From a490c375f41077fd63df79d754a7815c2016233e Mon Sep 17 00:00:00 2001
From: Blake Blackshear
Date: Tue, 28 Nov 2023 00:25:47 +0000
Subject: [PATCH] Limit exposed go2rtc api to bare minimum (#8762)
* only permit GET requests to go2rtc
* bare minimum go2rtc passthrough
* support frigate card
* expose go2rtc streams data only
---
 .../rootfs/usr/local/nginx/conf/nginx.conf | 33 +++++++++++++++----
 frigate/http.py | 17 ++++++++++
 web/src/routes/System.jsx | 26 +++++++--------
 3 files changed, 56 insertions(+), 20 deletions(-)
diff --git a/docker/main/rootfs/usr/local/nginx/conf/nginx.conf b/docker/main/rootfs/usr/local/nginx/conf/nginx.conf
index 1d3b80de3..b25c9897d 100644
--- a/docker/main/rootfs/usr/local/nginx/conf/nginx.conf
+++ b/docker/main/rootfs/usr/local/nginx/conf/nginx.conf
@@ -164,19 +164,38 @@ http {
 include proxy.conf;
 }
- location /live/mse/ {
- proxy_pass http://go2rtc/;
+ # frigate lovelace card uses this path
+ location /live/mse/api/ws {
+ limit_except GET {
+ deny all;
+ }
+ proxy_pass http://go2rtc/api/ws;
 include proxy.conf;
 }
- location /live/webrtc/ {
- proxy_pass http://go2rtc/;
+ location /live/webrtc/api/ws {
+ limit_except GET {
+ deny all;
+ }
+ proxy_pass http://go2rtc/api/ws;
 include proxy.conf;
 }
- location ~* /api/go2rtc([/]?.*)$ {
- proxy_pass http://go2rtc;
- rewrite ^/api/go2rtc(.*)$ /api$1 break;
+ # pass through go2rtc player
+ location /live/webrtc/webrtc.html {
+ limit_except GET {
+ deny all;
+ }
+ proxy_pass http://go2rtc/webrtc.html;
+ include proxy.conf;
+ }
+
+ # frontend uses this to fetch the version
+ location /api/go2rtc/api {
+ limit_except GET {
+ deny all;
+ }
+ proxy_pass http://go2rtc/api;
 include proxy.conf;
 }
diff --git a/frigate/http.py b/frigate/http.py
index 498f0d380..190ae4703 100644
--- a/frigate/http.py
+++ b/frigate/http.py
@@ -16,6 +16,7 @@ from urllib.parse import unquote
 import cv2
 import numpy as np
 import pytz
+import requests
 from flask import (
 Blueprint,
 Flask,
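Review bot: The new `location /api/go2rtc/api` block is a prefix match, so it forwards every path beneath it as well as the one the comment describes. With `proxy_pass http://go2rtc/api;` a GET for `/api/go2rtc/api/streams` would be mapped to go2rtc's `/api/streams`, which is the same data the Flask route added in this commit passes through `clean_camera_user_pass` before returning, so the redaction could be sidestepped through nginx. If the frontend only needs this path for the version, an exact match keeps the passthrough to that one URI: `location = /api/go2rtc/api {`. The same tightening fits the two `/api/ws` locations and `webrtc.html`, where `location = ...` still matches requests carrying a query string but stops longer paths sharing the prefix from reaching go2rtc.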
@@ -1345,6 +1346,22 @@ def config_schema(): ) +@bp.route("/go2rtc/streams") +def go2rtc_streams(): + r = requests.get("http://127.0.0.1:1984/api/streams") + if not r.ok: + logger.error("Failed to fetch streams from go2rtc") + return make_response( + jsonify({"success": False, "message": "Error fetching stream data"}), + 500, + ) + stream_data = r.json() + for data in stream_data.values(): + for producer in data["producers"]: + producer["url"] = clean_camera_user_pass(producer["url"]) + return jsonify(stream_data) + + @bp.route("/version") def version(): return VERSION diff --git a/web/src/routes/System.jsx b/web/src/routes/System.jsx index eb094faa2..77b37686f 100644 --- a/web/src/routes/System.jsx +++ b/web/src/routes/System.jsx @@ -41,7 +41,7 @@ export default function System() { const cameraNames = Object.keys(cameras || emptyObject); const processesNames = Object.keys(processes || emptyObject); - const { data: go2rtc } = useSWR('go2rtc'); + const { data: go2rtc } = useSWR('go2rtc/api'); const onHandleFfprobe = async (camera, e) => { if (e) { @@ -103,9 +103,9 @@ export default function System() { className="text-blue-500 hover:underline" target="_blank" rel="noopener noreferrer" - href="/live/webrtc/" + href="/api/go2rtc/streams" > - dashboard + streams info )} @@ -302,16 +302,16 @@ export default function System() { GPU % Memory % - {'dec' in gpu_usages[gpu] && (Decoder %)} - {'enc' in gpu_usages[gpu] && (Encoder %)} + {'dec' in gpu_usages[gpu] && Decoder %} + {'enc' in gpu_usages[gpu] && Encoder %} {gpu_usages[gpu]['gpu']} {gpu_usages[gpu]['mem']} - {'dec' in gpu_usages[gpu] && ({gpu_usages[gpu]['dec']})} - {'enc' in gpu_usages[gpu] && ({gpu_usages[gpu]['enc']})} + {'dec' in gpu_usages[gpu] && {gpu_usages[gpu]['dec']}} + {'enc' in gpu_usages[gpu] && {gpu_usages[gpu]['enc']}} @@ -350,14 +350,14 @@ export default function System() { {camera.replaceAll('_', ' ')}
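Review bot: `requests.get` in `go2rtc_streams` is called without a timeout and outside any `try`, so a stalled go2rtc blocks the worker indefinitely and a refused connection raises `requests.RequestException` instead of returning the JSON error the `not r.ok` branch was written for. The redaction loop also indexes `data["producers"]` and `producer["url"]` directly; if go2rtc reports a stream with no producers (a null or missing key) or a producer without a `url`, the handler fails with an unhandled exception rather than returning the streams it could clean. Whether `clean_camera_user_pass` also covers credentials carried in a query string cannot be judged from this hunk, since it is defined elsewhere; worth confirming, because this endpoint is now the sanctioned way to read stream URLs. The 5-second timeout below is a constructed value.

```python
def go2rtc_streams():
    try:
        r = requests.get("http://127.0.0.1:1984/api/streams", timeout=5)
    except requests.RequestException:
        logger.exception("Failed to reach go2rtc")
        return make_response(
            jsonify({"success": False, "message": "Error fetching stream data"}),
            500,
        )
    # … unchanged: `if not r.ok` error response and `stream_data = r.json()` …
    for data in stream_data.values():
        for producer in data.get("producers") or []:
            if producer.get("url"):
                producer["url"] = clean_camera_user_pass(producer["url"])
    # … unchanged: return jsonify(stream_data) …
```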
{config.cameras[camera]['webui_url'] && ( - )} - +