warren-bank / HLS-Proxy

Node.js server to proxy HLS video streams
http://webcast-reloaded.surge.sh/proxy.html
GNU General Public License v2.0

Access controls #7

Closed Daniel15 closed 4 years ago

Daniel15 commented 4 years ago

Thanks for this project! I'm trying it out as a proxy for geogated TV streams (so that I can watch free TV channels from my home country while living abroad) and it's working quite well for that use case.

I was wondering if there's currently any option for access controls, such as being able to use Basic authentication (username + password) or restrict connections so they can only come from particular IP addresses. I'd like to restrict my instance so that only I can connect to it.

I'm happy to look through the code and send a pull request if this is not currently available, just wanted to check first :)

Also, can you confirm that the proxy doesn't use any bandwidth if it's not actively being used (assuming prefetching is disabled)? I'd like to leave it running 24/7 but don't want it to keep consuming streams after I disconnect my client.

Thanks!

warren-bank commented 4 years ago

I'm glad you find the app useful.

There isn't currently any way to restrict access, but I'm also not opposed to the idea. I probably wouldn't use special HTTP request headers, since many video clients couldn't be configured to send them (ex: Chromecast). A simple IP whitelist would be lightweight and effective (ex: --acl-whitelist "192.168.1.100,192.168.1.101,192.168.1.102"). Would that work?

As for bandwidth, you're correct; the proxy sits completely idle waiting for a connection when not in use. When a connection is received, the request includes a URL which the proxy downloads from the network (with modified request headers, etc) and pipes the response back to the client. Once the response is complete, the connection is closed. The proxy again returns to a completely idle state.

warren-bank commented 4 years ago

I went ahead and added the --acl-whitelist option to v0.14.0, which was just pushed to npm.

Hope that meets your need.

Daniel15 commented 4 years ago

Thank you! I think that will be sufficient. I'll try it some time this week.

Does the whitelist work with IPv6 addresses? Some of my servers that I'll use for proxying are IPv6-only.

warren-bank commented 4 years ago

Tentative "yes". Though I only tested it with IPv4, Node.js appears to convert all IPv4 addresses to IPv6.. which is why I needed to apply a regex filter to remove the unwanted static prefix. That being said, I would assume that IPv6 should work just fine.. with the caveat that your valid IPv6 doesn't contain this static prefix ::ffff: that gets removed.

If this caveat becomes an issue, I could apply a pattern match to detect whether the IPv6 is actually a mapped IPv4 address.. and only strip the static prefix when this pattern matches. I think it's probably unnecessary.. TBD.

PS: if you ever have any problem figuring out why your client IP is getting blocked by the ACL whitelist, you can increase the verbosity of logging to 2+ (ie: -v 2) and your console will show IPs as they get blocked. You can then copy/paste IP addresses from the console log to the ACL whitelist.. and restart the proxy server to apply the new option value.
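
The mapped-address handling discussed in the comment above, as an added example that is not part of the thread or of HLS-Proxy's code: it strips the ::ffff: prefix only when what follows is an IPv4 address (dotted or hex form), so native IPv6 entries are compared unchanged. Function names are hypothetical, the addresses are constructed, and IPv6 whitelist entries are assumed to be written in the same compressed form Node.js reports.

```javascript
// Added example, not HLS-Proxy source. All function names are hypothetical.

const MAPPED_DOTTED = /^::ffff:(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/
const MAPPED_HEX    = /^::ffff:([0-9a-f]{1,4}):([0-9a-f]{1,4})$/

// Return the plain IPv4 form for an IPv4-mapped IPv6 address; otherwise
// return the address lowercased and otherwise unchanged.
function normalizeAddress(addr) {
  const ip = String(addr || '').trim().toLowerCase()

  let m = MAPPED_DOTTED.exec(ip)
  if (m) {
    const octets = m.slice(1).map(Number)
    // Only treat it as mapped IPv4 when every octet is in range.
    return octets.every(o => o <= 255) ? octets.join('.') : ip
  }

  m = MAPPED_HEX.exec(ip)
  if (m) {
    // Hex form of a mapped address, e.g. ::ffff:c0a8:164
    const hi = parseInt(m[1], 16)
    const lo = parseInt(m[2], 16)
    return [hi >> 8, hi & 0xff, lo >> 8, lo & 0xff].join('.')
  }

  return ip
}

// Parse a comma-separated whitelist (the format shown for --acl-whitelist).
function parseWhitelist(csv) {
  return new Set(
    String(csv || '').split(',').map(normalizeAddress).filter(Boolean)
  )
}

// Exact-match check of a connection's remote address against the whitelist.
function isAllowed(whitelist, remoteAddress) {
  return whitelist.has(normalizeAddress(remoteAddress))
}

// Constructed sample values (private and documentation address ranges).
const acl = parseWhitelist('192.168.1.100, 2001:db8::10')
console.log(isAllowed(acl, '::ffff:192.168.1.100')) // mapped IPv4 client
console.log(isAllowed(acl, '2001:db8::10'))         // native IPv6 client
console.log(isAllowed(acl, '2001:db8::ffff:10'))    // has "ffff:" but is not mapped
```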

Daniel15 commented 4 years ago

Thanks! I think this should work for me. My ISP uses dynamic IP addressing (for IPv4 at least) but I think I can create a script to periodically get the current IP from a dynamic DNS service and update the ACL / restart the proxy if it changes. Maybe the IPv6 address is static in which case I'll just use IPv6 for everything.