protection with AllowedHTMLDomains doesn't work for RTMPT

Explorer, Jul 16, 2016


EDIT: I have rewritten most of the post so it represents the real problem.

I have enabled AllowedHTMLDomains and AllowedSWFDomains and set my domain in them.

Now if I connect to the server with a Flash player which supports only RTMP streaming, everything works as expected. Such players from foreign domains are forbidden to play my content.

But if I connect to the server with a player which is able to fall back to RTMPT if RTMP is not working, then the protection is bypassed.

FMS log says:

Accepted a connection from IP:127.0.0.1, referrer: http://post.lnk.lt/flow/flowplayer.commercial-3.2.16.swf, pageurl: http://post.lnk.lt/flow/allow.html

The protection is bypassed because during RTMPT the IP address becomes 127.0.0.1, and this is what I have found in the VOD application:

        // Authenticating HTML file's domain for the request:
        // Don't call validate() when the request is from localhost
        // or HTML Domains Authentication is off.
        if ((p_client.ip != "127.0.0.1") && application.HTMLDomainsAuth && !this.validate( p_client.pageUrl, this.allowedHTMLDomains ) )
        {
                trace("Authentication failed for pageurl: " + p_client.pageUrl + ", rejecting connection from "+p_client.ip);
                return false;
        }

Why does this check exist in the first place? To allow the FMS Admin to access the application?

Maybe this can be fixed by sending the real IP address to the RTMPT subprocess?

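The check quoted in the post, modelled in plain JavaScript as an added example (not part of the original post and not Adobe's code): it compares the original condition with a variant that drops the 127.0.0.1 exemption. `hostOf`, the matching rule inside `validate`, the function names and the sample clients are assumptions constructed for illustration.

```javascript
// Added illustration in plain JavaScript; not the FMS vod application's source.
// hostOf() and validate() are hypothetical stand-ins: the page does not show
// the real validate() implementation.
function hostOf(url) {
  try { return new URL(url).hostname.toLowerCase(); } catch (e) { return null; }
}

// Exact host match or subdomain of an allowed entry (assumed matching rule).
function validate(pageUrl, allowedDomains) {
  const host = hostOf(pageUrl);
  if (host === null) return false;
  return allowedDomains.some(function (d) {
    d = d.toLowerCase();
    return host === d || host.endsWith("." + d);
  });
}

// Same condition as the check quoted in the post: validation is skipped
// whenever the client IP is 127.0.0.1.
function acceptOriginal(client, cfg) {
  if (client.ip != "127.0.0.1" && cfg.HTMLDomainsAuth &&
      !validate(client.pageUrl, cfg.allowedHTMLDomains)) {
    return false;
  }
  return true;
}

// Variant without the IP exemption: pageUrl is checked for every client,
// so a tunnelled connection reported as 127.0.0.1 gets no special treatment.
function acceptNoLocalBypass(client, cfg) {
  if (cfg.HTMLDomainsAuth && !validate(client.pageUrl, cfg.allowedHTMLDomains)) {
    return false;
  }
  return true;
}

// Constructed sample data (example.com / example.net are placeholders).
const cfg = { HTMLDomainsAuth: true, allowedHTMLDomains: ["example.com"] };
const clients = [
  { label: "RTMP, allowed page",  ip: "203.0.113.7", pageUrl: "http://www.example.com/play.html" },
  { label: "RTMP, foreign page",  ip: "203.0.113.7", pageUrl: "http://foreign.example.net/allow.html" },
  { label: "RTMPT, foreign page", ip: "127.0.0.1",   pageUrl: "http://foreign.example.net/allow.html" }
];
function compare() {
  return clients.map(function (c) {
    return { label: c.label, original: acceptOriginal(c, cfg), noBypass: acceptNoLocalBypass(c, cfg) };
  });
}
console.table(compare());
```

With the exemption removed, genuinely local clients must also present an allowed pageUrl.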