@warren-bank/hls-proxy 3.5.1 → 3.5.3

package/README.md

@@ -113,6 +113,7 @@ options:
 --tls
 --host <host>
 --port <number>
+--copy-req-headers
 --req-headers <filepath>
 --origin <header>
 --referer <header>
@@ -132,7 +133,8 @@ options:
 --cache-storage <adapter>
 --cache-storage-fs-dirpath <dirpath>
 -v <number>
---acl-whitelist <ip_address_list>
+--acl-ip <ip_address_list>
+--acl-pass <password_list>
 --http-proxy <http[s]://[user:pass@]hostname:port>
 --tls-cert <filepath>
 --tls-key <filepath>
@@ -166,6 +168,7 @@ options:
   * when this option is not specified:
     * HTTP proxy binds to: `80`
     * HTTPS proxy binds to: `443`
+* _--copy-req-headers_ is a flag to enable the duplication of all HTTP request headers sent to the proxy &rarr; to the request made by the proxy to the video server
 * _--req-headers_ is the filepath to a JSON data _Object_ containing key:value pairs
   * each _key_ is the name of an HTTP header to send in every outbound request
 * _--origin_ is the value of the corresponding HTTP request header
@@ -363,8 +366,10 @@ options:
     * show an enhanced technical trace (useful while debugging unexpected behavior)
   * `4`:
     * show the content of .m3u8 files (both before and after URLs are modified)
-* _--acl-whitelist_ restricts proxy server access to clients at IP addresses in whitelist
+* _--acl-ip_ restricts proxy server access to clients at IP addresses in whitelist
   * ex: `"192.168.1.100,192.168.1.101,192.168.1.102"`
+* _--acl-pass_ restricts proxy server access to requests that include a `password` querystring parameter having a value in whitelist
+  * ex: `"1111,2222,3333,4444,5555"`
 * --http-proxy enables all outbound HTTP and HTTPS requests from HLS-Proxy to be tunnelled through an additional external web proxy server
   * SOCKS proxies are not supported
   * ex: `http://myusername:mypassword@myproxy.example.com:1234`

package/hls-proxy/acl_pass.js

@@ -0,0 +1,25 @@
+const expressjs = require('./expressjs_utils')
+const {URL}     = require('./url')
+
+const get_encoded_qs_password = function(req) {
+  const req_url = new URL( expressjs.get_full_req_url(req) )
+
+  return req_url.searchParams.get('password') || ''
+}
+
+const is_allowed = function(params, req) {
+  const {acl_pass} = params
+
+  if (acl_pass && Array.isArray(acl_pass) && acl_pass.length) {
+    const password = decodeURIComponent( get_encoded_qs_password(req) )
+
+    return (acl_pass.indexOf(password) >= 0)
+  }
+
+  return true
+}
+
+module.exports = {
+  get_encoded_qs_password,
+  is_allowed
+}

package/hls-proxy/bin/hlsd.js

@@ -34,6 +34,7 @@ const server = (use_tls)
 const middleware = require('../proxy')({
   is_secure:                            use_tls,
   host:                                 normalize_host(argv_vals["--host"], argv_vals["--port"]),
+  copy_req_headers:                     argv_vals["--copy-req-headers"],
   req_headers:                          argv_vals["--req-headers"],
   req_options:                          argv_vals["--req-options"],
   hooks:                                argv_vals["--hooks"],
@@ -44,7 +45,8 @@ const middleware = require('../proxy')({
   cache_storage:                        argv_vals["--cache-storage"],
   cache_storage_fs_dirpath:             argv_vals["--cache-storage-fs-dirpath"],
   debug_level:                          argv_vals["-v"],
-  acl_whitelist:                        argv_vals["--acl-whitelist"],
+  acl_ip:                               argv_vals["--acl-ip"],
+  acl_pass:                             argv_vals["--acl-pass"],
   http_proxy:                           argv_vals["--http-proxy"],
   manifest_extension:                   argv_vals["--manifest-extension"],
   segment_extension:                    argv_vals["--segment-extension"]

package/hls-proxy/bin/lib/help.js

@@ -8,6 +8,7 @@ options:
 --tls
 --host <host>
 --port <number>
+--copy-req-headers
 --req-headers <filepath>
 --origin <header>
 --referer <header>
@@ -27,7 +28,8 @@ options:
 --cache-storage <adapter>
 --cache-storage-fs-dirpath <dirpath>
 -v <number>
---acl-whitelist <ip_address_list>
+--acl-ip <ip_address_list>
+--acl-pass <password_list>
 --http-proxy <http[s]://[user:pass@]hostname:port>
 --tls-cert <filepath>
 --tls-key <filepath>

package/hls-proxy/bin/lib/process_argv.js

@@ -2,6 +2,8 @@ const process_argv = require('@warren-bank/node-process-argv')
 
 const {HttpProxyAgent, HttpsProxyAgent} = require('hpagent')
 
+const {normalize_req_headers} = require('../../utils')
+
 const argv_flags = {
   "--help":                                 {bool: true},
   "--version":                              {bool: true},
@@ -10,6 +12,7 @@ const argv_flags = {
   "--host":                                 {},
   "--port":                                 {num:  "int"},
 
+  "--copy-req-headers":                     {bool: true},
   "--req-headers":                          {file: "json"},
   "--origin":                               {},
   "--referer":                              {},
@@ -33,7 +36,8 @@ const argv_flags = {
   "--cache-storage-fs-dirpath":             {file: "path-exists"},
 
   "-v":                                     {num:  "int"},
-  "--acl-whitelist":                        {},
+  "--acl-ip":                               {},
+  "--acl-pass":                             {},
   "--http-proxy":                           {},
 
   "--tls-cert":                             {file: "path-exists"},
@@ -46,6 +50,7 @@ const argv_flags = {
 
 const argv_flag_aliases = {
   "--help":                                 ["-h"],
+  "--acl-ip":                               ["--acl-whitelist"],
   "--http-proxy":                           ["--https-proxy", "--proxy"]
 }
 
@@ -72,7 +77,7 @@ if (argv_vals["--version"]) {
 }
 
 if (argv_vals["--origin"] || argv_vals["--referer"] || argv_vals["--useragent"] || (Array.isArray(argv_vals["--header"]) && argv_vals["--header"].length)) {
-  argv_vals["--req-headers"] = argv_vals["--req-headers"] || {}
+  argv_vals["--req-headers"] = normalize_req_headers( argv_vals["--req-headers"] || {} )
 
   if (argv_vals["--origin"]) {
     argv_vals["--req-headers"]["origin"] = argv_vals["--origin"]
@@ -149,13 +154,8 @@ if (argv_vals["--req-secure-honor-server-cipher-order"] || argv_vals["--req-secu
   }
 }
 
-if (argv_vals["--req-options"] && argv_vals["--req-options"]["headers"]) {
-  const lc_headers = {}
-  for (let key in argv_vals["--req-options"]["headers"]) {
-    lc_headers[ key.toLowerCase() ] = argv_vals["--req-options"]["headers"][key]
-  }
-  argv_vals["--req-options"]["headers"] = lc_headers
-}
+if (argv_vals["--req-options"] && argv_vals["--req-options"]["headers"])
+  argv_vals["--req-options"]["headers"] = normalize_req_headers( argv_vals["--req-options"]["headers"] )
 
 if (typeof argv_vals["--max-segments"] !== 'number')
   argv_vals["--max-segments"] = 20
@@ -169,6 +169,14 @@ if (typeof argv_vals["--cache-key"] !== 'number')
 if (typeof argv_vals["-v"] !== 'number')
   argv_vals["-v"] = 0
 
+if (argv_vals["--acl-ip"]) {
+  argv_vals["--acl-ip"] = argv_vals["--acl-ip"].trim().toLowerCase().split(/\s*,\s*/g)
+}
+
+if (argv_vals["--acl-pass"]) {
+  argv_vals["--acl-pass"] = argv_vals["--acl-pass"].trim().split(/\s*,\s*/g)
+}
+
 if (argv_vals["--http-proxy"]) {
   const proxy_options = {
     keepAlive:      true,

package/hls-proxy/manifest_parser.js

@@ -112,7 +112,7 @@ const parse_HHMMSS_to_seconds = function(str) {
 //   prefetch_urls: [],
 //   modified_m3u8: ''
 // }
-const parse_manifest = function(m3u8_content, m3u8_url, referer_url, hooks, cache_segments, debug, vod_start_at_ms, redirected_base_url, should_prefetch_url, manifest_extension, segment_extension) {
+const parse_manifest = function(m3u8_content, m3u8_url, referer_url, hooks, cache_segments, debug, vod_start_at_ms, redirected_base_url, should_prefetch_url, manifest_extension, segment_extension, qs_password) {
   const m3u8_lines = m3u8_content.split(regexs.m3u8_line_separator)
   m3u8_content = null
 
@@ -125,7 +125,7 @@ const parse_manifest = function(m3u8_content, m3u8_url, referer_url, hooks, cach
       redirect_embedded_url(embedded_url, hooks, m3u8_url, debug)
       if (validate_embedded_url(embedded_url)) {
         finalize_embedded_url(embedded_url, vod_start_at_ms, debug)
-        encode_embedded_url(embedded_url, hooks, redirected_base_url, debug, manifest_extension, segment_extension)
+        encode_embedded_url(embedded_url, hooks, redirected_base_url, debug, manifest_extension, segment_extension, qs_password)
         get_prefetch_url(embedded_url, should_prefetch_url, prefetch_urls)
         modify_m3u8_line(embedded_url, m3u8_lines)
       }
@@ -332,7 +332,7 @@ const finalize_embedded_url = function(embedded_url, vod_start_at_ms, debug) {
   }
 }
 
-const encode_embedded_url = function(embedded_url, hooks, redirected_base_url, debug, manifest_extension, segment_extension) {
+const encode_embedded_url = function(embedded_url, hooks, redirected_base_url, debug, manifest_extension, segment_extension, qs_password) {
   if (embedded_url.unencoded_url) {
     let file_extension = embedded_url.url_type
     if (file_extension) {
@@ -344,6 +344,9 @@ const encode_embedded_url = function(embedded_url, hooks, redirected_base_url, d
 
     embedded_url.encoded_url = `${redirected_base_url}/${ utils.base64_encode(embedded_url.unencoded_url) }.${file_extension || 'other'}`
 
+    if (qs_password)
+      embedded_url.encoded_url += `?password=${qs_password}`
+
     debug(3, 'redirecting (proxied):', embedded_url.encoded_url)
 
     if (hooks && (hooks instanceof Object) && hooks.redirect_final && (typeof hooks.redirect_final === 'function')) {
@@ -379,7 +382,7 @@ const modify_m3u8_line = function(embedded_url, m3u8_lines) {
   }
 }
 
-const modify_m3u8_content = function(params, segment_cache, m3u8_content, m3u8_url, referer_url, redirected_base_url) {
+const modify_m3u8_content = function(params, segment_cache, m3u8_content, m3u8_url, referer_url, inbound_req_headers, redirected_base_url, qs_password) {
   const {hooks, cache_segments, max_segments, debug_level, manifest_extension, segment_extension} = params
 
   const {has_cache, get_time_since_last_access, is_expired, prefetch_segment} = segment_cache
@@ -421,13 +424,13 @@ const modify_m3u8_content = function(params, segment_cache, m3u8_content, m3u8_u
           const matching_url = urls[0]
           urls[0] = undefined
 
-          promise = prefetch_segment(m3u8_url, matching_url, referer_url, dont_touch_access)
+          promise = prefetch_segment(m3u8_url, matching_url, referer_url, inbound_req_headers, dont_touch_access)
         }
 
         promise.then(() => {
           urls.forEach((matching_url, index) => {
             if (matching_url) {
-              prefetch_segment(m3u8_url, matching_url, referer_url, dont_touch_access)
+              prefetch_segment(m3u8_url, matching_url, referer_url, inbound_req_headers, dont_touch_access)
 
               urls[index] = undefined
             }
@@ -437,7 +440,7 @@ const modify_m3u8_content = function(params, segment_cache, m3u8_content, m3u8_u
     : null
 
   {
-    const parsed_manifest = parse_manifest(m3u8_content, m3u8_url, referer_url, hooks, cache_segments, debug, vod_start_at_ms, redirected_base_url, should_prefetch_url, manifest_extension, segment_extension)
+    const parsed_manifest = parse_manifest(m3u8_content, m3u8_url, referer_url, hooks, cache_segments, debug, vod_start_at_ms, redirected_base_url, should_prefetch_url, manifest_extension, segment_extension, qs_password)
     is_vod          = !!parsed_manifest.meta_data.is_vod                  // default: false => hls live stream
     seg_duration_ms = parsed_manifest.meta_data.seg_duration_ms || 10000  // default: 10 seconds in ms
     prefetch_urls   = parsed_manifest.prefetch_urls

package/hls-proxy/proxy.js

@@ -1,16 +1,18 @@
-const request = require('@warren-bank/node-request').request
-const cookies = require('./cookies')
-const parser  = require('./manifest_parser')
-const timers  = require('./timers')
-const utils   = require('./utils')
+const request  = require('@warren-bank/node-request').request
+const acl_pass = require('./acl_pass')
+const cookies  = require('./cookies')
+const parser   = require('./manifest_parser')
+const timers   = require('./timers')
+const utils    = require('./utils')
 
 const get_middleware = function(params) {
   const {cache_segments} = params
-  let   {acl_whitelist}  = params
+  let   {acl_ip}         = params
 
   const segment_cache = require('./segment_cache')(params)
   const {get_segment, add_listener} = segment_cache
 
+  const is_acl_pass_allowed = acl_pass.is_allowed.bind(null, params)
   const debug               = utils.debug.bind(null, params)
   const parse_req_url       = utils.parse_req_url.bind(null, params)
   const get_request_options = utils.get_request_options.bind(null, params)
@@ -19,16 +21,14 @@ const get_middleware = function(params) {
   const middleware = {}
 
   // Access Control
-  if (acl_whitelist) {
-    acl_whitelist = acl_whitelist.trim().toLowerCase().split(/\s*,\s*/g)
-
+  if (acl_ip && Array.isArray(acl_ip) && acl_ip.length) {
     middleware.connection = (socket) => {
       if (socket && socket.remoteAddress) {
-        let remoteIP = socket.remoteAddress.toLowerCase().replace(/^::?ffff:/, '')
+        const remote_ip = socket.remoteAddress.toLowerCase().replace(/^::?ffff:/, '')
 
-        if (acl_whitelist.indexOf(remoteIP) === -1) {
+        if (acl_ip.indexOf(remote_ip) === -1) {
           socket.destroy()
-          debug(2, socket.remoteFamily, 'connection blocked by ACL whitelist:', remoteIP)
+          debug(2, socket.remoteFamily, 'connection blocked by ACL IP whitelist:', remote_ip)
         }
       }
     }
@@ -36,6 +36,13 @@ const get_middleware = function(params) {
 
   // Create an HTTP tunneling proxy
   middleware.request = async (req, res) => {
+    if (!is_acl_pass_allowed(req)) {
+      res.writeHead(401)
+      res.end()
+      debug(2, 'request blocked by ACL password whitelist:', req.url)
+      return
+    }
+
     debug(3, 'proxying (raw):', req.url)
 
     utils.add_CORS_headers(res)
@@ -48,7 +55,8 @@ const get_middleware = function(params) {
       return
     }
 
-    const is_m3u8 = (url_type === 'm3u8')
+    const qs_password = acl_pass.get_encoded_qs_password(req)
+    const is_m3u8     = (url_type === 'm3u8')
 
     const send_cache_segment = function(segment, type) {
       if (!type)
@@ -71,7 +79,7 @@ const get_middleware = function(params) {
       }
     }
 
-    const options = get_request_options(url, is_m3u8, referer_url)
+    const options = get_request_options(url, is_m3u8, referer_url, req.headers)
     debug(1, 'proxying:', url)
     debug(3, 'm3u8:', (is_m3u8 ? 'true' : 'false'))
 
@@ -99,7 +107,7 @@ const get_middleware = function(params) {
           : url
 
         res.writeHead(200, { "content-type": "application/x-mpegURL" })
-        res.end( modify_m3u8_content(response.toString().trim(), m3u8_url, referer_url, redirected_base_url) )
+        res.end( modify_m3u8_content(response.toString().trim(), m3u8_url, referer_url, req.headers, redirected_base_url, qs_password) )
       }
     })
     .catch((e) => {

package/hls-proxy/segment_cache.js

@@ -161,7 +161,7 @@ module.exports = function(params) {
     }
   }
 
-  const prefetch_segment = function(m3u8_url, url, referer_url, dont_touch_access) {
+  const prefetch_segment = function(m3u8_url, url, referer_url, inbound_req_headers, dont_touch_access) {
     let promise = Promise.resolve()
 
     if (cache[m3u8_url] === undefined) {
@@ -184,7 +184,7 @@ module.exports = function(params) {
       index = ts.length
       ts[index] = {key: get_privatekey_from_url(url), has: false, cb: [], type: null, state: {}}
 
-      let options = get_request_options(url, /* is_m3u8= */ false, referer_url)
+      let options = get_request_options(url, /* is_m3u8= */ false, referer_url, inbound_req_headers)
       promise = request(options, '', {binary: true, stream: false, cookieJar: cookies.getCookieJar()})
       .then(({redirects, response}) => {
         debug(1, `prefetch (complete, ${response.length} bytes):`, debug_url)

package/hls-proxy/timers.js

@@ -11,7 +11,7 @@ const initialize_timers = function(params) {
     const get_request_options = utils.get_request_options.bind(null, params)
 
     const request_wrapper = function(url, POST_data, user_config) {
-      const options = get_request_options(url, /* is_m3u8= */ false, /* referer_url= */ null)
+      const options = get_request_options(url, /* is_m3u8= */ false, /* referer_url= */ null, /* inbound_req_headers= */ null)
       const config  = Object.assign(
         {},
         (user_config || {}),

package/hls-proxy/utils.js

@@ -120,8 +120,22 @@ const debug = function() {
   }
 }
 
-const get_request_options = function(params, url, is_m3u8, referer_url) {
-  const {req_headers, req_options, hooks, http_proxy} = params
+const normalize_req_headers = function(req_headers) {
+  const normalized = {}
+
+  for (let name in req_headers) {
+    normalized[ name.toLowerCase() ] = req_headers[name]
+  }
+
+  return normalized
+}
+
+const get_request_options = function(params, url, is_m3u8, referer_url, inbound_req_headers) {
+  const {copy_req_headers, req_headers, req_options, hooks, http_proxy} = params
+
+  const copied_req_headers = (copy_req_headers && inbound_req_headers && (inbound_req_headers instanceof Object))
+    ? normalize_req_headers(inbound_req_headers)
+    : null
 
   const additional_req_options = (hooks && (hooks instanceof Object) && hooks.add_request_options && (typeof hooks.add_request_options === 'function'))
     ? hooks.add_request_options(url, is_m3u8)
@@ -131,7 +145,7 @@ const get_request_options = function(params, url, is_m3u8, referer_url) {
     ? hooks.add_request_headers(url, is_m3u8)
     : null
 
-  if (!req_options && !http_proxy && !additional_req_options && !req_headers && !additional_req_headers && !referer_url) return url
+  if (!req_options && !http_proxy && !additional_req_options && !copied_req_headers && !req_headers && !additional_req_headers && !referer_url) return url
 
   const request_options = Object.assign(
     {},
@@ -142,6 +156,7 @@ const get_request_options = function(params, url, is_m3u8, referer_url) {
 
   request_options.headers = Object.assign(
     {},
+    (copied_req_headers      || {}),
     ((           req_options &&            req_options.headers) ?            req_options.headers : {}),
     ((additional_req_options && additional_req_options.headers) ? additional_req_options.headers : {}),
     (req_headers             || {}),
@@ -186,6 +201,7 @@ module.exports = {
   get_content_type,
   add_CORS_headers,
   debug,
+  normalize_req_headers,
   get_request_options,
   should_prefetch_url
 }

package/package.json

@@ -1,7 +1,7 @@
 {
   "name": "@warren-bank/hls-proxy",
   "description": "Node.js server to proxy HLS video streams",
-  "version":     "3.5.1",
+  "version":     "3.5.3",
   "scripts": {
     "start":     "node hls-proxy/bin/hlsd.js",
     "sudo": "sudo node hls-proxy/bin/hlsd.js"