Access authorization

    Authorization allows you to control access to channels and allows you to save viewing statistics.

    Enable authorization:

    Go to Settings -> HTTP Authentication and check the check box Enable built-in HTTP/HLS authentication

    After that, click the "Apply & Restart" button. Users (in the Settings -> Users section) will then have additional authorization types.

    Users and tokens:

    This type of authorization lets you use tokens, access by IP, login/password, connection limits, and an expiration date for the user account.

    Go to Settings -> Users, and in the upper right corner click on the NEW USER button. The add user window will open.

    Description of fields:

    • LOGIN - Username. (example "testuser")
    • PASSWORD - password (example "87326848")
    • COMMENT - comment (example "test user")
    • TYPE - user type:
      • user - cannot access the web interface. The account is used only for authorization (for example in VLC)
      • observer - adds access rights to the web interface with read-only rights
      • administrator - full access rights.
    • TOKEN - token (example "8732684ydbeb8")
    • IP - IP address of the user.
    • STB - option reserved for middleware
    • EXPIRATION - It is possible to set the time for which the account will be active.
    • LIMIT CONNECTIONS - limiting connections to client devices.
    • PACKAGES - channel packages.

    Client authorization examples:

    • http://server address:8000/playlist.m3u8?auth=testuser:87326848 - HTTP Play with login and password
    • http://server address:8000/playlist.m3u8?token=112277668833743 - HTTP Play with token

    External authorization (backend):
    Ministra/stalker portal

    In the field, enter the address of the Stalker Portal (for example "http://testdomain.com/stalker_portal").
    This option enables "Temporary URL" support for working with the Ministra/Stalker portal.
    In the settings of the Ministra/Stalker portal, enable the option "Temporary URL - Flussonic support".

    IPTVportal

    Specify the URL of the middleware (for the cloud solution: "http://go.iptvportal.ru/auth/arescrypt/")

    Portal settings:

    In the "Keys" menu, create a new key:

    • name - "Astra"
    • algorithm - "ARESSTREAM"
    • mode - "SM"
    • key length - "1472 bit"
    • update rate - "1:00:00"

    In channel settings:

    • column "auth" - specified value "arescrypt"
    • column "encoded" - set the checkbox.
    • column "key" - select "Astra"

    Microimpuls Smarty

    Specify the URL of the middleware (for example: "http://smarty.example.com")

    HTTP Request

    This technology allows you to authorize the user through an external script.

    Example HTTP backend: php_backend
    After downloading, unzip the archive and place the contained files on the web server, for example in the backend directory.
    Set write permissions on the file ip_list.txt.
    add_ip.php - adds a new entry to the file ip_list.txt
    backend.php - HTTP backend that works with Astra.

    Open add_ip.php in the browser and you will see a form for adding an IP address.
    You can add your IP address. The script will write it to the ip_list.txt file, which acts as a database.
    In Astra, in the backend address column, specify the path to backend.php.

    When editing backend.php, you can remove the line header('X-Location: http://192.168.1.1:7000/promo'); or put the address of your promo channel in it.
    When your IP address is added to ip_list.txt, backend.php returns code 200 to Astra, allowing the channel to be viewed. When it is removed, code 403 is returned, denying access.

    Astra passes these headers to the backend:
    X-Real-IP - IP address
    X-Session-ID - unique session number. (It can be used, for example, to close the session through the API.)
    X-Channel-ID - stream id
    X-Real-Path

    In the backend's response, Astra expects:
    HTTP status code 200 - allow authorization.
    HTTP status code 403 - deny authorization.
    Any response other than 200 denies authorization.

    Optional headers in the backend response:
    X-Session-Name: Vasya - this session will appear in the list of sessions with the username Vasya.
    If the response code is 403, you can pass the header X-Location: http://example.com/matras - for example, to redirect to a promo channel.
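
    The header contract above, as a minimal backend in Python. This is an added example, not the php_backend archive or Cesbo's code; the allow-list entries, promo URL, port 8080 and the request method Astra uses are assumptions.

```python
import ipaddress
from http.server import BaseHTTPRequestHandler, HTTPServer

# Constructed sample data: allowed networks and the promo URL are placeholders.
ALLOWED = {"192.0.2.0/24": "office", "198.51.100.7/32": "Vasya"}
PROMO_URL = "http://example.com/promo"


def decide(headers):
    """Return (status, response_headers) for one Astra authorization request."""
    try:
        client = ipaddress.ip_address(headers.get("X-Real-IP", "").strip())
    except ValueError:
        # Missing or malformed address: fail closed.
        return 403, {"X-Location": PROMO_URL}
    for net, name in ALLOWED.items():
        if client in ipaddress.ip_network(net):
            # 200 allows playback; X-Session-Name labels the session in Astra.
            return 200, {"X-Session-Name": name}
    # 403 denies playback; X-Location points the player at the promo channel.
    return 403, {"X-Location": PROMO_URL}


class Backend(BaseHTTPRequestHandler):
    def do_GET(self):
        status, extra = decide(self.headers)
        self.send_response(status)
        for key, value in extra.items():
            self.send_header(key, value)
        self.send_header("Content-Length", "0")
        self.end_headers()
        # Log the fields Astra passes so a denied session can be traced later.
        self.log_message("session=%s channel=%s path=%s -> %d",
                         self.headers.get("X-Session-ID"),
                         self.headers.get("X-Channel-ID"),
                         self.headers.get("X-Real-Path"), status)

    do_POST = do_GET  # the request method used by Astra is an assumption


if __name__ == "__main__":
    # Loopback bind: only Astra on the same host can reach the backend, so
    # clients cannot forge X-Real-IP by calling it directly.
    HTTPServer(("127.0.0.1", 8080), Backend).serve_forever()
```

    The decision depends only on X-Real-IP, so the backend must be reachable by Astra alone; if it runs on another host, restrict access to Astra's address with a firewall rule.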

    Securetoken

    This technology allows you to protect streams from illegal viewing with the help of temporary tokens.

    1. Go to Settings -> HTTP Authentication and check Enable built-in HTTP/HLS authentication (restart required). Then enter a secret key of your choice in the SECURETOKEN field, for example the word test. Save the settings and restart Astra.

    2. Go to the console of our server and download the example token generator: securetoken.php
      cd /tmp
      wget http://cesbo.com/download/astra/scripts/auth/http-backend/securetoken.php
      

      Edit the file: in the variable $key = 'SECRETKEY', write your secret word, 'test'. Save the changes and run the token generator (note: PHP must be installed on the server):

      php -S 0:81 /tmp/securetoken.php
      
    3. Go to the settings of any stream. We need its ID.
      In the example it is a stream with id a01 and hls-output at http://0:8002/test.m3u8. Remember its ID.
      After enabling authorization, the stream will require a token for authorization. Create a token:
      Open a web browser and, in the URL bar, send a request to the token generator:
      http://server_ip:81/?stream=a01 (where a01 is the ID of our test stream). We will receive a token with a lifetime of 3 hours.
      Each new request to the generator produces a unique token.
      Now, to view the stream, use the link:
      http://server_ip:8002/test.m3u8?token=d5c55f937f3b14a563889af7defdb452e4e22309-eb77c133b8068a19049566ce5dfe8d33-1561464903-1561453803
      That is, a token is added to the stream address.

    Allow access without authorization

    It is possible to add IP addresses / networks whose users will have access to streams without authorization.

    Deny access

    Black list. It is possible to add IP addresses / networks whose users will not have access to streams, even if they have a login / password or a token.