
docker SRS Security deny/allow IP not work #3890

Closed
lck1115 opened this issue Nov 20, 2023 · 4 comments · Fixed by #3902

Comments

@lck1115

lck1115 commented Nov 20, 2023

Describe the bug
I need to set up my system so that only the localhost IP can publish and play SRS. However, it appears that I can't use "allow IP" and "allow all" simultaneously.
"deny IP" and "deny all" can't be used at the same time, either.

My conf is:
```
vhost __defaultVhost__ {
    min_latency off;
    tcp_nodelay off;
    chunk_size 128;
    in_ack_size 0;
    out_ack_size 2500000;
    publish {
        mr off;
        mr_latency 350;
        firstpkt_timeout 20000;
        normal_timeout 7000;
        parse_sps on;
        try_annexb_first on;
        kickoff_for_idle 0;
    }
    play {
        gop_cache off;
        gop_cache_max_frames 2500;
        queue_length 10;
        time_jitter off;
        atc off;
        mix_correct off;
        atc_auto off;
        mw_latency 350;
        mw_msgs 8;
        send_min_interval 10.0;
        reduce_sequence_header on;
    }
    hls {
        # whether the hls is enabled.
        # if off, do not write hls(ts and m3u8) when publish.
        # Overwrite by env SRS_VHOST_HLS_ENABLED for all vhosts.
        # default: off
        enabled on;
    }
    # security for host to allow or deny clients.
    # @see https://github.com/ossrs/srs/issues/211
    security {
        # whether enable the security for vhost.
        # default: off
        enabled         on;
        allow           play        127.0.0.0/24;
        allow           play        172.17.0.0/24;
        deny            play        all;
        allow           publish     172.17.0.0/24;
        allow           publish     127.0.0.0/24;
        deny            publish     all;
    }
}
```

Version
Docker ossrs/srs:latest

Expected behavior
The config will allow all IP to play and deny all IP to publish.

TRANS_BY_GPT4

@winlinvip winlinvip added the TransByAI Translated by AI/GPT. label Nov 20, 2023
@lck1115
Author

lck1115 commented Nov 28, 2023

I need to clarify that it works on RTMP but does not work for HLS.

@duiniuluantanqin
Member

duiniuluantanqin commented Nov 30, 2023

I have reviewed the code, and currently only the RTMP protocol supports security and refer. Other protocols have not yet been implemented. I will make time to add this functionality.

@duiniuluantanqin duiniuluantanqin self-assigned this Nov 30, 2023
@winlinvip
Member

winlinvip commented Dec 1, 2023

Security is very effective in simpler IP whitelist scenarios. Please ensure that other protocols are also implemented, not just RTMP and HLS.

TRANS_BY_GPT4

@duiniuluantanqin
Member

duiniuluantanqin commented Dec 1, 2023

Firstly, it must be clarified that there is a conflict in your configuration.

```
allow           publish     172.17.0.0/24;
allow           publish     127.0.0.0/24;
deny            publish     all;
```

Within this context, the `deny` directive will override the preceding `allow`. This means that with such a configuration, all publish attempts will be blocked. Based on your description, if you want to fulfill the requirement of allowing only the local network to publish, you simply need to remove the line `deny publish all;`.

TRANS_BY_GPT4
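A small evaluator for the allow/deny semantics described in the comment above, added here as an example and not taken from the SRS source: a matching `deny` wins over every `allow`, so the issue's `deny publish all;` blocks even 127.0.0.1, and dropping that line restores the intended whitelist. The default-deny result when no rule matches, and the `parse_rules`/`check`/`without_deny_all` names, are assumptions of this model.

```python
"""Model of the allow/deny evaluation described in the thread (added example, not SRS code).
A matching `deny` wins over any `allow`; with no matching rule the request is refused.
That default-deny fallback is an assumption of this model, not a claim about SRS internals."""
import ipaddress

# Constructed input: the security rules from the issue (comments and `enabled on;` omitted).
ISSUE_RULES = """
    allow           play        127.0.0.0/24;
    allow           play        172.17.0.0/24;
    deny            play        all;
    allow           publish     172.17.0.0/24;
    allow           publish     127.0.0.0/24;
    deny            publish     all;
"""

def parse_rules(text):
    """Parse `allow|deny  play|publish  <cidr|all>;` lines into (verb, action, network)."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip().rstrip(";").strip()
        if not line:
            continue
        verb, action, target = line.split()
        if verb not in ("allow", "deny") or action not in ("play", "publish"):
            raise ValueError(f"unsupported rule: {line!r}")
        net = None if target == "all" else ipaddress.ip_network(target, strict=False)
        rules.append((verb, action, net))
    return rules

def check(rules, action, ip):
    """Return 'allow' or 'deny' for a client at `ip` attempting `action`."""
    client = ipaddress.ip_address(ip)
    allowed = False
    for verb, rule_action, net in rules:
        if rule_action != action or not (net is None or client in net):
            continue
        if verb == "deny":
            return "deny"  # a matching deny overrides every allow, as the maintainer notes
        allowed = True
    return "allow" if allowed else "deny"  # no rule matched: default deny (model assumption)

def without_deny_all(rules, action):
    """The fix suggested in the thread: drop the `deny <action> all;` rule."""
    return [r for r in rules if not (r[0] == "deny" and r[1] == action and r[2] is None)]

if __name__ == "__main__":
    rules = parse_rules(ISSUE_RULES)
    print(check(rules, "publish", "127.0.0.1"))                               # deny
    print(check(without_deny_all(rules, "publish"), "publish", "127.0.0.1"))  # allow
```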
