Skip to main content

SRS Server - How to Secure Your HTTP API

· 2 min read

After you have built your SRS server, you can use HTTP API to access it by SRS console or other HTTP clients. However, you should secure your HTTP API to prevent unauthorized access. This article describes how to secure your HTTP API.

Usage​

First of all, please upgrade SRS to 5.0.152+ or 6.0.40+, which supports HTTP API security.

Then, please enable the HTTP basic authentication by configuration http_api.auth:

# conf/http.api.auth.conf
http_api {
enabled on;
listen 1985;
auth {
enabled on;
username admin;
password admin;
}
}

Now, start SRS with the config:

./objs/srs -c conf/http.api.auth.conf

Or set up the username and password by environment variables:

env SRS_HTTP_API_ENABLED=on SRS_HTTP_SERVER_ENABLED=on \
SRS_HTTP_API_AUTH_ENABLED=on SRS_HTTP_API_AUTH_USERNAME=admin SRS_HTTP_API_AUTH_PASSWORD=admin \
./objs/srs -e

Now, you can access the following urls to verify it:

To clean up the username and password, you can access the HTTP API with the username only:

Note: Please note that we only secure the HTTP API, neither the HTTP server nor the WebRTC HTTP apis.

SRS Console​

SRS console is a web application to manage your SRS server. When SRS server started, you can access the SRS console by the URL: http://localhost:8080/console/

If you enable the HTTP API authentication, you should use URL with username and password to access the SRS console: http://admin:admin@localhost:8080/console/

Or, the browser will prompt for username and password.

For SRS 4.0​

SRS 4.0 does not support HTTP API authentication, however there is a workaround to secure your HTTP API. You can use the nginx to proxy the HTTP API, and enable the HTTP basic authentication by nginx. Or write a Go HTTP proxy for SRS HTTP API.

Browser ---HTTP-with-Authentication---> Nginx ---HTTP---> SRS 4.0

In this solution, you should also change the listen of SRS HTTP API to lo:

http_api {
enabled on;
listen 127.0.0.1:1985;
}

So that the HTTP API is only accessible by the localhost proxy server.

About WebRTC API Security​

SRS doesn't support HTTP API authentication for WebRTC, instead, you should use the HTTP callback to verify the client.

Please see WebRTC HTTP Callback and Token Authentication for more details.

Conclusion​

GitHub Copilot and I wrote this article.

The code of this feature was written by SRS developers and GitHub Copilot.