webmaster at berean-biblechurch.org
2019-Jan-01 14:16 UTC
[Icecast] interface separation follow-up - Icecast Digest, Vol 174, Issue 11
(forgive me if I mess up this reply; I've never used a mailing list before) Thanks, Philipp. It sounds like the best thing is for me to point to an empty webroot folder. Why do I want to do this? Simply to lesson exposure to the server. There is no need, in my case, for anyone on the internet to see a listing of mountpoints or server version or admin link (this opens a door for cracking) or anything. I want to expose only the mountpoint links from a web page. Justin On 2018-12-29 06:00, icecast-request at xiph.org wrote:> Send Icecast mailing list submissions to > icecast at xiph.org > > To subscribe or unsubscribe via the World Wide Web, visit > http://lists.xiph.org/mailman/listinfo/icecast > or, via email, send a message with subject or body 'help' to > icecast-request at xiph.org > > You can reach the person managing the list at > icecast-owner at xiph.org > > When replying, please edit your Subject line so it is more specific > than "Re: Contents of Icecast digest..." > > > Today's Topics: > > 1. separation of web interface and mountpoint > (webmaster at berean-biblechurch.org) > 2. Re: separation of web interface and mountpoint (Philipp Schafft) > > > ---------------------------------------------------------------------- > > Message: 1 > Date: Fri, 28 Dec 2018 08:55:55 -0600 > From: webmaster at berean-biblechurch.org > To: icecast at xiph.org > Subject: [Icecast] separation of web interface and mountpoint > Message-ID: <2b8805bd7a28fc7d1b7af6e37183b308 at berean-biblechurch.org> > Content-Type: text/plain; charset="utf-8" > > It looks like default behavior is for Icecast to expose its web > interface on the same address and port as any mountpoint. E.g.: > > mountpoint = https://server.com/listentome > web app = https://server.com/ > > I'd like to restrict the web interface to ONLY A CERTAIN IP ADDRESS AND > TCP PORT so that it is not accessible on the public IP. E.g.: > > mountpoint = https://server.com/listentome > web app = https://192.168.1.10:8000/ > > Is this possible? > > In other words, I don't want any web interface to be available to the > internet. I want the web UI to be available only to my local > machine/LAN and the mountpoint (stream) available to the internet. > > Justin > -------------- next part -------------- > An HTML attachment was scrubbed... > URL: > <http://lists.xiph.org/pipermail/icecast/attachments/20181228/fc7eb6d3/attachment-0001.html> > > ------------------------------ > > Message: 2 > Date: Fri, 28 Dec 2018 16:40:36 +0000 > From: Philipp Schafft <phschafft at de.loewenfelsen.net> > To: Icecast streaming server user discussions <icecast at xiph.org> > Subject: Re: [Icecast] separation of web interface and mountpoint > Message-ID: <1546015236.5167.12.camel at de.loewenfelsen.net> > Content-Type: text/plain; charset="utf-8" > > Good afternoon, > > > On Fri, 2018-12-28 at 08:55 -0600, webmaster at berean-biblechurch.org > wrote: >> It looks like default behavior is for Icecast to expose its web >> interface on the same address and port as any mountpoint. E.g.: >> >> mountpoint = https://server.com/listentome >> web app = https://server.com/ > > Yes. Icecast supports all operations on all sockets. > > >> I'd like to restrict the web interface to ONLY A CERTAIN IP ADDRESS >> AND >> TCP PORT so that it is not accessible on the public IP. E.g.: >> >> mountpoint = https://server.com/listentome >> web app = https://192.168.1.10:8000/ > > It's a bad idea to use IP addresses. If at all, you should add a DNS > record for it in your internal DNS zone. > >> Is this possible? > > This depends on your version. With Icecast 2.4.x (stable) it is mostly > possible. With Icecast 2.5.x (development) it is possible but requires > some configuration. > > >> In other words, I don't want any web interface to be available to the >> internet. I want the web UI to be available only to my local >> machine/LAN and the mountpoint (stream) available to the internet. > > The big point here is: Why are you trying to do this?: > * Mounts can be set as hidden so they are not listed. If listing > mounts is the problem. > * If you don't like the public WI at all, just point your > <webroot> to an empty directory. You can also modify the XSLT > files to match your needs. > * The admin interface can be secured using a secure password. > This > will make keep it available and secure. > * Hiding the version number: Doing this makes it harder for > debugging. However it does not improve security at all (as many > think) as you can fingerprint the version number anyway. > * The authentication system can be used for precise access > control. (This is even more true for Icecast 2.5.x). > > > With best regards, > > -- > Philipp Schafft (CEO/Geschäftsführer) > Telephon: +49.3535 490 17 92 > > Löwenfelsen UG (haftungsbeschränkt) Registration number: > Bickinger Straße 21 HRB 12308 CB > 04916 Herzberg (Elster) VATIN/USt-ID: > Germany DE305133015 > -------------- next part -------------- > A non-text attachment was scrubbed... > Name: signature.asc > Type: application/pgp-signature > Size: 490 bytes > Desc: This is a digitally signed message part > URL: > <http://lists.xiph.org/pipermail/icecast/attachments/20181228/c23825cc/attachment-0001.sig> > > ------------------------------ > > Subject: Digest Footer > > _______________________________________________ > Icecast mailing list > Icecast at xiph.org > http://lists.xiph.org/mailman/listinfo/icecast > > > ------------------------------ > > End of Icecast Digest, Vol 174, Issue 11 > ****************************************