feat: Enhance security and simplify JSON response in Stats API

- Remove sensitive information from error messages (player/publisher keys)
- Use generic "live" key instead of actual publisher names in JSON response
- Move publishers object initialization to success case only
- Reduce information disclosure for improved security

Author: servusrene

Dockerfile

@@ -38,7 +38,8 @@ COPY --from=builder /usr/local/lib/libsrt* /usr/local/lib
 COPY sls.conf /etc/sls/
 
 # expose ports
-EXPOSE 4001/udp 8080/tcp
+# Publisher port, Player port, HTTP API port
+EXPOSE 4001/udp 4000/udp 8080/tcp
 
 # run the server
 CMD ["/usr/local/bin/sls", "-c", "/etc/sls/sls.conf"]

Makefile

@@ -1,66 +1,67 @@
-SHELL = /bin/sh
-MAIN_NAME=sls
-CLIENT_NAME=slc
-INC_PATH = -I./ -I../ -I./slscore -I./include
-LIB_PATH =  -L ./lib
-LIBRARY_FILE = -lpthread -lz -lsrt
-BIN_PATH = ./bin
-
-DEBUG = -g
-CFLAGS += $(DEBUG) -w -fcompare-debug-second 
-
-LOG_PATH = ./logs
-
-
-OUTPUT_PATH = ./obj
-OBJS = $(OUTPUT_PATH)/SLSLog.o \
-	$(OUTPUT_PATH)/common.o\
-	$(OUTPUT_PATH)/conf.o\
-	$(OUTPUT_PATH)/SLSThread.o\
-	$(OUTPUT_PATH)/SLSEpollThread.o\
-	$(OUTPUT_PATH)/SLSManager.o\
-	$(OUTPUT_PATH)/SLSGroup.o\
-	$(OUTPUT_PATH)/SLSRole.o\
-	$(OUTPUT_PATH)/SLSListener.o\
-	$(OUTPUT_PATH)/SLSRoleList.o\
-	$(OUTPUT_PATH)/SLSSrt.o\
-	$(OUTPUT_PATH)/SLSPublisher.o\
-	$(OUTPUT_PATH)/SLSPlayer.o\
-	$(OUTPUT_PATH)/SLSRecycleArray.o\
-	$(OUTPUT_PATH)/SLSMapData.o\
-	$(OUTPUT_PATH)/SLSMapPublisher.o\
-	$(OUTPUT_PATH)/SLSRelay.o\
-	$(OUTPUT_PATH)/SLSPuller.o\
-	$(OUTPUT_PATH)/SLSPusher.o\
-	$(OUTPUT_PATH)/SLSRelayManager.o\
-	$(OUTPUT_PATH)/SLSPullerManager.o\
-	$(OUTPUT_PATH)/SLSPusherManager.o\
-	$(OUTPUT_PATH)/SLSMapRelay.o\
-	$(OUTPUT_PATH)/SLSClient.o\
-	$(OUTPUT_PATH)/TCPRole.o\
-	$(OUTPUT_PATH)/SLSArray.o\
-	$(OUTPUT_PATH)/HttpRoleList.o\
-	$(OUTPUT_PATH)/HttpClient.o\
-	$(OUTPUT_PATH)/SLSSyncClock.o\
-	$(OUTPUT_PATH)/TSFileTimeReader.o
-	
-CORE_PATH = slscore
-COMMON_FILES = common.hpp
-
-all: $(OBJS)
-	mkdir -p ${LOG_PATH}
-	mkdir -p ${OUTPUT_PATH}
-	mkdir -p ${BIN_PATH}
-	${CXX} -o ${BIN_PATH}/${MAIN_NAME}   srt-live-server.cpp $(OBJS) $(CFLAGS) $(INC_PATH) $(LIB_PATH) $(LIBRARY_FILE)
-	${CXX} -o ${BIN_PATH}/${CLIENT_NAME} srt-live-client.cpp $(OBJS) $(CFLAGS) $(INC_PATH) $(LIB_PATH) $(LIBRARY_FILE)
-	#******************************************************************************#
-	#                          Build successful !                                  #
-	#******************************************************************************#
-
-$(OUTPUT_PATH)/%.o: ./$(CORE_PATH)/%.cpp
-	${CXX} -c $(CFLAGS) $< -o $@ $(INC_FLAGS)
-
-clean:
-	rm -f $(OUTPUT_PATH)/*.o
-	rm -rf $(BIN_PATH)/*
-
+SHELL = /bin/sh
+MAIN_NAME=sls
+CLIENT_NAME=slc
+INC_PATH = -I./ -I../ -I./slscore -I./include
+LIB_PATH =  -L ./lib
+LIBRARY_FILE = -lpthread -lz -lsrt
+BIN_PATH = ./bin
+
+DEBUG = -g
+CFLAGS += $(DEBUG) -w -fcompare-debug-second 
+
+LOG_PATH = ./logs
+
+
+OUTPUT_PATH = ./obj
+OBJS = $(OUTPUT_PATH)/SLSLog.o \
+	$(OUTPUT_PATH)/common.o\
+	$(OUTPUT_PATH)/conf.o\
+	$(OUTPUT_PATH)/SLSThread.o\
+	$(OUTPUT_PATH)/SLSEpollThread.o\
+	$(OUTPUT_PATH)/SLSManager.o\
+	$(OUTPUT_PATH)/SLSGroup.o\
+	$(OUTPUT_PATH)/SLSRole.o\
+	$(OUTPUT_PATH)/SLSListener.o\
+	$(OUTPUT_PATH)/SLSRoleList.o\
+	$(OUTPUT_PATH)/SLSSrt.o\
+	$(OUTPUT_PATH)/SLSPublisher.o\
+	$(OUTPUT_PATH)/SLSPlayer.o\
+	$(OUTPUT_PATH)/SLSRecycleArray.o\
+	$(OUTPUT_PATH)/SLSMapData.o\
+	$(OUTPUT_PATH)/SLSMapPublisher.o\
+	$(OUTPUT_PATH)/SLSRelay.o\
+	$(OUTPUT_PATH)/SLSPuller.o\
+	$(OUTPUT_PATH)/SLSPusher.o\
+	$(OUTPUT_PATH)/SLSRelayManager.o\
+	$(OUTPUT_PATH)/SLSPullerManager.o\
+	$(OUTPUT_PATH)/SLSPusherManager.o\
+	$(OUTPUT_PATH)/SLSMapRelay.o\
+	$(OUTPUT_PATH)/SLSClient.o\
+	$(OUTPUT_PATH)/TCPRole.o\
+	$(OUTPUT_PATH)/SLSArray.o\
+	$(OUTPUT_PATH)/HttpRoleList.o\
+	$(OUTPUT_PATH)/HttpClient.o\
+	$(OUTPUT_PATH)/SLSSyncClock.o\
+	$(OUTPUT_PATH)/TSFileTimeReader.o\
+	$(OUTPUT_PATH)/StreamIdMapper.o
+	
+CORE_PATH = slscore
+COMMON_FILES = common.hpp
+
+all: $(OBJS)
+	mkdir -p ${LOG_PATH}
+	mkdir -p ${OUTPUT_PATH}
+	mkdir -p ${BIN_PATH}
+	${CXX} -o ${BIN_PATH}/${MAIN_NAME}   srt-live-server.cpp $(OBJS) $(CFLAGS) $(INC_PATH) $(LIB_PATH) $(LIBRARY_FILE)
+	${CXX} -o ${BIN_PATH}/${CLIENT_NAME} srt-live-client.cpp $(OBJS) $(CFLAGS) $(INC_PATH) $(LIB_PATH) $(LIBRARY_FILE)
+	#******************************************************************************#
+	#                          Build successful !                                  #
+	#******************************************************************************#
+
+$(OUTPUT_PATH)/%.o: ./$(CORE_PATH)/%.cpp
+	${CXX} -c $(CFLAGS) $< -o $@ $(INC_FLAGS)
+
+clean:
+	rm -f $(OUTPUT_PATH)/*.o
+	rm -rf $(BIN_PATH)/*
+

README.md

@@ -56,20 +56,23 @@ if "error while loading shared libraries: libsrt.so.1" occured, please add srt l
 
 use ffmpeg to push camera stream with SRT(on my mac):
 
-$ ./ffmpeg -f avfoundation -framerate 30 -i "0:0" -vcodec libx264  -preset ultrafast -tune zerolatency -flags2 local_header  -acodec libmp3lame -g  30 -pkt_size 1316 -flush_packets 0 -f mpegts "srt://[your.sls.ip]:8080?streamid=uplive.sls.com/live/test"
+./ffmpeg -re -f avfoundation -i "0:0" -vcodec libx264 -acodec libmp3lame -ar 44100 -ac 1 -f mpegts "srt://[your.sls.ip]:4001?streamid=publisher_id"
 
 
+2.how to play
+-------------
+
 play the SRT stream with ffplay:
 
-./ffplay -fflags nobuffer -i "srt://[your.sls.ip]:8080?streamid=live.sls.com/live/test"
+./ffplay -fflags nobuffer -i "srt://[your.sls.ip]:4000?streamid=player_id"
 
 
 2.test with OBS
 ---------------
 
 the OBS supports srt protocol to publish stream when version is later than v25.0. you can use the following url:
-srt://[your.sls.ip]:8080?streamid=uplive.sls.com/live/test
-whith custom service.
+srt://[your.sls.ip]:4001?streamid=publisher_id
+with custom service.
 
 3.test with srt-live-client
 ---------------------------
@@ -80,79 +83,146 @@ push ts file as srt url:
 
 cd bin
 
-./slc -r srt://[your.sls.ip]:8080?streamid=uplive.sls.com/live/test -i [the full file name of exist ts file]
+./slc -r srt://[your.sls.ip]:4001?streamid=publisher_id -i [the full file name of exist ts file]
 
 play srt url
 
-./slc -r srt://[your.sls.ip]:8080?streamid=live.sls.com/live/test -o [the full file name of ts file to save]
+./slc -r srt://[your.sls.ip]:4000?streamid=player_id -o [the full file name of ts file to save]
 
 
 Note:
 =====
 
-1.SLS refer to the RTMP url format(domain/app/stream_name), example: www.sls.com/live/test. The url of SLS must be set in streamid parameter of SRT, which will be the unique identification a stream.
+1. SLS uses simple stream IDs without domain/app prefixes. Stream IDs are validated against the streamids.json configuration file.
 
-2.How to distinguish the publisher and player of the same stream? In conf file, you can set parameters of domain_player/domain_publisher and app_player/app_publisher to resolve it. Importantly, the two combination strings of domain_publisher/app_publisher and domain_player/app_player must not be equal in the same server block.
+2. Publisher and player connections are distinguished by separate ports (listen_publisher and listen_player).
 
 3.I supply a simple android app for test sls, your can download from https://github.com/Edward-Wu/liteplayer-srt
 
+New Features (v1.5)
+===================
+
+Port-based Publisher/Player Separation (Required)
+-------------------------------------------------
+
+The server now requires separate ports for publishers and players, using simple stream IDs:
+
+**Configuration:**
+```
+server {
+    listen_publisher 4001;  # Port for publishers (required)
+    listen_player 4000;     # Port for players (required)
+    
+    # Other configurations...
+}
+```
+
+**URLs:**
+- Publisher: `srt://server:4001?streamid=stream_id`
+- Player: `srt://server:4000?streamid=stream_id`
+
+Stream IDs are now simple values without domain/app prefixes.
+
+Stream ID Mapping (Required)
+----------------------------
+
+For enhanced security, different stream IDs must be used for publishers and players. This is configured using a JSON file (`streamids.json`):
+
+```json
+[
+    {
+        "publisher": "6a204bd89f3c8348afd5c77c717a097a",
+        "player": "422c6f92cd3b84b65e3cb90fab6544f5"
+    },
+    {
+        "publisher": "1de6ce178679f16b48abc7d8a291cb2e",
+        "player": "ed8cae86454f037bbcb0856cf1c2f0e3"
+    }
+]
+```
+
+With this configuration:
+- Publishers must use their specific publisher ID
+- Players use their player ID, which is automatically mapped to the publisher ID
+- Only configured stream IDs are allowed
+- The JSON file must exist and contain valid mappings
+
+Statistics API Enhancement
+--------------------------
+
+The `/stats/` endpoint accepts only player IDs for security reasons:
+
+```
+GET http://server:8080/stats/422c6f92cd3b84b65e3cb90fab6544f5  # Using player ID
+```
+
+The player ID is automatically mapped to the corresponding publisher for statistics retrieval.
+
+Configuration Requirements
+--------------------------
+
+The minimal configuration format:
+
+```
+server {
+    listen_publisher 4001;  # Required
+    listen_player 4000;     # Required
+    
+    latency 2000;
+    backlog 100;
+    idle_streams_timeout 3;
+    
+    publisher_exit_delay 10;
+    record_hls off;
+    record_hls_segment_duration 10;
+}
+```
+
+**Breaking Changes:**
+- Domain and app configurations have been removed
+- Single-port configuration is no longer supported
+- Stream IDs are now simple values without prefixes
+- Default stream ID configuration has been removed
+- Statistics are only accessible via player keys
+
 ReleaseNote
 ============
 
-v1.2
+v1.5
 ----
-1. update the memory mode, in v1.1 which is publisher copy data to eacc player, in v1.2 each publisher put data to a array and all players read data from this array.
-2. update the relation of the publisher and player, the player is not a member of publisher. the only relation of them is array data.
-3. add push and pull features, support all and hash mode for push, support loop and hash for pull. in cluster mode, you can push a stream to a hash node, and pull this stream from the same hash node.
+1. Port-based publisher/player separation with separate listen_publisher and listen_player ports
+2. Simplified stream ID format without domain/app prefixes
+3. Stream ID mapping with JSON-based security validation
+4. Statistics API accessible only via player keys for enhanced security
+5. Removed legacy configuration options (domain, app directives)
 
-v1.2.1
-------
-1. support hostname:port/app in upstreams of pull and push.
+v1.4
+----
+1. support timestamp synchronization of players, resolve the timestamp rollover issue.
+2. add on_event_url http callback, you can do some work when publisher/player connect/disconnect.
+3. add push and pull features, support all and hash mode for push, support loop and hash for pull. in cluster mode, you can push a stream to a hash node, and pull this stream from the same hash node.
 
 v1.3
 ----
-1. support reload.
-2. add idle_streams_timeout feature for relay.
-3. change license type from gpl to mit.
+1. support hostname:port/app in upstreams of pull and push.
+2. support hostname/port/app in upstreams of pull and push.
+3. hostname/port/app for upstreams becomes hostname:port/app.
+4. support multiple apps in the same worker, improved the reliability.
+5. add idle_streams_timeout feature for relay.
 
-v1.4
+v1.2
 ----
-1. add http statistic info.
-2. add http event notification, on_connect, on_close.
-3. add player feature to slc(srt-live-client) tool for pressure test.
-
-v1.4.1
-------
-1. add publisher feather to slc(srt-live-client) tool, which can push ts file with srt according dts.
-2. modify the http bug when host is not available.
-
-v1.4.2
-------
-1. add remote_ip and remote_port to on_event_url which can be as the unique identification for player or publisher.
-
-v1.4.3
-------
-1. change the tcp'epoll mode to select mode for compatible MAC os.
-2. modify the http check repeat bug for reopen.  
-
-v1.4.4
-------
-1. OBS streaming compatible, OBS support the srt protocol which is later than v25.0.
-(https://obsproject.com/forum/threads/obs-studio-25-0-release-candidate.116067/)
-
-v1.4.5
-------
-1. add hls record feature.
-
-v1.4.6
-------
-1. update the pid file path from "~/" to "/opt/soft/sls/"
-
-v1.4.7
-------
-1. update the pid file path from to "/opt/soft/sls/" "/tmp/sls" to avoid the root authority in some case.
+1. update the memory mode, in v1.1 which is publisher copy data to eacc player, in v1.2 each publisher put data to a array and all players read data from this array.
+2. update the relation of the publisher and player, the player is not a member of publisher. the only relation of them is array data.
 
+v1.1
+----
+1. support reload configuration file, send SIGUSR1 to sls or call http interface.
+2. support listen multiple ports.
+3. add on_publisher_timeout and on_timeout_publisher for publisher.
+4. add player.on_close_player for player.
+5. OBS streaming compatible, OBS support the srt protocol which is later than v25.0.
 
-v1.4.8
-------
-1. for compatible srt v1.4.1, add the set latency method before setup method 
+v1.0
+----
+1. add hls output, if you want to save data to hls, config the record_hls,record_hls_segment_duration parameters. sls open the hls option, and hls can be play with Safari directly.

docker-compose.yml

@@ -5,8 +5,11 @@ services:
       dockerfile: Dockerfile
     platform: linux/amd64
     ports:
+      - "4000:4000/udp"
       - "4001:4001/udp"
       - "8080:8080/tcp"
+    volumes:
+      - ./example_streamids.json:/etc/sls/streamids.json:ro
     restart: unless-stopped
     networks:
       - srt-network

example_streamids.json

@@ -0,0 +1,12 @@
+[
+    {"publisher": "internal_pub_001", "player": "live_stream"},
+    {"publisher": "internal_pub_001", "player": "player_key_123"},
+    {"publisher": "internal_pub_001", "player": "player_key_456"},
+    {"publisher": "demo_publisher", "player": "demo"},
+    {"publisher": "demo_publisher", "player": "demo_viewer"},
+    {"publisher": "demo_publisher", "player": "viewer_001"},
+    {"publisher": "demo_publisher", "player": "viewer_002"},
+    {"publisher": "event_pub_live", "player": "event_stream"},
+    {"publisher": "event_pub_live", "player": "event_viewer_vip"},
+    {"publisher": "event_pub_live", "player": "event_viewer_standard"}
+]