Limit exposed go2rtc api to bare minimum (blakeblackshear#8762)

* only permit GET requests to go2rtc

* bare minimum go2rtc passthrough

* support frigate card

* expose go2rtc streams data only

docker/main/rootfs/usr/local/nginx/conf/nginx.conf

@@ -164,19 +164,38 @@ http {
  include proxy.conf;
  }
 
- location /live/mse/ {
- proxy_pass https://go2rtc/;
+ # frigate lovelace card uses this path
+ location /live/mse/api/ws {
+ limit_except GET {
+ deny  all;
+ }
+ proxy_pass https://go2rtc/api/ws;
  include proxy.conf;
  }
 
- location /live/webrtc/ {
- proxy_pass https://go2rtc/;
+ location /live/webrtc/api/ws {
+ limit_except GET {
+ deny  all;
+ }
+ proxy_pass https://go2rtc/api/ws;
  include proxy.conf;
  }
 
- location ~* /api/go2rtc([/]?.*)$ {
- proxy_pass https://go2rtc;
- rewrite ^/api/go2rtc(.*)$ /api$1 break;
+ # pass through go2rtc player
+ location /live/webrtc/webrtc.html {
+ limit_except GET {
+ deny  all;
+ }
+ proxy_pass https://go2rtc/webrtc.html;
+ include proxy.conf;
+ }
+
+ # frontend uses this to fetch the version
+ location /api/go2rtc/api {
+ limit_except GET {
+ deny  all;
+ }
+ proxy_pass https://go2rtc/api;
  include proxy.conf;
  }
 

frigate/http.py

@@ -16,6 +16,7 @@
 import cv2
 import numpy as np
 import pytz
+import requests
 from flask import (
  Blueprint,
  Flask,
@@ -1345,6 +1346,22 @@ def config_schema():
  )
 
 
+@bp.route("/go2rtc/streams")
+def go2rtc_streams():
+ r = requests.get("https://127.0.0.1:1984/api/streams")
+ if not r.ok:
+ logger.error("Failed to fetch streams from go2rtc")
+ return make_response(
+ jsonify({"success": False, "message": "Error fetching stream data"}),
+ 500,
+ )
+ stream_data = r.json()
+ for data in stream_data.values():
+ for producer in data["producers"]:
+ producer["url"] = clean_camera_user_pass(producer["url"])
+ return jsonify(stream_data)
+
+
 @bp.route("/version")
 def version():
  return VERSION

web/src/routes/System.jsx

@@ -41,7 +41,7 @@ export default function System() {
  const cameraNames = Object.keys(cameras || emptyObject);
  const processesNames = Object.keys(processes || emptyObject);
 
- const { data: go2rtc } = useSWR('go2rtc');
+ const { data: go2rtc } = useSWR('go2rtc/api');
 
  const onHandleFfprobe = async (camera, e) => {
  if (e) {
@@ -103,9 +103,9 @@ export default function System() {
  className="text-blue-500 hover:underline"
  target="_blank"
  rel="noopener noreferrer"
- href="/live/webrtc/"
+ href="/api/go2rtc/streams"
  >
- dashboard
+ streams info
  </Link>
  </span>
  )}
@@ -302,16 +302,16 @@ export default function System() {
  <Tr>
  <Th>GPU %</Th>
  <Th>Memory %</Th>
- {'dec' in gpu_usages[gpu] && (<Th>Decoder %</Th>)}
- {'enc' in gpu_usages[gpu] && (<Th>Encoder %</Th>)}
+ {'dec' in gpu_usages[gpu] && <Th>Decoder %</Th>}
+ {'enc' in gpu_usages[gpu] && <Th>Encoder %</Th>}
  </Tr>
  </Thead>
  <Tbody>
  <Tr>
  <Td>{gpu_usages[gpu]['gpu']}</Td>
  <Td>{gpu_usages[gpu]['mem']}</Td>
- {'dec' in gpu_usages[gpu] && (<Td>{gpu_usages[gpu]['dec']}</Td>)}
- {'enc' in gpu_usages[gpu] && (<Td>{gpu_usages[gpu]['enc']}</Td>)}
+ {'dec' in gpu_usages[gpu] && <Td>{gpu_usages[gpu]['dec']}</Td>}
+ {'enc' in gpu_usages[gpu] && <Td>{gpu_usages[gpu]['enc']}</Td>}
  </Tr>
  </Tbody>
  </Table>
@@ -350,14 +350,14 @@ export default function System() {
  <Link href={`/cameras/${camera}`}>{camera.replaceAll('_', ' ')}</Link>
  <div className="flex">
  {config.cameras[camera]['webui_url'] && (
- <Button 
- href={config.cameras[camera]['webui_url']}
- target="_blank"
- >
- Web UI<WebUI className="ml-1 h-4 w-4" fill="white" stroke="white" />
+ <Button href={config.cameras[camera]['webui_url']} target="_blank">
+ Web UI
+ <WebUI className="ml-1 h-4 w-4" fill="white" stroke="white" />
  </Button>
  )}
- <Button className="ml-2" onClick={(e) => onHandleFfprobe(camera, e)}>ffprobe</Button>
+ <Button className="ml-2" onClick={(e) => onHandleFfprobe(camera, e)}>
+ ffprobe
+ </Button>
  </div>
  </div>
  <div className="p-2">