support HTTPS, Allow-Origin and trusted proxies in API, playback serv…

…er, metrics server and pprof server (#2658) (#2491) (#3235)
bluenviron · Apr 21, 2024 · f4629ac · f4629ac
1 parent 8d16091
commit f4629ac
Show file tree

Hide file tree

Showing 13 changed files with 423 additions and 251 deletions.
diff --git a/apidocs/openapi.yaml b/apidocs/openapi.yaml
@@ -43,14 +43,6 @@ components:
           type: integer
         externalAuthenticationURL:
           type: string
-        metrics:
-          type: boolean
-        metricsAddress:
-          type: string
-        pprof:
-          type: boolean
-        pprofAddress:
-          type: string
         runOnConnect:
           type: string
         runOnConnectRestart:
@@ -63,12 +55,72 @@ components:
           type: boolean
         apiAddress:
           type: string
+        apiEncryption:
+          type: boolean
+        apiServerKey:
+          type: string
+        apiServerCert:
+          type: string
+        apiAllowOrigin:
+          type: string
+        apiTrustedProxies:
+          type: array
+          items:
+            type: string
+
+        # Metrics
+        metrics:
+          type: boolean
+        metricsAddress:
+          type: string
+        metricsEncryption:
+          type: boolean
+        metricsServerKey:
+          type: string
+        metricsServerCert:
+          type: string
+        metricsAllowOrigin:
+          type: string
+        metricsTrustedProxies:
+          type: array
+          items:
+            type: string
+
+        # PPROF
+        pprof:
+          type: boolean
+        pprofAddress:
+          type: string
+        pprofEncryption:
+          type: boolean
+        pprofServerKey:
+          type: string
+        pprofServerCert:
+          type: string
+        pprofAllowOrigin:
+          type: string
+        pprofTrustedProxies:
+          type: array
+          items:
+            type: string
 
         # Playback server
         playback:
           type: boolean
         playbackAddress:
           type: string
+        playbackEncryption:
+          type: boolean
+        playbackServerKey:
+          type: string
+        playbackServerCert:
+          type: string
+        playbackAllowOrigin:
+          type: string
+        playbackTrustedProxies:
+          type: array
+          items:
+            type: string
 
         # RTSP server
         rtsp:

diff --git a/internal/api/api.go b/internal/api/api.go
@@ -162,19 +162,24 @@ type apiParent interface {
 
 // API is an API server.
 type API struct {
-	Address      string
-	ReadTimeout  conf.StringDuration
-	Conf         *conf.Conf
-	AuthManager  apiAuthManager
-	PathManager  PathManager
-	RTSPServer   RTSPServer
-	RTSPSServer  RTSPServer
-	RTMPServer   RTMPServer
-	RTMPSServer  RTMPServer
-	HLSServer    HLSServer
-	WebRTCServer WebRTCServer
-	SRTServer    SRTServer
-	Parent       apiParent
+	Address        string
+	Encryption     bool
+	ServerKey      string
+	ServerCert     string
+	AllowOrigin    string
+	TrustedProxies conf.IPNetworks
+	ReadTimeout    conf.StringDuration
+	Conf           *conf.Conf
+	AuthManager    apiAuthManager
+	PathManager    PathManager
+	RTSPServer     RTSPServer
+	RTSPSServer    RTSPServer
+	RTMPServer     RTMPServer
+	RTMPSServer    RTMPServer
+	HLSServer      HLSServer
+	WebRTCServer   WebRTCServer
+	SRTServer      SRTServer
+	Parent         apiParent
 
 	httpServer *httpp.WrappedServer
 	mutex      sync.RWMutex
@@ -183,9 +188,9 @@ type API struct {
 // Initialize initializes API.
 func (a *API) Initialize() error {
 	router := gin.New()
-	router.SetTrustedProxies(nil) //nolint:errcheck
+	router.SetTrustedProxies(a.TrustedProxies.ToTrustedProxies()) //nolint:errcheck
 
-	group := router.Group("/", a.mwAuth)
+	group := router.Group("/", a.middlewareOrigin, a.middlewareAuth)
 
 	group.GET("/v3/config/global/get", a.onConfigGlobalGet)
 	group.PATCH("/v3/config/global/patch", a.onConfigGlobalPatch)
@@ -254,16 +259,17 @@ func (a *API) Initialize() error {
 
 	network, address := restrictnetwork.Restrict("tcp", a.Address)
 
-	var err error
-	a.httpServer, err = httpp.NewWrappedServer(
-		network,
-		address,
-		time.Duration(a.ReadTimeout),
-		"",
-		"",
-		router,
-		a,
-	)
+	a.httpServer = &httpp.WrappedServer{
+		Network:     network,
+		Address:     address,
+		ReadTimeout: time.Duration(a.ReadTimeout),
+		Encryption:  a.Encryption,
+		ServerCert:  a.ServerCert,
+		ServerKey:   a.ServerKey,
+		Handler:     router,
+		Parent:      a,
+	}
+	err := a.httpServer.Initialize()
 	if err != nil {
 		return err
 	}
@@ -294,7 +300,12 @@ func (a *API) writeError(ctx *gin.Context, status int, err error) {
 	})
 }
 
-func (a *API) mwAuth(ctx *gin.Context) {
+func (a *API) middlewareOrigin(ctx *gin.Context) {
+	ctx.Writer.Header().Set("Access-Control-Allow-Origin", a.AllowOrigin)
+	ctx.Writer.Header().Set("Access-Control-Allow-Credentials", "true")
+}
+
+func (a *API) middlewareAuth(ctx *gin.Context) {
 	user, pass, hasCredentials := ctx.Request.BasicAuth()
 
 	err := a.AuthManager.Authenticate(&auth.Request{

diff --git a/internal/conf/conf.go b/internal/conf/conf.go
@@ -130,10 +130,6 @@ type Conf struct {
 	ReadBufferCount     *int            `json:"readBufferCount,omitempty"` // deprecated
 	WriteQueueSize      int             `json:"writeQueueSize"`
 	UDPMaxPayloadSize   int             `json:"udpMaxPayloadSize"`
-	Metrics             bool            `json:"metrics"`
-	MetricsAddress      string          `json:"metricsAddress"`
-	PPROF               bool            `json:"pprof"`
-	PPROFAddress        string          `json:"pprofAddress"`
 	RunOnConnect        string          `json:"runOnConnect"`
 	RunOnConnectRestart bool            `json:"runOnConnectRestart"`
 	RunOnDisconnect     string          `json:"runOnDisconnect"`
@@ -147,12 +143,40 @@ type Conf struct {
 	AuthJWTJWKS               string                       `json:"authJWTJWKS"`
 
 	// API
-	API        bool   `json:"api"`
-	APIAddress string `json:"apiAddress"`
+	API               bool       `json:"api"`
+	APIAddress        string     `json:"apiAddress"`
+	APIEncryption     bool       `json:"apiEncryption"`
+	APIServerKey      string     `json:"apiServerKey"`
+	APIServerCert     string     `json:"apiServerCert"`
+	APIAllowOrigin    string     `json:"apiAllowOrigin"`
+	APITrustedProxies IPNetworks `json:"apiTrustedProxies"`
+
+	// Metrics
+	Metrics               bool       `json:"metrics"`
+	MetricsAddress        string     `json:"metricsAddress"`
+	MetricsEncryption     bool       `json:"metricsEncryption"`
+	MetricsServerKey      string     `json:"metricsServerKey"`
+	MetricsServerCert     string     `json:"metricsServerCert"`
+	MetricsAllowOrigin    string     `json:"metricsAllowOrigin"`
+	MetricsTrustedProxies IPNetworks `json:"metricsTrustedProxies"`
+
+	// PPROF
+	PPROF               bool       `json:"pprof"`
+	PPROFAddress        string     `json:"pprofAddress"`
+	PPROFEncryption     bool       `json:"pprofEncryption"`
+	PPROFServerKey      string     `json:"pprofServerKey"`
+	PPROFServerCert     string     `json:"pprofServerCert"`
+	PPROFAllowOrigin    string     `json:"pprofAllowOrigin"`
+	PPROFTrustedProxies IPNetworks `json:"pprofTrustedProxies"`
 
 	// Playback
-	Playback        bool   `json:"playback"`
-	PlaybackAddress string `json:"playbackAddress"`
+	Playback               bool       `json:"playback"`
+	PlaybackAddress        string     `json:"playbackAddress"`
+	PlaybackEncryption     bool       `json:"playbackEncryption"`
+	PlaybackServerKey      string     `json:"playbackServerKey"`
+	PlaybackServerCert     string     `json:"playbackServerCert"`
+	PlaybackAllowOrigin    string     `json:"playbackAllowOrigin"`
+	PlaybackTrustedProxies IPNetworks `json:"playbackTrustedProxies"`
 
 	// RTSP server
 	RTSP              bool             `json:"rtsp"`
@@ -246,8 +270,6 @@ func (conf *Conf) setDefaults() {
 	conf.WriteTimeout = 10 * StringDuration(time.Second)
 	conf.WriteQueueSize = 512
 	conf.UDPMaxPayloadSize = 1472
-	conf.MetricsAddress = ":9998"
-	conf.PPROFAddress = ":9999"
 
 	// Authentication
 	conf.AuthInternalUsers = []AuthInternalUser{
@@ -297,9 +319,27 @@ func (conf *Conf) setDefaults() {
 
 	// API
 	conf.APIAddress = ":9997"
+	conf.APIServerKey = "server.key"
+	conf.APIServerCert = "server.crt"
+	conf.APIAllowOrigin = "*"
+
+	// Metrics
+	conf.MetricsAddress = ":9998"
+	conf.MetricsServerKey = "server.key"
+	conf.MetricsServerCert = "server.crt"
+	conf.MetricsAllowOrigin = "*"
+
+	// PPROF
+	conf.PPROFAddress = ":9999"
+	conf.PPROFServerKey = "server.key"
+	conf.PPROFServerCert = "server.crt"
+	conf.PPROFAllowOrigin = "*"
 
 	// Playback server
 	conf.PlaybackAddress = ":9996"
+	conf.PlaybackServerKey = "server.key"
+	conf.PlaybackServerCert = "server.crt"
+	conf.PlaybackAllowOrigin = "*"
 
 	// RTSP server
 	conf.RTSP = true