Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Security: Support IP whitelist for HTTP-FLV, HLS, WebRTC, and SRT. v5.0.202 v6.0.104 #3902

Merged
merged 2 commits into from
Dec 14, 2023
Merged
Show file tree
Hide file tree
Changes from 1 commit
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
6 changes: 6 additions & 0 deletions trunk/src/app/srs_app_http_static.cpp
Original file line number Diff line number Diff line change
Expand Up @@ -64,6 +64,7 @@ void SrsHlsVirtualConn::expire()
SrsHlsStream::SrsHlsStream()
{
_srs_hybrid->timer5s()->subscribe(this);
security_ = new SrsSecurity();
}

SrsHlsStream::~SrsHlsStream()
Expand All @@ -76,6 +77,7 @@ SrsHlsStream::~SrsHlsStream()
srs_freep(info);
}
map_ctx_info_.clear();
srs_freep(security_);
}

srs_error_t SrsHlsStream::serve_m3u8_ctx(ISrsHttpResponseWriter* w, ISrsHttpMessage* r, ISrsFileReaderFactory* factory, string fullpath, SrsRequest* req, bool* served)
Expand Down Expand Up @@ -167,6 +169,10 @@ srs_error_t SrsHlsStream::serve_new_session(ISrsHttpResponseWriter* w, ISrsHttpM
return srs_error_wrap(err, "stat on client");
}

if ((err = security_->check(SrsHlsPlay, req->ip, req)) != srs_success) {
return srs_error_wrap(err, "HLS: security check");
}

// We must do hook after stat, because depends on it.
if ((err = http_hooks_on_play(req)) != srs_success) {
return srs_error_wrap(err, "HLS: http_hooks_on_play");
Expand Down
4 changes: 3 additions & 1 deletion trunk/src/app/srs_app_http_static.hpp
Original file line number Diff line number Diff line change
Expand Up @@ -8,7 +8,7 @@
#define SRS_APP_HTTP_STATIC_HPP

#include <srs_core.hpp>

#include <srs_app_security.hpp>
#include <srs_app_http_conn.hpp>

class ISrsFileReaderFactory;
Expand Down Expand Up @@ -52,6 +52,8 @@ class SrsHlsStream : public ISrsFastTimer
// interface ISrsFastTimer
private:
srs_error_t on_timer(srs_utime_t interval);
private:
SrsSecurity* security_;
};

// The Vod streaming, like FLV, MP4 or HLS streaming.
Expand Down
6 changes: 6 additions & 0 deletions trunk/src/app/srs_app_http_stream.cpp
Original file line number Diff line number Diff line change
Expand Up @@ -558,11 +558,13 @@ SrsLiveStream::SrsLiveStream(SrsLiveSource* s, SrsRequest* r, SrsBufferCache* c)
source = s;
cache = c;
req = r->copy()->as_http();
security_ = new SrsSecurity();
}

SrsLiveStream::~SrsLiveStream()
{
srs_freep(req);
srs_freep(security_);
}

srs_error_t SrsLiveStream::update_auth(SrsLiveSource* s, SrsRequest* r)
Expand Down Expand Up @@ -600,6 +602,10 @@ srs_error_t SrsLiveStream::serve_http(ISrsHttpResponseWriter* w, ISrsHttpMessage
return srs_error_wrap(err, "stat on client");
}

if ((err = security_->check(SrsFlvPlay, req->ip, req)) != srs_success) {
return srs_error_wrap(err, "flv: security check");
}

// We must do hook after stat, because depends on it.
if ((err = http_hooks_on_play(r)) != srs_success) {
return srs_error_wrap(err, "http hook");
Expand Down
3 changes: 2 additions & 1 deletion trunk/src/app/srs_app_http_stream.hpp
Original file line number Diff line number Diff line change
Expand Up @@ -8,7 +8,7 @@
#define SRS_APP_HTTP_STREAM_HPP

#include <srs_core.hpp>

#include <srs_app_security.hpp>
#include <srs_app_http_conn.hpp>

class SrsAacTransmuxer;
Expand Down Expand Up @@ -180,6 +180,7 @@ class SrsLiveStream : public ISrsHttpHandler
SrsRequest* req;
SrsLiveSource* source;
SrsBufferCache* cache;
SrsSecurity* security_;
public:
SrsLiveStream(SrsLiveSource* s, SrsRequest* r, SrsBufferCache* c);
virtual ~SrsLiveStream();
Expand Down
12 changes: 12 additions & 0 deletions trunk/src/app/srs_app_rtc_api.cpp
Original file line number Diff line number Diff line change
Expand Up @@ -31,10 +31,12 @@ using namespace std;
SrsGoApiRtcPlay::SrsGoApiRtcPlay(SrsRtcServer* server)
{
server_ = server;
security_ = new SrsSecurity();
}

SrsGoApiRtcPlay::~SrsGoApiRtcPlay()
{
srs_freep(security_);
}


Expand Down Expand Up @@ -228,6 +230,10 @@ srs_error_t SrsGoApiRtcPlay::serve_http(ISrsHttpResponseWriter* w, ISrsHttpMessa
}
}

if ((err = security_->check(SrsRtcConnPlay, ruc->req_->ip, ruc->req_)) != srs_success) {
return srs_error_wrap(err, "RTC: security check");
}

if ((err = http_hooks_on_play(ruc->req_)) != srs_success) {
return srs_error_wrap(err, "RTC: http_hooks_on_play");
}
Expand Down Expand Up @@ -324,10 +330,12 @@ srs_error_t SrsGoApiRtcPlay::http_hooks_on_play(SrsRequest* req)
SrsGoApiRtcPublish::SrsGoApiRtcPublish(SrsRtcServer* server)
{
server_ = server;
security_ = new SrsSecurity();
}

SrsGoApiRtcPublish::~SrsGoApiRtcPublish()
{
srs_freep(security_);
}

// Request:
Expand Down Expand Up @@ -503,6 +511,10 @@ srs_error_t SrsGoApiRtcPublish::serve_http(ISrsHttpResponseWriter* w, ISrsHttpMe
return srs_error_wrap(err, "create session");
}

if ((err = security_->check(SrsRtcConnPublish, ruc->req_->ip, ruc->req_)) != srs_success) {
return srs_error_wrap(err, "RTC: security check");
}

// We must do hook after stat, because depends on it.
if ((err = http_hooks_on_publish(ruc->req_)) != srs_success) {
return srs_error_wrap(err, "RTC: http_hooks_on_publish");
Expand Down
4 changes: 3 additions & 1 deletion trunk/src/app/srs_app_rtc_api.hpp
Original file line number Diff line number Diff line change
Expand Up @@ -8,7 +8,7 @@
#define SRS_APP_RTC_API_HPP

#include <srs_core.hpp>

#include <srs_app_security.hpp>
#include <srs_protocol_http_stack.hpp>

class SrsRtcServer;
Expand All @@ -20,6 +20,7 @@ class SrsGoApiRtcPlay : public ISrsHttpHandler
{
private:
SrsRtcServer* server_;
SrsSecurity* security_;
public:
SrsGoApiRtcPlay(SrsRtcServer* server);
virtual ~SrsGoApiRtcPlay();
Expand All @@ -39,6 +40,7 @@ class SrsGoApiRtcPublish : public ISrsHttpHandler
{
private:
SrsRtcServer* server_;
SrsSecurity* security_;
public:
SrsGoApiRtcPublish(SrsRtcServer* server);
virtual ~SrsGoApiRtcPublish();
Expand Down
12 changes: 10 additions & 2 deletions trunk/src/app/srs_app_security.cpp
Original file line number Diff line number Diff line change
Expand Up @@ -75,7 +75,10 @@ srs_error_t SrsSecurity::allow_check(SrsConfDirective* rules, SrsRtmpConnType ty

switch (type) {
case SrsRtmpConnPlay:
case SrsRtcConnPlay:
case SrsHlsPlay:
case SrsFlvPlay:
case SrsRtcConnPlay:
case SrsSrtConnPlay:
if (rule->arg0() != "play") {
break;
}
Expand All @@ -90,6 +93,7 @@ srs_error_t SrsSecurity::allow_check(SrsConfDirective* rules, SrsRtmpConnType ty
case SrsRtmpConnFlashPublish:
case SrsRtmpConnHaivisionPublish:
case SrsRtcConnPublish:
case SrsSrtConnPublish:
if (rule->arg0() != "publish") {
break;
}
Expand Down Expand Up @@ -126,7 +130,10 @@ srs_error_t SrsSecurity::deny_check(SrsConfDirective* rules, SrsRtmpConnType typ

switch (type) {
case SrsRtmpConnPlay:
case SrsRtcConnPlay:
case SrsHlsPlay:
case SrsFlvPlay:
case SrsRtcConnPlay:
case SrsSrtConnPlay:
if (rule->arg0() != "play") {
break;
}
Expand All @@ -141,6 +148,7 @@ srs_error_t SrsSecurity::deny_check(SrsConfDirective* rules, SrsRtmpConnType typ
case SrsRtmpConnFlashPublish:
case SrsRtmpConnHaivisionPublish:
case SrsRtcConnPublish:
case SrsSrtConnPublish:
if (rule->arg0() != "publish") {
break;
}
Expand Down
15 changes: 13 additions & 2 deletions trunk/src/app/srs_app_srt_conn.cpp
Original file line number Diff line number Diff line change
Expand Up @@ -174,6 +174,8 @@ SrsMpegtsSrtConn::SrsMpegtsSrtConn(SrsSrtServer* srt_server, srs_srt_t srt_fd, s
srt_source_ = NULL;
req_ = new SrsRequest();
req_->ip = ip;

security_ = new SrsSecurity();
}

SrsMpegtsSrtConn::~SrsMpegtsSrtConn()
Expand All @@ -184,6 +186,7 @@ SrsMpegtsSrtConn::~SrsMpegtsSrtConn()
srs_freep(delta_);
srs_freep(srt_conn_);
srs_freep(req_);
srs_freep(security_);
}

std::string SrsMpegtsSrtConn::desc()
Expand Down Expand Up @@ -311,6 +314,10 @@ srs_error_t SrsMpegtsSrtConn::publishing()
return srs_error_wrap(err, "srt: stat client");
}

if ((err = security_->check(SrsSrtConnPublish, ip_, req_)) != srs_success) {
return srs_error_wrap(err, "srt: security check");
}

// We must do hook after stat, because depends on it.
if ((err = http_hooks_on_publish()) != srs_success) {
return srs_error_wrap(err, "srt: callback on publish");
Expand All @@ -333,12 +340,16 @@ srs_error_t SrsMpegtsSrtConn::playing()
// We must do stat the client before hooks, because hooks depends on it.
SrsStatistic* stat = SrsStatistic::instance();
if ((err = stat->on_client(_srs_context->get_id().c_str(), req_, this, SrsSrtConnPlay)) != srs_success) {
return srs_error_wrap(err, "rtmp: stat client");
return srs_error_wrap(err, "srt: stat client");
}

if ((err = security_->check(SrsSrtConnPlay, ip_, req_)) != srs_success) {
return srs_error_wrap(err, "srt: security check");
}

// We must do hook after stat, because depends on it.
if ((err = http_hooks_on_play()) != srs_success) {
return srs_error_wrap(err, "rtmp: callback on play");
return srs_error_wrap(err, "srt: callback on play");
}

err = do_playing();
Expand Down
2 changes: 2 additions & 0 deletions trunk/src/app/srs_app_srt_conn.hpp
Original file line number Diff line number Diff line change
Expand Up @@ -16,6 +16,7 @@
#include <srs_app_st.hpp>
#include <srs_app_conn.hpp>
#include <srs_app_srt_utility.hpp>
#include <srs_app_security.hpp>

class SrsBuffer;
class SrsLiveSource;
Expand Down Expand Up @@ -123,6 +124,7 @@ class SrsMpegtsSrtConn : public ISrsConnection, public ISrsStartable, public ISr

SrsRequest* req_;
SrsSrtSource* srt_source_;
SrsSecurity* security_;
};

#endif
Expand Down