diff --git a/trunk/doc/CHANGELOG.md b/trunk/doc/CHANGELOG.md
index 1d4965f730..1f32d08ee8 100644
--- a/trunk/doc/CHANGELOG.md
+++ b/trunk/doc/CHANGELOG.md
@@ -7,6 +7,7 @@ The changelog for SRS.
## SRS 6.0 Changelog
+* v6.0, 2023-12-14, Merge [#3902](https://github.com/ossrs/srs/pull/3902): Security: Support IP whitelist for HTTP-FLV, HLS, WebRTC, and SRT. v6.0.104 (#3902)
* v6.0, 2023-11-22, Merge [#3891](https://github.com/ossrs/srs/pull/3891): fix 'sed' error in options.sh. v6.0.103 (#3891)
* v6.0, 2023-11-22, Merge [#3883](https://github.com/ossrs/srs/pull/3883): Fix opus delay options, use ffmpeg-opus in docker test. v6.0.102 (#3883)
* v6.0, 2023-11-19, Merge [#3886](https://github.com/ossrs/srs/pull/3886): Change the hls_aof_ratio to 2.1. v6.0.101 (#3886)
@@ -115,6 +116,7 @@ The changelog for SRS.
## SRS 5.0 Changelog
+* v5.0, 2023-12-14, Merge [#3902](https://github.com/ossrs/srs/pull/3902): Security: Support IP whitelist for HTTP-FLV, HLS, WebRTC, and SRT. v5.0.202 (#3902)
* v5.0, 2023-11-22, Merge [#3891](https://github.com/ossrs/srs/pull/3891): fix 'sed' error in options.sh. v5.0.201 (#3891)
* v5.0, 2023-11-19, Merge [#3886](https://github.com/ossrs/srs/pull/3886): Change the hls_aof_ratio to 2.1. v5.0.200 (#3886)
* v5.0, 2023-11-15, Merge [#3879](https://github.com/ossrs/srs/pull/3879): Add --extra-ldflags. v5.0.199 (#3879)
diff --git a/trunk/src/app/srs_app_http_static.cpp b/trunk/src/app/srs_app_http_static.cpp
index a1e7b93c89..69ecea1c02 100644
--- a/trunk/src/app/srs_app_http_static.cpp
+++ b/trunk/src/app/srs_app_http_static.cpp
@@ -64,6 +64,7 @@ void SrsHlsVirtualConn::expire()
SrsHlsStream::SrsHlsStream()
{
_srs_hybrid->timer5s()->subscribe(this);
+ security_ = new SrsSecurity();
}
SrsHlsStream::~SrsHlsStream()
@@ -76,6 +77,7 @@ SrsHlsStream::~SrsHlsStream()
srs_freep(info);
}
map_ctx_info_.clear();
+ srs_freep(security_);
}
srs_error_t SrsHlsStream::serve_m3u8_ctx(ISrsHttpResponseWriter* w, ISrsHttpMessage* r, ISrsFileReaderFactory* factory, string fullpath, SrsRequest* req, bool* served)
@@ -167,6 +169,10 @@ srs_error_t SrsHlsStream::serve_new_session(ISrsHttpResponseWriter* w, ISrsHttpM
return srs_error_wrap(err, "stat on client");
}
+ if ((err = security_->check(SrsHlsPlay, req->ip, req)) != srs_success) {
+ return srs_error_wrap(err, "HLS: security check");
+ }
+
// We must do hook after stat, because depends on it.
if ((err = http_hooks_on_play(req)) != srs_success) {
return srs_error_wrap(err, "HLS: http_hooks_on_play");
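Review bot: The new `security_->check(SrsHlsPlay, req->ip, req)` is added to serve_new_session only, so as far as this hunk shows the allow/deny rules apply when an HLS session is created, not on later playlist requests for an existing session or on segment requests. If segments are served by a handler that never calls the check, a denied address may still be able to request them directly, and the rule would not restrict playback; please confirm against the code outside the hunk. If once-per-session enforcement is intended, state it above the check, e.g. `// Security is enforced once per HLS session; segment requests are not checked here.` The function body starts and ends outside the hunk.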
diff --git a/trunk/src/app/srs_app_http_static.hpp b/trunk/src/app/srs_app_http_static.hpp
index 4d9da18537..6c2a02cf86 100644
--- a/trunk/src/app/srs_app_http_static.hpp
+++ b/trunk/src/app/srs_app_http_static.hpp
@@ -8,7 +8,7 @@
#define SRS_APP_HTTP_STATIC_HPP
#include
-
+#include
#include
class ISrsFileReaderFactory;
@@ -52,6 +52,8 @@ class SrsHlsStream : public ISrsFastTimer
// interface ISrsFastTimer
private:
srs_error_t on_timer(srs_utime_t interval);
+private:
+ SrsSecurity* security_;
};
// The Vod streaming, like FLV, MP4 or HLS streaming.
diff --git a/trunk/src/app/srs_app_http_stream.cpp b/trunk/src/app/srs_app_http_stream.cpp
index eaa1984f3f..f738413d39 100755
--- a/trunk/src/app/srs_app_http_stream.cpp
+++ b/trunk/src/app/srs_app_http_stream.cpp
@@ -558,11 +558,13 @@ SrsLiveStream::SrsLiveStream(SrsLiveSource* s, SrsRequest* r, SrsBufferCache* c)
source = s;
cache = c;
req = r->copy()->as_http();
+ security_ = new SrsSecurity();
}
SrsLiveStream::~SrsLiveStream()
{
srs_freep(req);
+ srs_freep(security_);
}
srs_error_t SrsLiveStream::update_auth(SrsLiveSource* s, SrsRequest* r)
@@ -600,6 +602,10 @@ srs_error_t SrsLiveStream::serve_http(ISrsHttpResponseWriter* w, ISrsHttpMessage
return srs_error_wrap(err, "stat on client");
}
+ if ((err = security_->check(SrsFlvPlay, req->ip, req)) != srs_success) {
+ return srs_error_wrap(err, "flv: security check");
+ }
+
// We must do hook after stat, because depends on it.
if ((err = http_hooks_on_play(r)) != srs_success) {
return srs_error_wrap(err, "http hook");
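Review bot: The check reads `req->ip`, and `req` is the member the constructor fills with `r->copy()->as_http()`, not the per-connection message `r` that the hook below receives. Unless serve_http assigns the connecting client's address to `req->ip` before this point (that part is outside the hunk), the rule is evaluated against the address captured when the handler was created rather than the viewer's. I would take the address from the current connection for the check and add a comment at the place it is set, e.g. `// req->ip must hold this connection's peer address before the security check.`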
diff --git a/trunk/src/app/srs_app_http_stream.hpp b/trunk/src/app/srs_app_http_stream.hpp
index 0264f60698..087342f224 100755
--- a/trunk/src/app/srs_app_http_stream.hpp
+++ b/trunk/src/app/srs_app_http_stream.hpp
@@ -8,7 +8,7 @@
#define SRS_APP_HTTP_STREAM_HPP
#include
-
+#include
#include
class SrsAacTransmuxer;
@@ -180,6 +180,7 @@ class SrsLiveStream : public ISrsHttpHandler
SrsRequest* req;
SrsLiveSource* source;
SrsBufferCache* cache;
+ SrsSecurity* security_;
public:
SrsLiveStream(SrsLiveSource* s, SrsRequest* r, SrsBufferCache* c);
virtual ~SrsLiveStream();
diff --git a/trunk/src/app/srs_app_rtc_api.cpp b/trunk/src/app/srs_app_rtc_api.cpp
index b0d695c4a3..115dc9dee6 100644
--- a/trunk/src/app/srs_app_rtc_api.cpp
+++ b/trunk/src/app/srs_app_rtc_api.cpp
@@ -31,10 +31,12 @@ using namespace std;
SrsGoApiRtcPlay::SrsGoApiRtcPlay(SrsRtcServer* server)
{
server_ = server;
+ security_ = new SrsSecurity();
}
SrsGoApiRtcPlay::~SrsGoApiRtcPlay()
{
+ srs_freep(security_);
}
@@ -228,6 +230,10 @@ srs_error_t SrsGoApiRtcPlay::serve_http(ISrsHttpResponseWriter* w, ISrsHttpMessa
}
}
+ if ((err = security_->check(SrsRtcConnPlay, ruc->req_->ip, ruc->req_)) != srs_success) {
+ return srs_error_wrap(err, "RTC: security check");
+ }
+
if ((err = http_hooks_on_play(ruc->req_)) != srs_success) {
return srs_error_wrap(err, "RTC: http_hooks_on_play");
}
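Review bot: Nothing in this hunk shows where `ruc->req_->ip` comes from, and the allow/deny decision is only as trustworthy as that value. If it can be filled from request-supplied data (a field in the API body or a forwarded-address header) rather than the transport peer address, the rule is evaluated on input the caller controls. I would state the requirement next to the check, e.g. `// NOTE: ruc->req_->ip must be the transport peer address (or come from a trusted proxy) for this check to be meaningful.`, and verify it in the code above the hunk. The same applies to the publish check in SrsGoApiRtcPublish::serve_http.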
@@ -324,10 +330,12 @@ srs_error_t SrsGoApiRtcPlay::http_hooks_on_play(SrsRequest* req)
SrsGoApiRtcPublish::SrsGoApiRtcPublish(SrsRtcServer* server)
{
server_ = server;
+ security_ = new SrsSecurity();
}
SrsGoApiRtcPublish::~SrsGoApiRtcPublish()
{
+ srs_freep(security_);
}
// Request:
@@ -503,6 +511,10 @@ srs_error_t SrsGoApiRtcPublish::serve_http(ISrsHttpResponseWriter* w, ISrsHttpMe
return srs_error_wrap(err, "create session");
}
+ if ((err = security_->check(SrsRtcConnPublish, ruc->req_->ip, ruc->req_)) != srs_success) {
+ return srs_error_wrap(err, "RTC: security check");
+ }
+
// We must do hook after stat, because depends on it.
if ((err = http_hooks_on_publish(ruc->req_)) != srs_success) {
return srs_error_wrap(err, "RTC: http_hooks_on_publish");
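Review bot: The check is placed after the block that returns "create session", so a publisher from a denied address has already had a session created before it is rejected. Whether that session is torn down on this error return is not visible in the hunk; calling `security_->check(SrsRtcConnPublish, ruc->req_->ip, ruc->req_)` before session creation avoids the question. The HLS, HTTP-FLV and SRT hunks have a similar shape, with the check placed after the stat-on-client step, so a rejected client is registered in statistics first; moving the check above the stat call would reject earlier there too.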
diff --git a/trunk/src/app/srs_app_rtc_api.hpp b/trunk/src/app/srs_app_rtc_api.hpp
index a4797f7a9c..3aa4144cfc 100644
--- a/trunk/src/app/srs_app_rtc_api.hpp
+++ b/trunk/src/app/srs_app_rtc_api.hpp
@@ -8,7 +8,7 @@
#define SRS_APP_RTC_API_HPP
#include
-
+#include
#include
class SrsRtcServer;
@@ -20,6 +20,7 @@ class SrsGoApiRtcPlay : public ISrsHttpHandler
{
private:
SrsRtcServer* server_;
+ SrsSecurity* security_;
public:
SrsGoApiRtcPlay(SrsRtcServer* server);
virtual ~SrsGoApiRtcPlay();
@@ -39,6 +40,7 @@ class SrsGoApiRtcPublish : public ISrsHttpHandler
{
private:
SrsRtcServer* server_;
+ SrsSecurity* security_;
public:
SrsGoApiRtcPublish(SrsRtcServer* server);
virtual ~SrsGoApiRtcPublish();
diff --git a/trunk/src/app/srs_app_security.cpp b/trunk/src/app/srs_app_security.cpp
index af4d6bec71..e92f332335 100644
--- a/trunk/src/app/srs_app_security.cpp
+++ b/trunk/src/app/srs_app_security.cpp
@@ -75,7 +75,10 @@ srs_error_t SrsSecurity::allow_check(SrsConfDirective* rules, SrsRtmpConnType ty
switch (type) {
case SrsRtmpConnPlay:
- case SrsRtcConnPlay:
+ case SrsHlsPlay:
+ case SrsFlvPlay:
+ case SrsRtcConnPlay:
+ case SrsSrtConnPlay:
if (rule->arg0() != "play") {
break;
}
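Review bot: The play-type labels (`SrsHlsPlay`, `SrsFlvPlay`, `SrsRtcConnPlay`, `SrsSrtConnPlay`) are now listed by hand in both allow_check and deny_check, and `SrsSrtConnPublish` likewise in both publish groups (the three later hunks in this file). A connection type added to one switch and forgotten in the other would not be matched by that kind of rule; what the switch does for an unlisted type is outside the hunks, so that effect is inferred. A comment above each switch such as `// Keep the play/publish type lists identical in allow_check() and deny_check().` would help, or a small helper that maps the type to "play"/"publish" and is shared by both functions.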
@@ -90,6 +93,7 @@ srs_error_t SrsSecurity::allow_check(SrsConfDirective* rules, SrsRtmpConnType ty
case SrsRtmpConnFlashPublish:
case SrsRtmpConnHaivisionPublish:
case SrsRtcConnPublish:
+ case SrsSrtConnPublish:
if (rule->arg0() != "publish") {
break;
}
@@ -126,7 +130,10 @@ srs_error_t SrsSecurity::deny_check(SrsConfDirective* rules, SrsRtmpConnType typ
switch (type) {
case SrsRtmpConnPlay:
- case SrsRtcConnPlay:
+ case SrsHlsPlay:
+ case SrsFlvPlay:
+ case SrsRtcConnPlay:
+ case SrsSrtConnPlay:
if (rule->arg0() != "play") {
break;
}
@@ -141,6 +148,7 @@ srs_error_t SrsSecurity::deny_check(SrsConfDirective* rules, SrsRtmpConnType typ
case SrsRtmpConnFlashPublish:
case SrsRtmpConnHaivisionPublish:
case SrsRtcConnPublish:
+ case SrsSrtConnPublish:
if (rule->arg0() != "publish") {
break;
}
diff --git a/trunk/src/app/srs_app_srt_conn.cpp b/trunk/src/app/srs_app_srt_conn.cpp
index 427f567f4d..c67dec3ab6 100644
--- a/trunk/src/app/srs_app_srt_conn.cpp
+++ b/trunk/src/app/srs_app_srt_conn.cpp
@@ -174,6 +174,8 @@ SrsMpegtsSrtConn::SrsMpegtsSrtConn(SrsSrtServer* srt_server, srs_srt_t srt_fd, s
srt_source_ = NULL;
req_ = new SrsRequest();
req_->ip = ip;
+
+ security_ = new SrsSecurity();
}
SrsMpegtsSrtConn::~SrsMpegtsSrtConn()
@@ -184,6 +186,7 @@ SrsMpegtsSrtConn::~SrsMpegtsSrtConn()
srs_freep(delta_);
srs_freep(srt_conn_);
srs_freep(req_);
+ srs_freep(security_);
}
std::string SrsMpegtsSrtConn::desc()
@@ -311,6 +314,10 @@ srs_error_t SrsMpegtsSrtConn::publishing()
return srs_error_wrap(err, "srt: stat client");
}
+ if ((err = security_->check(SrsSrtConnPublish, ip_, req_)) != srs_success) {
+ return srs_error_wrap(err, "srt: security check");
+ }
+
// We must do hook after stat, because depends on it.
if ((err = http_hooks_on_publish()) != srs_success) {
return srs_error_wrap(err, "srt: callback on publish");
@@ -333,12 +340,16 @@ srs_error_t SrsMpegtsSrtConn::playing()
// We must do stat the client before hooks, because hooks depends on it.
SrsStatistic* stat = SrsStatistic::instance();
if ((err = stat->on_client(_srs_context->get_id().c_str(), req_, this, SrsSrtConnPlay)) != srs_success) {
- return srs_error_wrap(err, "rtmp: stat client");
+ return srs_error_wrap(err, "srt: stat client");
+ }
+
+ if ((err = security_->check(SrsSrtConnPlay, ip_, req_)) != srs_success) {
+ return srs_error_wrap(err, "srt: security check");
}
// We must do hook after stat, because depends on it.
if ((err = http_hooks_on_play()) != srs_success) {
- return srs_error_wrap(err, "rtmp: callback on play");
+ return srs_error_wrap(err, "srt: callback on play");
}
err = do_playing();
diff --git a/trunk/src/app/srs_app_srt_conn.hpp b/trunk/src/app/srs_app_srt_conn.hpp
index 0b9f04884a..e4c6767c29 100644
--- a/trunk/src/app/srs_app_srt_conn.hpp
+++ b/trunk/src/app/srs_app_srt_conn.hpp
@@ -16,6 +16,7 @@
#include
#include
#include
+#include
class SrsBuffer;
class SrsLiveSource;
@@ -123,6 +124,7 @@ class SrsMpegtsSrtConn : public ISrsConnection, public ISrsStartable, public ISr
SrsRequest* req_;
SrsSrtSource* srt_source_;
+ SrsSecurity* security_;
};
#endif
diff --git a/trunk/src/core/srs_core_version5.hpp b/trunk/src/core/srs_core_version5.hpp
index 236ecd9b90..4c3b41c010 100644
--- a/trunk/src/core/srs_core_version5.hpp
+++ b/trunk/src/core/srs_core_version5.hpp
@@ -1,5 +1,5 @@
//
-// Copyright (c) 2013-2023 The SRS Authors
+// Copyright (c) 2023-2023 The SRS Authors
//
// SPDX-License-Identifier: MIT
//
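Review bot: The copyright line changes from `2013-2023` to `2023-2023`, which looks unintended for a revision bump; the version6 header in this diff is not changed that way. I would keep `// Copyright (c) 2013-2023 The SRS Authors` and leave only the VERSION_REVISION change in this file.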
@@ -9,6 +9,6 @@
#define VERSION_MAJOR 5
#define VERSION_MINOR 0
-#define VERSION_REVISION 201
+#define VERSION_REVISION 202
#endif
diff --git a/trunk/src/core/srs_core_version6.hpp b/trunk/src/core/srs_core_version6.hpp
index cb4db62aae..f25224cff8 100644
--- a/trunk/src/core/srs_core_version6.hpp
+++ b/trunk/src/core/srs_core_version6.hpp
@@ -9,6 +9,6 @@
#define VERSION_MAJOR 6
#define VERSION_MINOR 0
-#define VERSION_REVISION 103
+#define VERSION_REVISION 104
#endif