Access authorization

    Authorization allows you to control access to channels and allows you to save viewing statistics.

    Enable authorization:

    Go to Settings -> HTTP Authentication and check the check box Enable built-in HTTP/HLS authentication

    Image

    Click the "Apply & Restart" button. After that users (in the settings -> Users section) will have additional authorization options and integration with external services will appear.

    Users and tokens:
    See more..

    This type of authorization will allow you to use tokens, access by ip, login/password, limiting connections and the ability to set the date on which the user is active.

    Go to Settings -> Users, and in the upper right corner click on the NEW USER button. The add user window opens.

    Image

    Description of fields:

    • LOGIN - username (example "testuser").
    • PASSWORD - password (example "87326848").
    • COMMENT - comment (example "test user").
    • TYPE - user type:
      • User - cannot access the web interface. The account is used only for authorization (for example in VLC).
      • Observer - adds access rights to the web interface with read-only rights.
      • Administrator - full access rights.
    • TOKEN - token (example "8732684ydbeb8").
    • IP - IP address of the user.
    • STB - option reserved for middleware.
    • EXPIRATION - to set the amount of time an account will be active.
    • LIMIT CONNECTIONS - limiting connections to client devices.
    • PACKAGES - channel packages.

    client authorization examples:

    • http://server address:8000/playlist.m3u8?auth=testuser:87326848 - HTTP Play with login and password
    • http://server address:8000/playlist.m3u8?token=112277668833743 - HTTP Play with token

    External authorizations: (backend):
    Ministra/stalker portal

    In the field, enter the address of the Stalker Portal (for example "http://testdomain.com/stalker_portal")
    This option enables "Temporary URL" support for working with theMinistra/Stalker portal
    In the settings of the Ministra/Stalker portal enable the option "Temporary URL - Flussonic support"

    IPTVportal

    Specify the url of middleware (For cloud solution "http://go.iptvportal.ru/auth/arescrypt/")

    Portal settings:
    In the "Keys" menu, create a new key

    • name - "Astra"
    • algorithm - "ARESSTREAM"
    • mode - "SM"
    • key length - "1472 bit"
    • update rate - "1:00:00"

    In channel settings:

    • column "auth" - specified value "arescrypt"
    • column "encoded" - set the checkbox.
    • column "key" - select "Astra"
    Microimpuls Smarty

    Specify the url of middleware (for example: "http://smarty.example.com")

    HTTP Request

    This technology allows you to authorize the user through an external script: Image

    Example http backend: php_backend
    After downloading, unzip the archive. Contained files - place on the WEB server - for example in the backend directory.
    Set write permissions on the file ip_list.txt.
    add_ip.php -adds a new entry to the file ip_list.txt
    backend.php - http backend to work with Astra.

    Open add_ip.PHP in the browser and you will see a form to add an IP address.
    You can add your ip address. The script will write it to the ip_list file.txt - which acts as a database.
    In Astra, in the column backend address, specify the path to the backend.php.

    While editing the backend file.php, we can remove the string header('X-Location: http://192.168.1.1:7000/promo'); or enter the address to the promo channel.
    When adding your ip address to ip_list.txt, backend.php will return the code 200 to Astra, thus allowing viewing of the channel. When you delete ip address the code 403 will return and prohibit viewing.

    Astra passes headers to backend:
    X-Real-IP - IP address
    X-Session-ID - unique session number (allows to close the session through API)
    X-Channel-ID - stream id
    X-Real-Path

    In response from backend - Astra expects:
    HTTP status code 200: - allow authorization.
    HTTP status code 403: - deny authorization.
    Any response other than 200 - of course denies authorization.

    If there is a header in the backend response:
    X-Session-Name: Vasya - in the list of sessions - this session will be with the username Vasya.
    If response code 403, you can pass the header X-Location: http://example.com/matras - for example redirect to promo channel.

    Securetoken

    This technology allows to protect streams from illegal viewing with the help of temporary tokens, which are generated separately for each channel/stream.

    1. Go to the tab Settings -> HTTP Authentication and set the checkbox in the field Enable built-in HTTP/HLS authentication (restart required). After that, in the SECURETOKEN field, enter the invented secret key. For example - the word test Image Save the settings and restart Astra.

    2. Go to the console of our server and download the example token generator: securetoken.php
      cd /tmp
      wget http://cesbo.com/download/astra/scripts/auth/http-backend/securetoken.php
      

      Edit the file: in the variable $key = 'SECRETKEY' we will write our secret word - 'test' Image Save the changes and run token-generator: (Note: PHP must be installed on the server!)

      php -S 0:81 /tmp/securetoken.php
      
    3. Go to the settings of any of our stream. We need its ID:
      Image In the example it is a stream with id a01 and hls-output at http://0:8002/test.m3u8. Remember its ID.
      After enabling authorization, the stream will require a token for authorization. Create a token.
      Open a web browser and in the url bar make a request to our test generator:
      http://server_ip:81/?stream=a01 (where a01 is the ID of our test stream). we will receive a token with a lifetime of 3 hours:
      Image Each new request to the generator will generate unique tokens.
      Now, to view the stream - we will use the link:
      http://server_ip:8002/test.m3u8?token=d5c55f937f3b14a563889af7defdb452e4e22309-eb77c133b8068a19049566ce5dfe8d33-1561464903-1561453803
      A token is added to the stream address.

    Allow access without authorization

    It is possible to add IP addresses / networks whose users will have access to streams without authorization.

    Deny access

    Black list. It is possible to add IP addresses / networks whose users will not have access to streams, even if they have a login / password or a token.