Access Control

The Allow and Deny ACLs (First Stage)

The first pair of ACLs (Allow and Deny) controls general access to the HTTP server or service of Inlab-MJPG-Streamer.

  • If a Deny-ACL is specified with the -D option and a client matches an entry, the connection is denied and immediately closed.
  • If a Deny-ACL is specified with the -D option and a client does not match any entry, the connection is not denied.
  • If an Allow-ACL is specified with the -A option and a client matches an entry, the connection is thus explicitly allowed.
  • If an Allow-ACL is specified with the -A option and a client does not match any entry, the connection is denied and immediately closed.
  • Although it is possible to use both ACLs, we recommend controlling access with either a single Deny-ACL (“blacklisting”) or a single Allow-ACL (“whitelisting”).
  • If neither is specified, all connections are allowed on this level.

The Restrict and Extend ACLs (Second Stage)

The second pair of ACLs (Restrict and Extend) controls the HTTP privilege level of a client accessing Inlab-MJPG-Streamer over HTTP.

  • If a Restrict-ACL is specified with the -R option and a client matches an entry, the privilege level of this client is set to restricted.
  • If a Restrict-ACL is specified with the -R option and a client does not match any entry, the privilege level of this client remains unrestricted.
  • If an Extend-ACL is specified with the -E option and a client matches an entry, the privilege level thus explicitly remains unrestricted.
  • If an Extend-ACL is specified with the -E option and a client does not match any entry, the privilege level is set to restricted.
  • Although it is possible to use both ACLs, we recommend controlling access with either a single Restrict-ACL (“blacklisting”) or a single Extend-ACL (“whitelisting”).
  • If neither is specified, all connections are unrestricted.

The General Access Control List Syntax

The general syntax of all the ACL files is very simple. IPv4 and IPv6 entries can be freely mixed, and the netmask specifier is optional. If there is a parsing or format error, the offending entry is displayed together with the line number and file name.

This parsable example file shows all the possibilities:

# comments start with a '#'
# whitespace are blanks, tabs and newlines

172.17.3.44                     # a single IPv4 address
10.2.2.0/24                     # an IPv4 /24 network
10.3.3.6    10.4.0.0/16         # multiple entries
127.0.0.1/8                     # the IPv4 loopback network

::1                             # the IPv6 loopback address
fe80::5c0c:b4f0:5253:44da/64    # the link local IPv6 network
2001:DB8::1:1 2001:db8::2:4/32  # multiple entries
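
The two stages and the ACL file syntax described above, modelled in Python as an added example (this is not code from Inlab-MJPG-Streamer; it uses Python's ipaddress module rather than the tool's own parser). The function names are hypothetical, and the example assumes that a Deny or Restrict match wins when both ACLs of a pair are given, which this page does not specify.

```python
import ipaddress

# Constructed sample ACL text in the syntax shown above (not a file shipped with the tool).
SAMPLE_ACL = """\
# cameras LAN
10.2.2.0/24   172.17.3.44     # two entries on one line
127.0.0.1/8                   # host bits set, as in the page's example
::1  2001:db8::2:4/32
"""

def parse_acl(text, name="<acl>"):
    """Return a list of ip_network objects; raise ValueError naming file, line and entry."""
    nets = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for entry in line.split("#", 1)[0].split():
            try:
                # strict=False accepts entries such as 127.0.0.1/8 whose host bits are set
                nets.append(ipaddress.ip_network(entry, strict=False))
            except ValueError:
                raise ValueError(f"{name}:{lineno}: bad ACL entry {entry!r}") from None
    return nets

def matches(client, acl):
    addr = ipaddress.ip_address(client)
    # an IPv4 client is only compared with IPv4 entries, IPv6 with IPv6
    return any(addr.version == net.version and addr in net for net in acl)

def first_stage(client, allow=None, deny=None):
    """True if the connection is accepted. None means the option was not given."""
    if deny is not None and matches(client, deny):
        return False          # -D match: denied and closed (assumed to win over -A)
    if allow is not None and not matches(client, allow):
        return False          # -A given, no match: denied and closed
    return True

def second_stage(client, restrict=None, extend=None):
    """Privilege level of an accepted client."""
    if restrict is not None and matches(client, restrict):
        return "restricted"   # -R match (assumed to win over -E)
    if extend is not None and not matches(client, extend):
        return "restricted"   # -E given, no match
    return "unrestricted"
```

In this model an Allow-ACL or Extend-ACL that is specified but contains no entries matches nobody, so every client is denied or restricted; when whitelisting, check that the file actually lists the intended networks.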