Skip to content

Authorization configurator

You can declare complicated authorization settings right in the Flussonic configuration file.

You can specify black and white lists of IP addresses, tokens, User-Agents, and countries, and include multiple parallel authorization HTTP backends. You don't need to write your own scripts.

Setting up authorization

Add these lines to /etc/flussonic/flussonic.conf:

auth_backend myauth1 {
  allow ip;
  allow ip;
  allow ip 172.16/24;
  deny ip;
  allow country RU US;
  deny country GB;
  allow token test_token1;
  deny ua "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:";
  • allow – declares the white list.
  • deny – declares the black list.

Flussonic applies the rules in the following order:

  • allow token
  • deny token
  • allow ip
  • deny ip
  • allow country
  • deny country
  • allow useragent
  • deny useragent
  • Makes requests to parallel backends
  • If allow default was not specified, then denies access.

The rule priority matters. Rules with a higher priority are applied immediately, and then rules with a lower priority are no longer taken into account. For example, if you allow the client's IP address but the client's token is in the black list — the access will be denied because the token has a higher priority.

By the client we mean a client application or device that receives video from the Flussonic server.

To apply this auth backend to a stream, specify auth://myauth1:

stream example_stream {
  input udp://;
  on_play auth://myauth1;

Rules will be applied after you reload the configuration.

The 'allow default' option

The allow default option defines the default behavior in the case when all backends are not responding (for example, because of an error in an HTTP response or non-working script). If this option is enabled, all clients or devices except those listed explicitly in the deny option will have access to the content. And if this option is disabled, all clients or devices except those listed explicitly in the allow option will not have access to the content.

In this way, the allow default option gives you the opportunity to access the content in case the backend is not working.

Let's see how Flussonic deals with different responses from the backend and how the enabled allow default option affects the decision to grant access to a video stream.

Allow default option in case of one backend

If the authorization backend denies access (responds with an error code 4xx, such as 403 Forbidden), Flussonic doesn't allow access to the content, even if you have enabled allow default in the stream settings.

However, if the backend is down (does not respond due to an error) or there is a server error on the server where the backend script runs (with an error code 5xx, such as 500 Internal Server Error), Flussonic allows access to the content to all clients (recipients) except those listed in the deny option.

Allow default option in case of multiple backends

If there are multiple parallel backends, the rules are similar.

If at least one of the backends allows access, access will be granted, even if other backends deny it or are not responding.

If at least one of the backends denies access, and all other backends are not responding (no one allows it), access will be denied.

However, if all backends are down (not responding), Flussonic allows access to the content to all clients except those listed in the deny option.

This table illustrates the logic of authorization in case of using multiple authorization backends on a stream:

Backend 1 Backend 2 Backend 3 Resulting answer
allow allow allow Allow
ban ban ban Ban
ban allow ban Allow
not responding not responding not responding Allow
not responding allow not responding Allow
not responding ban not responding Ban


Multiauth HTTP and access from a local network

auth_backend multi_local {
  allow ip 192.168.0/24;
  backend iptv://localhost; # iptv plugin
  backend http://examplehost/stalker_portal/server/api/chk_flussonic_tmp_link.php;

Ban some IP addresses

auth_backend blacklist {
  deny ip;
  deny ip;
  deny ip 10.10/16;
  allow default;

Use an HTTP backend and allow video to clients with the specified tokens

auth_backend myauth2 {
  allow token friend_token1;
  allow token friend_token2;
  backend http://examplehost/stalker_portal/server/api/chk_flussonic_tmp_link.php;

Allow some User-Agents (certain set-top-boxes) and block others

auth_backend agents {
  allow ua MAG;
  allow ua TVIP;