Feature Request: Separate ONVIF server authentication from API HTTP Basic Auth #2148

@Moonbesk

Problem

Currently, go2rtc's ONVIF server shares the same port and HTTP Basic Auth as the Web API (api.username / api.password). This creates an authentication conflict:

  • External ONVIF clients (e.g., Hikvision iSecure Center, NVRs, ONVIF Device Manager) authenticate using WS-Security (digest token in SOAP headers)
  • go2rtc's API requires HTTP Basic Auth at the HTTP layer
  • External ONVIF clients do not send Authorization: Basic headers, so they receive 401 Unauthorized and fail to connect

Reproduction

  1. Configure api.username and api.password in go2rtc.yaml
  2. Try to add go2rtc as an ONVIF device from an external ONVIF client (e.g., Hikvision iSecure Center or ONVIF Device Manager using external IP)
  3. Connection fails with 401 Unauthorized

Note: Connecting via localhost works because go2rtc skips HTTP Basic Auth for loopback connections.

Expected Behavior

The ONVIF server should support WS-Security authentication independently from the API HTTP Basic Auth. Ideally, a dedicated config option like:

onvif:
  username: "admin"
  password: "pass"

Or alternatively, exclude ONVIF endpoints (/api/onvif/*) from HTTP Basic Auth enforcement so that ONVIF clients can authenticate purely via WS-Security tokens in their SOAP requests.

Workaround

Currently the only workaround is to remove api.username / api.password entirely, which leaves the Web UI unprotected. Users must then rely on external firewall rules or a reverse proxy to secure the Web UI.

Environment

  • go2rtc version: v1.9.14
  • ONVIF client: Hikvision iSecure Center V1.4.100
  • Platform: Windows
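
The WS-Security UsernameToken check that the request describes, as an added example (not part of the original issue and not go2rtc's own code). It verifies the standard `PasswordDigest = Base64(SHA-1(nonce + created + password))` carried in the SOAP header; the names `wsseToken`, `PasswordDigest`, `VerifyWSSE` and `maxAge` are hypothetical.

```go
// Added example (not go2rtc code): WS-Security UsernameToken digest check.
package main

import (
	"crypto/sha1"
	"crypto/subtle"
	"encoding/base64"
	"encoding/xml"
	"errors"
	"time"
)

// wsseToken picks the UsernameToken fields out of a SOAP envelope header.
type wsseToken struct {
	Username string `xml:"Header>Security>UsernameToken>Username"`
	Digest   string `xml:"Header>Security>UsernameToken>Password"`
	Nonce    string `xml:"Header>Security>UsernameToken>Nonce"`
	Created  string `xml:"Header>Security>UsernameToken>Created"`
}

// PasswordDigest returns Base64(SHA-1(nonce + created + password)).
func PasswordDigest(nonce []byte, created, password string) string {
	sum := sha1.Sum([]byte(string(nonce) + created + password))
	return base64.StdEncoding.EncodeToString(sum[:])
}

// VerifyWSSE authenticates one SOAP request; maxAge bounds the Created skew.
func VerifyWSSE(envelope []byte, user, pass string, now time.Time, maxAge time.Duration) error {
	var t wsseToken
	if err := xml.Unmarshal(envelope, &t); err != nil {
		return err
	}
	nonce, nerr := base64.StdEncoding.DecodeString(t.Nonce)
	created, cerr := time.Parse(time.RFC3339, t.Created)
	if nerr != nil || cerr != nil || len(nonce) == 0 {
		return errors.New("wsse: missing or malformed Nonce/Created")
	}
	if age := now.Sub(created); age > maxAge || age < -maxAge {
		return errors.New("wsse: token outside allowed time window")
	}
	want := PasswordDigest(nonce, t.Created, pass)
	userOK := subtle.ConstantTimeCompare([]byte(t.Username), []byte(user))
	digestOK := subtle.ConstantTimeCompare([]byte(t.Digest), []byte(want))
	if userOK&digestOK != 1 {
		return errors.New("wsse: bad username or digest")
	}
	return nil
}

func main() {} // the functions above are meant to be called from an HTTP handler
```

The time window alone does not stop a captured token from being reused inside it; a server would also remember nonces it has already accepted until they age out.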