[Icecast] Public stats on beta

Philipp Schafft phschafft at de.loewenfelsen.net
Sun Jan 21 19:06:48 UTC 2024 

Good afternoon,

On Sun, 2024-01-21 at 15:08 +0000, TDAS wrote:
> Yeeek. That’s a lot of options :) 

It's a lot of possibilities! ;)


> As someone who is pretty savvy but has only ever left Icecast
> authentication at the defaults, are there any examples, as I need to
> get it turned off pretty quickly.

I'm not really sure here. That endpoint is meant to be public. Fiddling
with it might break things.

You could try something like this in the global <authentication>
section:
   <role type="anonymous" match-admin="publicstats,publicstats.json" deny-all="*" />

However keep in mind that this does not affect any roles that might
have been evaluated earlier.


> Also, as there is no ‘publicstats’ in the admin dir, I’m guessing it
> is aliased somewhere. [...]

If you by 'alias' mean rendered, then it's "alias" is the status page
of Icecast ("/status.xsl" normally aliased to "/").


> …but not sure if I should start messing around in ‘c’ files. I’m a js
> guy ;) 

I would suggest not to break your update path by building a custom
version. ;)

With best regards,


> > On 21 Jan 2024, at 11:03, Philipp Schafft
> > <phschafft at de.loewenfelsen.net> wrote:
> > 
> > Good morning,
> > 
> > On Sun, 2024-01-21 at 10:39 +0000, TDAS wrote:
> > > Can anyone tell me why /admin/publicstats is unprotected? And how
> > > I
> > > go about changing that!?
> > > 
> > > I don’t understand why it would be accessible by anyone without
> > > authenticating when it is under /admin/ ??
> > 
> > The endpoint is meant to be a replacement for /status-json.xsl
> > which it
> > deprecates.
> > 
> > The admin/-namespace is basically everything that is not user
> > provided.
> > It might not be the best name, but it's called that for historical
> > reasons™.
> > 
> > Endpoints in the admin/-namespace are subject to normal access
> > control
> > (and have always been). For example mount specific endpoints have
> > always been available with the source credentials as well by
> > default.
> > And the buildm3u endpoint has always been accessible to anyone (as
> > it
> > is useless otherwise).
> > 
> > Access to those endpoints can be controlled using the normal
> > allow/deny-admin options, using "publicstats", and
> > "publicstats.json"
> > as commands.
> > 
> > Please also note that the different stats view are also subject to
> > some
> > content filtering logic. So you'll find that depending on which of
> > the
> > endpoints you access and depending on your used credentials you
> > will
> > have access to different data.
> > 
> > 
> > For more details see:
> > https://wiki.xiph.org/Icecast_Server/2.5_Authentication
> > 

-- 
Philipp Schafft (CEO/Geschäftsführer)
Telephone:           +49.3535 490 17 92
Website:             https://www.loewenfelsen.net/
Follow us:           https://www.linkedin.com/company/loewenfelsen/
Geschäftsführer/CEO: Philipp Schafft

Löwenfelsen UG (haftungsbeschränkt)     Registration number:
Bickinger Straße 21                     HRB 12308 CB
04916 Herzberg (Elster)                 VATIN/USt-ID:
Germany                                 DE305133015

More information about the Icecast mailing list