webmaster at berean-biblechurch.org
2018-Dec-28 14:55 UTC
[Icecast] separation of web interface and mountpoint
It looks like default behavior is for Icecast to expose its web interface on the same address and port as any mountpoint. E.g.:

mountpoint = https://server.com/listentome
web app = https://server.com/

I'd like to restrict the web interface to ONLY A CERTAIN IP ADDRESS AND TCP PORT so that it is not accessible on the public IP. E.g.:

mountpoint = https://server.com/listentome
web app = https://192.168.1.10:8000/

Is this possible?

In other words, I don't want any web interface to be available to the internet. I want the web UI to be available only to my local machine/LAN and the mountpoint (stream) available to the internet.

Justin
Philipp Schafft
2018-Dec-28 16:40 UTC
[Icecast] separation of web interface and mountpoint
Good afternoon,

On Fri, 2018-12-28 at 08:55 -0600, webmaster at berean-biblechurch.org wrote:
> It looks like default behavior is for Icecast to expose its web
> interface on the same address and port as any mountpoint. E.g.:
>
> mountpoint = https://server.com/listentome
> web app = https://server.com/

Yes. Icecast supports all operations on all sockets.

> I'd like to restrict the web interface to ONLY A CERTAIN IP ADDRESS AND
> TCP PORT so that it is not accessible on the public IP. E.g.:
>
> mountpoint = https://server.com/listentome
> web app = https://192.168.1.10:8000/

It's a bad idea to use IP addresses. If at all, you should add a DNS record for it in your internal DNS zone.

> Is this possible?

This depends on your version. With Icecast 2.4.x (stable) it is mostly possible. With Icecast 2.5.x (development) it is possible but requires some configuration.

> In other words, I don't want any web interface to be available to the
> internet. I want the web UI to be available only to my local
> machine/LAN and the mountpoint (stream) available to the internet.

The big point here is: Why are you trying to do this?:

* Mounts can be set as hidden so they are not listed. If listing mounts is the problem.
* If you don't like the public WI at all, just point your <webroot> to an empty directory. You can also modify the XSLT files to match your needs.
* The admin interface can be secured using a secure password. This will keep it available and secure.
* Hiding the version number: Doing this makes it harder for debugging. However it does not improve security at all (as many think) as you can fingerprint the version number anyway.
* The authentication system can be used for precise access control. (This is even more true for Icecast 2.5.x).
With best regards,

--
Philipp Schafft (CEO/Geschäftsführer)    Telephon: +49.3535 490 17 92
Löwenfelsen UG (haftungsbeschränkt)      Registration number:
Bickinger Straße 21                      HRB 12308 CB
04916 Herzberg (Elster)                  VATIN/USt-ID:
Germany                                  DE305133015
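
An added example, not part of either message and not Icecast project code: a small audit that reads an Icecast 2.4.x-style `icecast.xml` and reports which of the hardening points from the reply above (hidden mounts, empty `<webroot>`, non-default admin password) are not yet in place. The sample configuration is constructed, and the 12-character minimum is an assumed local policy.

```python
import os
import tempfile
import xml.etree.ElementTree as ET

# Constructed sample icecast.xml, not taken from the thread.
SAMPLE_CONFIG = """<icecast>
  <authentication>
    <admin-user>admin</admin-user>
    <admin-password>hackme</admin-password>
  </authentication>
  <paths><webroot>{webroot}</webroot></paths>
  <mount type="normal">
    <mount-name>/listentome</mount-name>
    <hidden>1</hidden>
  </mount>
  <mount type="normal">
    <mount-name>/backup</mount-name>
  </mount>
</icecast>"""

DEFAULT_PASSWORD = "hackme"  # password in the icecast.xml shipped with Icecast
MIN_PASSWORD_LEN = 12        # assumed local policy, not an Icecast setting

def audit(config_text):
    """Return findings for the hardening points listed in the reply."""
    root = ET.fromstring(config_text)
    findings = []
    # Mounts without <hidden>1</hidden> appear in the public mount listing.
    for mount in root.iter("mount"):
        name = (mount.findtext("mount-name") or "(unnamed)").strip()
        if (mount.findtext("hidden") or "0").strip() != "1":
            findings.append(f"mount {name} is not hidden")
    # <webroot> pointing at an empty directory leaves no public pages to serve.
    webroot = (root.findtext("paths/webroot") or "").strip()
    if not os.path.isdir(webroot):
        findings.append("webroot is not an existing directory")
    elif os.listdir(webroot):
        findings.append("webroot is not empty")
    # The admin interface stays reachable, so its password has to be strong.
    password = (root.findtext("authentication/admin-password") or "").strip()
    if password == DEFAULT_PASSWORD or len(password) < MIN_PASSWORD_LEN:
        findings.append("admin-password is default or too short")
    return findings

def demo(config=SAMPLE_CONFIG):
    """Audit a config against a temporary empty directory used as webroot."""
    with tempfile.TemporaryDirectory() as empty_dir:
        return audit(config.format(webroot=empty_dir))

if __name__ == "__main__":
    for finding in demo():
        print("FINDING:", finding)
```

Run against a real configuration by passing the file's contents to `audit()`; the `{webroot}` placeholder exists only in the constructed sample.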