feat: remove SRT IP allowlist

2026-04-04 13:59:25 +01:00 · 2026-04-04 13:59:25 +01:00 · 9150d3cc83
parent b88f6f1e5c
commit 9150d3cc83
2 changed files with 0 additions and 31 deletions
--- a/config.example.json
+++ b/config.example.json
@ -24,5 +24,4 @@
    "mediamtx_rtsp_url": "rtsp://127.0.0.1:8554/live",
    "mediamtx_hls_url": "http://techy.music:8888/aussie_dj/index.m3u8",
    "_comment_srt_allowed_ips": "List of DJ source IPs allowed to publish an SRT stream. Empty = allow all.",
-    "srt_allowed_ips": []
 }
--- a/server.py
+++ b/server.py
@ -54,14 +54,6 @@ _MEDIAMTX_SRT_PORT  = int(CONFIG.get('mediamtx_srt_port') or 8890)
 _MEDIAMTX_RTSP_URL = (CONFIG.get('mediamtx_rtsp_url') or 'rtsp://127.0.0.1:8554/live').strip()
 _MEDIAMTX_HLS_URL  = (CONFIG.get('mediamtx_hls_url')  or 'http://techy.music:8888/aussie_dj/index.m3u8').strip()

-# Allowlist of DJ source IPs permitted to publish an SRT stream.
-# Accepts a list of strings or a single string in config.json.
-# Empty list / omitted = no restriction (allow any source IP).
-_raw_srt_ips = CONFIG.get('srt_allowed_ips') or []
-if isinstance(_raw_srt_ips, str):
-    _raw_srt_ips = [_raw_srt_ips]
-_SRT_ALLOWED_IPS: set = {ip.strip() for ip in _raw_srt_ips if isinstance(ip, str) and ip.strip()}
-
 DJ_PANEL_PASSWORD = (CONFIG.get('dj_panel_password') or '').strip()
 DJ_AUTH_ENABLED = bool(DJ_PANEL_PASSWORD)

@ -1128,20 +1120,6 @@ def mediamtx_webhook():
    path      = (data.get('path')   or data.get('MTX_PATH', '')       or request.args.get('path', '')).strip()
    source_id = (data.get('id')     or data.get('sourceID', '')       or '').strip()

-    # ── Source-IP allowlist (mediamtx >= 1.x sends source.remoteAddr) ──────
-    # Extract publisher IP from the nested source object MediaMTX sends in
-    # its native webhook payload.  curl-based runOnPublish callers won't
-    # include this field, so we fall through silently when it's absent.
-    raw_remote = ''
-    if isinstance(data.get('source'), dict):
-        raw_remote = data['source'].get('remoteAddr', '')
-    # remoteAddr is "ip:port" — strip the port
-    publisher_ip = raw_remote.rsplit(':', 1)[0].strip('[]') if raw_remote else ''
-
-    if _SRT_ALLOWED_IPS and publisher_ip and publisher_ip not in _SRT_ALLOWED_IPS:
-        print(f"SRT WEBHOOK: Rejected publish from unauthorized IP '{publisher_ip}'")
-        return jsonify({'ok': False, 'error': 'source IP not in allowlist'}), 403
-
    if event == 'publish':
        _srt_state.update({
            'active':     True,
@ -1207,13 +1185,6 @@ def srt_auth():
    protocol = (data.get('protocol') or '').strip().lower()
    client_ip = (data.get('ip')      or '').strip()

-    # Only gate SRT publish actions — allow reads and other protocols through.
-    if action == 'publish' and protocol == 'srt':
-        if _SRT_ALLOWED_IPS and client_ip not in _SRT_ALLOWED_IPS:
-            print(f"SRT AUTH: Blocked '{client_ip}' — not in srt_allowed_ips")
-            return '', 403
-        print(f"SRT AUTH: Allowed '{client_ip}'")
-
    return '', 200


@ -1228,7 +1199,6 @@ def srt_status():
        'srt_started_at':        _srt_state['started_at'],
        'broadcast_active':      broadcast_state.get('active', False),
        'srt_transcoder_running': proc is not None and proc.poll() is None,
-        'srt_allowed_ips':       sorted(_SRT_ALLOWED_IPS) if _SRT_ALLOWED_IPS else 'any',
    })