Skip to content

How to deny access by IP address

It is sometimes necessary to restrict access to certain IP addresses, or to allow access to a stream only by a specific IP address. It can be done with auth configurator.

You can setup very flexible authorization schemes with auth configurator. On this page, we will give examples of how to block certain IP addresses, or how to skip the check of tokens for some IP addresses. This can be useful in monitoring systems.

All the following rules can be applied to a single stream or as a global setting.

stream example_stream {
  input fake://fake;
  on_play auth://blacklist;
}

Where blacklist is a name of one of the configured backend. Sure, you can configure more than one auth rule.

Block

This settings you can set via /etc/flussonic/flussonic.conf file.

auth_backend blacklist {
  deny ip 1.1.1.1;
  deny ip 2.2.2.2;
  deny ip 10.10/16;
  allow default;
}

The rule denies access for two certain hosts (1.1.1.1, 2.2.2.2) and an entire subnet (10.10.0.0/16).

The allow default; string means allowing all connections by default, except from the IP addresses listed in deny. More about the allow default option

Allow

auth_backend whitelist {
  allow ip 192.168.0/24;
  allow ip 10.10/16;
  allow ip 8.8.8.8;
}

The rule allows playback only for specified networks and one certain IP address. Other connections will be blocked.

auth_backend multi {
  allow ip 192.168.0/24;
  backend http://examplehost/stalker_portal/server/api/chk_flussonic_tmp_link.php;
}

The rule allows playback without a token from the local network, other connections will be checked via IPTV Middleware.