API: Exposed for WebRTC without any access control

[streamthing]

With WebRTC we need to expose http_api to public.
Why there isn't any access control for http_api?
User can send HTTP to /rtc/v1/play/ - which is OK.
But... there is also /api/v1/streams/ /api/v1/clients/ accessible for everyone in internet...

We need to setup reverse-proxy between client and SRS server?

[streamthing]

And... everyone can publish?

vhost __defaultVhost__ {
    rtc {
        enabled     on;
        rtmp_to_rtc on;
        rtc_to_rtmp off;
    }
    security {
        enabled on;
        allow publish 1.2.3.4;
        allow play all;
    }
}

[duiniuluantanqin]

fixed by #3458