channel", HTTPAPIPlayAll)
        public.StaticFS("/static", http.Dir(Storage.ServerHTTPDir()+"/static"))
    }

to

    if Storage.ServerHTTPDemo() {
        public.LoadHTMLGlob(Storage.ServerHTTPDir() + "/templates/*")
        privat.GET("/", HTTPAPIServerIndex)
        privat.GET("/pages/stream/list", HTTPAPIStreamList)
        privat.GET("/pages/stream/add", HTTPAPIAddStream)
        privat.GET("/pages/stream/edit/:uuid", HTTPAPIEditStream)
        privat.GET("/pages/player/hls/:uuid/:channel", HTTPAPIPlayHls)
        privat.GET("/pages/player/mse/:uuid/:channel", HTTPAPIPlayMse)
        privat.GET("/pages/player/webrtc/:uuid/:channel", HTTPAPIPlayWebrtc)
        privat.GET("/pages/multiview", HTTPAPIMultiview)
        privat.Any("/pages/multiview/full", HTTPAPIFullScreenMultiView)
        privat.GET("/pages/documentation", HTTPAPIServerDocumentation)
        privat.GET("/pages/player/all/:uuid/:channel", HTTPAPIPlayAll)
        privat.StaticFS("/static", http.Dir(Storage.ServerHTTPDir()+"/static"))
    }

Should solve the problem. Now, logging in to the dashboard is required.
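
The effect of moving the UI registrations from `public` to `privat`, modelled with Go's standard library instead of gin (an added example, not code from the RTSPtoWeb project or from any commenter). It assumes `privat` is the group that carries the HTTP Basic auth check; the credentials, the `dashboard` placeholder and the `reachable` helper are made up for the illustration, and only the route paths come from the thread.

```go
package main

import (
	"crypto/subtle"
	"fmt"
	"net/http"
	"net/http/httptest"
)

// Constructed credentials; the paths come from the route list quoted above.
const user, pass = "demo-user", "demo-pass"
var uiPaths = []string{"/", "/pages/stream/list", "/pages/stream/add", "/pages/multiview"}

// dashboard stands in for the UI handlers (hypothetical placeholder).
var dashboard = http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) {
	fmt.Fprint(w, "dashboard placeholder")
})

// public registers a handler as-is; privat puts HTTP Basic auth in front of it.
func public(h http.Handler) http.Handler { return h }
func privat(h http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		u, p, ok := r.BasicAuth()
		if !ok || subtle.ConstantTimeCompare([]byte(u), []byte(user)) != 1 || subtle.ConstantTimeCompare([]byte(p), []byte(pass)) != 1 {
			w.Header().Set("WWW-Authenticate", `Basic realm="restricted"`)
			http.Error(w, "unauthorized", http.StatusUnauthorized)
			return
		}
		h.ServeHTTP(w, r)
	})
}

// reachable lists the UI routes that answer 200; an empty user sends no credentials.
func reachable(h http.Handler, u, p string) (ok []string) {
	for _, path := range uiPaths {
		req := httptest.NewRequest(http.MethodGet, path, nil)
		if u != "" {
			req.SetBasicAuth(u, p)
		}
		rec := httptest.NewRecorder()
		if h.ServeHTTP(rec, req); rec.Code == http.StatusOK {
			ok = append(ok, path)
		}
	}
	return ok
}

func main() {
	fmt.Println(reachable(public(dashboard), "", ""), reachable(privat(dashboard), "", ""))
}
```

The same probe, pointed at a rebuilt instance with and without credentials, is a quick regression check that no UI route is still served anonymously.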

DanielJean007 commented 1 year ago

Hi all. This probably goes without saying, but on top of this reply you should remake the project for the changes to take effect on the apiHTTPRouter.go file, with make && ./RTSPtoWeb

beankylla commented 1 year ago

@DanielJean007 but should this be corrected in source code or should there be a more complicated logic to implement? (2 files and each one being used depending on the settings?)