webrtc: make HTTPS optional (#1312)

README.md

@@ -975,25 +975,10 @@ To decrease the latency, you can:
 
 ### General usage
 
-a TLS certificate is needed and can be generated with OpenSSL:
-
-```
-openssl genrsa -out server.key 2048
-openssl req -new -x509 -sha256 -key server.key -out server.crt -days 3650
-```
-
-Set the `webrtc`, `webrtcServerKey` and `webrtcServerCert` parameters in the configuration file:
-
-```yml
-webrtc: yes
-webrtcServerKey: server.key
-webrtcServerCert: server.crt
-```
-
 Every stream published to the server can be read with WebRTC by visiting:
 
 ```
-https://localhost:8889/mystream
+http://localhost:8889/mystream
 ```
 
 ### TURN servers

internal/conf/conf.go

@@ -224,8 +224,9 @@ type Conf struct {
 	HLSTrustedProxies  IPsOrCIDRs     `json:"hlsTrustedProxies"`
 
 	// WebRTC
-	WebRTC               bool       `json:"webrtc"`
+	WebRTCDisable        bool       `json:"webrtcDisable"`
 	WebRTCAddress        string     `json:"webrtcAddress"`
+	WebRTCEncryption     bool       `json:"webrtcEncryption"`
 	WebRTCServerKey      string     `json:"webrtcServerKey"`
 	WebRTCServerCert     string     `json:"webrtcServerCert"`
 	WebRTCAllowOrigin    string     `json:"webrtcAllowOrigin"`

internal/core/core.go

@@ -397,12 +397,13 @@ func (p *Core) createResources(initial bool) error {
 		}
 	}
 
-	if p.conf.WebRTC {
+	if !p.conf.WebRTCDisable {
 		if p.webRTCServer == nil {
 			p.webRTCServer, err = newWebRTCServer(
 				p.ctx,
 				p.conf.ExternalAuthenticationURL,
 				p.conf.WebRTCAddress,
+				p.conf.WebRTCEncryption,
 				p.conf.WebRTCServerKey,
 				p.conf.WebRTCServerCert,
 				p.conf.WebRTCAllowOrigin,
@@ -562,9 +563,10 @@ func (p *Core) closeResources(newConf *conf.Conf, calledByAPI bool) {
 		closeMetrics
 
 	closeWebrtcServer := newConf == nil ||
-		newConf.WebRTC != p.conf.WebRTC ||
+		newConf.WebRTCDisable != p.conf.WebRTCDisable ||
 		newConf.ExternalAuthenticationURL != p.conf.ExternalAuthenticationURL ||
 		newConf.WebRTCAddress != p.conf.WebRTCAddress ||
+		newConf.WebRTCEncryption != p.conf.WebRTCEncryption ||
 		newConf.WebRTCServerKey != p.conf.WebRTCServerKey ||
 		newConf.WebRTCServerCert != p.conf.WebRTCServerCert ||
 		newConf.WebRTCAllowOrigin != p.conf.WebRTCAllowOrigin ||

internal/core/core_test.go

@@ -241,6 +241,7 @@ func main() {
 
 			p1, ok := newInstance(fmt.Sprintf("rtmpDisable: yes\n"+
 				"hlsDisable: yes\n"+
+				"webrtcDisable: yes\n"+
 				"paths:\n"+
 				"  '~^(on)demand$':\n"+
 				"    runOnDemand: %s\n"+
@@ -320,6 +321,7 @@ func TestCorePathRunOnReady(t *testing.T) {
 
 	p, ok := newInstance(fmt.Sprintf("rtmpDisable: yes\n"+
 		"hlsDisable: yes\n"+
+		"webrtcDisable: yes\n"+
 		"paths:\n"+
 		"  test:\n"+
 		"    runOnReady: touch %s\n",

internal/core/hls_source_test.go

@@ -122,8 +122,9 @@ func TestHLSSource(t *testing.T) {
 	require.NoError(t, err)
 	defer ts.close()
 
-	p, ok := newInstance("hlsDisable: yes\n" +
-		"rtmpDisable: yes\n" +
+	p, ok := newInstance("rtmpDisable: yes\n" +
+		"hlsDisable: yes\n" +
+		"webrtcDisable: yes\n" +
 		"paths:\n" +
 		"  proxied:\n" +
 		"    source: http://localhost:5780/stream.m3u8\n" +

internal/core/metrics_test.go

@@ -27,7 +27,6 @@ func TestMetrics(t *testing.T) {
 	defer os.Remove(serverKeyFpath)
 
 	p, ok := newInstance("metrics: yes\n" +
-		"webrtc: yes\n" +
 		"webrtcServerCert: " + serverCertFpath + "\n" +
 		"webrtcServerKey: " + serverKeyFpath + "\n" +
 		"encryption: optional\n" +

internal/core/rtmp_server_test.go

@@ -43,6 +43,7 @@ func TestRTMPServerPublishRead(t *testing.T) {
 
 				p, ok := newInstance("rtspDisable: yes\n" +
 					"hlsDisable: yes\n" +
+					"webrtcDisable: yes\n" +
 					"rtmpEncryption: \"yes\"\n" +
 					"rtmpServerCert: " + serverCertFpath + "\n" +
 					"rtmpServerKey: " + serverKeyFpath + "\n" +
@@ -236,6 +237,7 @@ func TestRTMPServerAuthFail(t *testing.T) {
 	t.Run("publish", func(t *testing.T) { //nolint:dupl
 		p, ok := newInstance("rtspDisable: yes\n" +
 			"hlsDisable: yes\n" +
+			"webrtcDisable: yes\n" +
 			"paths:\n" +
 			"  all:\n" +
 			"    publishUser: testuser2\n" +
@@ -345,6 +347,7 @@ func TestRTMPServerAuthFail(t *testing.T) {
 	t.Run("read", func(t *testing.T) { //nolint:dupl
 		p, ok := newInstance("rtspDisable: yes\n" +
 			"hlsDisable: yes\n" +
+			"webrtcDisable: yes\n" +
 			"paths:\n" +
 			"  all:\n" +
 			"    readUser: testuser2\n" +

internal/core/rtsp_server_test.go

@@ -20,6 +20,7 @@ func TestRTSPServerAuth(t *testing.T) {
 			if ca == "internal" {
 				conf = "rtmpDisable: yes\n" +
 					"hlsDisable: yes\n" +
+					"webrtcDisable: yes\n" +
 					"paths:\n" +
 					"  all:\n" +
 					"    publishUser: testpublisher\n" +
@@ -86,6 +87,7 @@ func TestRTSPServerAuth(t *testing.T) {
 	t.Run("hashed", func(t *testing.T) {
 		p, ok := newInstance("rtmpDisable: yes\n" +
 			"hlsDisable: yes\n" +
+			"webrtcDisable: yes\n" +
 			"paths:\n" +
 			"  all:\n" +
 			"    publishUser: sha256:rl3rgi4NcZkpAEcacZnQ2VuOfJ0FxAqCRaKB/SwdZoQ=\n" +
@@ -130,6 +132,7 @@ func TestRTSPServerAuthFail(t *testing.T) {
 		t.Run("publish_"+ca.name, func(t *testing.T) {
 			p, ok := newInstance("rtmpDisable: yes\n" +
 				"hlsDisable: yes\n" +
+				"webrtcDisable: yes\n" +
 				"paths:\n" +
 				"  all:\n" +
 				"    publishUser: testuser\n" +
@@ -173,6 +176,7 @@ func TestRTSPServerAuthFail(t *testing.T) {
 		t.Run("read_"+ca.name, func(t *testing.T) {
 			p, ok := newInstance("rtmpDisable: yes\n" +
 				"hlsDisable: yes\n" +
+				"webrtcDisable: yes\n" +
 				"paths:\n" +
 				"  all:\n" +
 				"    readUser: testuser\n" +
@@ -197,6 +201,7 @@ func TestRTSPServerAuthFail(t *testing.T) {
 	t.Run("ip", func(t *testing.T) {
 		p, ok := newInstance("rtmpDisable: yes\n" +
 			"hlsDisable: yes\n" +
+			"webrtcDisable: yes\n" +
 			"paths:\n" +
 			"  all:\n" +
 			"    publishIPs: [128.0.0.1/32]\n")
@@ -355,6 +360,7 @@ func TestRTSPServerFallback(t *testing.T) {
 
 			p1, ok := newInstance("rtmpDisable: yes\n" +
 				"hlsDisable: yes\n" +
+				"webrtcDisable: yes\n" +
 				"paths:\n" +
 				"  path1:\n" +
 				"    fallback: " + val + "\n" +

internal/core/rtsp_source_test.go

@@ -226,6 +226,7 @@ func TestRTSPSourceNoPassword(t *testing.T) {
 
 	p, ok := newInstance("rtmpDisable: yes\n" +
 		"hlsDisable: yes\n" +
+		"webrtcDisable: yes\n" +
 		"paths:\n" +
 		"  proxied:\n" +
 		"    source: rtsp://testuser:@127.0.0.1:8555/teststream\n" +
@@ -293,6 +294,7 @@ func TestRTSPSourceDynamicH264Params(t *testing.T) {
 
 		p, ok := newInstance("rtmpDisable: yes\n" +
 			"hlsDisable: yes\n" +
+			"webrtcDisable: yes\n" +
 			"paths:\n" +
 			"  proxied:\n" +
 			"    source: rtsp://127.0.0.1:8555/teststream\n")
@@ -372,6 +374,7 @@ func TestRTSPSourceDynamicH264Params(t *testing.T) {
 
 		p, ok := newInstance("rtmpDisable: yes\n" +
 			"hlsDisable: yes\n" +
+			"webrtcDisable: yes\n" +
 			"paths:\n" +
 			"  proxied:\n" +
 			"    source: rtsp://127.0.0.1:8555/teststream\n")
@@ -454,6 +457,7 @@ func TestRTSPSourceRemovePadding(t *testing.T) {
 
 	p, ok := newInstance("rtmpDisable: yes\n" +
 		"hlsDisable: yes\n" +
+		"webrtcDisable: yes\n" +
 		"paths:\n" +
 		"  proxied:\n" +
 		"    source: rtsp://127.0.0.1:8555/teststream\n")
@@ -690,6 +694,7 @@ func TestRTSPSourceOversizedPackets(t *testing.T) {
 
 			p, ok := newInstance("rtmpDisable: yes\n" +
 				"hlsDisable: yes\n" +
+				"webrtcDisable: yes\n" +
 				"paths:\n" +
 				"  proxied:\n" +
 				"    source: rtsp://127.0.0.1:8555/teststream\n" +

internal/core/webrtc_server.go

@@ -95,6 +95,7 @@ func newWebRTCServer(
 	parentCtx context.Context,
 	externalAuthenticationURL string,
 	address string,
+	encryption bool,
 	serverKey string,
 	serverCert string,
 	allowOrigin string,
@@ -110,14 +111,17 @@ func newWebRTCServer(
 		return nil, err
 	}
 
-	crt, err := tls.LoadX509KeyPair(serverCert, serverKey)
-	if err != nil {
-		ln.Close()
-		return nil, err
-	}
+	var tlsConfig *tls.Config
+	if encryption {
+		crt, err := tls.LoadX509KeyPair(serverCert, serverKey)
+		if err != nil {
+			ln.Close()
+			return nil, err
+		}
 
-	tlsConfig := &tls.Config{
-		Certificates: []tls.Certificate{crt},
+		tlsConfig = &tls.Config{
+			Certificates: []tls.Certificate{crt},
+		}
 	}
 
 	ctx, ctxCancel := context.WithCancel(parentCtx)

internal/highleveltests/rtsp_server_test.go

@@ -44,6 +44,7 @@ func TestRTSPServerPublishRead(t *testing.T) {
 
 				p, ok := newInstance("rtmpDisable: yes\n" +
 					"hlsDisable: yes\n" +
+					"webrtcDisable: yes\n" +
 					"readTimeout: 20s\n" +
 					"paths:\n" +
 					"  all:\n")
@@ -63,6 +64,7 @@ func TestRTSPServerPublishRead(t *testing.T) {
 
 				p, ok := newInstance("rtmpDisable: yes\n" +
 					"hlsDisable: yes\n" +
+					"webrtcDisable: yes\n" +
 					"readTimeout: 20s\n" +
 					"protocols: [tcp]\n" +
 					"encryption: \"yes\"\n" +
@@ -199,6 +201,7 @@ func TestRTSPServerPublishRead(t *testing.T) {
 func TestRTSPServerRedirect(t *testing.T) {
 	p1, ok := newInstance("rtmpDisable: yes\n" +
 		"hlsDisable: yes\n" +
+		"webrtcDisable: yes\n" +
 		"paths:\n" +
 		"  path1:\n" +
 		"    source: redirect\n" +

rtsp-simple-server.yml

@@ -169,11 +169,13 @@ hlsTrustedProxies: []
 ###############################################
 # WebRTC parameters
 
-# Enable support for the WebRTC protocol.
-webrtc: no
+# Disable support for the WebRTC protocol.
+webrtcDisable: no
 # Address of the WebRTC listener.
 webrtcAddress: :8889
-# Path to the server key. This is mandatory since HTTPS is mandatory in order to use WebRTC.
+# Enable TLS/HTTPS on the WebRTC server.
+webrtcEncryption: no
+# Path to the server key.
 # This can be generated with:
 # openssl genrsa -out server.key 2048
 # openssl req -new -x509 -sha256 -key server.key -out server.crt -days 3650