[Icecast] interface separation follow-up - Icecast Digest, Vol 174, Issue 11

Tue Jan 1 14:16:53 UTC 2019

(forgive me if I mess up this reply; I've never used a mailing list 
before)

Thanks, Philipp.  It sounds like the best thing is for me to point to an 
empty webroot folder.

Why do I want to do this?  Simply to lesson exposure to the server.  
There is no need, in my case, for anyone on the internet to see a 
listing of mountpoints or server version or admin link (this opens a 
door for cracking) or anything.  I want to expose only the mountpoint 
links from a web page.

Justin

On 2018-12-29 06:00, icecast-request at xiph.org wrote:
> Send Icecast mailing list submissions to
> 	icecast at xiph.org
> 
> To subscribe or unsubscribe via the World Wide Web, visit
> 	http://lists.xiph.org/mailman/listinfo/icecast
> or, via email, send a message with subject or body 'help' to
> 	icecast-request at xiph.org
> 
> You can reach the person managing the list at
> 	icecast-owner at xiph.org
> 
> When replying, please edit your Subject line so it is more specific
> than "Re: Contents of Icecast digest..."
> 
> 
> Today's Topics:
> 
>    1. separation of web interface and mountpoint
>       (webmaster at berean-biblechurch.org)
>    2. Re: separation of web interface and mountpoint (Philipp Schafft)
> 
> 
> ----------------------------------------------------------------------
> 
> Message: 1
> Date: Fri, 28 Dec 2018 08:55:55 -0600
> From: webmaster at berean-biblechurch.org
> To: icecast at xiph.org
> Subject: [Icecast] separation of web interface and mountpoint
> Message-ID: <2b8805bd7a28fc7d1b7af6e37183b308 at berean-biblechurch.org>
> Content-Type: text/plain; charset="utf-8"
> 
> It looks like default behavior is for Icecast to expose its web
> interface on the same address and port as any mountpoint. E.g.:
> 
>   mountpoint = https://server.com/listentome
>   web app = https://server.com/
> 
> I'd like to restrict the web interface to ONLY A CERTAIN IP ADDRESS AND
> TCP PORT so that it is not accessible on the public IP. E.g.:
> 
>   mountpoint = https://server.com/listentome
>   web app = https://192.168.1.10:8000/
> 
> Is this possible?
> 
> In other words, I don't want any web interface to be available to the
> internet.  I want the web UI to be available only to my local
> machine/LAN and the mountpoint (stream) available to the internet.
> 
> Justin
> -------------- next part --------------
> An HTML attachment was scrubbed...
> URL:
> <http://lists.xiph.org/pipermail/icecast/attachments/20181228/fc7eb6d3/attachment-0001.html>
> 
> ------------------------------
> 
> Message: 2
> Date: Fri, 28 Dec 2018 16:40:36 +0000
> From: Philipp Schafft <phschafft at de.loewenfelsen.net>
> To: Icecast streaming server user discussions <icecast at xiph.org>
> Subject: Re: [Icecast] separation of web interface and mountpoint
> Message-ID: <1546015236.5167.12.camel at de.loewenfelsen.net>
> Content-Type: text/plain; charset="utf-8"
> 
> Good afternoon,
> 
> 
> On Fri, 2018-12-28 at 08:55 -0600, webmaster at berean-biblechurch.org
> wrote:
>> It looks like default behavior is for Icecast to expose its web
>> interface on the same address and port as any mountpoint. E.g.:
>> 
>>   mountpoint = https://server.com/listentome
>>   web app = https://server.com/
> 
> Yes. Icecast supports all operations on all sockets.
> 
> 
>> I'd like to restrict the web interface to ONLY A CERTAIN IP ADDRESS 
>> AND
>> TCP PORT so that it is not accessible on the public IP. E.g.:
>> 
>>   mountpoint = https://server.com/listentome
>>   web app = https://192.168.1.10:8000/
> 
> It's a bad idea to use IP addresses. If at all, you should add a DNS
> record for it in your internal DNS zone.
> 
>> Is this possible?
> 
> This depends on your version. With Icecast 2.4.x (stable) it is mostly
> possible. With Icecast 2.5.x (development) it is possible but requires
> some configuration.
> 
> 
>> In other words, I don't want any web interface to be available to the
>> internet.  I want the web UI to be available only to my local
>> machine/LAN and the mountpoint (stream) available to the internet.
> 
> The big point here is: Why are you trying to do this?:
>       * Mounts can be set as hidden so they are not listed. If listing
>         mounts is the problem.
>       * If you don't like the public WI at all, just point your
>         <webroot> to an empty directory. You can also modify the XSLT
>         files to match your needs.
>       * The admin interface can be secured using a secure password. 
> This
>         will make keep it available and secure.
>       * Hiding the version number: Doing this makes it harder for
>         debugging. However it does not improve security at all (as many
>         think) as you can fingerprint the version number anyway.
>       * The authentication system can be used for precise access
>         control. (This is even more true for Icecast 2.5.x).
> 
> 
> With best regards,
> 
> --
> Philipp Schafft (CEO/Geschäftsführer)
> Telephon: +49.3535 490 17 92
> 
> Löwenfelsen UG (haftungsbeschränkt)     Registration number:
> Bickinger Straße 21                     HRB 12308 CB
> 04916 Herzberg (Elster)                 VATIN/USt-ID:
> Germany                                 DE305133015
> -------------- next part --------------
> A non-text attachment was scrubbed...
> Name: signature.asc
> Type: application/pgp-signature
> Size: 490 bytes
> Desc: This is a digitally signed message part
> URL:
> <http://lists.xiph.org/pipermail/icecast/attachments/20181228/c23825cc/attachment-0001.sig>
> 
> ------------------------------
> 
> Subject: Digest Footer
> 
> _______________________________________________
> Icecast mailing list
> Icecast at xiph.org
> http://lists.xiph.org/mailman/listinfo/icecast
> 
> 
> ------------------------------
> 
> End of Icecast Digest, Vol 174, Issue 11
> ****************************************