
I have a separate server with Icecast for online radio. There is another server with a WordPress site. The WordPress site receives radio streams from the server with Icecast. The trouble is that the server with Icecast is open and accessible to everyone. I wanted it to be accessible only to the WordPress site. I tried using nginx to close access and open it only for the IP of the server with the WordPress site, but it blocks everyone. Please tell me how this can be done?

Thank you for any help in this matter.


Firstly, I should say that it is technically impossible to do what you're asking. There are always ways around, even if by proxying your stream server-side. However, you can make a reasonable effort by validating the Referer header when a client connects.

When the browser connects to Icecast to retrieve the stream, it includes the Referer: header, indicating the URL the user is accessing the stream from. For example:

Referer: https://blog.example.com/

As far as I know, stock Icecast has no capability to check this header for you. It does however have authentication hooks, which will allow you to validate the header in your own scripts, by calling their URL and reading its response. So, in your Icecast config, you would include something like:

<mount>
  <mount-name>/stream</mount-name>
  <authentication type="url">
    <!-- Script Icecast calls for every new listener; it approves with icecast-auth-user: 1 -->
    <option name="listener_add" value="https://blog.example.com/icecast-auth-script.php" />
    <!-- Client request headers (comma separated) forwarded to the script as POST fields -->
    <option name="headers" value="referer" />
    <!-- Prefix for the forwarded header fields, so the script receives requestHeader.referer -->
    <option name="header_prefix" value="requestHeader." />
  </authentication>
</mount>

Then, in your PHP script, you can take a look at something like $_POST['requestHeader.referer']. If it matches what you want, tell Icecast to approve the stream:

header('icecast-auth-user: 1');
Brad
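The auth script the answer sketches, written out as an added example (not Brad's code): it assumes the listener_add configuration above, uses placeholder hostnames for the allow-list, and reads the forwarded header under an underscored key because PHP rewrites dots in incoming field names to underscores.

```php
<?php
// Added example, not the original answer's script. Icecast calls this URL
// (configured as the listener_add option) for every new listener and POSTs
// fields such as action=listener_add plus the forwarded request headers.
// Placeholder allow-list: replace with the host(s) serving the player page.
const ALLOWED_HOSTS = ['blog.example.com', 'www.blog.example.com'];

// Decide whether a Referer value points at an allow-listed HTTPS origin.
function refererIsAllowed(?string $referer, array $allowedHosts): bool
{
    // Browsers omit Referer on direct access or under strict referrer policies,
    // so a missing value is treated as "not from our site".
    if ($referer === null || $referer === '') {
        return false;
    }
    $parts = parse_url($referer);
    if ($parts === false || empty($parts['host'])) {
        return false; // unparseable value
    }
    // Require https and an exact host match (no substring or prefix matching,
    // which would also accept hosts like blog.example.com.evil.test).
    if (strtolower($parts['scheme'] ?? '') !== 'https') {
        return false;
    }
    return in_array(strtolower($parts['host']), $allowedHosts, true);
}

// Only answer the listener_add callback; anything else is rejected.
if ($_SERVER['REQUEST_METHOD'] !== 'POST' || ($_POST['action'] ?? '') !== 'listener_add') {
    header('icecast-auth-user: 0');
    header('icecast-auth-message: unexpected request');
    exit;
}

// Icecast sends the header as "requestHeader.referer", but PHP rewrites dots
// in incoming field names to underscores, so look up the underscored key first.
$referer = $_POST['requestHeader_referer'] ?? $_POST['requestHeader.referer'] ?? null;

if (refererIsAllowed($referer, ALLOWED_HOSTS)) {
    header('icecast-auth-user: 1');
} else {
    header('icecast-auth-user: 0');
    header('icecast-auth-message: please listen from the website');
    // Keep a trace of rejections for monitoring; Referer is client-supplied,
    // so this check raises the bar but is not a hard access control.
    error_log('icecast listener rejected, referer=' . var_export($referer, true));
}
```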
  • "it is technically impossible" is a bold statement. My icecast server is configured to only accept connections from a separate webserver and all connections are proxied through that webserver. It's impossible for anyone to connect to it directly. – miknik Feb 12 '22 at 03:34
  • @miknik Your configuration isn't relevant to this question. This is about preventing clients from other websites, not other hosts. – Brad Feb 14 '22 at 05:51
  • If you reverse proxy the Icecast server through Nginx so it is served to the outside world from the same server as your website then you can use Nginx to allow/deny access to the Icecast stream using cookies served from your site, by dynamically altering the stream url, appending query parameters, checking for ip address in webpage server logs, initiating a websocket connection from your page and checking it is active etc etc – miknik Mar 02 '22 at 01:17
  • @miknik Sounds like a lot of work for something that's ineffective. It's still pretty easy to get around all of those obfuscations. By the way, you realize that folks often have multiple public IP addresses simultaneously, right? You're actively breaking your site for those types of users if you're correlating web traffic to the stream traffic as an authentication measure. – Brad Mar 02 '22 at 01:55
  • You can say it's easy, but it would be beyond 99% of internet users to even know where to start. Folks don't "often" have multiple public IP addresses; almost all internet users have a single IP address assigned to their connection, and of those with multiple, who would use more than one of those multiple IP addresses for connecting to the same web server from a single machine? That's just not how network traffic is routed. You might think it's a lot of work, but that's not the same as "technically impossible" – miknik Mar 02 '22 at 09:00
  • @miknik This is Stack Overflow... jumping over the hurdles you have so carefully set up is not going to be difficult for a lot of folks here. In any case, your level of risk is dependent on non-technical factors. It's important to shine a light on the issue for others who may apply these solutions in other situations. And yes, it *is* often the case that people use multiple public IP addresses. Corporate networks are notorious for multiple NAT gateways. On the IPv6 side, one laptop might be connected to a pair of WiFi networks and Ethernet, for 3 addresses. – Brad Mar 02 '22 at 09:23
  • @miknik (continued) Additionally, you have cell phones regularly bouncing between mobile networks and WiFi that need to be accounted for. And, that IP address for mobile devices is all over the place in its behavior. My cell carrier is currently in a transition of being bought out, and networks being phased out. My IP address will change all the time, and yes, this breaks sites like yours. It's an annoying problem when developers make assumptions about IP addresses, which is why I call them out here in Stack Overflow. Maybe it doesn't matter in your case, but it might in someone else's. – Brad Mar 02 '22 at 09:27