GPT帮助SRS 5.0支持HTTP API鉴权

2023-04-02 11:40:28 浏览数 (1)

SRS 5.0的HTTP API支持鉴权了,感谢SRS开发者和GPT(GitHub Copilot)一起完成了代码、注释和双语文档。

How to Secure Your HTTP API

当你构建了SRS服务器后,你可以使用HTTP API来访问它,比如SRS控制台或者其他HTTP客户端。但是,你应该保护好你的HTTP API,防止未授权的访问。本文介绍如何保护你的HTTP API。

Usage

首先,请升级SRS到5.0.152 或者6.0.40 ,这些版本支持HTTP API鉴权。

然后,请通过配置http_api.auth来启用HTTP Basic Authentication:

代码语言:javascript复制
# conf/http.api.auth.conf
http_api {
    enabled on;
    listen 1985;
    auth {
        enabled on;
        username admin;
        password admin;
    }
}

接着,用这个配置启动SRS:

代码语言:javascript复制
./objs/srs -c conf/http.api.auth.conf

或者,通过环境变量设置用户名和密码:

代码语言:javascript复制
env SRS_HTTP_API_ENABLED=on SRS_HTTP_SERVER_ENABLED=on 
    SRS_HTTP_API_AUTH_ENABLED=on SRS_HTTP_API_AUTH_USERNAME=admin SRS_HTTP_API_AUTH_PASSWORD=admin 
    ./objs/srs -e

现在,你可以访问下面的地址来验证:

  • • 提示输入用户名和密码:http://localhost:1985/api/v1/versions
  • • 带用户名和密码的URL:http://admin:admin@localhost:1985/api/v1/versions

要清除用户名和密码,你可以通过用户名访问HTTP API:

  • • http://admin@localhost:1985/api/v1/versions

注意:请注意,我们只针对HTTP API开启了鉴权,不包括HTTP服务器和WebRTC HTTP API。

SRS Console

SRS控制台是一个基于SRS的HTTP API的Web应用,它可以让你方便的管理SRS服务器。当SRS启动后,你可以访问SRS控制台:http://localhost:8080/console/

如果你开启了HTTP API鉴权,你可以在访问控制台URL时带上用户名和密码:http://admin:admin@localhost:8080/console/

否则,浏览器会提示输入用户名和密码。

For SRS 4.0

SRS 4.0不支持HTTP API鉴权,有些可选的解决方案。你可以用Nginx来做反向代理,然后在Nginx中配置鉴权。或者用Go语言编写一个简单的HTTP代理。

代码语言:javascript复制
Browser ---HTTP-with-Authentication---> Nginx ---HTTP---> SRS 4.0

你需要修改HTTP API侦听的端口,比如:

代码语言:javascript复制
http_api {
    enabled on;
    listen 127.0.0.1:1985;
}

这样,HTTP API就只能被本机的代理访问了。

About WebRTC API Security

SRS不支持WebRTC相关的HTTP API的鉴权,因为WebRTC鉴权是通过HTTP回调来实现的。

请参考WebRTC回调和Token鉴权等文档。

Conclusion

这篇文章是我和GitHub Copilot一起写的。

代码实现是SRS开发者,和GitHub Copilot一起写的。

How to Secure Your HTTP API

After you have built your SRS server, you can use HTTP API to access it by SRS console or other HTTP clients. However, you should secure your HTTP API to prevent unauthorized access. This article describes how to secure your HTTP API.

Usage

First of all, please upgrade SRS to 5.0.152 or 6.0.40 , which supports HTTP API security.

Then, please enable the HTTP basic authentication by configuration http_api.auth:

代码语言:javascript复制
# conf/http.api.auth.conf
http_api {
    enabled on;
    listen 1985;
    auth {
        enabled on;
        username admin;
        password admin;
    }
}

Now, start SRS with the config:

代码语言:javascript复制
./objs/srs -c conf/http.api.auth.conf

Or set up the username and password by environment variables:

代码语言:javascript复制
env SRS_HTTP_API_ENABLED=on SRS_HTTP_SERVER_ENABLED=on 
    SRS_HTTP_API_AUTH_ENABLED=on SRS_HTTP_API_AUTH_USERNAME=admin SRS_HTTP_API_AUTH_PASSWORD=admin 
    ./objs/srs -e

Now, you can access the following urls to verify it:

  • • Prompt for username and password: http://localhost:1985/api/v1/versions
  • • URL with authentication: http://admin:admin@localhost:1985/api/v1/versions

To clean up the username and password, you can access the HTTP API with the username only:

  • • http://admin@localhost:1985/api/v1/versions

Note: Please note that we only secure the HTTP API, neither the HTTP server nor the WebRTC HTTP apis.

SRS Console

SRS console is a web application to manage your SRS server. When SRS server started, you can access the SRS console by the URL: http://localhost:8080/console/

If you enable the HTTP API authentication, you should use URL with username and password to access the SRS console: http://admin:admin@localhost:8080/console/

Or, the browser will prompt for username and password.

For SRS 4.0

SRS 4.0 does not support HTTP API authentication, however there is a workaround to secure your HTTP API. You can use the nginx to proxy the HTTP API, and enable the HTTP basic authentication by nginx. Or write a Go HTTP proxy for SRS HTTP API.

代码语言:javascript复制
Browser ---HTTP-with-Authentication---> Nginx ---HTTP---> SRS 4.0

In this solution, you should also change the listen of SRS HTTP API to lo:

代码语言:javascript复制
http_api {
    enabled on;
    listen 127.0.0.1:1985;
}

So that the HTTP API is only accessible by the localhost proxy server.

About WebRTC API Security

SRS doesn't support HTTP API authentication for WebRTC, instead, you should use the HTTP callback to verify the client.

Please see WebRTC HTTP Callback and Token Authentication for more details.

Conclusion

GitHub Copilot and I wrote this article.

The code of this feature was written by SRS developers and GitHub Copilot.

0 人点赞