diff --git a/README.md b/README.md
index 4c13ccb59..5a15550c2 100755
--- a/README.md
+++ b/README.md
@@ -501,6 +501,7 @@ Supported operating systems and hardware:
* 2013-10-17, Created.
## History
+* v2.0, 2015-01-02, hotfix [#211](https://github.com/winlinvip/simple-rtmp-server/issues/211), support security allow/deny publish/play all/ip. 2.0.86
* v2.0, 2015-01-02, hotfix [#207](https://github.com/winlinvip/simple-rtmp-server/issues/207), trim the last 0 of log. 2.0.85
* v2.0, 2014-01-02, fix [#158](https://github.com/winlinvip/simple-rtmp-server/issues/158), http-callback check http status code ok(200). 2.0.84
* v2.0, 2015-01-02, hotfix [#216](https://github.com/winlinvip/simple-rtmp-server/issues/216), http-callback post in application/json content-type. 2.0.83
diff --git a/trunk/conf/full.conf b/trunk/conf/full.conf
old mode 100755
new mode 100644
index 6b6b273d7..1776a9d18
--- a/trunk/conf/full.conf
+++ b/trunk/conf/full.conf
@@ -142,6 +142,35 @@ http_stream {
vhost __defaultVhost__ {
}
+# the security to allow or deny clients.
+vhost security.srs.com {
+ # security for host to allow or deny clients.
+ # @see https://github.com/winlinvip/simple-rtmp-server/issues/211
+ security {
+ # whether enable the security for vhost.
+ # default: off
+ enabled on;
+ # the security list, each item format as:
+ # allow|deny publish|play all|
+ # for example:
+ # allow publish all;
+ # deny publish all;
+ # allow publish 127.0.0.1;
+ # deny publish 127.0.0.1;
+ # allow play all;
+ # deny play all;
+ # allow play 127.0.0.1;
+ # deny play 127.0.0.1;
+ # SRS apply the following simple strategies one by one:
+ # 1. allow all if security disabled.
+ # 2. default to deny all when security enabled.
+ # 3. allow if matches allow strategy.
+ # 4. deny if matches deny strategy.
+ allow play all;
+ allow publish all;
+ }
+}
+
# the MR(merged-read) setting for publisher.
# the MW(merged-write) settings for player.
vhost mrw.srs.com {
diff --git a/trunk/conf/realtime.conf b/trunk/conf/realtime.conf
old mode 100755
new mode 100644
diff --git a/trunk/conf/security.deny.publish.conf b/trunk/conf/security.deny.publish.conf
new file mode 100644
index 000000000..a2c6e59da
--- /dev/null
+++ b/trunk/conf/security.deny.publish.conf
@@ -0,0 +1,13 @@
+# security config for srs, allow play and deny publish.
+# @see https://github.com/winlinvip/simple-rtmp-server/issues/211#issuecomment-68507035
+# @see full.conf for detail config.
+
+listen 1935;
+max_connections 1000;
+vhost __defaultVhost__ {
+ security {
+ enabled on;
+ deny publish all;
+ allow play all;
+ }
+}
diff --git a/trunk/configure b/trunk/configure
index dd6d5f4e3..67d9bc464 100755
--- a/trunk/configure
+++ b/trunk/configure
@@ -389,7 +389,7 @@ if [ $SRS_EXPORT_LIBRTMP_PROJECT = NO ]; then
"srs_app_pithy_print" "srs_app_reload" "srs_app_http_api" "srs_app_http_conn" "srs_app_http_hooks"
"srs_app_json" "srs_app_ingest" "srs_app_ffmpeg" "srs_app_utility" "srs_app_dvr" "srs_app_edge"
"srs_app_kbps" "srs_app_heartbeat" "srs_app_empty" "srs_app_http_client" "srs_app_avc_aac"
- "srs_app_recv_thread")
+ "srs_app_recv_thread" "srs_app_security")
APP_INCS="src/app"; MODULE_DIR=${APP_INCS} . auto/modules.sh
APP_OBJS="${MODULE_OBJS[@]}"
fi
diff --git a/trunk/src/app/srs_app_config.cpp b/trunk/src/app/srs_app_config.cpp
index 72031ad70..4b1d616be 100644
--- a/trunk/src/app/srs_app_config.cpp
+++ b/trunk/src/app/srs_app_config.cpp
@@ -434,7 +434,8 @@ int SrsConfig::reload_conf(SrsConfig* conf)
// always support reload without additional code:
// chunk_size, ff_log_dir, max_connections,
// bandcheck, http_hooks, heartbeat,
- // token_traverse, debug_srs_upnode
+ // token_traverse, debug_srs_upnode,
+ // security
// merge config: listen
if (!srs_directive_equals(root->get("listen"), old_root->get("listen"))) {
@@ -1363,6 +1364,7 @@ int SrsConfig::check_config()
&& n != "atc" && n != "atc_auto"
&& n != "debug_srs_upnode"
&& n != "mr" && n != "mw_latency" && n != "min_latency"
+ && n != "security"
) {
ret = ERROR_SYSTEM_CONFIG_INVALID;
srs_error("unsupported vhost directive %s, ret=%d", n.c_str(), ret);
@@ -1440,6 +1442,16 @@ int SrsConfig::check_config()
return ret;
}
}*/
+ } else if (n == "security") {
+ for (int j = 0; j < (int)conf->directives.size(); j++) {
+ SrsConfDirective* security = conf->at(j);
+ string m = security->name.c_str();
+ if (m != "enabled" && m != "deny" && m != "allow") {
+ ret = ERROR_SYSTEM_CONFIG_INVALID;
+ srs_error("unsupported vhost security directive %s, ret=%d", m.c_str(), ret);
+ return ret;
+ }
+ }
} else if (n == "transcode") {
for (int j = 0; j < (int)conf->directives.size(); j++) {
SrsConfDirective* trans = conf->at(j);
@@ -2456,6 +2468,43 @@ bool SrsConfig::get_vhost_edge_token_traverse(string vhost)
return true;
}
+bool SrsConfig::get_security_enabled(string vhost)
+{
+ SrsConfDirective* conf = get_vhost(vhost);
+
+ if (!conf) {
+ return SRS_CONF_DEFAULT_SECURITY_ENABLED;
+ }
+
+ SrsConfDirective* security = conf->get("security");
+ if (!security) {
+ return SRS_CONF_DEFAULT_SECURITY_ENABLED;
+ }
+
+ conf = security->get("enabled");
+ if (!conf || conf->arg0() != "on") {
+ return SRS_CONF_DEFAULT_SECURITY_ENABLED;
+ }
+
+ return true;
+}
+
+SrsConfDirective* SrsConfig::get_security_rules(string vhost)
+{
+ SrsConfDirective* conf = get_vhost(vhost);
+
+ if (!conf) {
+ return NULL;
+ }
+
+ SrsConfDirective* security = conf->get("security");
+ if (!security) {
+ return NULL;
+ }
+
+ return security;
+}
+
SrsConfDirective* SrsConfig::get_transcode(string vhost, string scope)
{
SrsConfDirective* conf = get_vhost(vhost);
diff --git a/trunk/src/app/srs_app_config.hpp b/trunk/src/app/srs_app_config.hpp
index aaf7f973f..959553204 100644
--- a/trunk/src/app/srs_app_config.hpp
+++ b/trunk/src/app/srs_app_config.hpp
@@ -76,6 +76,8 @@ CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
#define SRS_CONF_DEFAULT_HTTP_HEAETBEAT_URL "http://"SRS_CONSTS_LOCALHOST":8085/api/v1/servers"
#define SRS_CONF_DEFAULT_HTTP_HEAETBEAT_SUMMARIES false
+#define SRS_CONF_DEFAULT_SECURITY_ENABLED false
+
#define SRS_CONF_DEFAULT_STATS_NETWORK_DEVICE_INDEX 0
#define SRS_CONF_DEFAULT_STAGE_PLAY_USER_INTERVAL_MS 10000
@@ -659,6 +661,16 @@ public:
* all clients connected to edge must be tranverse to origin to verify.
*/
virtual bool get_vhost_edge_token_traverse(std::string vhost);
+// vhost security section
+public:
+ /**
+ * whether the secrity of vhost enabled.
+ */
+ virtual bool get_security_enabled(std::string vhost);
+ /**
+ * get the security rules.
+ */
+ virtual SrsConfDirective* get_security_rules(std::string vhost);
// vhost transcode section
public:
/**
@@ -776,7 +788,7 @@ public:
* @remark, we will use some variable, for instance, [vhost] to substitude with vhost.
*/
virtual std::string get_engine_output(SrsConfDirective* engine);
-// ingest section
+// vhost ingest section
public:
/**
* get the ingest directives of vhost.
diff --git a/trunk/src/app/srs_app_rtmp_conn.cpp b/trunk/src/app/srs_app_rtmp_conn.cpp
index 87eef5c4a..029c0ace2 100644
--- a/trunk/src/app/srs_app_rtmp_conn.cpp
+++ b/trunk/src/app/srs_app_rtmp_conn.cpp
@@ -51,6 +51,7 @@ using namespace std;
#include
#include
#include
+#include
// when stream is busy, for example, streaming is already
// publishing, when a new client to request to publish,
@@ -81,6 +82,7 @@ SrsRtmpConn::SrsRtmpConn(SrsServer* srs_server, st_netfd_t client_stfd)
rtmp = new SrsRtmpServer(skt);
refer = new SrsRefer();
bandwidth = new SrsBandwidth();
+ security = new SrsSecurity();
duration = 0;
kbps = new SrsKbps();
kbps->set_io(skt, skt);
@@ -102,6 +104,7 @@ SrsRtmpConn::~SrsRtmpConn()
srs_freep(skt);
srs_freep(refer);
srs_freep(bandwidth);
+ srs_freep(security);
srs_freep(kbps);
}
@@ -360,6 +363,13 @@ int SrsRtmpConn::stream_service_cycle()
req->strip();
srs_trace("client identified, type=%s, stream_name=%s, duration=%.2f",
srs_client_type_string(type).c_str(), req->stream.c_str(), req->duration);
+
+ // security check
+ if ((ret = security->check(type, ip, req)) != ERROR_SUCCESS) {
+ srs_error("security check failed. ret=%d", ret);
+ return ret;
+ }
+ srs_info("security check ok");
// client is identified, set the timeout to service timeout.
rtmp->set_recv_timeout(SRS_CONSTS_RTMP_RECV_TIMEOUT_US);
diff --git a/trunk/src/app/srs_app_rtmp_conn.hpp b/trunk/src/app/srs_app_rtmp_conn.hpp
index 111fc0f83..ea3fc7619 100644
--- a/trunk/src/app/srs_app_rtmp_conn.hpp
+++ b/trunk/src/app/srs_app_rtmp_conn.hpp
@@ -51,6 +51,7 @@ class SrsRtmpClient;
class SrsSharedPtrMessage;
class SrsQueueRecvThread;
class SrsPublishRecvThread;
+class SrsSecurity;
/**
* the client provides the main logic control for RTMP clients.
@@ -66,6 +67,7 @@ private:
SrsRtmpServer* rtmp;
SrsRefer* refer;
SrsBandwidth* bandwidth;
+ SrsSecurity* security;
// elapse duration in ms
// for live play duration, for instance, rtmpdump to record.
// @see https://github.com/winlinvip/simple-rtmp-server/issues/47
diff --git a/trunk/src/app/srs_app_security.cpp b/trunk/src/app/srs_app_security.cpp
new file mode 100644
index 000000000..14a128ef5
--- /dev/null
+++ b/trunk/src/app/srs_app_security.cpp
@@ -0,0 +1,153 @@
+/*
+The MIT License (MIT)
+
+Copyright (c) 2013-2015 winlin
+
+Permission is hereby granted, free of charge, to any person obtaining a copy of
+this software and associated documentation files (the "Software"), to deal in
+the Software without restriction, including without limitation the rights to
+use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of
+the Software, and to permit persons to whom the Software is furnished to do so,
+subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS
+FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR
+COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER
+IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
+CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
+*/
+
+#include
+
+#include
+#include
+
+using namespace std;
+
+SrsSecurity::SrsSecurity()
+{
+}
+
+SrsSecurity::~SrsSecurity()
+{
+}
+
+int SrsSecurity::check(SrsRtmpConnType type, string ip, SrsRequest* req)
+{
+ int ret = ERROR_SUCCESS;
+
+ // allow all if security disabled.
+ if (!_srs_config->get_security_enabled(req->vhost)) {
+ return ret;
+ }
+
+ // default to deny all when security enabled.
+ ret = ERROR_SYSTEM_SECURITY;
+
+ // rules to apply
+ SrsConfDirective* rules = _srs_config->get_security_rules(req->vhost);
+ if (!rules) {
+ return ret;
+ }
+
+ // allow if matches allow strategy.
+ if (allow_check(rules, type, ip, req) == ERROR_SYSTEM_SECURITY_ALLOW) {
+ ret = ERROR_SUCCESS;
+ }
+
+ // deny if matches deny strategy.
+ if (deny_check(rules, type, ip, req) == ERROR_SYSTEM_SECURITY_DENY) {
+ ret = ERROR_SYSTEM_SECURITY_DENY;
+ }
+
+ return ret;
+}
+
+int SrsSecurity::allow_check(SrsConfDirective* rules, SrsRtmpConnType type, std::string ip, SrsRequest* req)
+{
+ int ret = ERROR_SUCCESS;
+
+ for (int i = 0; i < (int)rules->directives.size(); i++) {
+ SrsConfDirective* rule = rules->at(i);
+
+ if (rule->name != "allow") {
+ continue;
+ }
+
+ switch (type) {
+ case SrsRtmpConnPlay:
+ if (rule->arg0() != "play") {
+ break;
+ }
+ if (rule->arg1() == "all" || rule->arg1() == ip) {
+ ret = ERROR_SYSTEM_SECURITY_ALLOW;
+ break;
+ }
+ break;
+ case SrsRtmpConnFMLEPublish:
+ case SrsRtmpConnFlashPublish:
+ if (rule->arg0() != "publish") {
+ break;
+ }
+ if (rule->arg1() == "all" || rule->arg1() == ip) {
+ ret = ERROR_SYSTEM_SECURITY_ALLOW;
+ break;
+ }
+ break;
+ }
+
+ // when matched, donot search more.
+ if (ret == ERROR_SYSTEM_SECURITY_ALLOW) {
+ break;
+ }
+ }
+
+ return ret;
+}
+
+int SrsSecurity::deny_check(SrsConfDirective* rules, SrsRtmpConnType type, std::string ip, SrsRequest* req)
+{
+ int ret = ERROR_SUCCESS;
+
+ for (int i = 0; i < (int)rules->directives.size(); i++) {
+ SrsConfDirective* rule = rules->at(i);
+
+ if (rule->name != "deny") {
+ continue;
+ }
+
+ switch (type) {
+ case SrsRtmpConnPlay:
+ if (rule->arg0() != "play") {
+ break;
+ }
+ if (rule->arg1() == "all" || rule->arg1() == ip) {
+ ret = ERROR_SYSTEM_SECURITY_DENY;
+ break;
+ }
+ break;
+ case SrsRtmpConnFMLEPublish:
+ case SrsRtmpConnFlashPublish:
+ if (rule->arg0() != "publish") {
+ break;
+ }
+ if (rule->arg1() == "all" || rule->arg1() == ip) {
+ ret = ERROR_SYSTEM_SECURITY_DENY;
+ break;
+ }
+ break;
+ }
+
+ // when matched, donot search more.
+ if (ret == ERROR_SYSTEM_SECURITY_DENY) {
+ break;
+ }
+ }
+
+ return ret;
+}
+
diff --git a/trunk/src/app/srs_app_security.hpp b/trunk/src/app/srs_app_security.hpp
new file mode 100644
index 000000000..efa6cb18e
--- /dev/null
+++ b/trunk/src/app/srs_app_security.hpp
@@ -0,0 +1,70 @@
+/*
+The MIT License (MIT)
+
+Copyright (c) 2013-2015 winlin
+
+Permission is hereby granted, free of charge, to any person obtaining a copy of
+this software and associated documentation files (the "Software"), to deal in
+the Software without restriction, including without limitation the rights to
+use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of
+the Software, and to permit persons to whom the Software is furnished to do so,
+subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS
+FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR
+COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER
+IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
+CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
+*/
+
+#ifndef SRS_APP_SECURITY_HPP
+#define SRS_APP_SECURITY_HPP
+
+/*
+#include
+*/
+
+#include
+
+#include
+
+#include
+
+class SrsConfDirective;
+
+/**
+* the security apply on vhost.
+* @see https://github.com/winlinvip/simple-rtmp-server/issues/211
+*/
+class SrsSecurity
+{
+public:
+ SrsSecurity();
+ virtual ~SrsSecurity();
+public:
+ /**
+ * security check the client apply by vhost security strategy
+ * @param type the client type, publish or play.
+ * @param ip the ip address of client.
+ * @param req the request object of client.
+ */
+ virtual int check(SrsRtmpConnType type, std::string ip, SrsRequest* req);
+private:
+ /**
+ * security check the allow,
+ * @return, if allowed, ERROR_SYSTEM_SECURITY_ALLOW.
+ */
+ virtual int allow_check(SrsConfDirective* rules, SrsRtmpConnType type, std::string ip, SrsRequest* req);
+ /**
+ * security check the deny,
+ * @return, if allowed, ERROR_SYSTEM_SECURITY_DENY.
+ */
+ virtual int deny_check(SrsConfDirective* rules, SrsRtmpConnType type, std::string ip, SrsRequest* req);
+};
+
+#endif
+
diff --git a/trunk/src/core/srs_core.hpp b/trunk/src/core/srs_core.hpp
index e5a742acc..bb776e8ea 100644
--- a/trunk/src/core/srs_core.hpp
+++ b/trunk/src/core/srs_core.hpp
@@ -31,7 +31,7 @@ CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
// current release version
#define VERSION_MAJOR 2
#define VERSION_MINOR 0
-#define VERSION_REVISION 85
+#define VERSION_REVISION 86
// server info.
#define RTMP_SIG_SRS_KEY "SRS"
#define RTMP_SIG_SRS_ROLE "origin/edge server"
diff --git a/trunk/src/kernel/srs_kernel_error.hpp b/trunk/src/kernel/srs_kernel_error.hpp
index 7bbfeb525..278a3351a 100644
--- a/trunk/src/kernel/srs_kernel_error.hpp
+++ b/trunk/src/kernel/srs_kernel_error.hpp
@@ -90,6 +90,9 @@ CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
#define ERROR_SYSTEM_FILE_SEEK 1049
#define ERROR_SYSTEM_IO_INVALID 1050
#define ERROR_ST_EXCEED_THREADS 1051
+#define ERROR_SYSTEM_SECURITY 1052
+#define ERROR_SYSTEM_SECURITY_DENY 1053
+#define ERROR_SYSTEM_SECURITY_ALLOW 1054
///////////////////////////////////////////////////////
// RTMP protocol error.
diff --git a/trunk/src/srs/srs.upp b/trunk/src/srs/srs.upp
index c400d51a7..b6712314a 100755
--- a/trunk/src/srs/srs.upp
+++ b/trunk/src/srs/srs.upp
@@ -104,6 +104,8 @@ file
..\app\srs_app_rtmp_conn.cpp,
..\app\srs_app_pithy_print.hpp,
..\app\srs_app_pithy_print.cpp,
+ ..\app\srs_app_security.hpp,
+ ..\app\srs_app_security.cpp,
..\app\srs_app_server.hpp,
..\app\srs_app_server.cpp,
..\app\srs_app_st.hpp,