I have Icecast compiled with everything required to support URL auth on mounts.
I create mounts on the fly using liquidsoap and I configured auth in icecast.xml as follows:
<mount type="default">
    <authentication type="url">
        <!-- this URL just gives you back the proper auth header without any check -->
        <option name="listener_add" value="http://foo/listener_added"/>
    </authentication>
</mount>
This should work only on listeners but is actually called for everything but that. EVERY HTTP request is passed to it, and it also prevents the admin from logging in. This is a raw print of the POST data from Icecast:
{'ip': u'x.x.x.x', 'mount': u'/assets/css/style.css', 'agent': u'Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/61.0.3163.79 Safari/537.36', 'server': u'foo.com', 'client': u'2566', 'user': u'', 'pass': u'', 'action': u'listener_add', 'port': u'8000'}
{'ip': u'x.x.x.x', 'mount': u'/assets/font/FiraSans-Regular.woff', 'agent': u'Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/61.0.3163.79 Safari/537.36', 'server': u'foo.com', 'client': u'2567', 'user': u'', 'pass': u'', 'action': u'listener_add', 'port': u'8000'}
{'ip': u'x.x.x.x', 'mount': u'/assets/font/FiraSans-Bold.woff', 'agent': u'Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/61.0.3163.79 Safari/537.36', 'server': u'foo.com', 'client': u'2568', 'user': u'', 'pass': u'', 'action': u'listener_add', 'port': u'8000'}
{'ip': u'x.x.x.x', 'mount': u'/assets/font/FiraMono-Regular.woff', 'agent': u'Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/61.0.3163.79 Safari/537.36', 'server': u'foo.com', 'client': u'2569', 'user': u'', 'pass': u'', 'action': u'listener_add', 'port': u'8000'}
{'ip': u'x.x.x.x', 'mount': u'/favicon.ico', 'agent': u'Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/61.0.3163.79 Safari/537.36', 'server': u'foo.com', 'client': u'2570', 'user': u'', 'pass': u'', 'action': u'listener_add', 'port': u'8000'}
which are clearly not "listener" requests.
In the error log I see:
[2017-11-10 17:41:52] EROR connection/_handle_authed_client Client (role=anonymous, username=source) not allowed to use this request method on /mount_name
for each mount point. Whereas, if I deactivate auth=url I find:
[2017-11-10 17:54:53] INFO auth/auth_add_client adding client 0x1148df0 for authentication on 0x11277a0
meaning the source credentials are ok.
Am I missing anything?