Commit 2bcbff09 by xia-chu

web hook不再直接放行来自127.0.0.1播放鉴权请求

防止代理越过鉴权
parent 2c8a4686
...@@ -332,7 +332,7 @@ void installWebHook() { ...@@ -332,7 +332,7 @@ void installWebHook() {
NoticeCenter::Instance().addListener(&web_hook_tag, Broadcast::kBroadcastMediaPublish, [](BroadcastMediaPublishArgs) { NoticeCenter::Instance().addListener(&web_hook_tag, Broadcast::kBroadcastMediaPublish, [](BroadcastMediaPublishArgs) {
GET_CONFIG(string, hook_publish, Hook::kOnPublish); GET_CONFIG(string, hook_publish, Hook::kOnPublish);
if (!hook_enable || hook_publish.empty() || sender.get_peer_ip() == "127.0.0.1") { if (!hook_enable || hook_publish.empty()) {
invoker("", ProtocolOption()); invoker("", ProtocolOption());
return; return;
} }
...@@ -357,7 +357,7 @@ void installWebHook() { ...@@ -357,7 +357,7 @@ void installWebHook() {
NoticeCenter::Instance().addListener(&web_hook_tag, Broadcast::kBroadcastMediaPlayed, [](BroadcastMediaPlayedArgs) { NoticeCenter::Instance().addListener(&web_hook_tag, Broadcast::kBroadcastMediaPlayed, [](BroadcastMediaPlayedArgs) {
GET_CONFIG(string, hook_play, Hook::kOnPlay); GET_CONFIG(string, hook_play, Hook::kOnPlay);
if (!hook_enable || hook_play.empty() || sender.get_peer_ip() == "127.0.0.1") { if (!hook_enable || hook_play.empty()) {
invoker(""); invoker("");
return; return;
} }
...@@ -371,7 +371,7 @@ void installWebHook() { ...@@ -371,7 +371,7 @@ void installWebHook() {
NoticeCenter::Instance().addListener(&web_hook_tag, Broadcast::kBroadcastFlowReport, [](BroadcastFlowReportArgs) { NoticeCenter::Instance().addListener(&web_hook_tag, Broadcast::kBroadcastFlowReport, [](BroadcastFlowReportArgs) {
GET_CONFIG(string, hook_flowreport, Hook::kOnFlowReport); GET_CONFIG(string, hook_flowreport, Hook::kOnFlowReport);
if (!hook_enable || hook_flowreport.empty() || sender.get_peer_ip() == "127.0.0.1") { if (!hook_enable || hook_flowreport.empty()) {
return; return;
} }
auto body = make_json(args); auto body = make_json(args);
...@@ -390,7 +390,7 @@ void installWebHook() { ...@@ -390,7 +390,7 @@ void installWebHook() {
// 监听kBroadcastOnGetRtspRealm事件决定rtsp链接是否需要鉴权(传统的rtsp鉴权方案)才能访问 // 监听kBroadcastOnGetRtspRealm事件决定rtsp链接是否需要鉴权(传统的rtsp鉴权方案)才能访问
NoticeCenter::Instance().addListener(&web_hook_tag, Broadcast::kBroadcastOnGetRtspRealm, [](BroadcastOnGetRtspRealmArgs) { NoticeCenter::Instance().addListener(&web_hook_tag, Broadcast::kBroadcastOnGetRtspRealm, [](BroadcastOnGetRtspRealmArgs) {
GET_CONFIG(string, hook_rtsp_realm, Hook::kOnRtspRealm); GET_CONFIG(string, hook_rtsp_realm, Hook::kOnRtspRealm);
if (!hook_enable || hook_rtsp_realm.empty() || sender.get_peer_ip() == "127.0.0.1") { if (!hook_enable || hook_rtsp_realm.empty()) {
// 无需认证 // 无需认证
invoker(""); invoker("");
return; return;
...@@ -539,7 +539,7 @@ void installWebHook() { ...@@ -539,7 +539,7 @@ void installWebHook() {
NoticeCenter::Instance().addListener(&web_hook_tag, Broadcast::kBroadcastShellLogin, [](BroadcastShellLoginArgs) { NoticeCenter::Instance().addListener(&web_hook_tag, Broadcast::kBroadcastShellLogin, [](BroadcastShellLoginArgs) {
GET_CONFIG(string, hook_shell_login, Hook::kOnShellLogin); GET_CONFIG(string, hook_shell_login, Hook::kOnShellLogin);
if (!hook_enable || hook_shell_login.empty() || sender.get_peer_ip() == "127.0.0.1") { if (!hook_enable || hook_shell_login.empty()) {
invoker(""); invoker("");
return; return;
} }
...@@ -617,11 +617,6 @@ void installWebHook() { ...@@ -617,11 +617,6 @@ void installWebHook() {
// 追踪用户的目的是为了缓存上次鉴权结果,减少鉴权次数,提高性能 // 追踪用户的目的是为了缓存上次鉴权结果,减少鉴权次数,提高性能
NoticeCenter::Instance().addListener(&web_hook_tag, Broadcast::kBroadcastHttpAccess, [](BroadcastHttpAccessArgs) { NoticeCenter::Instance().addListener(&web_hook_tag, Broadcast::kBroadcastHttpAccess, [](BroadcastHttpAccessArgs) {
GET_CONFIG(string, hook_http_access, Hook::kOnHttpAccess); GET_CONFIG(string, hook_http_access, Hook::kOnHttpAccess);
if (sender.get_peer_ip() == "127.0.0.1") {
// 如果是本机或超级管理员访问,那么不做访问鉴权;权限有效期1个小时
invoker("", "", 60 * 60);
return;
}
if (!hook_enable || hook_http_access.empty()) { if (!hook_enable || hook_http_access.empty()) {
// 未开启http文件访问鉴权,那么允许访问,但是每次访问都要鉴权; // 未开启http文件访问鉴权,那么允许访问,但是每次访问都要鉴权;
// 因为后续随时都可能开启鉴权(重载配置文件后可能重新开启鉴权) // 因为后续随时都可能开启鉴权(重载配置文件后可能重新开启鉴权)
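Review bot: The six guards that lose `sender.get_peer_ip() == "127.0.0.1"` (publish, play, flow report, RTSP realm, shell login, HTTP access) carry no comment explaining why loopback peers are no longer exempt, and the commit title mentions only play authentication, so a later maintainer could reasonably re-add the shortcut. I would put a one-line comment above each guard, e.g. `// loopback is not trusted: a same-host reverse proxy makes every client appear as 127.0.0.1`, and state in the description that same-host publishers, shell logins and HTTP file access now go through the hook as well. installWebHook starts and ends outside these hunks, so any listener not shown here should be checked for the same comparison.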