From ec864010374a9fac78933454ac2f6d341f00e534 Mon Sep 17 00:00:00 2001
From: aler9 <46489434+aler9@users.noreply.github.com>
Date: Mon, 19 Dec 2022 23:26:07 +0100
Subject: [PATCH] webrtc: make HTTPS optional (#1312)
---
 README.md | 17 +----------------
 internal/conf/conf.go | 3 ++-
 internal/core/core.go | 6 ++++--
 internal/core/core_test.go | 2 ++
 internal/core/hls_source_test.go | 5 +++--
 internal/core/metrics_test.go | 1 -
 internal/core/rtmp_server_test.go | 3 +++
 internal/core/rtsp_server_test.go | 6 ++++++
 internal/core/rtsp_source_test.go | 5 +++++
 internal/core/webrtc_server.go | 18 +++++++++++-------
 internal/highleveltests/rtsp_server_test.go | 3 +++
 rtsp-simple-server.yml | 8 +++++---
 12 files changed, 45 insertions(+), 32 deletions(-)
diff --git a/README.md b/README.md
index 889832d9..d14ab5a7 100644
--- a/README.md
+++ b/README.md
@@ -975,25 +975,10 @@ To decrease the latency, you can: ### General usage -a TLS certificate is needed and can be generated with OpenSSL: - -``` -openssl genrsa -out server.key 2048 -openssl req -new -x509 -sha256 -key server.key -out server.crt -days 3650 -``` - -Set the `webrtc`, `webrtcServerKey` and `webrtcServerCert` parameters in the configuration file: - -```yml -webrtc: yes -webrtcServerKey: server.key -webrtcServerCert: server.crt -``` - -Every stream published to the server can be read with WebRTC by visiting: ``` -https://localhost:8889/mystream +http://localhost:8889/mystream ``` ### TURN servers
diff --git a/internal/conf/conf.go b/internal/conf/conf.go
index 830dc021..7a3aab02 100644
--- a/internal/conf/conf.go
+++ b/internal/conf/conf.go
@@ -224,8 +224,9 @@ type Conf struct {
 HLSTrustedProxies IPsOrCIDRs `json:"hlsTrustedProxies"`
 // WebRTC
- WebRTC bool `json:"webrtc"`
+ WebRTCDisable bool `json:"webrtcDisable"`
 WebRTCAddress string `json:"webrtcAddress"`
+ WebRTCEncryption bool `json:"webrtcEncryption"`
 WebRTCServerKey string `json:"webrtcServerKey"`
 WebRTCServerCert string `json:"webrtcServerCert"`
 WebRTCAllowOrigin string `json:"webrtcAllowOrigin"`
diff --git a/internal/core/core.go b/internal/core/core.go
index 0ce3b751..51f3e58b 100644
--- a/internal/core/core.go
+++ b/internal/core/core.go
@@ -397,12 +397,13 @@ func (p *Core) createResources(initial bool) error {
 }
 }
- if p.conf.WebRTC {
+ if !p.conf.WebRTCDisable {
 if p.webRTCServer == nil {
 p.webRTCServer, err = newWebRTCServer(
 p.ctx,
 p.conf.ExternalAuthenticationURL,
 p.conf.WebRTCAddress,
+ p.conf.WebRTCEncryption,
 p.conf.WebRTCServerKey,
 p.conf.WebRTCServerCert,
 p.conf.WebRTCAllowOrigin,
@@ -562,9 +563,10 @@ func (p *Core) closeResources(newConf *conf.Conf, calledByAPI bool) {
 closeMetrics
 closeWebrtcServer := newConf == nil ||
- newConf.WebRTC != p.conf.WebRTC ||
+ newConf.WebRTCDisable != p.conf.WebRTCDisable ||
 newConf.ExternalAuthenticationURL != p.conf.ExternalAuthenticationURL ||
 newConf.WebRTCAddress != p.conf.WebRTCAddress ||
+ newConf.WebRTCEncryption != p.conf.WebRTCEncryption ||
 newConf.WebRTCServerKey != p.conf.WebRTCServerKey ||
 newConf.WebRTCServerCert != p.conf.WebRTCServerCert ||
 newConf.WebRTCAllowOrigin != p.conf.WebRTCAllowOrigin ||
diff --git a/internal/core/core_test.go b/internal/core/core_test.go
index 183fed98..4b789f9b 100644
--- a/internal/core/core_test.go
+++ b/internal/core/core_test.go
@@ -241,6 +241,7 @@ func main() {
 p1, ok := newInstance(fmt.Sprintf("rtmpDisable: yes\n"+
 "hlsDisable: yes\n"+
+ "webrtcDisable: yes\n"+
 "paths:\n"+
 " '~^(on)demand$':\n"+
 " runOnDemand: %s\n"+
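Review bot: Replacing `WebRTC` with `WebRTCDisable` inverts the meaning of the zero value, so a configuration that omits the key now gets a WebRTC listener, and an existing file that still says `webrtc: yes` is either rejected or silently ignored depending on how unknown keys are handled, which this hunk does not show. Neither new field carries a comment; `// WebRTCDisable turns the WebRTC listener off (it is on by default).` and `// WebRTCEncryption serves the WebRTC listener over HTTPS using WebRTCServerKey and WebRTCServerCert.` would record the inverted default and the coupling between the three fields. The test hunks in this commit all add `webrtcDisable: yes` to compensate for the same inversion. The Conf struct continues outside the hunk.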
@@ -320,6 +321,7 @@ func TestCorePathRunOnReady(t *testing.T) {
 p, ok := newInstance(fmt.Sprintf("rtmpDisable: yes\n"+
 "hlsDisable: yes\n"+
+ "webrtcDisable: yes\n"+
 "paths:\n"+
 " test:\n"+
 " runOnReady: touch %s\n",
diff --git a/internal/core/hls_source_test.go b/internal/core/hls_source_test.go
index 6f8ca1e3..2cad56da 100644
--- a/internal/core/hls_source_test.go
+++ b/internal/core/hls_source_test.go
@@ -122,8 +122,9 @@ func TestHLSSource(t *testing.T) {
 require.NoError(t, err)
 defer ts.close()
- p, ok := newInstance("hlsDisable: yes\n" +
- "rtmpDisable: yes\n" +
+ p, ok := newInstance("rtmpDisable: yes\n" +
+ "hlsDisable: yes\n" +
+ "webrtcDisable: yes\n" +
 "paths:\n" +
 " proxied:\n" +
 " source: http://localhost:5780/stream.m3u8\n" +
diff --git a/internal/core/metrics_test.go b/internal/core/metrics_test.go
index 7ee1eb50..2f4e33d8 100644
--- a/internal/core/metrics_test.go
+++ b/internal/core/metrics_test.go
@@ -27,7 +27,6 @@ func TestMetrics(t *testing.T) {
 defer os.Remove(serverKeyFpath)
 p, ok := newInstance("metrics: yes\n" +
- "webrtc: yes\n" +
 "webrtcServerCert: " + serverCertFpath + "\n" +
 "webrtcServerKey: " + serverKeyFpath + "\n" +
 "encryption: optional\n" +
diff --git a/internal/core/rtmp_server_test.go b/internal/core/rtmp_server_test.go
index 87675888..9db29243 100644
--- a/internal/core/rtmp_server_test.go
+++ b/internal/core/rtmp_server_test.go
@@ -43,6 +43,7 @@ func TestRTMPServerPublishRead(t *testing.T) {
 p, ok := newInstance("rtspDisable: yes\n" +
 "hlsDisable: yes\n" +
+ "webrtcDisable: yes\n" +
 "rtmpEncryption: \"yes\"\n" +
 "rtmpServerCert: " + serverCertFpath + "\n" +
 "rtmpServerKey: " + serverKeyFpath + "\n" +
@@ -236,6 +237,7 @@ func TestRTMPServerAuthFail(t *testing.T) {
 t.Run("publish", func(t *testing.T) { //nolint:dupl
 p, ok := newInstance("rtspDisable: yes\n" +
 "hlsDisable: yes\n" +
+ "webrtcDisable: yes\n" +
 "paths:\n" +
 " all:\n" +
 " publishUser: testuser2\n" +
@@ -345,6 +347,7 @@ func TestRTMPServerAuthFail(t *testing.T) {
 t.Run("read", func(t *testing.T) { //nolint:dupl
 p, ok := newInstance("rtspDisable: yes\n" +
 "hlsDisable: yes\n" +
+ "webrtcDisable: yes\n" +
 "paths:\n" +
 " all:\n" +
 " readUser: testuser2\n" +
diff --git a/internal/core/rtsp_server_test.go b/internal/core/rtsp_server_test.go
index 41b6a33c..0cf3a85b 100644
--- a/internal/core/rtsp_server_test.go
+++ b/internal/core/rtsp_server_test.go
@@ -20,6 +20,7 @@ func TestRTSPServerAuth(t *testing.T) {
 if ca == "internal" {
 conf = "rtmpDisable: yes\n" +
 "hlsDisable: yes\n" +
+ "webrtcDisable: yes\n" +
 "paths:\n" +
 " all:\n" +
 " publishUser: testpublisher\n" +
@@ -86,6 +87,7 @@ func TestRTSPServerAuth(t *testing.T) {
 t.Run("hashed", func(t *testing.T) {
 p, ok := newInstance("rtmpDisable: yes\n" +
 "hlsDisable: yes\n" +
+ "webrtcDisable: yes\n" +
 "paths:\n" +
 " all:\n" +
 " publishUser: sha256:rl3rgi4NcZkpAEcacZnQ2VuOfJ0FxAqCRaKB/SwdZoQ=\n" +
@@ -130,6 +132,7 @@ func TestRTSPServerAuthFail(t *testing.T) {
 t.Run("publish_"+ca.name, func(t *testing.T) {
 p, ok := newInstance("rtmpDisable: yes\n" +
 "hlsDisable: yes\n" +
+ "webrtcDisable: yes\n" +
 "paths:\n" +
 " all:\n" +
 " publishUser: testuser\n" +
@@ -173,6 +176,7 @@ func TestRTSPServerAuthFail(t *testing.T) {
 t.Run("read_"+ca.name, func(t *testing.T) {
 p, ok := newInstance("rtmpDisable: yes\n" +
 "hlsDisable: yes\n" +
+ "webrtcDisable: yes\n" +
 "paths:\n" +
 " all:\n" +
 " readUser: testuser\n" +
@@ -197,6 +201,7 @@ func TestRTSPServerAuthFail(t *testing.T) {
 t.Run("ip", func(t *testing.T) {
 p, ok := newInstance("rtmpDisable: yes\n" +
 "hlsDisable: yes\n" +
+ "webrtcDisable: yes\n" +
 "paths:\n" +
 " all:\n" +
 " publishIPs: [128.0.0.1/32]\n")
@@ -355,6 +360,7 @@ func TestRTSPServerFallback(t *testing.T) {
 p1, ok := newInstance("rtmpDisable: yes\n" +
 "hlsDisable: yes\n" +
+ "webrtcDisable: yes\n" +
 "paths:\n" +
 " path1:\n" +
 " fallback: " + val + "\n" +
diff --git a/internal/core/rtsp_source_test.go b/internal/core/rtsp_source_test.go
index 460cc422..52d68074 100644
--- a/internal/core/rtsp_source_test.go
+++ b/internal/core/rtsp_source_test.go
@@ -226,6 +226,7 @@ func TestRTSPSourceNoPassword(t *testing.T) {
 p, ok := newInstance("rtmpDisable: yes\n" +
 "hlsDisable: yes\n" +
+ "webrtcDisable: yes\n" +
 "paths:\n" +
 " proxied:\n" +
 " source: rtsp://testuser:@127.0.0.1:8555/teststream\n" +
@@ -293,6 +294,7 @@ func TestRTSPSourceDynamicH264Params(t *testing.T) {
 p, ok := newInstance("rtmpDisable: yes\n" +
 "hlsDisable: yes\n" +
+ "webrtcDisable: yes\n" +
 "paths:\n" +
 " proxied:\n" +
 " source: rtsp://127.0.0.1:8555/teststream\n")
@@ -372,6 +374,7 @@ func TestRTSPSourceDynamicH264Params(t *testing.T) {
 p, ok := newInstance("rtmpDisable: yes\n" +
 "hlsDisable: yes\n" +
+ "webrtcDisable: yes\n" +
 "paths:\n" +
 " proxied:\n" +
 " source: rtsp://127.0.0.1:8555/teststream\n")
@@ -454,6 +457,7 @@ func TestRTSPSourceRemovePadding(t *testing.T) {
 p, ok := newInstance("rtmpDisable: yes\n" +
 "hlsDisable: yes\n" +
+ "webrtcDisable: yes\n" +
 "paths:\n" +
 " proxied:\n" +
 " source: rtsp://127.0.0.1:8555/teststream\n")
@@ -690,6 +694,7 @@ func TestRTSPSourceOversizedPackets(t *testing.T) {
 p, ok := newInstance("rtmpDisable: yes\n" +
 "hlsDisable: yes\n" +
+ "webrtcDisable: yes\n" +
 "paths:\n" +
 " proxied:\n" +
 " source: rtsp://127.0.0.1:8555/teststream\n" +
diff --git a/internal/core/webrtc_server.go b/internal/core/webrtc_server.go
index c13d6e24..df9aac76 100644
--- a/internal/core/webrtc_server.go
+++ b/internal/core/webrtc_server.go
@@ -95,6 +95,7 @@ func newWebRTCServer(
 parentCtx context.Context,
 externalAuthenticationURL string,
 address string,
+ encryption bool,
 serverKey string,
 serverCert string,
 allowOrigin string,
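Review bot: The new `encryption` parameter of newWebRTCServer is undocumented, and the signature gives no hint that `serverKey` and `serverCert` are consulted only when it is true. A comment above the parameter list along the lines of `// encryption selects HTTPS for the listener; serverKey and serverCert are read only when it is set.` would stop callers from assuming that a configured certificate implies TLS. If the configuration layer does not already reject `webrtcEncryption: yes` with empty key or cert paths, the only failure signal will be the file-open error from tls.LoadX509KeyPair in the body below this hunk, which carries no mention of WebRTC. newWebRTCServer's body continues outside the hunk.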
@@ -110,14 +111,17 @@ func newWebRTCServer(
 return nil, err
 }
- crt, err := tls.LoadX509KeyPair(serverCert, serverKey)
- if err != nil {
- ln.Close()
- return nil, err
- }
+ var tlsConfig *tls.Config
+ if encryption {
+ crt, err := tls.LoadX509KeyPair(serverCert, serverKey)
+ if err != nil {
+ ln.Close()
+ return nil, err
+ }
- tlsConfig := &tls.Config{
- Certificates: []tls.Certificate{crt},
+ tlsConfig = &tls.Config{
+ Certificates: []tls.Certificate{crt},
+ }
 }
 ctx, ctxCancel := context.WithCancel(parentCtx)
diff --git a/internal/highleveltests/rtsp_server_test.go b/internal/highleveltests/rtsp_server_test.go
index 7481a6a7..3fd97833 100644
--- a/internal/highleveltests/rtsp_server_test.go
+++ b/internal/highleveltests/rtsp_server_test.go
@@ -44,6 +44,7 @@ func TestRTSPServerPublishRead(t *testing.T) {
 p, ok := newInstance("rtmpDisable: yes\n" +
 "hlsDisable: yes\n" +
+ "webrtcDisable: yes\n" +
 "readTimeout: 20s\n" +
 "paths:\n" +
 " all:\n")
@@ -63,6 +64,7 @@ func TestRTSPServerPublishRead(t *testing.T) {
 p, ok := newInstance("rtmpDisable: yes\n" +
 "hlsDisable: yes\n" +
+ "webrtcDisable: yes\n" +
 "readTimeout: 20s\n" +
 "protocols: [tcp]\n" +
 "encryption: \"yes\"\n" +
@@ -199,6 +201,7 @@ func TestRTSPServerPublishRead(t *testing.T) {
 func TestRTSPServerRedirect(t *testing.T) {
 p1, ok := newInstance("rtmpDisable: yes\n" +
 "hlsDisable: yes\n" +
+ "webrtcDisable: yes\n" +
 "paths:\n" +
 " path1:\n" +
 " source: redirect\n" +
diff --git a/rtsp-simple-server.yml b/rtsp-simple-server.yml
index 66c18096..aeb9ebbb 100644
--- a/rtsp-simple-server.yml
+++ b/rtsp-simple-server.yml
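Review bot: With `encryption` false the new branch leaves `tlsConfig` nil and nothing marks this as a deliberate downgrade, so the WebRTC signaling exchange on this listener, and any credentials the external-authentication flow carries with it, travel in clear text whenever the option is off. A comment on the `var tlsConfig *tls.Config` line such as `// nil when encryption is off: the listener serves plain HTTP and signaling is unprotected on the wire` would make that visible to the next reader. None of the test hunks in this commit set `webrtcEncryption: yes` (metrics_test.go still passes webrtcServerCert and webrtcServerKey without enabling it, so they are now ignored), which means the tls.LoadX509KeyPair branch is no longer exercised by the suite. How the nil tlsConfig is routed to a plain Serve rather than ServeTLS is decided further down in newWebRTCServer, outside this hunk.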
@@ -169,11 +169,13 @@ hlsTrustedProxies: []
 ###############################################
 # WebRTC parameters
-# Enable support for the WebRTC protocol.
-webrtc: no
+# Disable support for the WebRTC protocol.
+webrtcDisable: no
 # Address of the WebRTC listener.
 webrtcAddress: :8889
-# Path to the server key. This is mandatory since HTTPS is mandatory in order to use WebRTC.
+# Enable TLS/HTTPS on the WebRTC server.
+webrtcEncryption: no
+# Path to the server key.
 # This can be generated with:
 # openssl genrsa -out server.key 2048
 # openssl req -new -x509 -sha256 -key server.key -out server.crt -days 3650
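Review bot: The shipped defaults move from `webrtc: no` to `webrtcDisable: no` together with `webrtcEncryption: no`, so a default install now opens the :8889 listener as plain HTTP where previously nothing listened there, and the comments do not say so. The comment on `webrtcServerKey` no longer states when the key is used; `# Path to the server key. Used only when webrtcEncryption is yes.` keeps that dependency visible now that HTTPS is optional, and the `webrtcEncryption` comment could add that with `no` the signaling endpoint and any credentials it carries are sent unencrypted. Since the former `webrtc` key disappears, a line such as `# (replaces the former "webrtc" parameter, with the opposite meaning)` next to `webrtcDisable` would help people upgrading an existing file. The hunk ends at the certificate-generation comments; the `webrtcServerCert` entry that follows is outside it.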