Icecast Server/2.5 Authentication: Difference between revisions
Jump to navigation
Jump to search
m (Feature: Added list on common role properties) |
m (→Common options: Update: Updated table and added some basic infos) |
||
| Line 37: | Line 37: | ||
! Property !! Description | ! Property !! Description | ||
|- | |- | ||
| type || The name of one of the backends. | | <code>type</code> || The name of one of the backends. | ||
|- | |- | ||
| name || The name of this role. This is used e.g. in the log files. | | <code>name</code> || The name of this role. This is used e.g. in the log files. | ||
|- | |- | ||
| management-url || A fully qualified URL to a place an admin can manage this specific backend. This is most useful for backends that interact with a backend server such as the | | <code>management-url</code> || A fully qualified URL to a place an admin can manage this specific backend. This is most useful for backends that interact with a backend server such as the <code>url</code> backend. | ||
|- | |- | ||
| method || Obsolete. Use ''match-method''. | | <code>method</code> || Obsolete. Use ''match-method''. | ||
|- | |- | ||
| match-method || See matching. | | <code>match-method</code> || See matching. | ||
|- | |- | ||
| nomatch-method || See matching. | | <code>nomatch-method</code> || See matching. | ||
|- | |- | ||
| match-web || See matching. | | <code>match-web</code> || See matching. | ||
|- | |- | ||
| nomatch-web || See matching. | | <code>nomatch-web</code> || See matching. | ||
|- | |- | ||
| match-admin || See matching. | | <code>match-admin</code> || See matching. | ||
|- | |- | ||
| nomatch-admin || See matching. | | <code>nomatch-admin</code> || See matching. | ||
|- | |- | ||
| match-origin || See matching. | | <code>match-origin</code> || See matching. | ||
|- | |- | ||
| nomatch-origin || See matching. | | <code>nomatch-origin</code> || See matching. | ||
|- | |- | ||
| may-alter || See altering. | | <code>may-alter</code> || See altering. | ||
|- | |- | ||
| may-not-alter || See altering. | | <code>may-not-alter</code> || See altering. | ||
|- | |- | ||
| allow-method || See restricting. | | <code>allow-method</code> || See restricting. | ||
|- | |- | ||
| deny-method || See restricting. | | <code>deny-method</code> || See restricting. | ||
|- | |- | ||
| allow-admin || See restricting. | | <code>allow-admin</code> || See restricting. | ||
|- | |- | ||
| deny-admin || See restricting. | | <code>deny-admin</code> || See restricting. | ||
|- | |- | ||
| allow-web || | | <code>allow-web</code> || When set to <code>*</code> allows access to the ''web/'' domain. Use <code>deny-web="*"</code> to forbid. | ||
|- | |- | ||
| deny-web || | | <code>deny-web</code> || When set to <code>*</code> denies access to the ''web/'' domain. Use <code>allow-web="*"</code> to allow. | ||
|- | |- | ||
| allow-all || | | <code>allow-all</code> || Same as setting all other <code>allow-</code>* keys to <code>*</code>. | ||
|- | |- | ||
| deny-all || | | <code>deny-all</code> || Same as setting all other <code>deny-</code>* keys to <code>*</code>. | ||
|- | |- | ||
| connections-per-user || | | <code>connections-per-user</code> || Maximum number of connections per user or <code>*</code> for unlimited. | ||
|- | |- | ||
| connection-duration || | | <code>connection-duration</code> || Maximum time a connection is allowed to continue in seconds or <code>*</code> for unlimited. This might not be supported for connections other than listeners. | ||
|} | |} | ||
Revision as of 05:33, 11 March 2023
Icecast 2.5.x Authentication
Overview
Icecast 2.5.x features a new authentication system. This system comes with many improvements and more flexibility. All versions of the Icecast 2.5.x series can read both 2.4.x and 2.5.x style configuration. This includes mixed configuration.
While Icecast 2.4.x used a set of global users and one per-mount authentication backend Icecast 2.5.x features a authentication process that allows a request to pass a number of backends before being matched. This improvements allows more complex setups. For example It is now possible to define common backends and exceptions for specific users on a per-mount point basis. Each such a step where a client is checked using a backend is called a role.
For reach client the roles for each of those elements are tried in order:
- Per listen socket roles (effective listen sockets)
- Per type normal mount point roles
- Per type default mount point roles
- Global roles
- Client is rejected.
Note: More steps may be added in later versions.
Backends
The following backends are defined:
| Backend | Description |
|---|---|
| anonymous | This backend matches all clients. Might be renamed in future versions. |
| static | This backend matches one username and checks against a password. |
| legacy-password | Special backend used for ICY sources. |
| url | Forwards the request to a backend server (normally via HTTP or HTTPS). |
| htpasswd | Uses a file based database of users and passwords. |
| enforce-auth | Rejects any clients that does not provide credentials. Returns no-match for any client that does. |
Note: More backends may be added in later versions.
Common options
All roles support the following common options. They are passed as XML properties on the role's tag.
| Property | Description |
|---|---|
type |
The name of one of the backends. |
name |
The name of this role. This is used e.g. in the log files. |
management-url |
A fully qualified URL to a place an admin can manage this specific backend. This is most useful for backends that interact with a backend server such as the url backend.
|
method |
Obsolete. Use match-method. |
match-method |
See matching. |
nomatch-method |
See matching. |
match-web |
See matching. |
nomatch-web |
See matching. |
match-admin |
See matching. |
nomatch-admin |
See matching. |
match-origin |
See matching. |
nomatch-origin |
See matching. |
may-alter |
See altering. |
may-not-alter |
See altering. |
allow-method |
See restricting. |
deny-method |
See restricting. |
allow-admin |
See restricting. |
deny-admin |
See restricting. |
allow-web |
When set to * allows access to the web/ domain. Use deny-web="*" to forbid.
|
deny-web |
When set to * denies access to the web/ domain. Use allow-web="*" to allow.
|
allow-all |
Same as setting all other allow-* keys to *.
|
deny-all |
Same as setting all other deny-* keys to *.
|
connections-per-user |
Maximum number of connections per user or * for unlimited.
|
connection-duration |
Maximum time a connection is allowed to continue in seconds or * for unlimited. This might not be supported for connections other than listeners.
|