search

karlheyes / icecast-kh

KH branch of icecast
GNU General Public License v2.0
297 stars 105 forks source link

auth_url: timelimit header not taken into account #223

Open trilliot opened 6 years ago

trilliot commented 6 years ago

Hello,

I'm using the kh8 build (not migrated to kh9 yet because of various issues pointing instabilities). I'm facing an issue with the timelimit header, that seems not taken into account.

Update: tried on kh10, still exists. See https://github.com/karlheyes/icecast-kh/issues/223#issuecomment-438223570

Here is my configuration:

<icecast>
    <hostname>localhost</hostname>
    <fileserve>1</fileserve>

    <limits>
        <clients>6000</clients>
        <sources>2000</sources>
        <queue-size>524288</queue-size>
        <client-timeout>30</client-timeout>
        <header-timeout>15</header-timeout>
        <source-timeout>10</source-timeout>
        <burst-size>131070</burst-size>
    </limits>

    <authentication>
        <source-password>hackme</source-password>
        <relay-password>hackme</relay-password>
        <admin-user>admin</admin-user>
        <admin-password>hackme</admin-password>
    </authentication>

    <listen-socket>
        <port>80</port>
    </listen-socket>

    <mount>
        <mount-name>/test</mount-name>
        <charset>utf-8</charset>
        <authentication type="url">
            <option name="listener_add" value="http://127.0.0.1:8156" />
            <option name="auth_header" value="icecast-auth-user: 1" />
            <option name="timelimit_header" value="icecast-auth-timelimit:" />
        </authentication>
    </mount>

    <paths>
        <basedir>/usr/local/share/icecast</basedir>

        <logdir>/usr/local/var/log/icecast</logdir>
        <webroot>/usr/local/share/icecast/web</webroot>
        <adminroot>/usr/local/share/icecast/admin</adminroot>

        <alias source="/" dest="/index.html"/>
    </paths>

    <logging>
        <accesslog>access.log</accesslog>
        <errorlog>error.log</errorlog>
        <loglevel>3</loglevel> <!-- 4 Debug, 3 Info, 2 Warn, 1 Error -->
        <logsize>10000</logsize> <!-- Max size of a logfile -->
        <logarchive>1</logarchive>
    </logging>
</icecast>

I wrote a simple auth server in Python 2 that replies with icecast-auth-user: 1 and icecast-auth-timelimit: 10 headers to every POST request:

#/usr/bin/env python

import BaseHTTPServer

class IcecastHTTPHandler(BaseHTTPServer.BaseHTTPRequestHandler):
    def do_POST(self):
        self.send_response(200)
        self.send_header("icecast-auth-user", "1")
        self.send_header("icecast-auth-timelimit", "10")

def run(server_class=BaseHTTPServer.HTTPServer,
        handler_class=IcecastHTTPHandler):
    server_address = ('', 8156)
    httpd = server_class(server_address, handler_class)
    httpd.serve_forever()

if __name__ == "__main__":
    run()

But when I listen to the /test mountpoint, icecast doesn't take the 10 seconds into account and never drops the connection.

You can check that the server is properly returning headers by curling it:

$ curl -v -d 'test=data' localhost:8156
* About to connect() to localhost port 8156 (#0)
*   Trying ::1...
* Connexion refusée
*   Trying 127.0.0.1...
* Connected to localhost (127.0.0.1) port 8156 (#0)
> POST / HTTP/1.1
> User-Agent: curl/7.29.0
> Host: localhost:8156
> Accept: */*
> Content-Length: 9
> Content-Type: application/x-www-form-urlencoded
>
* upload completely sent off: 9 out of 9 bytes
* HTTP 1.0, assume close after body
< HTTP/1.0 200 OK
< Server: BaseHTTP/0.3 Python/2.7.5
< Date: Fri, 30 Mar 2018 14:09:21 GMT
< icecast-auth-user: 1
< icecast-auth-timelimit: 10
* Closing connection 0

Am I missing something?

trilliot commented 5 years ago

Hello Karl, I saw you were planning to release a new version.

Any news on this? Have you been able to reproduce, or is there something incorrect in my config? I will try to reproduce on kh10 today.

trilliot commented 5 years ago

~Could not reproduce with kh10 nor kh8.~ ~Sorry for the noise, I will try to figure out what's happening on my side.~

I managed to reproduce on kh10, see below.

trilliot commented 5 years ago

Hi again,

I finally found what's happening. The issue is still here with kh10, but it's quite tricky.

The timelimit header is properly handled when the listener uses Firefox as browser (that is now my primary browser, explains why I first though the issue was fixed). However, if you listen to the stream with Chrome (or Chromium or any derivative), the timelimit auth is not taken into account.

See attached screenshot from my test VM (Centos 7, fresh kh10 build):

capture d ecran 2018-11-13 a 11 52 24

The first listener (using Firefox) is kicked after about 10 seconds, however the second listener (using Chromium) is not.

mylselgan commented 5 years ago

I confirm this issue on icecast-2.4.0-kh10 not working with latest version of both firefox and chrome. It worked well on icecast-2.3.3-kh10

Expected behavior: Stream should drop authenticated listener in 10 to 15 seconds What happens: Authenticated Listener continues on the stream until manually stopped.

My php auth script <?php header("icecast-auth-timelimit: 10"); header("icecast-auth-user: 1");

karlheyes commented 5 years ago

it is down to the use of range headers conflicting with the timelimit setting. I have verified a fix here locally, should be in master shortly ready for a kh11 build.

karl.