Flussonic Media Server documentation

Securing Flussonic

This page describes how to limit access to the Flussonic administration panel.

Very important! If a hacker gets access to your Flussonic installation, they will be able to modify and read any file on disk.

Login and password

Flussonic lets you configure two types of access in the config: view_auth and edit_auth.

view_auth user password; controls access to the read-only Flussonic API functions: reading the config, status and stats.

edit_auth user password; is used for full access to Flussonic.

IP limitations

You can enable IP whitelist control in the config: api_allowed_from;

Separate IP port for HTTP API

You can assign a separate port for the HTTP API:

admin_http 8090;
admin_https 8092;

Now the admin web UI and HTTP API are available only through these ports. In a cluster configuration, you must specify these ports in the peer and source directives that refer to a node with admin_http(s) enabled.

HTTPS certificates

If you add an https port to the config, Flussonic will automatically redirect you from http to https.

After installation, Flussonic ships with an invalid SSL certificate, but you can install your own certificate.

You can generate your own certificate. Use the password flussonic for the key and put the files in /etc/flussonic/flussonic.crt and /etc/flussonic/flussonic.key. Instructions for generating your own certificate follow:

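# Generate a passphrase-protected 2048-bit RSA key (enter the password when prompted)
openssl genrsa -des3 -out flussonic.key 2048
# Create a certificate signing request for the key
openssl req -new -key flussonic.key -out flussonic.csr -subj '/C=US/ST=TN/L=/CN=flussonic.local/O=Flussonic, LLC/emailAddress=support@flussonic.com'
# Keep the encrypted key as flussonic.key.org and write a copy without the passphrase
mv flussonic.key flussonic.key.org
openssl rsa -in flussonic.key.org -out flussonic.key
# Self-sign the request; the certificate is valid for 365 days
openssl x509 -req -days 365 -in flussonic.csr -signkey flussonic.key -out flussonic.crt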

Intermediate and CA certificates will be taken from /etc/flussonic/flussonic-ca.crt.

Let's Encrypt certificates

Let's Encrypt has been offering free SSL certificates with 1 month expiration since April 2016.

Certificates are issued automatically, and we have added support for this to Flussonic.

To enable a Let's Encrypt certificate, you need to visit the admin web interface via a domain name: not an IP address, but the domain name that will be used in the certificate.

After this, add an https port if you have not already done so, and press "issue letsencrypt".

Flussonic will automatically communicate with the Let's Encrypt service and create the certificate.

Protecting config file from overwriting

It is possible to prevent the config file from being modified via the API. Just create the file /etc/flussonic/flussonic.conf.locked:

touch /etc/flussonic/flussonic.conf.locked

Now settings cannot be changed via the web UI.

Running as non-privileged user

You can run Flussonic as an unprivileged user. Make the following preparations:

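# Create the service account
adduser flussonic --home /var/lib/flussonic --disabled-password
# Hand the configuration files to the service account
chown flussonic /etc/flussonic/*
# Name the account to run as; this file itself stays owned by root
echo flussonic > /etc/flussonic/run_as
chown root /etc/flussonic/run_as
chmod 0644 /etc/flussonic/run_as
# Hand over the runtime directory, the logs and the Erlang cookie
chown -R flussonic /var/run/flussonic /var/log/flussonic /opt/flussonic/.erlang.cookie
# Allow the Erlang VM to bind ports below 1024 without root
setcap cap_net_bind_service=+ep /opt/flussonic/lib/erlang/erts-*/bin/beam.smp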

To make Flussonic run as root again, delete the file /etc/flussonic/run_as.
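
The steps on this page can be checked in one pass. The following shell function is an added example, not part of the Flussonic documentation or product; it assumes the config file is flussonic.conf in the given directory (inferred from the flussonic.conf.locked name), and the function names are hypothetical.

```sh
#!/bin/sh
# Added example: audits a Flussonic config directory for the steps on this page.
# Assumptions: the config file is <dir>/flussonic.conf (inferred from the
# flussonic.conf.locked name); function names here are hypothetical.

# has_directive FILE NAME: true if an uncommented line starts with NAME.
has_directive() {
    grep -Eq "^[[:space:]]*$2([[:space:]]|;)" "$1" 2>/dev/null
}

# flussonic_audit [DIR]: prints one line per check; exit status = failed checks.
flussonic_audit() {
    dir=${1:-/etc/flussonic}
    conf="$dir/flussonic.conf"
    fails=0

    for d in view_auth edit_auth api_allowed_from; do
        if has_directive "$conf" "$d"; then
            echo "ok    $d is set"
        else
            echo "FAIL  $d is not set in $conf"; fails=$((fails + 1))
        fi
    done

    # admin_http and admin_https are matched separately; either one is enough.
    if has_directive "$conf" admin_http || has_directive "$conf" admin_https; then
        echo "ok    admin UI/API has its own port"
    else
        echo "FAIL  no admin_http or admin_https port"; fails=$((fails + 1))
    fi

    if [ -e "$conf.locked" ]; then
        echo "ok    config is locked against changes via API"
    else
        echo "FAIL  $conf.locked is missing"; fails=$((fails + 1))
    fi

    # run_as must name a non-root user and not be group- or world-writable.
    user=$(head -n 1 "$dir/run_as" 2>/dev/null | tr -d '[:space:]')
    loose=$(find "$dir/run_as" \( -perm -020 -o -perm -002 \) 2>/dev/null || true)
    if [ -n "$user" ] && [ "$user" != root ] && [ -z "$loose" ]; then
        echo "ok    runs as $user"
    else
        echo "FAIL  run_as missing, set to root, or writable by others"; fails=$((fails + 1))
    fi

    return "$fails"
}
```

Source the file and run flussonic_audit /etc/flussonic as a user that can read the config; an exit status of 0 means every check passed.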