From 524dafd8009bfcc433bff715951d0cc350f5ebd6 Mon Sep 17 00:00:00 2001 From: Rob Watson Date: Fri, 11 Apr 2025 09:28:30 +0200 Subject: [PATCH] security(mediaserver): bind to 127.0.0.1 --- internal/mediaserver/actor.go | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/internal/mediaserver/actor.go b/internal/mediaserver/actor.go index 86e09df..1cff252 100644 --- a/internal/mediaserver/actor.go +++ b/internal/mediaserver/actor.go @@ -104,8 +104,10 @@ func NewActor(ctx context.Context, params NewActorParams) (_ *Actor, err error) } func (a *Actor) Start(ctx context.Context) error { - apiPortSpec := nat.Port(strconv.Itoa(a.apiPort) + ":9997") - rtmpPortSpec := nat.Port(strconv.Itoa(+a.rtmpPort) + ":1935") + // Exposed ports are bound to 127.0.0.1 for security. + // TODO: configurable RTMP bind address + apiPortSpec := nat.Port("127.0.0.1:" + strconv.Itoa(a.apiPort) + ":9997") + rtmpPortSpec := nat.Port("127.0.0.1:" + strconv.Itoa(+a.rtmpPort) + ":1935") exposedPorts, portBindings, _ := nat.ParsePortSpecs([]string{string(apiPortSpec), string(rtmpPortSpec)}) // The RTMP URL is passed to the UI via the state.