Clarify security scope in README

This commit is contained in:
Trysdyn Black 2024-12-20 15:51:13 -08:00
parent 80dea5fd69
commit 8179023cb8


@ -57,4 +57,15 @@ For the moment, security is the responsibility of the HTTP proxy. The CherryPy a
Even still, someone who knows an exact stream key can currently get the Websocket for your WebRTC sessions and the RTMP URL to push. This is an inherited weakness from OvenMediaEngine and would be a 2.0 goal to add viewer authentication and passphrases to the Admission Webhook.
tl;dr: This is no more or less secure than an RTMP server sitting on the open internet.
In addition, OvenMediaEngine has been known to have a recurring bug where its API endpoint will listen on all IP addresses even if configured not to do so. It is recommended you use a firewall to block all ports except and use your HTTP proxy for most traffic. The recommended setup:
- OvenMediaEngine API port on localhost:8081 and firewalled
- OvenMediaEngine TCP Relay at :3478 and open
- ICE Candidates set to UDP 10000-10004 and open
- WHIP Signaling at :3333 and firewalled
- OvenEmprex at :8080 and firewalled
- HTTP proxy set to listen on :443 and proxy all HTTP traffic to localhost:8080
- HTTP proxy also listening on :3334 and proxying all HTTP traffic to localhost:3333
- HTTP proxy applying basic auth of some form to `/management*`
tl;dr: This is no more or less secure than an RTMP server sitting on the open internet if you firewall stuff.
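Review bot: the sentence "It is recommended you use a firewall to block all ports except and use your HTTP proxy for most traffic" in this hunk drops the exception list after "except", so the reader cannot tell which ports are meant to stay open; spelling it out as "block all ports except those marked open below" would tie it to the list that follows (3478/TCP and UDP 10000-10004). The hunk also now carries two "tl;dr" lines stating the same conclusion, one before the firewall guidance and one after it with the added "if you firewall stuff" qualifier; keeping only the final one avoids a conclusion that is stated before the conditions it depends on. Finally, "basic auth of some form to `/management*`" leaves the protection of the management path underspecified; naming the expected mechanism (HTTP Basic auth or an equivalent proxy-enforced login) and noting that the rest of the proxied paths stay unauthenticated would make the intended security boundary explicit for anyone deploying from this README.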