Embedded web server

Description

DSOS players feature an embedded web server offering access to different player applications such as:

• Player web interface

  

  This interface is loaded by default when entering the player address in your browser and offers access to the full management of the player. Its main component is Control Center, used for making configuration changes and requesting information from the device.

• Player content server

  This is dedicated to external content storage, where Elementi or other clients can publish content onto it using the WebDAV protocol. The content retrieved by the player from external servers through Scheduled Download or Pull Mode is also stored here. This interface doesn't apply to DiVA players.

• Player APIs
  • Status API for getting the current status of the player (operating status, device stats, screen display settings, storage details etc.) or snapshot of the content being rendered. This interface is available using the player address followed by "/status".
  • RPC API for remote management and monitoring. This interface is available using the player address followed by "/rpc".
  • Web Storage REST API to allow reading and writing variables (i.e., localStorage data) onto the player from external clients through HTTP(S) calls. This interface is available using the player address followed by "/webstorage".
  • Shared Variables Network API to remotely update shared data or trigger UI events.

Security

 

See also the Security page.

The access to the player embedded web server can / must be protected with strong passwords, configurable from the User manager tool of Control Center, with a configuration file, or using RPC API.

Note:

If you want to set / change the passwords on multiple players in a centralized manner (for instance, to set a new admin password for all players every 30 days), you can use the set_password RPC command.

HTTPS access

DSOS players can be accessed using a secured URL (HTTPS).

• The player web interface is reachable via https://Player_address on the standard HTTPS port 443.
• The player content server is reachable via https://Player_address:9802 on standard WebDAV port 9802.
• Insecure HTTP can be disabled from Network → Server Security page.
• The player SSL/TLS certificate is an automatically generated self-signed certificate – you'll need to install this certificate on your PC. Alternatively, you can generate your own certificate and upload it to the player from Network → Server Certificates (requires firmware 4.x).
• Legacy players cannot be accessed using a secured URL (HTTPS).

Apache

The embedded web server is based on Apache HTTP Server ("httpd") – a robust, commercial-grade, feature-full, and freely-available source code implementation of an HTTP (Web) server. The version of httpd varies depending on the player firmware, so make sure to use the latest firmware on your players to prevent any security vulnerabilities.

Note:

Sometimes, network security scans might reveal potential vulnerabilities affecting the version of Apache being used, however only a limited set of modules are actually implemented / used, so most of them do not actually apply.