Embedded web server

Description

DSOS players feature an embedded web server offering access to different player applications such as:

• Player web interface

  Offers access to the full management of the player through Control Center (for making configuration changes and requesting information from the device) and a built-in content management application. This interface is loaded by default when using the player address.

• Player content server (Doesn't apply to DiVA players)

  This is dedicated to external content storage, where Elementi, HMD or other clients can publish content onto it using the WebDAV protocol. The content retrieved by the player from external servers through Scheduled Download or Pull Mode is also stored here.

  This interface is available using the player address followed by "/content" or ":81" port for HTTP or ":9802" for secure HTTP.

• Player APIs
  • Status API for getting the current status of the player (operating status, device stats, screen display settings, storage details etc.) or snapshot of the content being rendered. This interface is available using the player address followed by "/status".
  • RPC API for remote management and monitoring. This interface is available using the player address followed by "/rpc".
  • Web Storage REST API to allow reading and writing variables (i.e., localStorage data) onto the player from external clients through HTTP(S) calls. This interface is available using the player address followed by "/webstorage".
  • Shared Variables Network API to remotely update shared data or trigger UI events. This interface is available using the player address followed by ":1234/update" (the default port 1234 can be changed if needed).

Security

 

See also the Security page.

The access to the player embedded web server can / must be protected with strong passwords, configurable from User manager tool.

• For HMP200, HMP130, and HMP100 devices, see Security settings 3.x page.

Note:

If you want to set / change the passwords on multiple players in a centralized manner (for instance, to set a new admin password for all players every 30 days), you can use the set_password RPC command.

HTTPS access

DSOS players can be accessed using a secured URL (HTTPS).

• The player web interface is reachable via https://Player_address on the standard HTTPS port 443.
• The player content server is reachable via https://Player_address:9802 on standard WebDAV port 9802.
• Insecure HTTP can be disabled from Network → Server Security page.
• The player SSL/TLS certificate is an automatically generated self-signed certificate – you'll need to install this certificate on your PC. Alternatively, you can generate your own certificate and upload it to the player from Network → Server Certificates (requires firmware 4.x).
• Legacy players cannot be accessed using a secured URL (HTTPS).

Apache

The embedded web server is based on Apache HTTP Server ("httpd") – a robust, commercial-grade, feature-full, and freely-available source code implementation of an HTTP (Web) server. The version of httpd varies depending on the player firmware, so make sure to use the latest firmware on your players to prevent any security vulnerabilities.

Note:

Sometimes, network security scans might reveal potential vulnerabilities affecting the version of Apache being used, however only a limited set of modules are actually implemented / used, so most of them do not actually apply.