From b83adfecbee7a1462f9e3aaa16be47e86a3621ff Mon Sep 17 00:00:00 2001 From: Trysdyn Black Date: Fri, 20 Dec 2024 16:07:32 -0800 Subject: [PATCH] More README clarifications I wrote code better than docs... --- README.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/README.md b/README.md index cb3be63..cd1f790 100644 --- a/README.md +++ b/README.md @@ -19,9 +19,9 @@ This project tries to be pretty lean. Requirements should be roughly... 1. WebRTC publishing 2. The API enabled with a user/password set 3. Some number of applications - 4. Applications configured with a producer webhook of `http://localhost:8080` + 4. Applications configured with a producer webhook of `http://localhost:8080/admission` 2. Extract or clone this repository somewhere -3. Configure your HTTP daemon/proxy/etc to proxy HTTPS to `http://localhost:8080/admission` +3. Configure your HTTP daemon/proxy/etc to proxy HTTPS to `http://localhost:8080` 4. Set up environment variables to your liking. The OvenMediaEngine API key and password are mandatory; see Configuration below 5. Start the management engine with either `python3 main.py` or a systemd unit as noted in `examples/` 
@@ -53,7 +53,7 @@ There's only a couple supported methods of customization at this time: # Security -For the moment, security is the responsibility of the HTTP proxy. The CherryPy app does not do any kind of authentication (and you want to do authentication). You *should not* simply proxy all HTTPS traffic to the app. You should add basic authentication for your `/management*` endpoints, and also add authentication to the endpoint named after your OvenMediaEngine apps if you want to secure them. +For the moment, security is the responsibility of the HTTP proxy. The CherryPy app does not do any kind of authentication (and you want to do authentication). You *should not* simply proxy all HTTPS traffic to the app. You should add basic authentication for your `/management*` endpoints, and also add authentication to the endpoint named after your OvenMediaEngine apps if you want to secure them. You also need `/assets*` proxied without auth to the app. Even still, someone who knows an exact stream key can currently get the Websocket for your WebRTC sessions and the RTMP URL to push. This is an inherited weakness from OvenMediaEngine and would be a 2.0 goal to add viewer authentication and passphrases to the Admission Webhook.
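Review bot: Step 3 in the first hunk now sends proxied HTTPS to the app root `http://localhost:8080`, which reads as the blanket proxying the Security section warns against ("You *should not* simply proxy all HTTPS traffic to the app"). Suggest having step 3 point at the Security section, or list there the paths that should be forwarded. With the producer webhook in step 1.4 now at `http://localhost:8080/admission`, it is also worth stating whether `/admission` should be reachable through the public proxy at all or blocked there.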
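Review bot: The sentence added to the Security paragraph in the second hunk, "You also need `/assets*` proxied without auth to the app", leaves the paragraph with three path rules buried in prose and no statement about every other path. Suggest a short list (`/management*` with basic authentication, the app-named endpoints with authentication if wanted, `/assets*` without auth) plus an explicit line that all remaining paths are not forwarded, so the "should not simply proxy all HTTPS traffic" advice is actionable. A word on what `/assets*` serves would let operators confirm it is safe to leave unauthenticated.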