From d24dacd21f8145280e7af4c9598634a65e0588cd Mon Sep 17 00:00:00 2001 From: aler9 <46489434+aler9@users.noreply.github.com> Date: Thu, 20 Nov 2025 20:55:45 +0100 Subject: [PATCH] extend multiple origin support to every HTTP-based service --- internal/conf/conf.go | 87 ++++++++++++++++++++++---- internal/core/core.go | 20 +++--- internal/metrics/metrics.go | 4 +- internal/metrics/metrics_test.go | 8 +-- internal/playback/server.go | 4 +- internal/playback/server_test.go | 2 +- internal/pprof/pprof.go | 4 +- internal/pprof/pprof_test.go | 6 +- internal/servers/hls/http_server.go | 4 +- internal/servers/hls/server.go | 4 +- internal/servers/hls/server_test.go | 4 +- internal/servers/webrtc/http_server.go | 4 +- internal/servers/webrtc/server.go | 4 +- internal/servers/webrtc/server_test.go | 2 +- mediamtx.yml | 31 ++++----- 15 files changed, 125 insertions(+), 63 deletions(-) diff --git a/internal/conf/conf.go b/internal/conf/conf.go index 1a64b4cb..ba39ce99 100644 --- a/internal/conf/conf.go +++ b/internal/conf/conf.go @@ -183,7 +183,7 @@ type Conf struct { APIServerKey string `json:"apiServerKey"` APIServerCert string `json:"apiServerCert"` APIAllowOrigin *string `json:"apiAllowOrigin,omitempty"` // deprecated - APIAllowOrigins []string `json:"apiAllowOrigins"` + APIAllowOrigins []string `json:"apiAllowOrigins"` // TODO: move in alias APITrustedProxies IPNetworks `json:"apiTrustedProxies"` // Metrics @@ -192,7 +192,8 @@ type Conf struct { MetricsEncryption bool `json:"metricsEncryption"` MetricsServerKey string `json:"metricsServerKey"` MetricsServerCert string `json:"metricsServerCert"` - MetricsAllowOrigin string `json:"metricsAllowOrigin"` + MetricsAllowOrigin *string `json:"metricsAllowOrigin,omitempty"` // deprecated + MetricsAllowOrigins []string `json:"metricsAllowOrigins"` MetricsTrustedProxies IPNetworks `json:"metricsTrustedProxies"` // PPROF 
@@ -201,7 +202,8 @@ type Conf struct { PPROFEncryption bool `json:"pprofEncryption"` PPROFServerKey string `json:"pprofServerKey"` PPROFServerCert string `json:"pprofServerCert"` - PPROFAllowOrigin string `json:"pprofAllowOrigin"` + PPROFAllowOrigin *string `json:"pprofAllowOrigin,omitempty"` // deprecated + PPROFAllowOrigins []string `json:"pprofAllowOrigins"` PPROFTrustedProxies IPNetworks `json:"pprofTrustedProxies"` // Playback @@ -210,7 +212,8 @@ type Conf struct { PlaybackEncryption bool `json:"playbackEncryption"` PlaybackServerKey string `json:"playbackServerKey"` PlaybackServerCert string `json:"playbackServerCert"` - PlaybackAllowOrigin string `json:"playbackAllowOrigin"` + PlaybackAllowOrigin *string `json:"playbackAllowOrigin,omitempty"` // deprecated + PlaybackAllowOrigins []string `json:"playbackAllowOrigins"` PlaybackTrustedProxies IPNetworks `json:"playbackTrustedProxies"` // RTSP server @@ -255,7 +258,8 @@ type Conf struct { HLSEncryption bool `json:"hlsEncryption"` HLSServerKey string `json:"hlsServerKey"` HLSServerCert string `json:"hlsServerCert"` - HLSAllowOrigin string `json:"hlsAllowOrigin"` + HLSAllowOrigin *string `json:"hlsAllowOrigin,omitempty"` // deprecated + HLSAllowOrigins []string `json:"hlsAllowOrigins"` HLSTrustedProxies IPNetworks `json:"hlsTrustedProxies"` HLSAlwaysRemux bool `json:"hlsAlwaysRemux"` HLSVariant HLSVariant `json:"hlsVariant"` @@ -273,7 +277,8 @@ type Conf struct { WebRTCEncryption bool `json:"webrtcEncryption"` WebRTCServerKey string `json:"webrtcServerKey"` WebRTCServerCert string `json:"webrtcServerCert"` - WebRTCAllowOrigin string `json:"webrtcAllowOrigin"` + WebRTCAllowOrigin *string `json:"webrtcAllowOrigin,omitempty"` // deprecated + WebRTCAllowOrigins []string `json:"webrtcAllowOrigins"` WebRTCTrustedProxies IPNetworks `json:"webrtcTrustedProxies"` WebRTCLocalUDPAddress string `json:"webrtcLocalUDPAddress"` WebRTCLocalTCPAddress string `json:"webrtcLocalTCPAddress"` 
@@ -347,19 +352,19 @@ func (conf *Conf) setDefaults() { conf.MetricsAddress = ":9998" conf.MetricsServerKey = "server.key" conf.MetricsServerCert = "server.crt" - conf.MetricsAllowOrigin = "*" + conf.MetricsAllowOrigins = []string{"*"} // PPROF conf.PPROFAddress = ":9999" conf.PPROFServerKey = "server.key" conf.PPROFServerCert = "server.crt" - conf.PPROFAllowOrigin = "*" + conf.PPROFAllowOrigins = []string{"*"} // Playback server conf.PlaybackAddress = ":9996" conf.PlaybackServerKey = "server.key" conf.PlaybackServerCert = "server.crt" - conf.PlaybackAllowOrigin = "*" + conf.PlaybackAllowOrigins = []string{"*"} // RTSP server conf.RTSP = true @@ -395,7 +400,7 @@ func (conf *Conf) setDefaults() { conf.HLSAddress = ":8888" conf.HLSServerKey = "server.key" conf.HLSServerCert = "server.crt" - conf.HLSAllowOrigin = "*" + conf.HLSAllowOrigins = []string{"*"} conf.HLSVariant = HLSVariant(gohlslib.MuxerVariantLowLatency) conf.HLSSegmentCount = 7 conf.HLSSegmentDuration = 1 * Duration(time.Second) @@ -408,7 +413,7 @@ func (conf *Conf) setDefaults() { conf.WebRTCAddress = ":8889" conf.WebRTCServerKey = "server.key" conf.WebRTCServerCert = "server.crt" - conf.WebRTCAllowOrigin = "*" + conf.WebRTCAllowOrigins = []string{"*"} conf.WebRTCLocalUDPAddress = ":8189" conf.WebRTCIPsFromInterfaces = true conf.WebRTCIPsFromInterfacesList = []string{} 
@@ -523,16 +528,20 @@ func (conf *Conf) Validate(l logger.Writer) error { if conf.ReadTimeout <= 0 { return fmt.Errorf("'readTimeout' must be greater than zero") } + if conf.WriteTimeout <= 0 { return fmt.Errorf("'writeTimeout' must be greater than zero") } + if conf.ReadBufferCount != nil { l.Log(logger.Warn, "parameter 'readBufferCount' is deprecated and has been replaced with 'writeQueueSize'") conf.WriteQueueSize = *conf.ReadBufferCount } + if (conf.WriteQueueSize & (conf.WriteQueueSize - 1)) != 0 { return fmt.Errorf("'writeQueueSize' must be a power of two") } + if conf.UDPMaxPayloadSize > 1472 { return fmt.Errorf("'udpMaxPayloadSize' must be less than 1472") } @@ -545,16 +554,19 @@ func (conf *Conf) Validate(l logger.Writer) error { conf.AuthMethod = AuthMethodHTTP conf.AuthHTTPAddress = *conf.ExternalAuthenticationURL } + if conf.AuthHTTPAddress != "" && !strings.HasPrefix(conf.AuthHTTPAddress, "http://") && !strings.HasPrefix(conf.AuthHTTPAddress, "https://") { return fmt.Errorf("'externalAuthenticationURL' must be a HTTP URL") } + if conf.AuthJWTJWKS != "" && !strings.HasPrefix(conf.AuthJWTJWKS, "http://") && !strings.HasPrefix(conf.AuthJWTJWKS, "https://") { return fmt.Errorf("'authJWTJWKS' must be a HTTP URL") } + deprecatedCredentialsMode := false if anyPathHasDeprecatedCredentials(conf.PathDefaults, conf.OptionalPaths) { l.Log(logger.Warn, "you are using one or more authentication-related deprecated parameters "+ @@ -593,6 +605,7 @@ func (conf *Conf) Validate(l logger.Writer) error { } deprecatedCredentialsMode = true } + switch conf.AuthMethod { case AuthMethodHTTP: if conf.AuthHTTPAddress == "" { 
@@ -615,24 +628,49 @@ func (conf *Conf) Validate(l logger.Writer) error { conf.APIAllowOrigins = []string{*conf.APIAllowOrigin} } - // RTSP + // Metrics + + if conf.MetricsAllowOrigin != nil { + l.Log(logger.Warn, "parameter 'metricsAllowOrigin' is deprecated and has been replaced with 'metricsAllowOrigins'") + conf.MetricsAllowOrigins = []string{*conf.MetricsAllowOrigin} + } + + // PPROF + + if conf.PPROFAllowOrigin != nil { + l.Log(logger.Warn, "parameter 'pprofAllowOrigin' is deprecated and has been replaced with 'pprofAllowOrigins'") + conf.PPROFAllowOrigins = []string{*conf.PPROFAllowOrigin} + } + + // Playback + + if conf.PlaybackAllowOrigin != nil { + l.Log(logger.Warn, "parameter 'playbackAllowOrigin' is deprecated and has been replaced with 'playbackAllowOrigins'") + conf.PlaybackAllowOrigins = []string{*conf.PlaybackAllowOrigin} + } + + // RTSP server if conf.RTSPDisable != nil { l.Log(logger.Warn, "parameter 'rtspDisabled' is deprecated and has been replaced with 'rtsp'") conf.RTSP = !*conf.RTSPDisable } + if conf.Protocols != nil { l.Log(logger.Warn, "parameter 'protocols' is deprecated and has been replaced with 'rtspTransports'") conf.RTSPTransports = *conf.Protocols } + if conf.Encryption != nil { l.Log(logger.Warn, "parameter 'encryption' is deprecated and has been replaced with 'rtspEncryption'") conf.RTSPEncryption = *conf.Encryption } + if conf.AuthMethods != nil { l.Log(logger.Warn, "parameter 'authMethods' is deprecated and has been replaced with 'rtspAuthMethods'") conf.RTSPAuthMethods = *conf.AuthMethods } + if slices.Contains(conf.RTSPAuthMethods, auth.VerifyMethodDigestMD5) { if conf.AuthMethod != AuthMethodInternal { return fmt.Errorf("when RTSP digest is enabled, the only supported auth method is 'internal'") 
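Review bot: The three new deprecation blocks in this hunk (metrics, pprof, playback) are byte-for-byte copies differing only in the field and parameter names, and the same block is repeated again for HLS in the `@@ -669` hunk and for WebRTC in the `@@ -716` hunk, so five copies of the same warn-and-copy logic now live in Validate. A small helper keeps the message format in one place and makes adding the next service a one-liner; the log text below is the same string the hunk emits. Validate starts before and ends after this hunk. Note also that, like the existing migrations in this function, the deprecated scalar silently overrides a value given for the new list key when both are present; if that is intended it deserves a one-line comment such as `// a deprecated *AllowOrigin value takes precedence over *AllowOrigins, matching the other migrations`.
```go
// migrateAllowOrigin copies a deprecated single-origin parameter into its
// list-valued replacement, emitting the same deprecation warning as before.
func migrateAllowOrigin(l logger.Writer, oldName, newName string, old *string, dst *[]string) {
	if old == nil {
		return
	}
	l.Log(logger.Warn, fmt.Sprintf("parameter '%s' is deprecated and has been replaced with '%s'", oldName, newName))
	*dst = []string{*old}
}

// … in Validate, replacing the three if-blocks of this hunk …
migrateAllowOrigin(l, "metricsAllowOrigin", "metricsAllowOrigins", conf.MetricsAllowOrigin, &conf.MetricsAllowOrigins)
migrateAllowOrigin(l, "pprofAllowOrigin", "pprofAllowOrigins", conf.PPROFAllowOrigin, &conf.PPROFAllowOrigins)
migrateAllowOrigin(l, "playbackAllowOrigin", "playbackAllowOrigins", conf.PlaybackAllowOrigin, &conf.PlaybackAllowOrigins)
```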
@@ -643,14 +681,17 @@ func (conf *Conf) Validate(l logger.Writer) error { } } } + if conf.ServerCert != nil { l.Log(logger.Warn, "parameter 'serverCert' is deprecated and has been replaced with 'rtspServerCert'") conf.RTSPServerCert = *conf.ServerCert } + if conf.ServerKey != nil { l.Log(logger.Warn, "parameter 'serverKey' is deprecated and has been replaced with 'rtspServerKey'") conf.RTSPServerKey = *conf.ServerKey } + if len(conf.RTSPAuthMethods) == 0 { return fmt.Errorf("at least one 'rtspAuthMethods' must be provided") } @@ -669,27 +710,36 @@ func (conf *Conf) Validate(l logger.Writer) error { conf.HLS = !*conf.HLSDisable } + if conf.HLSAllowOrigin != nil { + l.Log(logger.Warn, "parameter 'hlsAllowOrigin' is deprecated and has been replaced with 'hlsAllowOrigins'") + conf.HLSAllowOrigins = []string{*conf.HLSAllowOrigin} + } + // WebRTC if conf.WebRTCDisable != nil { l.Log(logger.Warn, "parameter 'webrtcDisable' is deprecated and has been replaced with 'webrtc'") conf.WebRTC = !*conf.WebRTCDisable } + if conf.WebRTCICEUDPMuxAddress != nil { l.Log(logger.Warn, "parameter 'webrtcICEUDPMuxAdderss' is deprecated "+ "and has been replaced with 'webrtcLocalUDPAddress'") conf.WebRTCLocalUDPAddress = *conf.WebRTCICEUDPMuxAddress } + if conf.WebRTCICETCPMuxAddress != nil { l.Log(logger.Warn, "parameter 'webrtcICETCPMuxAddress' is deprecated "+ "and has been replaced with 'webrtcLocalTCPAddress'") conf.WebRTCLocalTCPAddress = *conf.WebRTCICETCPMuxAddress } + if conf.WebRTCICEHostNAT1To1IPs != nil { l.Log(logger.Warn, "parameter 'webrtcICEHostNAT1To1IPs' is deprecated "+ "and has been replaced with 'webrtcAdditionalHosts'") conf.WebRTCAdditionalHosts = *conf.WebRTCICEHostNAT1To1IPs } + if conf.WebRTCICEServers != nil { l.Log(logger.Warn, "parameter 'webrtcICEServers' is deprecated "+ "and has been replaced with 'webrtcICEServers2'") 
@@ -709,6 +759,7 @@ func (conf *Conf) Validate(l logger.Writer) error { } } } + for _, server := range conf.WebRTCICEServers2 { if !strings.HasPrefix(server.URL, "stun:") && !strings.HasPrefix(server.URL, "turn:") && @@ -716,18 +767,25 @@ func (conf *Conf) Validate(l logger.Writer) error { return fmt.Errorf("invalid ICE server: '%s'", server.URL) } } + if conf.WebRTCLocalUDPAddress == "" && conf.WebRTCLocalTCPAddress == "" && len(conf.WebRTCICEServers2) == 0 { return fmt.Errorf("at least one between 'webrtcLocalUDPAddress'," + " 'webrtcLocalTCPAddress' or 'webrtcICEServers2' must be filled") } + if conf.WebRTCLocalUDPAddress != "" || conf.WebRTCLocalTCPAddress != "" { if !conf.WebRTCIPsFromInterfaces && len(conf.WebRTCAdditionalHosts) == 0 { return fmt.Errorf("at least one between 'webrtcIPsFromInterfaces' or 'webrtcAdditionalHosts' must be filled") } } + if conf.WebRTCAllowOrigin != nil { + l.Log(logger.Warn, "parameter 'webrtcAllowOrigin' is deprecated and has been replaced with 'webrtcAllowOrigins'") + conf.WebRTCAllowOrigins = []string{*conf.WebRTCAllowOrigin} + } + // Record (deprecated) if conf.Record != nil { 
@@ -735,26 +793,31 @@ func (conf *Conf) Validate(l logger.Writer) error { "and has been replaced with 'pathDefaults.record'") conf.PathDefaults.Record = *conf.Record } + if conf.RecordPath != nil { l.Log(logger.Warn, "parameter 'recordPath' is deprecated "+ "and has been replaced with 'pathDefaults.recordPath'") conf.PathDefaults.RecordPath = *conf.RecordPath } + if conf.RecordFormat != nil { l.Log(logger.Warn, "parameter 'recordFormat' is deprecated "+ "and has been replaced with 'pathDefaults.recordFormat'") conf.PathDefaults.RecordFormat = *conf.RecordFormat } + if conf.RecordPartDuration != nil { l.Log(logger.Warn, "parameter 'recordPartDuration' is deprecated "+ "and has been replaced with 'pathDefaults.recordPartDuration'") conf.PathDefaults.RecordPartDuration = *conf.RecordPartDuration } + if conf.RecordSegmentDuration != nil { l.Log(logger.Warn, "parameter 'recordSegmentDuration' is deprecated "+ "and has been replaced with 'pathDefaults.recordSegmentDuration'") conf.PathDefaults.RecordSegmentDuration = *conf.RecordSegmentDuration } + if conf.RecordDeleteAfter != nil { l.Log(logger.Warn, "parameter 'recordDeleteAfter' is deprecated "+ "and has been replaced with 'pathDefaults.recordDeleteAfter'") diff --git a/internal/core/core.go b/internal/core/core.go index 1f37a81b..5c60fb1c 100644 --- a/internal/core/core.go +++ b/internal/core/core.go @@ -324,7 +324,7 @@ func (p *Core) createResources(initial bool) error { Encryption: p.conf.MetricsEncryption, ServerKey: p.conf.MetricsServerKey, ServerCert: p.conf.MetricsServerCert, - AllowOrigin: p.conf.MetricsAllowOrigin, + AllowOrigins: p.conf.MetricsAllowOrigins, TrustedProxies: p.conf.MetricsTrustedProxies, ReadTimeout: p.conf.ReadTimeout, WriteTimeout: p.conf.WriteTimeout, 
@@ -345,7 +345,7 @@ func (p *Core) createResources(initial bool) error { Encryption: p.conf.PPROFEncryption, ServerKey: p.conf.PPROFServerKey, ServerCert: p.conf.PPROFServerCert, - AllowOrigin: p.conf.PPROFAllowOrigin, + AllowOrigins: p.conf.PPROFAllowOrigins, TrustedProxies: p.conf.PPROFTrustedProxies, ReadTimeout: p.conf.ReadTimeout, WriteTimeout: p.conf.WriteTimeout, @@ -375,7 +375,7 @@ func (p *Core) createResources(initial bool) error { Encryption: p.conf.PlaybackEncryption, ServerKey: p.conf.PlaybackServerKey, ServerCert: p.conf.PlaybackServerCert, - AllowOrigin: p.conf.PlaybackAllowOrigin, + AllowOrigins: p.conf.PlaybackAllowOrigins, TrustedProxies: p.conf.PlaybackTrustedProxies, ReadTimeout: p.conf.ReadTimeout, WriteTimeout: p.conf.WriteTimeout, @@ -563,7 +563,7 @@ func (p *Core) createResources(initial bool) error { Encryption: p.conf.HLSEncryption, ServerKey: p.conf.HLSServerKey, ServerCert: p.conf.HLSServerCert, - AllowOrigin: p.conf.HLSAllowOrigin, + AllowOrigins: p.conf.HLSAllowOrigins, TrustedProxies: p.conf.HLSTrustedProxies, AlwaysRemux: p.conf.HLSAlwaysRemux, Variant: p.conf.HLSVariant, @@ -593,7 +593,7 @@ func (p *Core) createResources(initial bool) error { Encryption: p.conf.WebRTCEncryption, ServerKey: p.conf.WebRTCServerKey, ServerCert: p.conf.WebRTCServerCert, - AllowOrigin: p.conf.WebRTCAllowOrigin, + AllowOrigins: p.conf.WebRTCAllowOrigins, TrustedProxies: p.conf.WebRTCTrustedProxies, ReadTimeout: p.conf.ReadTimeout, WriteTimeout: p.conf.WriteTimeout, 
@@ -713,7 +713,7 @@ func (p *Core) closeResources(newConf *conf.Conf, calledByAPI bool) { newConf.MetricsEncryption != p.conf.MetricsEncryption || newConf.MetricsServerKey != p.conf.MetricsServerKey || newConf.MetricsServerCert != p.conf.MetricsServerCert || - newConf.MetricsAllowOrigin != p.conf.MetricsAllowOrigin || + !slices.Equal(newConf.MetricsAllowOrigins, p.conf.MetricsAllowOrigins) || !reflect.DeepEqual(newConf.MetricsTrustedProxies, p.conf.MetricsTrustedProxies) || newConf.ReadTimeout != p.conf.ReadTimeout || newConf.WriteTimeout != p.conf.WriteTimeout || @@ -726,7 +726,7 @@ func (p *Core) closeResources(newConf *conf.Conf, calledByAPI bool) { newConf.PPROFEncryption != p.conf.PPROFEncryption || newConf.PPROFServerKey != p.conf.PPROFServerKey || newConf.PPROFServerCert != p.conf.PPROFServerCert || - newConf.PPROFAllowOrigin != p.conf.PPROFAllowOrigin || + !slices.Equal(newConf.PPROFAllowOrigins, p.conf.PPROFAllowOrigins) || !reflect.DeepEqual(newConf.PPROFTrustedProxies, p.conf.PPROFTrustedProxies) || newConf.ReadTimeout != p.conf.ReadTimeout || newConf.WriteTimeout != p.conf.WriteTimeout || @@ -746,7 +746,7 @@ func (p *Core) closeResources(newConf *conf.Conf, calledByAPI bool) { newConf.PlaybackEncryption != p.conf.PlaybackEncryption || newConf.PlaybackServerKey != p.conf.PlaybackServerKey || newConf.PlaybackServerCert != p.conf.PlaybackServerCert || - newConf.PlaybackAllowOrigin != p.conf.PlaybackAllowOrigin || + !slices.Equal(newConf.PlaybackAllowOrigins, p.conf.PlaybackAllowOrigins) || !reflect.DeepEqual(newConf.PlaybackTrustedProxies, p.conf.PlaybackTrustedProxies) || newConf.ReadTimeout != p.conf.ReadTimeout || newConf.WriteTimeout != p.conf.WriteTimeout || 
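Review bot: The replaced comparison lines call `slices.Equal`, but no import block of core.go is touched by this commit (its diffstat is exactly these ten one-line replacements across createResources and closeResources), so the build depends on `slices` already being imported there; the only visible use of the package is `slices.Contains` in conf.go, so this is worth confirming. The same applies to the HLS and WebRTC comparison lines in the two hunks that follow. Since `slices.Equal` is order-sensitive, reordering the origin list on a hot reload restarts the corresponding server even when the set is unchanged; if that matters, a comment like `// order-sensitive: a reordered list restarts the server` next to the first use would spare the next reader a surprise. closeResources starts before and ends after these hunks.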
@@ -853,7 +853,7 @@ func (p *Core) closeResources(newConf *conf.Conf, calledByAPI bool) { newConf.HLSEncryption != p.conf.HLSEncryption || newConf.HLSServerKey != p.conf.HLSServerKey || newConf.HLSServerCert != p.conf.HLSServerCert || - newConf.HLSAllowOrigin != p.conf.HLSAllowOrigin || + !slices.Equal(newConf.HLSAllowOrigins, p.conf.HLSAllowOrigins) || !reflect.DeepEqual(newConf.HLSTrustedProxies, p.conf.HLSTrustedProxies) || newConf.HLSAlwaysRemux != p.conf.HLSAlwaysRemux || newConf.HLSVariant != p.conf.HLSVariant || @@ -875,7 +875,7 @@ func (p *Core) closeResources(newConf *conf.Conf, calledByAPI bool) { newConf.WebRTCEncryption != p.conf.WebRTCEncryption || newConf.WebRTCServerKey != p.conf.WebRTCServerKey || newConf.WebRTCServerCert != p.conf.WebRTCServerCert || - newConf.WebRTCAllowOrigin != p.conf.WebRTCAllowOrigin || + !slices.Equal(newConf.WebRTCAllowOrigins, p.conf.WebRTCAllowOrigins) || !reflect.DeepEqual(newConf.WebRTCTrustedProxies, p.conf.WebRTCTrustedProxies) || newConf.ReadTimeout != p.conf.ReadTimeout || newConf.WriteTimeout != p.conf.WriteTimeout || diff --git a/internal/metrics/metrics.go b/internal/metrics/metrics.go index 002fc3d3..0934870f 100644 --- a/internal/metrics/metrics.go +++ b/internal/metrics/metrics.go @@ -74,7 +74,7 @@ type Metrics struct { Encryption bool ServerKey string ServerCert string - AllowOrigin string + AllowOrigins []string TrustedProxies conf.IPNetworks ReadTimeout conf.Duration WriteTimeout conf.Duration @@ -105,7 +105,7 @@ func (m *Metrics) Initialize() error { m.httpServer = &httpp.Server{ Address: m.Address, - AllowOrigins: []string{m.AllowOrigin}, + AllowOrigins: m.AllowOrigins, ReadTimeout: time.Duration(m.ReadTimeout), WriteTimeout: time.Duration(m.WriteTimeout), Encryption: m.Encryption, diff --git a/internal/metrics/metrics_test.go b/internal/metrics/metrics_test.go index 45d9d4e4..9be2c982 100644 --- a/internal/metrics/metrics_test.go +++ b/internal/metrics/metrics_test.go 
@@ -192,7 +192,7 @@ func (dummyWebRTCServer) APISessionsKick(uuid.UUID) error { func TestPreflightRequest(t *testing.T) { m := Metrics{ Address: "localhost:9998", - AllowOrigin: "*", + AllowOrigins: []string{"*"}, ReadTimeout: conf.Duration(10 * time.Second), WriteTimeout: conf.Duration(10 * time.Second), AuthManager: test.NilAuthManager, @@ -232,7 +232,7 @@ func TestMetrics(t *testing.T) { m := Metrics{ Address: "localhost:9998", - AllowOrigin: "*", + AllowOrigins: []string{"*"}, ReadTimeout: conf.Duration(10 * time.Second), WriteTimeout: conf.Duration(10 * time.Second), AuthManager: &test.AuthManager{ @@ -368,7 +368,7 @@ func TestAuthError(t *testing.T) { m := Metrics{ Address: "localhost:9998", - AllowOrigin: "*", + AllowOrigins: []string{"*"}, ReadTimeout: conf.Duration(10 * time.Second), WriteTimeout: conf.Duration(10 * time.Second), AuthManager: &test.AuthManager{ @@ -428,7 +428,7 @@ func TestFilter(t *testing.T) { t.Run(ca, func(t *testing.T) { m := Metrics{ Address: "localhost:9998", - AllowOrigin: "*", + AllowOrigins: []string{"*"}, ReadTimeout: conf.Duration(10 * time.Second), WriteTimeout: conf.Duration(10 * time.Second), AuthManager: test.NilAuthManager, diff --git a/internal/playback/server.go b/internal/playback/server.go index cc922038..c5b7f391 100644 --- a/internal/playback/server.go +++ b/internal/playback/server.go @@ -24,7 +24,7 @@ type Server struct { Encryption bool ServerKey string ServerCert string - AllowOrigin string + AllowOrigins []string TrustedProxies conf.IPNetworks ReadTimeout conf.Duration WriteTimeout conf.Duration @@ -48,7 +48,7 @@ func (s *Server) Initialize() error { s.httpServer = &httpp.Server{ Address: s.Address, - AllowOrigins: []string{s.AllowOrigin}, + AllowOrigins: s.AllowOrigins, ReadTimeout: time.Duration(s.ReadTimeout), WriteTimeout: time.Duration(s.WriteTimeout), Encryption: s.Encryption, diff --git a/internal/playback/server_test.go b/internal/playback/server_test.go index aebcf119..7db52032 100644 
--- a/internal/playback/server_test.go +++ b/internal/playback/server_test.go @@ -18,7 +18,7 @@ import ( func TestPreflightRequest(t *testing.T) { s := &Server{ Address: "127.0.0.1:9996", - AllowOrigin: "*", + AllowOrigins: []string{"*"}, ReadTimeout: conf.Duration(10 * time.Second), WriteTimeout: conf.Duration(10 * time.Second), Parent: test.NilLogger, diff --git a/internal/pprof/pprof.go b/internal/pprof/pprof.go index 7f5839b1..5b171935 100644 --- a/internal/pprof/pprof.go +++ b/internal/pprof/pprof.go @@ -29,7 +29,7 @@ type PPROF struct { Encryption bool ServerKey string ServerCert string - AllowOrigin string + AllowOrigins []string TrustedProxies conf.IPNetworks ReadTimeout conf.Duration WriteTimeout conf.Duration @@ -51,7 +51,7 @@ func (pp *PPROF) Initialize() error { pp.httpServer = &httpp.Server{ Address: pp.Address, - AllowOrigins: []string{pp.AllowOrigin}, + AllowOrigins: pp.AllowOrigins, ReadTimeout: time.Duration(pp.ReadTimeout), WriteTimeout: time.Duration(pp.WriteTimeout), Encryption: pp.Encryption, diff --git a/internal/pprof/pprof_test.go b/internal/pprof/pprof_test.go index 1d61c9e6..0a57bfdb 100644 --- a/internal/pprof/pprof_test.go +++ b/internal/pprof/pprof_test.go @@ -17,7 +17,7 @@ import ( func TestPreflightRequest(t *testing.T) { s := &PPROF{ Address: "127.0.0.1:9999", - AllowOrigin: "*", + AllowOrigins: []string{"*"}, ReadTimeout: conf.Duration(10 * time.Second), WriteTimeout: conf.Duration(10 * time.Second), Parent: test.NilLogger, @@ -56,7 +56,7 @@ func TestPprof(t *testing.T) { s := &PPROF{ Address: "127.0.0.1:9999", - AllowOrigin: "*", + AllowOrigins: []string{"*"}, ReadTimeout: conf.Duration(10 * time.Second), WriteTimeout: conf.Duration(10 * time.Second), AuthManager: &test.AuthManager{ 
@@ -99,7 +99,7 @@ func TestAuthError(t *testing.T) { s := &PPROF{ Address: "127.0.0.1:9999", - AllowOrigin: "*", + AllowOrigins: []string{"*"}, ReadTimeout: conf.Duration(10 * time.Second), WriteTimeout: conf.Duration(10 * time.Second), AuthManager: &test.AuthManager{ diff --git a/internal/servers/hls/http_server.go b/internal/servers/hls/http_server.go index 2f5a3f78..fcf429ec 100644 --- a/internal/servers/hls/http_server.go +++ b/internal/servers/hls/http_server.go @@ -39,7 +39,7 @@ type httpServer struct { encryption bool serverKey string serverCert string - allowOrigin string + allowOrigins []string trustedProxies conf.IPNetworks readTimeout conf.Duration writeTimeout conf.Duration @@ -59,7 +59,7 @@ func (s *httpServer) initialize() error { s.inner = &httpp.Server{ Address: s.address, - AllowOrigins: []string{s.allowOrigin}, + AllowOrigins: s.allowOrigins, ReadTimeout: time.Duration(s.readTimeout), WriteTimeout: time.Duration(s.writeTimeout), Encryption: s.encryption, diff --git a/internal/servers/hls/server.go b/internal/servers/hls/server.go index 74175af9..d4edffbe 100644 --- a/internal/servers/hls/server.go +++ b/internal/servers/hls/server.go @@ -74,7 +74,7 @@ type Server struct { Encryption bool ServerKey string ServerCert string - AllowOrigin string + AllowOrigins []string TrustedProxies conf.IPNetworks AlwaysRemux bool Variant conf.HLSVariant @@ -124,7 +124,7 @@ func (s *Server) Initialize() error { encryption: s.Encryption, serverKey: s.ServerKey, serverCert: s.ServerCert, - allowOrigin: s.AllowOrigin, + allowOrigins: s.AllowOrigins, trustedProxies: s.TrustedProxies, readTimeout: s.ReadTimeout, writeTimeout: s.WriteTimeout, diff --git a/internal/servers/hls/server_test.go b/internal/servers/hls/server_test.go index 356f0ace..d257df73 100644 --- a/internal/servers/hls/server_test.go +++ b/internal/servers/hls/server_test.go 
@@ -68,7 +68,7 @@ func (pa *dummyPath) RemoveReader(_ defs.PathRemoveReaderReq) { func TestServerPreflightRequest(t *testing.T) { s := &Server{ Address: "127.0.0.1:8888", - AllowOrigin: "*", + AllowOrigins: []string{"*"}, ReadTimeout: conf.Duration(10 * time.Second), WriteTimeout: conf.Duration(10 * time.Second), PathManager: &dummyPathManager{}, @@ -131,7 +131,6 @@ func TestServerNotFound(t *testing.T) { SegmentDuration: conf.Duration(1 * time.Second), PartDuration: conf.Duration(200 * time.Millisecond), SegmentMaxSize: 50 * 1024 * 1024, - AllowOrigin: "", TrustedProxies: conf.IPNetworks{}, Directory: "", ReadTimeout: conf.Duration(10 * time.Second), @@ -433,7 +432,6 @@ func TestServerDirectory(t *testing.T) { SegmentDuration: conf.Duration(1 * time.Second), PartDuration: conf.Duration(200 * time.Millisecond), SegmentMaxSize: 50 * 1024 * 1024, - AllowOrigin: "", TrustedProxies: conf.IPNetworks{}, Directory: filepath.Join(dir, "mydir"), ReadTimeout: conf.Duration(10 * time.Second), diff --git a/internal/servers/webrtc/http_server.go b/internal/servers/webrtc/http_server.go index 346d9080..f2b89c94 100644 --- a/internal/servers/webrtc/http_server.go +++ b/internal/servers/webrtc/http_server.go @@ -76,7 +76,7 @@ type httpServer struct { encryption bool serverKey string serverCert string - allowOrigin string + allowOrigins []string trustedProxies conf.IPNetworks readTimeout conf.Duration writeTimeout conf.Duration @@ -96,7 +96,7 @@ func (s *httpServer) initialize() error { s.inner = &httpp.Server{ Address: s.address, - AllowOrigins: []string{s.allowOrigin}, + AllowOrigins: s.allowOrigins, ReadTimeout: time.Duration(s.readTimeout), WriteTimeout: time.Duration(s.writeTimeout), Encryption: s.encryption, diff --git a/internal/servers/webrtc/server.go b/internal/servers/webrtc/server.go index 1851d12e..3711ac1e 100644 --- a/internal/servers/webrtc/server.go +++ b/internal/servers/webrtc/server.go 
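Review bot: Dropping the `AllowOrigin: ""` lines from TestServerNotFound and TestServerDirectory changes what the HTTP server under test receives: before this commit the field was turned into `[]string{""}` (a single empty origin), whereas now `AllowOrigins` is left nil. Whether httpp.Server treats an empty list the same as one empty entry is not visible here; if it does not (for example, emitting no Access-Control-Allow-Origin header versus an empty one), these tests now cover a different path than before. Keeping the intent explicit with `AllowOrigins: nil, // no origins: server must not advertise any` (or asserting the header in the test) would pin the behaviour.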
@@ -190,7 +190,7 @@ type Server struct { Encryption bool ServerKey string ServerCert string - AllowOrigin string + AllowOrigins []string TrustedProxies conf.IPNetworks ReadTimeout conf.Duration WriteTimeout conf.Duration @@ -254,7 +254,7 @@ func (s *Server) Initialize() error { encryption: s.Encryption, serverKey: s.ServerKey, serverCert: s.ServerCert, - allowOrigin: s.AllowOrigin, + allowOrigins: s.AllowOrigins, trustedProxies: s.TrustedProxies, readTimeout: s.ReadTimeout, writeTimeout: s.WriteTimeout, diff --git a/internal/servers/webrtc/server_test.go b/internal/servers/webrtc/server_test.go index 63b02f43..0f12949c 100644 --- a/internal/servers/webrtc/server_test.go +++ b/internal/servers/webrtc/server_test.go @@ -66,7 +66,7 @@ func initializeTestServer(t *testing.T) *Server { s := &Server{ Address: "127.0.0.1:8886", - AllowOrigin: "*", + AllowOrigins: []string{"*"}, TrustedProxies: conf.IPNetworks{}, ReadTimeout: conf.Duration(10 * time.Second), WriteTimeout: conf.Duration(10 * time.Second), diff --git a/mediamtx.yml b/mediamtx.yml index ae020731..e244c40f 100644 --- a/mediamtx.yml +++ b/mediamtx.yml @@ -158,10 +158,8 @@ apiEncryption: no apiServerKey: server.key # Path to the server certificate. apiServerCert: server.crt -# List of allowed origins. +# Lis. # Supports wildcards: ['http://*.example.com'] -# If apiAllowOrigins is set to '*', the Access-Control-Allow-Origin response will be '*', -# even if no Origin was sent from the client. apiAllowOrigins: ['*'] # List of IPs or CIDRs of proxies placed before the HTTP server. # If the server receives a request from one of these entries, IP in logs 
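Review bot: The replacement comment above `apiAllowOrigins` in the mediamtx.yml hunk is truncated to `# Lis.`, while every other service in this commit gets `# List of allowed HTTP Origins.`; the same wording should be used here. The two removed lines also documented a security-relevant detail of the wildcard — that `'*'` is returned as the Access-Control-Allow-Origin value even when the client sent no Origin — and nothing in the hunk restates it; if that behaviour still holds for the shared HTTP server, the sentence should be kept here, and it would serve equally under the metrics, pprof, playback, HLS and WebRTC keys in the later hunks, since all of them default to `['*']`.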
@@ -184,8 +182,9 @@ metricsEncryption: no metricsServerKey: server.key # Path to the server certificate. metricsServerCert: server.crt -# Value of the Access-Control-Allow-Origin header provided in every HTTP response. -metricsAllowOrigin: '*' +# List of allowed HTTP Origins. +# Supports wildcards: ['http://*.example.com'] +metricsAllowOrigins: ['*'] # List of IPs or CIDRs of proxies placed before the HTTP server. # If the server receives a request from one of these entries, IP in logs # will be taken from the X-Forwarded-For header. @@ -207,8 +206,9 @@ pprofEncryption: no pprofServerKey: server.key # Path to the server certificate. pprofServerCert: server.crt -# Value of the Access-Control-Allow-Origin header provided in every HTTP response. -pprofAllowOrigin: '*' +# List of allowed HTTP Origins. +# Supports wildcards: ['http://*.example.com'] +pprofAllowOrigins: ['*'] # List of IPs or CIDRs of proxies placed before the HTTP server. # If the server receives a request from one of these entries, IP in logs # will be taken from the X-Forwarded-For header. @@ -230,8 +230,9 @@ playbackEncryption: no playbackServerKey: server.key # Path to the server certificate. playbackServerCert: server.crt -# Value of the Access-Control-Allow-Origin header provided in every HTTP response. -playbackAllowOrigin: '*' +# List of allowed HTTP Origins. +# Supports wildcards: ['http://*.example.com'] +playbackAllowOrigins: ['*'] # List of IPs or CIDRs of proxies placed before the HTTP server. # If the server receives a request from one of these entries, IP in logs # will be taken from the X-Forwarded-For header. 
@@ -322,9 +323,9 @@ hlsEncryption: no hlsServerKey: server.key # Path to the server certificate. hlsServerCert: server.crt -# Value of the Access-Control-Allow-Origin header provided in every HTTP response. -# This allows to play the HLS stream from an external website. -hlsAllowOrigin: '*' +# List of allowed HTTP Origins. +# Supports wildcards: ['http://*.example.com'] +hlsAllowOrigins: ['*'] # List of IPs or CIDRs of proxies placed before the HLS server. # If the server receives a request from one of these entries, IP in logs # will be taken from the X-Forwarded-For header. @@ -380,9 +381,9 @@ webrtcEncryption: no webrtcServerKey: server.key # Path to the server certificate. webrtcServerCert: server.crt -# Value of the Access-Control-Allow-Origin header provided in every HTTP response. -# This allows to play the WebRTC stream from an external website. -webrtcAllowOrigin: '*' +# List of allowed HTTP Origins. +# Supports wildcards: ['http://*.example.com'] +webrtcAllowOrigins: ['*'] # List of IPs or CIDRs of proxies placed before the WebRTC server. # If the server receives a request from one of these entries, IP in logs # will be taken from the X-Forwarded-For header.