Get_iplayer is streaming live TV!

Mon Nov 28 08:40:53 PST 2016

I think I have no explained it very well at all ...!

Here goes.  I run get_iplayer web frontend using the PERL script (get_iplayer.cgi) which listens on a port (we'll call it 1234) and presents a nicely formatted web page.

Some 'orrible urchin has discovered that I run get_iplayer on port 1234 and has written some scripts to play live BBC  (and S4C) TV.  

I am sort-of trying to protect the port, but given that I access my server from a whole heap of locations and I can't say in advance what those source IPs will be, it will make it all rather cumbersome.

You are correct that if get_iplayer.cgi was served from within a web-site, I could protect the cgi-bin directory with an htpasswd and htaccess and all would be ticketyboo (except I HATE passwords cos I forget them), but it doesn’t work like that.

So, what get_iplayer.cgi needs is a password system built in, but I'm warned that that is not a good idea.

I am now using iptables to block the undesirables, but that is not a sustainable method of working because I'm always going to be on the backfoot watching for the next dodgy IP address that attacks me.

I like the reverse HTTPD idea - I can stick some normal password directives in my HTTP settings and limit get_iplayer to only allow access from 127.0.0.1.

D

-----Original Message-----
From: david at harleystreet.net [mailto:david at harleystreet.net] 
Sent: 28 November 2016 16:26
To: Lake D Mr (PG/R - Elec Electronic Eng) <d.lake at surrey.ac.uk>
Cc: get_iplayer at lists.infradead.org
Subject: RE: Get_iplayer is streaming live TV!

Clearly I have not understood at all.

I thought get_iplayer.cgi was the script which was being accessed by unauthorised folk and thus being told to do stuff not desired by you.

If so, then protecting where it is located by .htaccess would surely have worked?

If it is not get_iplayer.cgi which is being accessed then obviously I have completely misunderstood.

It seems from what you say that it is not get_iplayer.cgi which you are trying to protect, but a port on the server.

In which case then some form of firewall would have been a possibility.

Webpages need not be involved in the "access".

> "Am I missing something?"
>
> Sorry, but yes you are.    It is not running as a cgi script pulled from a webpage - it is
> running as a bit of Perl scripting which just happens to have a .cgi ending.
>
> So, it is NOT a web-based cgi script which I could protect.  It is a 
> Perl Daemon that runs detached and listens on the port you declare it to listen on.
>
> (I hope I wasn't being overly blunt/rude just then; thanks for the 
> advice.  Wish it was a simple as an htpasswd/htaccess file :-( )
>
> -----Original Message-----
> From: david at harleystreet.net [mailto:david at harleystreet.net]
> Sent: 28 November 2016 14:37
> To: Lake D Mr (PG/R - Elec Electronic Eng) <d.lake at surrey.ac.uk>
> Cc: get_iplayer at lists.infradead.org
> Subject: RE: Get_iplayer is streaming live TV!
>
> You protect the directory where the cgi file is located and then folk 
> can't run it because they can't access it.
>
> Am I missing something?
>
>
>> Correct, but that is not how the cgi script runs.  It is not a 
>> regular Apache/HTTPD cgi-bin
>>
>> It runs as a Daemon.  It doesn't read from a directory so it won't 
>> pick up any htaccess/htpassword.
>>
>> I think I need to put a password module into the cgi script.
>>
>> David
>>
>> -----Original Message-----
>> From: david at harleystreet.net [mailto:david at harleystreet.net]
>> Sent: 28 November 2016 14:10
>> To: Lake D Mr (PG/R - Elec Electronic Eng) <d.lake at surrey.ac.uk>
>> Cc: get_iplayer at lists.infradead.org
>> Subject: RE: Get_iplayer is streaming live TV!
>>
>> I don't understand the problem.
>>
>> As explained at the url I gave...
>>
>> A typical .htaccess file looks like the following:
>>
>> AuthUserFile /path/to/.htpasswd
>> AuthType Basic
>> AuthName "My restricted Area"
>> Require valid-user
>>
>> Then your .htpasswd is placed at the location referenced above.
>>
>>
>>
>>> Yes, but that is for Apache, isn't it?
>>>
>>> I thought that get_iplayer.cgi ran as a Daemon (written in Perl).   How do I apply
>>> standard
>>> htaccess to that ?
>>>
>>> Please excuse me if I'm being a little thick today (or at least more than usual).
>>>
>>> -----Original Message-----
>>> From: david at harleystreet.net [mailto:david at harleystreet.net]
>>> Sent: 28 November 2016 14:00
>>> To: Lake D Mr (PG/R - Elec Electronic Eng) <d.lake at surrey.ac.uk>
>>> Cc: roger at firedrake.org; get_iplayer at lists.infradead.org
>>> Subject: RE: Get_iplayer is streaming live TV!
>>>
>>>
>>>
>>>> The answer is going to be some .htaccess-like username/password.
>>>
>>> It's pretty simple to create a password file using something like this...
>>>
>>> http://www.web2generators.com/apache-tools/htpasswd-generator
>>>
>>> -----
>>> No virus found in this message.
>>> Checked by AVG - www.avg.com
>>> Version: 2016.0.7924 / Virus Database: 4664/13487 - Release Date:
>>> 11/27/16 _______________________________________________
>>> get_iplayer mailing list
>>> get_iplayer at lists.infradead.org
>>> http://lists.infradead.org/mailman/listinfo/get_iplayer
>>>
>>>
>>
>>
>> -----
>> No virus found in this message.
>> Checked by AVG - www.avg.com
>> Version: 2016.0.7924 / Virus Database: 4664/13487 - Release Date:
>> 11/27/16 _______________________________________________
>> get_iplayer mailing list
>> get_iplayer at lists.infradead.org
>> http://lists.infradead.org/mailman/listinfo/get_iplayer
>>
>>
>
>
> -----
> No virus found in this message.
> Checked by AVG - www.avg.com
> Version: 2016.0.7924 / Virus Database: 4664/13487 - Release Date: 
> 11/27/16
>

-----
No virus found in this message.
Checked by AVG - www.avg.com
Version: 2016.0.7924 / Virus Database: 4664/13487 - Release Date: 11/27/16