ossrs / srs

SRS is a simple, high-efficiency, real-time video server supporting RTMP, WebRTC, HLS, HTTP-FLV, SRT, MPEG-DASH, and GB28181.
https://ossrs.io
MIT License

docker SRS Security deny/allow IP not work #3890

Closed lck1115 closed 6 months ago

lck1115 commented 7 months ago

Describe the bug

I need to set up my system so that only the localhost IP can publish and play SRS. However, it appears that I can't use "allow IP" and "allow all" simultaneously. "deny IP" and "deny all" can't be used at the same time, either.

My conf is:

```
vhost __defaultVhost__ {
    min_latency off;
    tcp_nodelay off;
    chunk_size 128;
    in_ack_size 0;
    out_ack_size 2500000;
    publish {
        mr off;
        mr_latency 350;
        firstpkt_timeout 20000;
        normal_timeout 7000;
        parse_sps on;
        try_annexb_first on;
        kickoff_for_idle 0;
    }
    play {
        gop_cache off;
        gop_cache_max_frames 2500;
        queue_length 10;
        time_jitter off;
        atc off;
        mix_correct off;
        atc_auto off;
        mw_latency 350;
        mw_msgs 8;
        send_min_interval 10.0;
        reduce_sequence_header on;
    }
    hls {
        # whether the hls is enabled.
        # if off, do not write hls(ts and m3u8) when publish.
        # Overwrite by env SRS_VHOST_HLS_ENABLED for all vhosts.
        # default: off
        enabled on;
    }
    # security for host to allow or deny clients.
    # @see https://github.com/ossrs/srs/issues/211
    security {
        # whether enable the security for vhost.
        # default: off
        enabled         on;
        allow           play        127.0.0.0/24;
        allow           play        172.17.0.0/24;
        deny            play        all;
        allow           publish     172.17.0.0/24;
        allow           publish     127.0.0.0/24;
        deny            publish     all;
    }
}
```

Version

Docker ossrs/srs:latest

Expected behavior

The config will allow all IPs to play and deny all IPs to publish.

TRANS_BY_GPT4

lck1115 commented 7 months ago

I need to clarify that it works for RTMP but does not work for HLS.

duiniuluantanqin commented 7 months ago

I have reviewed the code, and currently only the RTMP protocol supports security and refer. Other protocols have not yet been implemented. I will make time to add this functionality.

winlinvip commented 7 months ago

Security is very effective in simpler IP whitelist scenarios. Please ensure that other protocols are also implemented, not just RTMP and HLS.


duiniuluantanqin commented 7 months ago

Firstly, it must be clarified that there is a conflict in your configuration.

```
allow           publish     172.17.0.0/24;
allow           publish     127.0.0.0/24;
deny            publish     all;
```

Within this context, the 'deny' directive will override the preceding 'allow'. This means that with such a configuration, all publish attempts will be blocked. Based on your description, if you want to fulfill the requirement of allowing only the local network to publish, you simply need to remove the line `deny publish all;`.

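The disagreement in this thread is about how `allow` and `deny` lines in a `security` block combine. The evaluator below is an added example written for this page, not SRS's code and not posted by anyone in the thread. It parses rule lines in the `allow|deny  publish|play  all|<ip>|<cidr>` shape used above and decides each request under two constructed policies: a deny-overrides policy, in which any matching `deny` wins (the reading given in the reply above), and a first-match policy, in which the first matching rule in file order decides. Both deny when nothing matches. That SRS implements either policy exactly, and that it accepts CIDR targets such as `127.0.0.0/24`, are assumptions of the example; its purpose is to show where the poster's rule list gives different answers under the two policies, and that dropping `deny publish all;` makes them agree.

```python
"""Added example: evaluate allow/deny rule lists in the shape of the vhost
`security` block (allow|deny  publish|play  all|<ip>|<cidr>) under two
rule-combination policies. This is constructed illustration code, not SRS's
implementation; CIDR matching of the target is an assumption for the example."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    action: str  # "allow" or "deny"
    op: str      # "publish" or "play"
    target: str  # "all", a single IP, or a CIDR prefix


def parse_rules(text: str) -> list[Rule]:
    """Parse lines such as 'allow play 127.0.0.0/24;'; '#' comments and blanks are skipped."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip().rstrip(";").strip()
        if not line:
            continue
        parts = line.split()
        if (len(parts) != 3 or parts[0] not in ("allow", "deny")
                or parts[1] not in ("publish", "play")):
            raise ValueError(f"malformed rule: {raw!r}")
        rules.append(Rule(*parts))
    return rules


def matches(rule: Rule, op: str, ip: str) -> bool:
    """True if the rule applies to this operation and this client address."""
    if rule.op != op:
        return False
    if rule.target == "all":
        return True
    # A bare IP parses as a /32 (or /128) network, so one code path covers both.
    return ipaddress.ip_address(ip) in ipaddress.ip_network(rule.target, strict=False)


def decide_deny_overrides(rules: list[Rule], op: str, ip: str) -> bool:
    """Policy A: any matching deny wins; otherwise allowed only if some allow matches."""
    if any(r.action == "deny" and matches(r, op, ip) for r in rules):
        return False
    return any(r.action == "allow" and matches(r, op, ip) for r in rules)


def decide_first_match(rules: list[Rule], op: str, ip: str) -> bool:
    """Policy B: the first matching rule in file order decides; no match means deny."""
    for r in rules:
        if matches(r, op, ip):
            return r.action == "allow"
    return False


def compare(rules: list[Rule], op: str, ip: str) -> dict[str, bool]:
    """Run both policies so a disagreement between them is visible side by side."""
    return {
        "deny_overrides": decide_deny_overrides(rules, op, ip),
        "first_match": decide_first_match(rules, op, ip),
    }


# The rule list from the issue's config (copied here as constructed input).
POSTER_RULES = parse_rules("""
    allow           play        127.0.0.0/24;
    allow           play        172.17.0.0/24;
    deny            play        all;
    allow           publish     172.17.0.0/24;
    allow           publish     127.0.0.0/24;
    deny            publish     all;
""")

# The same list with only `deny publish all;` removed, as the reply suggests.
FIXED_RULES = [r for r in POSTER_RULES if r != Rule("deny", "publish", "all")]


if __name__ == "__main__":
    cases = (("publish", "127.0.0.1"), ("publish", "203.0.113.9"), ("play", "172.17.0.5"))
    for label, rules in (("as posted", POSTER_RULES), ("without deny publish all", FIXED_RULES)):
        for op, ip in cases:
            print(f"{label:25} {op:8} {ip:13} {compare(rules, op, ip)}")
```

Under the deny-overrides policy the posted list blocks every publish, including 127.0.0.1, which is the "conflict" the reply describes; under first-match the same list behaves as a whitelist and 127.0.0.1 may publish. Once `deny publish all;` is removed, both policies allow 127.0.0.0/24 and 172.17.0.0/24 to publish and deny everyone else, because an address matched by no rule is denied either way. Two practical caveats: the rules are matched against the address the server actually observes, and behind Docker's bridge network or port mapping that can be the bridge gateway rather than the real client, so check the peer address in the server log before trusting a /24 allow; and, as noted earlier in this thread, at the time of writing these rules were only enforced for RTMP, so an HLS request from a denied address was not evaluated against any such list at all.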