Flussonic Media Server documentation

Authorization Configurator

Starting from Flussonic 18.05 you can declare complicated authorization settings right in the configuration file.

You can specify black and white lists of IP addresses, tokens, User-Agents, and countries, and include multiple parallel authorization HTTP backends. You don't need to write your own scripts.

Setting up authorization

Add these lines to /etc/flussonic/flussonic.conf:

auth_backend main {
  allow ip 127.0.0.1;
  allow ip 192.168.0.1;
  allow ip 172.16/24;
  deny ip 8.8.8.8;
  allow country RU US;
  deny country GB;
  allow token test_token1;
  deny ua "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.10)";
  backend http://stalker-1.iptv.net/auth.php;
  backend http://stalker-2.iptv.net/auth.php;
}
  • allow – declares the white list.
  • deny – declares the black list.

Flussonic applies the rules in the following order:

  • allow token
  • deny token
  • allow ip
  • deny ip
  • allow country
  • deny country
  • allow useragent
  • deny useragent
  • requests to the backends, made in parallel
  • if allow default was not specified, access is denied

Rule priority matters. A rule with a higher priority is applied immediately, and rules with a lower priority are then no longer taken into account. For example, if you allow the client's IP address but the client's token is in the black list, access will be denied because the token has a higher priority.

By the client we mean a client application or device that receives video from the Flussonic server.

To apply this auth backend to a stream, specify auth://main:

stream ort {
  url udp://239.255.0.1:1234;
  auth auth://main;
}

Rules will be applied after you reload the configuration.

The 'allow default' option

The option allow default allows access to video to all client applications or devices except those listed in the deny option. If this option is not specified, access to the stream is denied for all clients, not only for those that you explicitly denied access through deny.

Starting from version 19.02, this option also allows access to a stream when the backend or the server itself is not responding because of an error. In other words, with allow default the stream fails open: the content stays accessible while the backend is not working.

Let's see how Flussonic deals with different responses from the backend and how the option allow default affects the decision to grant access to a video stream.

Allow default option in case of one backend

If the authorization backend denies access (responds with an error code, such as 403 Forbidden), Flussonic doesn't allow access to the content, even if you specified 'allow default' in stream settings.

But if the backend is down (not responding due to an error) or there is a server error on the server where the backend script runs, Flussonic allows access to the content to all clients (recipients).

Allow default option in case of multiple backends

If there are multiple parallel backends, the rules are similar.

If at least one of the backends allows access, access will be granted, even if the other backends deny it or are not responding.

If at least one of the backends denies access and all the other backends are not responding (none allows it), access will be denied.

However, if all backends are down (not responding), Flussonic allows access to the content to all clients (if the option allow default was included in stream settings).

This table illustrates the logic of authorization in case of using multiple authorization backends on a stream:

Backend 1      | Backend 2      | Backend 3      | Resulting answer
allow          | allow          | allow          | Allow
ban            | ban            | ban            | Ban
ban            | allow          | ban            | Allow
not responding | not responding | not responding | Allow
not responding | allow          | not responding | Allow
not responding | ban            | not responding | Ban
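
The rule order and the multi-backend table above can be modelled together in a short Python sketch, which makes the fail-open case easy to test before you rely on allow default. This is an added illustration, not Flussonic code: the function names, the rule tuples and the leaked_token entry are constructed for the example, matching is simplified to exact string equality, and "no backend answered and no allow default" is read as a ban, following the rule order above.

```python
# Added illustration of the decision logic described above; not Flussonic code.
# Matching is simplified to exact string equality (no CIDR or User-Agent patterns).

# Evaluation order from the page: allow/deny token, ip, country, useragent.
ORDER = [(action, kind)
         for kind in ("token", "ip", "country", "ua")
         for action in ("allow", "deny")]

# Constructed sample rules, loosely following the "main" block above.
# "leaked_token" is a made-up deny entry used to show token priority.
RULES = {
    ("allow", "token", "test_token1"),
    ("deny", "token", "leaked_token"),
    ("allow", "ip", "127.0.0.1"),
    ("deny", "ip", "8.8.8.8"),
    ("allow", "country", "RU"),
    ("deny", "country", "GB"),
}

def resolve_backends(answers, allow_default):
    """answers: one entry per backend: 'allow', 'ban', or None (not responding)."""
    if "allow" in answers:
        return "allow"   # a single allow outweighs bans and silent backends
    if "ban" in answers:
        return "ban"     # an explicit ban stands, even with allow default
    # No backend configured, or none of them answered: allow default decides.
    return "allow" if allow_default else "ban"

def authorize(session, rules, backend_answers=(), allow_default=False):
    """session: dict with optional 'token', 'ip', 'country', 'ua' keys."""
    for action, kind in ORDER:
        if (action, kind, session.get(kind)) in rules:
            return "allow" if action == "allow" else "ban"  # first match is final
    return resolve_backends(list(backend_answers), allow_default)

if __name__ == "__main__":
    # Allowed IP, but the token is blacklisted: the token rule wins.
    print(authorize({"ip": "127.0.0.1", "token": "leaked_token"}, RULES))
    # No rule matches and every backend is down: allow default fails open.
    print(authorize({"ip": "203.0.113.7"}, RULES, [None, None], allow_default=True))
```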

Examples

Multiauth HTTP and access from a local network

auth_backend multi_local {
  allow ip 192.168.0/24;
  backend http://127.0.0.1/tv/auth; # iptv plugin
  backend http://<HOSTNAME>/stalker_portal/server/api/chk_flussonic_tmp_link.php;
}

Ban some IP addresses

auth_backend blacklist {
  deny ip 1.1.1.1;
  deny ip 2.2.2.2;
  deny ip 10.10/16;
  allow default;
}

Use an HTTP backend and allow video to clients with the specified tokens

auth_backend myauth {
  allow token friend_token1;
  allow token friend_token2;
  backend http://<HOSTNAME>/stalker_portal/server/api/chk_flussonic_tmp_link.php;
}

Allow some User-Agents (certain set-top-boxes), block others

auth_backend agents {
  allow ua MAG;
  allow ua TVIP;
}