RTSPtoWeb

web GUI access without password

Open JacekKac opened this issue 3 years ago • 8 comments

I can access the RTSPtoWEB GUI on the (default) port: 8083

1/ config.json:

```
"http_debug": false,
"http_demo": true,
"http_dir": "web",
"http_login": "hycajaldsfier3293823",
"http_password": "dfsljfopije489th98347hgeh5igoh5neioghhoirengoieno",
"http_port": ":8083",
```

Why is it accessible? You can see all parameters of streams, including IPs and login/passwords to the RTSP source ;(

JacekKac, Jun 01 '22 09:06

This is really bad. The RTSPtoWeb GUI is accessible by anyone even when http_login and http_password are set in config.json.

jenniferlee1818, Jun 03 '22 15:06

My solution (for now).

I bind it to the local ip. I have an apache2 layer running on the same server. I use a "password" for all pages except the camera.

```
<VirtualHost *:80>
    ServerAdmin [email protected]
    ServerName cam.xxxx.ch

    # Everything requires a valid user by default
    <Location />
        AuthType Basic
        AuthName "Restricted Content"
        AuthUserFile /etc/apache2/htpasswd
        Require valid-user
        satisfy any
        deny from all
    </Location>

    # The camera stream endpoints are reachable without a password
    <Location /stream/19c5065b-8904-4293-9fe3-87858b5c0a8d/channel/0/webrtc>
        Allow from All
        Satisfy Any
    </Location>

    <Location /stream/19c5065b-8904-4293-9fe3-87858b5c0a8d/channel/0/hls>
        Allow from All
        Satisfy Any
    </Location>

    # Reverse proxy only: ProxyPass does not need forward proxying,
    # and ProxyRequests On would turn the server into a forward proxy
    ProxyRequests Off
    ProxyPreserveHost on
    ProxyPass / http://localhost:8083/
    ProxyPassReverse / http://localhost:8083/

    ErrorLog /var/log/apache2/error-cam.xxxxx.ch.log

    # Possible values include: debug, info, notice, warn, error, crit,
    # alert, emerg.
    LogLevel warn

    CustomLog /var/log/apache2/access-cam.xxxx.ch.log combined
</VirtualHost>
```

It works like a charm.

I then secure it with `certbot -tvv --apache -m [email protected] --redirect --hsts --uir --reinstall -d cam.xxxx.ch`

gabrielklein, Jun 07 '22 12:06

"http_demo": false,

lyongdee, Jun 22 '22 10:06

vi apiHTTPRouter.go

```
if Storage.ServerHTTPDemo() {
	public.LoadHTMLGlob(Storage.ServerHTTPDir() + "/templates/*")
	//public.GET("/", HTTPAPIServerIndex)
	//public.GET("/pages/stream/list", HTTPAPIStreamList)
	//public.GET("/pages/stream/add", HTTPAPIAddStream)
	//public.GET("/pages/stream/edit/:uuid", HTTPAPIEditStream)
	//public.GET("/pages/player/hls/:uuid/:channel", HTTPAPIPlayHls)
	//public.GET("/pages/player/mse/:uuid/:channel", HTTPAPIPlayMse)
	//public.GET("/pages/player/webrtc/:uuid/:channel", HTTPAPIPlayWebrtc)
	//public.GET("/pages/multiview", HTTPAPIMultiview)
	//public.Any("/pages/multiview/full", HTTPAPIFullScreenMultiView)
	//public.GET("/pages/documentation", HTTPAPIServerDocumentation)
	//public.GET("/pages/player/all/:uuid/:channel", HTTPAPIPlayAll)
	public.StaticFS("/static", http.Dir(Storage.ServerHTTPDir()+"/static"))
}
```

huangyuan, Aug 31 '22 02:08

All the above answers were wrong; at least they are wrong because the answerers posted without any explanation. Keep http_demo = true; this is needed if you want to configure streams in the dashboard. In the apiHTTPRouter.go file, change

```
if Storage.ServerHTTPDemo() {
	public.LoadHTMLGlob(Storage.ServerHTTPDir() + "/templates/*")
	public.GET("/", HTTPAPIServerIndex)
	public.GET("/pages/stream/list", HTTPAPIStreamList)
	public.GET("/pages/stream/add", HTTPAPIAddStream)
	public.GET("/pages/stream/edit/:uuid", HTTPAPIEditStream)
	public.GET("/pages/player/hls/:uuid/:channel", HTTPAPIPlayHls)
	public.GET("/pages/player/mse/:uuid/:channel", HTTPAPIPlayMse)
	public.GET("/pages/player/webrtc/:uuid/:channel", HTTPAPIPlayWebrtc)
	public.GET("/pages/multiview", HTTPAPIMultiview)
	public.Any("/pages/multiview/full", HTTPAPIFullScreenMultiView)
	public.GET("/pages/documentation", HTTPAPIServerDocumentation)
	public.GET("/pages/player/all/:uuid/:channel", HTTPAPIPlayAll)
	public.StaticFS("/static", http.Dir(Storage.ServerHTTPDir()+"/static"))
}
```

to

```
if Storage.ServerHTTPDemo() {
	public.LoadHTMLGlob(Storage.ServerHTTPDir() + "/templates/*")
	privat.GET("/", HTTPAPIServerIndex)
	privat.GET("/pages/stream/list", HTTPAPIStreamList)
	privat.GET("/pages/stream/add", HTTPAPIAddStream)
	privat.GET("/pages/stream/edit/:uuid", HTTPAPIEditStream)
	privat.GET("/pages/player/hls/:uuid/:channel", HTTPAPIPlayHls)
	privat.GET("/pages/player/mse/:uuid/:channel", HTTPAPIPlayMse)
	privat.GET("/pages/player/webrtc/:uuid/:channel", HTTPAPIPlayWebrtc)
	privat.GET("/pages/multiview", HTTPAPIMultiview)
	privat.Any("/pages/multiview/full", HTTPAPIFullScreenMultiView)
	privat.GET("/pages/documentation", HTTPAPIServerDocumentation)
	privat.GET("/pages/player/all/:uuid/:channel", HTTPAPIPlayAll)
	privat.StaticFS("/static", http.Dir(Storage.ServerHTTPDir()+"/static"))
}
```

should solve the problem. Now, logging in to the dashboard is required.

Thien223, Jan 02 '23 01:01
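The effect discussed in this thread, as an added example that is not RTSPtoWeb's code: handlers mounted outside the Basic-auth wrapper answer without credentials even though a login and password are configured, and a credential-less probe of each path shows which ones are exposed. It uses Go's standard `net/http` instead of gin; `buildRouter`, `unauthenticated`, the demo credentials and the `/streams` stand-in API route are hypothetical names chosen for illustration.

```go
package main
import (
	"crypto/subtle"
	"fmt"
	"net/http"
	"net/http/httptest"
)

const demoUser, demoPass = "admin", "constructed-password" // constructed sample login
var paths = []string{"/streams", "/", "/pages/stream/list", "/pages/stream/add"}

// basicAuth rejects requests that lack the configured credentials.
func basicAuth(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		u, p, ok := r.BasicAuth()
		uOK := subtle.ConstantTimeCompare([]byte(u), []byte(demoUser))
		pOK := subtle.ConstantTimeCompare([]byte(p), []byte(demoPass))
		if !ok || uOK&pOK != 1 {
			http.Error(w, "unauthorized", http.StatusUnauthorized)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// buildRouter mounts the pages outside the auth wrapper (reported behaviour) or inside it (fix).
func buildRouter(pagesBehindAuth bool) http.Handler {
	var page http.Handler = http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) { fmt.Fprint(w, "ok") })
	root := http.NewServeMux()
	root.Handle("/streams", basicAuth(page)) // stand-in API route, always protected
	if pagesBehindAuth {
		page = basicAuth(page)
	}
	root.Handle("/", page)
	return root
}

// unauthenticated lists the paths that answer a GET sent without credentials.
func unauthenticated(h http.Handler) (open []string) {
	for _, p := range paths {
		rec := httptest.NewRecorder()
		h.ServeHTTP(rec, httptest.NewRequest(http.MethodGet, p, nil))
		if rec.Code != http.StatusUnauthorized {
			open = append(open, p)
		}
	}
	return open
}

func main() { fmt.Println(unauthenticated(buildRouter(false)), unauthenticated(buildRouter(true))) }
```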

Hi all. This probably goes without saying, but on top of this reply you should remake the project for the changes to take effect on the apiHTTPRouter.go file, with `make && ./RTSPtoWeb`

DanielJean007, May 08 '23 16:05

@DanielJean007 but should this be corrected in source code or should there be a more complicated logic to implement? (2 files and each one being used depending on the settings?)

beankylla, Sep 09 '23 20:09