mirror of
https://gitlab.xiph.org/xiph/icecast-server.git
synced 2024-11-03 04:17:17 -05:00
a517f4c1ce
svn path=/icecast/trunk/icecast/; revision=19125
223 lines
14 KiB
HTML
223 lines
14 KiB
HTML
<?xml version="1.0"?>
|
|
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
|
|
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en">
|
|
<head>
|
|
<title>Icecast v2.x Documentation</title>
|
|
<link rel="stylesheet" type="text/css" href="style.css" />
|
|
</head>
|
|
<body>
|
|
<div class="boxtest">
|
|
<h1>Icecast 2 Authentication</h1>
|
|
<hr id='titlebar' />
|
|
<br />
|
|
<br />
|
|
<br />
|
|
<h2>Listener Authentication</h2>
|
|
<p>Listener authentication is a feature of icecast which allows you to secure a certain
|
|
mountpoint such that in order to listen, a listener must pass some verification test. With
|
|
this feature, a simple pay-for-play operation (eg user/pass), or some filtering based on the
|
|
listener connection can be performed. This section will show you the basics of setting up
|
|
and maintaining this component.</p>
|
|
<p>To define listener authentication, a group of tags are specified in the <mount>
|
|
group relating to the mountpoint. This means that authentication can apply to listeners of
|
|
source clients or relays.</p>
|
|
<br />
|
|
<p>The following authentication mechanisms can apply to listeners</p>
|
|
<ul>
|
|
<li>HTPASSWD - lookup a named file for a matching username and password</li>
|
|
<li>URL - issue web requests (eg PHP) to match authentication</li>
|
|
</ul>
|
|
<p>The listener authentication within a specified mount in the icecast XML configuration
|
|
can apply to either to a stream from a source client, relay or a webroot based file. They
|
|
do apply to intro files or fallback streams.
|
|
</p>
|
|
<br />
|
|
<h2>HTPASSWD Listener Authentication</h2>
|
|
<p>In order to use listener authentication, you MUST configure a mount specific option. This means that you have to provide a <mount> section in the main icecast config file. The following is an example :</p>
|
|
<pre>
|
|
<mount>
|
|
<mount-name>/example.ogg</mount-name>
|
|
<authentication type="htpasswd">
|
|
<option name="filename" value="myauth"/>
|
|
<option name="allow_duplicate_users" value="0"/>
|
|
</authentication>
|
|
</mount>
|
|
</pre>
|
|
<p>To support listener authentication you MUST provide at a minimum <mount-name> and <authentication>. The mount-name is the name of the mountpoint that you will use to connect your source client with and authentication configures what type of icecast2 authenticator to use. Currently, only a single type "htpasswd" is implemented. New authenticators will be added later. Each authenticator has a variable number of options that are required and these are specified as shown in the example. The htpasswd authenticator requires a few parameters. The first, filename, specifies the name of the file to use to store users and passwords. Note that this file need not exist (and probably will not exist when you first set it up). Icecast has built-in support for managing users and passwords via the web admin interface. More on this later in this section. The second option, allow_duplicate_users, if set to 0, will prevent multiple connections using the same username. Setting this value to 1 will enable mutltiple connections from the same username on a given mountpoint. Note there is no way to specify a "max connections" for a particular user.
|
|
</p>
|
|
<p>Icecast supports a mixture of streams that require listener authentication and those that do not. Only mounts that are named in the config file can be configured for listener authentication.</p>
|
|
<br />
|
|
<br />
|
|
<h3>Configuring Users and Passwords</h3>
|
|
<p>Once the appropriate entries are made to the config file, connect your source client (using the mountpoint you named in the config file). To configure users and passwords for this stream you must use the web-based admin interface. Navigate to http://server:ip/admin/stats.xsl to begin. If you have configured everything properly, you should see a screen like the following :</p>
|
|
<img src="listener_auth1.jpg" alt="Screenshot of http://server:ip/admin/stats.xsl" />
|
|
<p>You will see a lock in front of all mountpoint configured for listener authentication. Also note that this page will only show CONNECTED mountpoints.</p>
|
|
<p>To manage users and passwords for this mountpoint, click on the lock or follow the "Manage Authentication" link. The following screen will be shown :</p>
|
|
<img src="listener_auth2.jpg" alt="Screenshot of Manage Authentication" />
|
|
<p>This screen will show all the users configured for this mountpoint. Adding users is as simple as entering a username and password in the fields and clicking "Add New User". Note that usernames MUST be unique and there are NO restrictions on passwords. You can delete users by clicking the appropriate delete link next to each user.</p>
|
|
<br />
|
|
<br />
|
|
<br />
|
|
<h3>Finishing it all off</h3>
|
|
<p>Ok, so you've created your users, and you have everything setup properly, how do your users login ? Well, we've provided a simple login form that you can use for this purpose. This page (http://server:port/auth.xsl) will bring up a form that users can use to enter their username and password.</p>
|
|
<img src="listener_auth3.jpg" alt="Screenshot of http://server:port/auth.xsl" />
|
|
<p>This page will serve a m3u with the username and password and in most cases should open the correct media player and begin playing your stream</p>
|
|
<br />
|
|
<br />
|
|
<h2>URL</h2>
|
|
<p>Authenticating listeners via the URL method involves icecast, when a listener connects,
|
|
issuing requests to a web server and checking the response headers. If a certain header is
|
|
sent back then the listener connecting is allowed to continue, if not, an error is sent back
|
|
to the listener.</p>
|
|
<p>The URLs specified will invoke some web server scripts like PHP to do any work that they
|
|
may choose to do. All that is required of the scripting language is that POST information can
|
|
be handled and response headers can be sent back. libcurl is used for the requesting so
|
|
https connections may be possible, but be aware of the extra overhead involved.</p>
|
|
<p>The useragent sent in each curl request will represent the icecast server version. The
|
|
response headers will depend on whether the listener is to be accepted. In the case of
|
|
rejection, a response header <pre>icecast-auth-message: reason </pre> should also be returned
|
|
for placing in the log files.
|
|
</p>
|
|
<p>In order to use URL based listener authentication, you MUST configure a mount specific
|
|
option. This means that you have to provide a <mount> section in the main icecast
|
|
config file. The following shows the list of options available :</p>
|
|
<pre>
|
|
<mount>
|
|
<mount-name>/example.ogg</mount-name>
|
|
<authentication type="url">
|
|
<option name="mount_add" value="http://auth.example.org/stream_start.php"/>
|
|
<option name="mount_remove" value="http://auth.example.org/stream_end.php"/>
|
|
<option name="listener_add" value="http://auth.example.org/listener_joined.php"/>
|
|
<option name="listener_remove" value="http://auth.example.org/listener_left.php"/>
|
|
<option name="username" value="user"/>
|
|
<option name="password" value="pass"/>
|
|
<option name="auth_header" value="icecast-auth-user: 1"/>
|
|
<option name="timelimit_header" value="icecast-auth-timelimit:"/>
|
|
<option name="headers" value="x-pragma,x-token"/>
|
|
<option name="header_prefix" value="ClientHeader."/>
|
|
<option name="stream_auth" value="http://auth.example.org/source.php"/>
|
|
</authentication>
|
|
</mount>
|
|
</pre>
|
|
<p>The options are described below in more detail, each of which is optional, but in each
|
|
case, within the POST data, the value for each setting is encoded.</p>
|
|
<h3>mount_add</h3>
|
|
<p>This URL is for informing the auth server of a stream starting. No listener information
|
|
is passed for this, but can be used to initialise any details the auth server may have.
|
|
</p>
|
|
<p>POST details are</p>
|
|
<pre>
|
|
action=mount_add&mount=/live&server=icecast.example.org&port=8000
|
|
</pre>
|
|
<p>Here the details indicate the server name (<hostname>) and mountpoint starting up</p>
|
|
<h3>mount_remove</h3>
|
|
<p>This URL is for informing the auth server of a stream finishing, like the start option, no
|
|
listener details are passed.</p>
|
|
<p>POST details are</p>
|
|
<pre>
|
|
action=mount_remove&mount=/live&server=icecast.example.org&port=8000
|
|
</pre>
|
|
<p>like the start option, server name and mountpoint are provided</p>
|
|
</p>
|
|
<h3>listener_add</h3>
|
|
<p>This is most likely to be used if anything. When a listener connects, before anything is
|
|
sent back to them, this request is processed. The default action is to reject a listener
|
|
unless the auth server sends back a response header which may be stated in the 'header' option
|
|
</p>
|
|
<p>POST details are</p>
|
|
<pre>
|
|
action=listener_add&server=icecast.example.org&port=8000&client=1&mount=/live&user=&pass=&ip=127.0.0.1&agent=My%20player
|
|
</pre>
|
|
<p>There are more details with this, client is the unique ID for the client within icecast,
|
|
user and pass may be blank but come from the HTTP basic auth that the listener states, ip
|
|
is the listeners IP address and agent is the Useragent from the listeners player.</p>
|
|
<p>The mount here (unlike the start/end options) states the requested url including any
|
|
query parameters, so for instance the requested URL can be /stream.ogg&session=xyz, but
|
|
note that each option data is escaped before being passed via POST
|
|
</p>
|
|
<h3>listener_remove</h3>
|
|
<p>This URL is for when a listener connection closes.</p>
|
|
<p>POST details are</p>
|
|
<pre>
|
|
action=listener_remove&server=icecast.example.org&port=8000&client=1&mount=/live&user=&pass=&duration=3600&ip=127.0.0.1&agent=My%20player
|
|
</pre>
|
|
<p>Again this is similar to the add option, the difference being that a duration is passed
|
|
reflecting the number of seconds the listener was connected for </p>
|
|
<div id="stream_auth" >
|
|
<h3>stream_auth</h3>
|
|
<p>Technically this does not belong to listener authentication, but due to its similarity
|
|
it is explained here too. When a source connects, before anything is sent back to them,
|
|
this request is processed. The default action is to reject a source unless the auth server
|
|
sends back a response header which may be stated in the 'header' option
|
|
</p>
|
|
<p>POST details are</p>
|
|
<pre>
|
|
action=stream_auth&mount=/stream.ogg&ip=192.0.2.0&server=icecast.example.org&port=8000&user=source&pass=password&admin=1
|
|
</pre>
|
|
<p>The request contains: the mountpoint, the IP from which the source client is connecting,
|
|
the hostname of the icecast server the client tries to connect to,
|
|
the port of said server and finally username and password as sent by the source client.
|
|
As admin requests can come in for a stream (eg metadata update) these requests can be
|
|
issued while stream is active. For these &admin=1 is added to the POST details.</p></div>
|
|
<h3>auth_header</h3>
|
|
<p>The expected response header to be returned that allows the authencation to take
|
|
place may be specified here. The default is
|
|
<pre>icecast-auth-user: 1</pre>
|
|
but it could can anything you like, for instance
|
|
<pre>HTTP 200 OK</pre>
|
|
<h3>timelimit_header</h3>
|
|
<p>Listeners could have a time limit imposed on them, and if this header is sent back with a
|
|
figure (which represents seconds) then that is how long the client will remain connected for.
|
|
</p>
|
|
<h3>headers</h3>
|
|
<p>This is a list of HTTP headers provided by the client which should be passed to the authencation service.
|
|
Those headers are prepended by the value of header_prefix and sent as post parameters.
|
|
</p>
|
|
<h3>header_prefix</h3>
|
|
<p>This is the prefix used for passing client headers. See headers for details.
|
|
</p>
|
|
<br />
|
|
<h2>A note about players and authentication</h2>
|
|
<p>We do not have an exaustive list of players that support listener authentication. We use
|
|
standard HTTP basic authentication, and in general, many media players support this if they
|
|
support anything at all. Winamp and Foobar2000 support HTTP basic authentication on windows,
|
|
and XMMS supports it on unix platforms. Winamp/XMMS as least support the passing of query
|
|
parameters, other players may also do</p>
|
|
<br />
|
|
<h2>Source Authentication</h2>
|
|
<p>Source authentication is a feature of icecast which allows you to secure a certain
|
|
mountpoint such that in order to stream to it, a source client must pass some verification test.
|
|
This section will show you the basics of setting up and maintaining this component.</p>
|
|
|
|
<p>To define source authentication, a group of tags are specified in the <mount>
|
|
group relating to the mountpoint.</p>
|
|
<br />
|
|
<p>The following authentication mechanisms can apply to sources</p>
|
|
<ul>
|
|
<li>BASIC - <password> and possibly <username> in the <mount> section</li>
|
|
<li>URL - issue web requests (eg PHP) to match authentication</li>
|
|
</ul>
|
|
<br />
|
|
|
|
<div id="stream_auth" >
|
|
|
|
<h3>URL authentication: stream_auth</h3>
|
|
<p>A <mount> can contain a section <authentication type="url">
|
|
and therein <option name="stream_auth" value="http://auth.example.org/source.php"/>.
|
|
When a source connects, before anything is sent back to them,
|
|
this request is processed. The default action is to reject a source unless the auth server
|
|
sends back a response header which may be stated in the 'header' option (same as listener auth)
|
|
</p>
|
|
<p>POST details are</p>
|
|
<pre>
|
|
action=stream_auth&mount=/stream.ogg&ip=192.0.2.0&server=icecast.example.org&port=8000&user=source&pass=password&admin=1
|
|
</pre>
|
|
<p>The request contains: the mountpoint, the IP from which the source client is connecting,
|
|
the hostname of the icecast server the client tries to connect to,
|
|
the port of said server and finally username and password as sent by the source client.
|
|
As admin requests can come in for a stream (eg metadata update) these requests can be
|
|
issued while stream is active. For these &admin=1 is added to the POST details.</p></div>
|
|
</div>
|
|
</body>
|
|
</html>
|