After you have built your SRS server, you can use HTTP API to access it by SRS console or other HTTP clients. However, you should secure your HTTP API to prevent unauthorized access. This article describes how to secure your HTTP API.
First of all, please upgrade SRS to 5.0.152+ or 6.0.40+, which supports HTTP API security.
Then, please enable the HTTP basic authentication by configuration
Now, start SRS with the config:
./objs/srs -c conf/http.api.auth.conf
Or set up the username and password by environment variables:
env SRS_HTTP_API_ENABLED=on SRS_HTTP_SERVER_ENABLED=on \
SRS_HTTP_API_AUTH_ENABLED=on SRS_HTTP_API_AUTH_USERNAME=admin SRS_HTTP_API_AUTH_PASSWORD=admin \
Now, you can access the following urls to verify it:
- Prompt for username and password: http://localhost:1985/api/v1/versions
- URL with authentication: http://admin:admin@localhost:1985/api/v1/versions
To clean up the username and password, you can access the HTTP API with the username only:
Note: Please note that we only secure the HTTP API, neither the HTTP server nor the WebRTC HTTP apis.
SRS console is a web application to manage your SRS server. When SRS server started, you can access the SRS console by the URL: http://localhost:8080/console/
If you enable the HTTP API authentication, you should use URL with username and password to access the SRS console: http://admin:admin@localhost:8080/console/
Or, the browser will prompt for username and password.
For SRS 4.0
SRS 4.0 does not support HTTP API authentication, however there is a workaround to secure your HTTP API. You can use the nginx to proxy the HTTP API, and enable the HTTP basic authentication by nginx. Or write a Go HTTP proxy for SRS HTTP API.
Browser ---HTTP-with-Authentication---> Nginx ---HTTP---> SRS 4.0
In this solution, you should also change the listen of SRS HTTP API to lo:
So that the HTTP API is only accessible by the localhost proxy server.
About WebRTC API Security
SRS doesn't support HTTP API authentication for WebRTC, instead, you should use the HTTP callback to verify the client.
GitHub Copilot and I wrote this article.
The code of this feature was written by SRS developers and GitHub Copilot.