Add security notes to README
This commit is contained in:
parent
c83acbdcfe
commit
1558fd2f77
1 changed files with 9 additions and 0 deletions
|
|
@ -48,3 +48,12 @@ There's only a couple supported methods of customization at this time:
|
|||
1. `assets/webhook_avatars` can provide for a way to assign stream keys an avatar that the webhook will use when announcing that key has gone live
|
||||
2. `assets/errorlogo.gif` can be replaced to replace the throbber on any interface waiting for a stream to start
|
||||
3. Anything in `templates/` can be edited as desired but will likely be reverted in a future update
|
||||
|
||||
|
||||
# Security
|
||||
|
||||
For the moment, security is the responsibility of the HTTP proxy. The CherryPy app does not do any kind of authentication (and you want to do authentication). You *should not* simply proxy all HTTPS traffic to the app. You should add basic authentication for your `/management*` endpoints, and also add authentication to the endpoint named after your OvenMediaEngine apps if you want to secure them.
|
||||
|
||||
Even still, someone who knows an exact stream key can currently get the Websocket for your WebRTC sessions and the RTMP URL to push. This is an inherited weakness from OvenMediaEngine and would be a 2.0 goal to add viewer authentication and passphrases to the Admission Webhook.
|
||||
|
||||
tl;dr: This is no more or less secure than an RTMP server sitting on the open internet.
|
||||
|
|
|
|||
Loading…
Add table
Reference in a new issue