[Icecast] Public stats on beta

TDAS talldarkandstrange at icloud.com
Sun Jan 21 15:08:10 UTC 2024 

Yeeek. That’s a lot of options :) 

As someone who is pretty savvy but has only ever left Icecast authentication at the defaults, are there any examples, as I need to get it turned off pretty quickly.

Also, as there is no ‘publicstats’ in the admin dir, I’m guessing it is aliased somewhere. A grep finds:

src/acl.c:    acl_set_admin_str(ret, ACL_POLICY_ALLOW, "buildm3u,publicstats,publicstats.json");
src/admin.c:#define PUBLICSTATS_RAW_REQUEST             "publicstats"
src/admin.c:#define PUBLICSTATS_JSON_REQUEST            "publicstats.json"
src/admin.c:    { PUBLICSTATS_RAW_REQUEST,              ADMINTYPE_HYBRID,       ADMIN_FORMAT_RAW,           ADMINSAFE_SAFE,     command_public_stats, NULL},
src/admin.c:    { PUBLICSTATS_JSON_REQUEST,             ADMINTYPE_HYBRID,       ADMIN_FORMAT_JSON,          ADMINSAFE_SAFE,     command_public_stats, NULL},

…but not sure if I should start messing around in ‘c’ files. I’m a js guy ;) 



> On 21 Jan 2024, at 11:03, Philipp Schafft <phschafft at de.loewenfelsen.net> wrote:
> 
> Good morning,
> 
> On Sun, 2024-01-21 at 10:39 +0000, TDAS wrote:
>> Can anyone tell me why /admin/publicstats is unprotected? And how I
>> go about changing that!?
>> 
>> I don’t understand why it would be accessible by anyone without
>> authenticating when it is under /admin/ ??
> 
> The endpoint is meant to be a replacement for /status-json.xsl which it
> deprecates.
> 
> The admin/-namespace is basically everything that is not user provided.
> It might not be the best name, but it's called that for historical
> reasons™.
> 
> Endpoints in the admin/-namespace are subject to normal access control
> (and have always been). For example mount specific endpoints have
> always been available with the source credentials as well by default.
> And the buildm3u endpoint has always been accessible to anyone (as it
> is useless otherwise).
> 
> Access to those endpoints can be controlled using the normal
> allow/deny-admin options, using "publicstats", and "publicstats.json"
> as commands.
> 
> Please also note that the different stats view are also subject to some
> content filtering logic. So you'll find that depending on which of the
> endpoints you access and depending on your used credentials you will
> have access to different data.
> 
> 
> For more details see:
> https://wiki.xiph.org/Icecast_Server/2.5_Authentication
> 
> 
> With best regards,
> 
> -- 
> Philipp Schafft (CEO/Geschäftsführer)
> Telephone:           +49.3535 490 17 92
> Website:             https://www.loewenfelsen.net/
> Follow us:           https://www.linkedin.com/company/loewenfelsen/
> Geschäftsführer/CEO: Philipp Schafft
> 
> Löwenfelsen UG (haftungsbeschränkt)     Registration number:
> Bickinger Straße 21                     HRB 12308 CB
> 04916 Herzberg (Elster)                 VATIN/USt-ID:
> Germany                                 DE305133015
> _______________________________________________
> Icecast mailing list
> Icecast at xiph.org
> http://lists.xiph.org/mailman/listinfo/icecast

More information about the Icecast mailing list