Flussonic Media Server documentation

Securing Flussonic

This page describes how to limit access to the Flussonic administration panel.

Very important! If hackers get access to your Flussonic installation, they will be able to read and modify any file on disk.

Login and password

Flussonic allows you to set two types of access in the config: view_auth and edit_auth.

  • view_auth user password; is used for access to the read-only Flussonic API functions: getting stream info, status, and statistics.

  • edit_auth user password; is used for full access to Flussonic.

IP address banning

To restrict access by IP address, enable whitelist mode in the configuration file:

api_allowed_from 10.0.0.0/8 192.168.4.15;

A separate IP port for HTTP API

You can assign a separate IP port for HTTP API:

admin_http 8090;
admin_http 127.0.0.1:8091;
admin_https 8092;

Now the administrator UI and HTTP API are available only through these ports.

In cluster configuration, for the node with admin_http(s) enabled, you must specify these ports in peer and source directives.
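The access-control directives described so far (view_auth, edit_auth, api_allowed_from, admin_http, admin_https) can be checked automatically. The following is an added example, not part of Flussonic or its documentation: it audits a config for weak settings. The sample configs are constructed, and the '#' comment syntax, the 12-character password minimum, and the reading of a bare port as "all interfaces" are assumptions.

```python
import ipaddress
import re

# Constructed sample configs using only the directives shown on this page.
WEAK = """
view_auth viewer Xk9-long-view-passphrase;
edit_auth admin admin;
api_allowed_from 10.0.0.0/8 0.0.0.0/0;
admin_http 8090;
"""
HARDENED = """
edit_auth admin Qz7-long-edit-passphrase;
api_allowed_from 10.0.0.0/8 192.168.4.15;
admin_http 127.0.0.1:8091;
admin_https 8092;
"""
MIN_PASSWORD_LEN = 12  # assumed local policy, not a Flussonic requirement
DIRECTIVE = re.compile(r"^\s*(\w+)\s+([^;{}]*);", re.M)

def parse_directives(text):
    """Map directive name -> list of argument lists ('name arg ...;' lines)."""
    text = re.sub(r"#.*", "", text)  # assumption: '#' starts a comment
    conf = {}
    for name, args in DIRECTIVE.findall(text):
        conf.setdefault(name, []).append(args.split())
    return conf

def audit(text):
    """Return a list of findings for the access-control directives."""
    conf, findings = parse_directives(text), []
    if "edit_auth" not in conf:
        findings.append("edit_auth: not set")
    for name in ("view_auth", "edit_auth"):
        for args in conf.get(name, []):
            if len(args) == 2 and (args[0] == args[1] or len(args[1]) < MIN_PASSWORD_LEN):
                findings.append(f"{name}: weak password for user {args[0]!r}")
    nets = [n for args in conf.get("api_allowed_from", []) for n in args]
    if not nets:
        findings.append("api_allowed_from: no allowlist configured")
    for n in nets:
        if ipaddress.ip_network(n, strict=False).prefixlen == 0:
            findings.append(f"api_allowed_from: {n} matches every address")
    for args in conf.get("admin_http", []):
        # A bare port is assumed to listen on all interfaces.
        if args and not args[0].startswith("127.0.0.1:"):
            findings.append(f"admin_http {args[0]}: plaintext API off loopback")
    return findings

if __name__ == "__main__":
    print({"weak": audit(WEAK), "hardened": audit(HARDENED)})
```
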

HTTPS certificates

If you add an HTTPS port to config, Flussonic will automatically redirect you from HTTP to HTTPS.

You will need to generate your own certificate. To do so, use the password flussonic for key and certificate generation and then put the files in /etc/flussonic/flussonic.crt and /etc/flussonic/flussonic.key.

The following commands generate your own certificate. Do not forget to enter the password flussonic for the certificate.

# Generate a passphrase-protected 2048-bit RSA key (1024-bit RSA is considered too weak)
openssl genrsa -des3 -out flussonic.key 2048
# Create a certificate signing request
openssl req -new -key flussonic.key -out flussonic.csr -subj '/C=US/ST=TN/CN=flussonic.local/O=Flussonic, LLC/emailAddress=support@flussonic.com'
# Keep the encrypted key and write a copy without the passphrase
mv flussonic.key flussonic.key.org
openssl rsa -in flussonic.key.org -out flussonic.key
# Self-sign the certificate, valid for 365 days
openssl x509 -req -days 365 -in flussonic.csr -signkey flussonic.key -out flussonic.crt

Intermediate and CA certificates will be taken from /etc/flussonic/flussonic-ca.crt.

LetsEncrypt certificates

LetsEncrypt has been offering free SSL certificates with 1-month expiration since April 2016.

The certificate is issued automatically. We have added support for LetsEncrypt to Flussonic.

How to set up LetsEncrypt

Protecting configuration file

It is possible to prevent the configuration file from being modified via the API (web interface). Just create the file /etc/flussonic/flussonic.conf.locked:

touch /etc/flussonic/flussonic.conf.locked

Now no one will be able to change settings via the Flussonic web UI.

Running Flussonic as a non-privileged user

You can run Flussonic as an unprivileged user. Make the following preparations:

adduser flussonic --home /var/lib/flussonic --disabled-password
chown -R flussonic /etc/flussonic/
chown -R flussonic /var/lib/flussonic/
echo flussonic > /etc/flussonic/run_as
chown root /etc/flussonic/run_as
chmod 0644 /etc/flussonic/run_as
chown -R flussonic /var/run/flussonic /var/log/flussonic /opt/flussonic/.erlang.cookie
setcap cap_net_bind_service=+ep /opt/flussonic/lib/erlang/erts-*/bin/beam.smp

To make Flussonic run as root again, delete the file /etc/flussonic/run_as.

Activating Flussonic via SOCKS5 proxy

Flussonic can use a SOCKS5 proxy server to communicate with the license server. To enable it, use systemd's override mechanism:

# systemctl edit flussonic

This command opens a text editor (nano by default). Then add these lines:

[Service]
Environment=PROXY="socks5://172.20.10.1:1080"

Press Ctrl-X, then Y to save and exit.

Restart Flussonic:

# /etc/init.d/flussonic restart

Now Flussonic will use the configured proxy to communicate with the license server.

Protecting video from viewing by the administrator

By default, users with Flussonic administrator rights can play back any stream by using the administration UI. A special administrator's authorization token is used for that.

You may want to prevent the administrator from viewing some streams, namely those protected by authorization.

To prevent the Flussonic administrator from playing back any stream that needs authorization:

  1. Edit the Flussonic service unit file (/lib/systemd/system/flussonic.service) by using systemd's override mechanism:

    # systemctl edit flussonic
    

    This command opens a text editor (nano by default).

  2. Add these lines:

    [Service]
    Environment=ADMIN_VIEW_DISABLE=true
    

    Press Ctrl-X, then Y to save and exit.

  3. Restart Flussonic:

    # /etc/init.d/flussonic restart
    

Now if a stream requires authorization, the player in the Flussonic UI will return a 403 error on any attempt to play the stream back with an administrator's token.

Streams without configured authorization will be played back as usual.