Embedded web server
From SpinetiX Support Wiki
Description
SpinetiX players feature an embedded web server offering access to different player applications such as:
- Player web interface
  - Offers access to the full management of the player through Control Center (for making configuration changes and requesting information from the device) and a built-in content management application: the Content creation tool and Content scheduling tool for DiVA, HMP300 and HMP350, or Fusion for older players.
  - This interface is loaded by default when using the player address.
- Player content server (HMP only)
  - This is dedicated to external content storage, where Elementi, HMD or other clients can publish content using the WebDAV protocol. The content retrieved by the player from external servers through Scheduled Download or Pull Mode is also stored here.
  - This interface is available using the player address followed by "/content" or port ":81" for HTTP, or ":9802" for secure HTTP.
- Player APIs
  - Status API for getting the current status of the player (operating status, device stats, screen display settings, storage details etc.) or a snapshot of the content being rendered. This interface is available using the player address followed by "/status".
  - RPC API for remote management and monitoring. This interface is available using the player address followed by "/rpc".
  - Web Storage REST API to allow reading and writing variables (i.e. localStorage data) on the player from external clients through HTTP(S) calls. This interface is available using the player address followed by "/webstorage".
  - Shared Variables Network API to remotely update shared data or trigger UI events. This interface is available using the player address followed by ":1234/update" (the default port 1234 can be changed if needed).
Security
See also the Security page.
Access to the player's embedded web server can / must be protected with strong passwords, configurable from Control Center.
- For HMP400, HMP400W, HMP350, HMP300, and DiVA players, see the User manager tool page.
- For HMP200, HMP130, and HMP100 devices, see the Security settings 3.x page.
Note: If you want to set / change the passwords on multiple players in a centralized manner (for instance to set a new admin password for all players every 30 days), you can use the set_password RPC command.
HTTPS access
HMP400, HMP400W, HMP350, HMP300, and DiVA players can be accessed using a secured URL (HTTPS).
- The player web interface is reachable via https://Player_address on the standard HTTPS port 443.
- The player content server is reachable via https://HMP_address:9802 on standard WebDAV port 9802.
- Insecure HTTP can be disabled from Network > Server Security page.
- The player SSL/TLS certificate is an automatically generated self-signed certificate - you'll need to install this certificate on your PC. Alternatively, you can generate your own certificate and upload it on the player from Network > Server Certificates (requires firmware 4.x).
- Legacy players cannot be accessed using a secured URL (HTTPS).
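The following is an added example, not SpinetiX code: a small audit that probes the paths and ports listed on this page for one player and reports where plaintext HTTP still answers, where the certificate is not trusted on the PC running the check, and where HTTPS answers without an authentication challenge. The response codes it expects (401/403 for protected interfaces, a redirect or closed port once insecure HTTP is disabled) are assumptions, since this page does not document them.

```python
import ssl
import sys
import urllib.error
import urllib.request

# Paths and ports as listed on this page.
PATHS = ["/", "/content", "/status", "/rpc", "/webstorage"]

class NoRedirect(urllib.request.HTTPRedirectHandler):
    def redirect_request(self, *args, **kwargs):
        return None  # report the 3xx itself instead of following it

def targets(host):
    urls = [f"{s}://{host}{p}" for s in ("http", "https") for p in PATHS]
    return urls + [f"http://{host}:81/", f"https://{host}:9802/"]

def probe(url, timeout=5):
    """HTTP status code, 'untrusted-cert', or None when nothing answers."""
    https = urllib.request.HTTPSHandler(context=ssl.create_default_context())
    opener = urllib.request.build_opener(NoRedirect(), https)
    try:
        return opener.open(url, timeout=timeout).status
    except urllib.error.HTTPError as err:
        return err.code
    except urllib.error.URLError as err:
        bad_cert = isinstance(err.reason, ssl.SSLCertVerificationError)
        return "untrusted-cert" if bad_cert else None
    except OSError:
        return None

def classify(url, status):
    # Assumption: a hardened player either closes HTTP or redirects it to HTTPS,
    # and answers unauthenticated HTTPS requests with 401/403.
    if status is None:
        return "closed"
    if status == "untrusted-cert":
        return "FAIL: certificate not trusted on this PC"
    if url.startswith("http://"):
        return "redirect" if 300 <= status < 400 else "FAIL: plaintext HTTP enabled"
    if status in (401, 403):
        return "ok: authentication required"
    return "absent" if status == 404 else "REVIEW: answered without auth challenge"

def audit(host, probe_fn=probe):
    return {url: classify(url, probe_fn(url)) for url in targets(host)}

if __name__ == "__main__":
    for url, finding in audit(sys.argv[1]).items():
        print(f"{finding:45} {url}")
```

Run it with the player address as the only argument, from a PC where the player certificate has been installed in the system trust store.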
Apache
The embedded web server is based on Apache HTTP Server ("httpd") - a robust, commercial-grade, full-featured, and freely available source code implementation of an HTTP (Web) server. The version of httpd varies depending on the player firmware, so make sure to use the latest firmware on your players to prevent any security vulnerabilities.
Note: Network security scans might sometimes reveal potential vulnerabilities affecting the version of Apache being used; however, only a limited set of modules are actually implemented / used, so most of them do not actually apply.