Jump to content


Photo

Openwebif key authentication instead of http auth

openwebif

  • Please log in to reply
14 replies to this topic

#1 pistacio

  • Senior Member
  • 67 posts

0
Neutral

Posted 29 March 2017 - 11:14

Since I haven't found an openweif official forum I'm posting this here.

 

Does anybody know how to stream from webtv in openwebif plugin securing the source but without http://root:password...0:820000:0:0:0:?

 

I'd like to use a stream key something like http://192.168.1.2:8...0000:0:0:0:/key.

 

User authentication sometimes doesn't work.

 

Thanks :)



Re: Openwebif key authentication instead of http auth #2 WanWizard

  • Forum Moderator
    PLi® Core member
  • 47,168 posts

+784
Excellent

Posted 29 March 2017 - 18:26

Disable stream authentication?

 

Note that you should NEVER open the box to the internet, your box will be hijacked in no-time.


Currently in use: VU+Duo 4K (2xFBC S2), Amiko Viper T2C (T2), SAB Alpha Triple HD (S2+T2), Zgemma H3.T2C (T/C), Zgemma H6 (fallback), VU+Zero (fallback)

Many answers to your question can be found in our new and improved wiki.

note: I do not provide support via PM !

 


Re: Openwebif key authentication instead of http auth #3 pistacio

  • Senior Member
  • 67 posts

0
Neutral

Posted 29 March 2017 - 18:53

I know, this is why I want to use a path key instead of basic http auth, like the tvheadend links. On some browsers http auth doesn't work always.



Re: Openwebif key authentication instead of http auth #4 WanWizard

  • Forum Moderator
    PLi® Core member
  • 47,168 posts

+784
Excellent

Posted 29 March 2017 - 18:56

What do you mean by "path key"?


Currently in use: VU+Duo 4K (2xFBC S2), Amiko Viper T2C (T2), SAB Alpha Triple HD (S2+T2), Zgemma H3.T2C (T/C), Zgemma H6 (fallback), VU+Zero (fallback)

Many answers to your question can be found in our new and improved wiki.

note: I do not provide support via PM !

 


Re: Openwebif key authentication instead of http auth #5 pistacio

  • Senior Member
  • 67 posts

0
Neutral

Posted 29 March 2017 - 19:11

http://192.168.1.2:8001/reference/path_key


Edited by pistacio, 29 March 2017 - 19:11.


Re: Openwebif key authentication instead of http auth #6 WanWizard

  • Forum Moderator
    PLi® Core member
  • 47,168 posts

+784
Excellent

Posted 29 March 2017 - 19:14

I saw that, but I still don't know what a "path key" is, where it comes from, what it should do, ...


Currently in use: VU+Duo 4K (2xFBC S2), Amiko Viper T2C (T2), SAB Alpha Triple HD (S2+T2), Zgemma H3.T2C (T/C), Zgemma H6 (fallback), VU+Zero (fallback)

Many answers to your question can be found in our new and improved wiki.

note: I do not provide support via PM !

 


Re: Openwebif key authentication instead of http auth #7 pistacio

  • Senior Member
  • 67 posts

0
Neutral

Posted 30 March 2017 - 06:40

Is a security key that secures public exposed streams. It is part of an URI, this is why is called PATH / key

 

From a menu item I guess.
It should prevent stream access without knowing the key.
 
Even twitch has one:

Edited by pistacio, 30 March 2017 - 06:41.


Re: Openwebif key authentication instead of http auth #8 WanWizard

  • Forum Moderator
    PLi® Core member
  • 47,168 posts

+784
Excellent

Posted 31 March 2017 - 12:54

You still need authentication, it is what creates and validates a session key.

 

Anyway, nothing like this exist, and it will be complex to implement, as it needs interaction between different components, some in python, some in C++, some written and maintained by us, some by third parties (like OpenWebif). So you need everyone to agree on a single new authentication architecture before you can even start thinking about implementing it.


Currently in use: VU+Duo 4K (2xFBC S2), Amiko Viper T2C (T2), SAB Alpha Triple HD (S2+T2), Zgemma H3.T2C (T/C), Zgemma H6 (fallback), VU+Zero (fallback)

Many answers to your question can be found in our new and improved wiki.

note: I do not provide support via PM !

 


Re: Openwebif key authentication instead of http auth #9 pistacio

  • Senior Member
  • 67 posts

0
Neutral

Posted 31 March 2017 - 17:05

I thought about a stream key implementation in enigma2, at least in the part of enigma2 that manages port 8001 and a small addon in openwebif plugin that adds the "stream key" argument. This way you get rid of http auth which is antiquated when it comes to http streaming.. I'm not arguing about http auth with webif enigma2 managing, in this case http auth is just fine.

 

I have to use a mipsel nginx binary in my openpli box that proxy passes an arbitrary URL to localhost on port 8001 like this: http://192.168.1.2:8080/stream_key --------> http://127.0.0.1:800...0:820000:0:0:0:

 

In this case nginx takes ~30% of CPU time and it's a pitty because it could take 0% if a stream key would be implemented in enigma2.

 

Thanks anyway for your answer



Re: Openwebif key authentication instead of http auth #10 WanWizard

  • Forum Moderator
    PLi® Core member
  • 47,168 posts

+784
Excellent

Posted 31 March 2017 - 17:50

Implementing a session key is not a problem, that is known and proven technology, something that I as developer use every day (it is the basis of session management in every web based application).

 

The challenge is to make absolutely sure that the session key is safe, is generated safely and sufficiently random, and that only trusted people can create a session key. Which means authentication and authorisation. Any other authenticated stream works the same. You log in on a website, and once you have established a valid login, the session key is generated and attached to the stream request to validate the request.

 

A big problem with your suggestion is that in a lot of cases, streaming from enigma is not interactive, but it is a request coming from another device or IPTV client. In which case the URI is the only way to provide authentication.

 

So back to my original question, what is "path_key" or "stream_key"? What makes it? Where does it come from? How does it determine it is me and not some other person it should not let in?


Currently in use: VU+Duo 4K (2xFBC S2), Amiko Viper T2C (T2), SAB Alpha Triple HD (S2+T2), Zgemma H3.T2C (T/C), Zgemma H6 (fallback), VU+Zero (fallback)

Many answers to your question can be found in our new and improved wiki.

note: I do not provide support via PM !

 


Re: Openwebif key authentication instead of http auth #11 pistacio

  • Senior Member
  • 67 posts

0
Neutral

Posted 3 April 2017 - 12:19

So back to my original question, what is "path_key" or "stream_key"? What makes it? Where does it come from? How does it determine it is me and not some other person it should not let in?

 

Just an alphanumeric string. The enigma2 user. It would be up to the user to enter a random string that represents the stream key inside the openwebif plugin. If the stream key attached to the stream URI is the same as the one entered previously by the user then open, otherwise show error 404.

 

No sessions !

 

Session are useless for streaming because it's about ONE request and ONE response that lasts the time client watches the stream. Sessions are very useful when it comes to web browsing otherwise the login window would popup at every link click or page refresh without a session.

But we're talking about streaming.


Edited by pistacio, 3 April 2017 - 12:22.


Re: Openwebif key authentication instead of http auth #12 WanWizard

  • Forum Moderator
    PLi® Core member
  • 47,168 posts

+784
Excellent

Posted 3 April 2017 - 12:53

You mean a fixed key? What is the added security in that?


Currently in use: VU+Duo 4K (2xFBC S2), Amiko Viper T2C (T2), SAB Alpha Triple HD (S2+T2), Zgemma H3.T2C (T/C), Zgemma H6 (fallback), VU+Zero (fallback)

Many answers to your question can be found in our new and improved wiki.

note: I do not provide support via PM !

 


Re: Openwebif key authentication instead of http auth #13 pistacio

  • Senior Member
  • 67 posts

0
Neutral

Posted 3 April 2017 - 14:11

You mean a fixed key? What is the added security in that?

 

"root" username with a digested plain password is more secure than a fixed key?


Edited by pistacio, 3 April 2017 - 14:13.


Re: Openwebif key authentication instead of http auth #14 WanWizard

  • Forum Moderator
    PLi® Core member
  • 47,168 posts

+784
Excellent

Posted 3 April 2017 - 14:15

I didn't say that.

 

The box and it's OS are insecure, and not hardened against the threats of the Internet. We (as in OpenPLi) are against any form of exposing the box to the internet. And this is no exception.  

 

Anyway, I suggest that you pitch your proposal to the WebIf developers, as it is a 3rd party product, and see what they think about it.


Currently in use: VU+Duo 4K (2xFBC S2), Amiko Viper T2C (T2), SAB Alpha Triple HD (S2+T2), Zgemma H3.T2C (T/C), Zgemma H6 (fallback), VU+Zero (fallback)

Many answers to your question can be found in our new and improved wiki.

note: I do not provide support via PM !

 


Re: Openwebif key authentication instead of http auth #15 malakudi

  • PLi® Core member
  • 1,447 posts

+66
Good

Posted 5 April 2017 - 15:21

The 8001 streaming port is enabled by code inside enigma2 so a change for a different type of security should be implemented in openwebif AND enigma2.







2 user(s) are reading this topic

0 members, 2 guests, 0 anonymous users