From 4b6ed326c2647b7d06abf49fbced91affc93c1bf Mon Sep 17 00:00:00 2001
From: Elia Ravella
Date: Tue, 7 Nov 2023 09:59:18 +0100
Subject: [PATCH] feat: added TLS encryption support to API calls
---
 internal/conf/conf.go | 3 +++
 internal/core/api.go | 4 ++--
 mediamtx.yml | 9 +++++++++
 3 files changed, 14 insertions(+), 2 deletions(-)
diff --git a/internal/conf/conf.go b/internal/conf/conf.go
index 8e36efa0..673951fc 100644
--- a/internal/conf/conf.go
+++ b/internal/conf/conf.go
@@ -92,6 +92,9 @@ type Conf struct {
 ExternalAuthenticationURL string `json:"externalAuthenticationURL"`
 API bool `json:"api"`
 APIAddress string `json:"apiAddress"`
+ APIEncryption bool `json:"apiEncryption"`
+ APIServerKey string `json:"APIServerKey"`
+ APIServerCert string `json:"APIServerCert"`
 Metrics bool `json:"metrics"`
 MetricsAddress string `json:"metricsAddress"`
 PPROF bool `json:"pprof"`
diff --git a/internal/core/api.go b/internal/core/api.go
index 51e7a1c7..86da2c07 100644
--- a/internal/core/api.go
+++ b/internal/core/api.go
@@ -254,8 +254,8 @@ func newAPI(
 network,
 address,
 time.Duration(readTimeout),
- "",
- "",
+ conf.APIServerCert,
+ conf.APIServerKey,
 router,
 a,
 )
diff --git a/mediamtx.yml b/mediamtx.yml
index af2a1751..b282d20e 100644
--- a/mediamtx.yml
+++ b/mediamtx.yml
@@ -45,6 +45,15 @@ externalAuthenticationURL: api: no # Address of the API listener. apiAddress: 127.0.0.1:9997 +# Encrypt the HTTP interface with TLS (HTTPS) +APIEncryption: no +# Path to the server key. This is needed only when encryption is enabled. +# This can be generated with: +# openssl genrsa -out server.key 2048 +# openssl req -new -x509 -sha256 -key server.key -out server.crt -days 3650 +APIServerKey: server.key +# Path to the server certificates (or optional chain of certificates) +APIServerCert: server.crt # Enable Prometheus-compatible metrics. metrics: no
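Review bot: The JSON tags on the two new path fields in internal/conf/conf.go, `json:"APIServerKey"` and `json:"APIServerCert"`, break the lowerCamelCase convention that every neighbouring field follows (`apiAddress`, `apiEncryption`). The mediamtx.yml hunk repeats the capitalised spelling and also writes `APIEncryption`, which does not match its own `apiEncryption` tag. If the configuration loader matches keys case-sensitively, an operator's setting would not bind to the field and the API could stay on plain HTTP without any error, so I would use `json:"apiServerKey"` and `json:"apiServerCert"` and the same spelling in the sample file. The struct and its validation code lie outside the hunk; if nothing there rejects `APIEncryption` being enabled with an empty key or certificate path, that check is worth adding.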
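Review bot: In internal/core/api.go, `conf.APIServerCert` and `conf.APIServerKey` are passed to the server constructor unconditionally, and nothing in this hunk reads `conf.APIEncryption`, so the new flag appears to have no effect on whether TLS is used. Depending on how the callee treats non-empty paths, the shipped defaults (`server.key` and `server.crt` with encryption set to `no`) could either fail at startup on missing files or turn TLS on when the operator asked for it to be off. Turning the flag on with empty paths would presumably still serve plain HTTP. I would select the values first, `var cert, key string` then `if conf.APIEncryption { cert, key = conf.APIServerCert, conf.APIServerKey }`, and pass `cert, key` in the call. The body of newAPI starts and ends outside the hunk, so an existing guard elsewhere in the function cannot be ruled out.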
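Review bot: The comment block above `APIServerKey` in mediamtx.yml explains how to generate the private key but says nothing about protecting it. I would add a line such as `# The key file should be readable only by the user that runs the server.` The openssl recipe produces a self-signed certificate valid for 3650 days, so the comment should also say that API clients have to be configured to trust that certificate explicitly rather than turn verification off. A note that it should be rotated well before it expires would help too.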