mirakurun
DVR Tuner Server for Japanese TV.
[**English**](Configuration.md) | [**日本語**](Configuration.ja.md)
# Configuration
- 🗒️[server.yml](#serveryml) - Server Settings
- 🗒️[tuners.yml](#tunersyml) - Tuner Settings
- 🗒️[channels.yml](#channelsyml) - Channel Settings
## ⚠️Security Considerations (FYI)
- Mirakurun is designed to be a LAN-only server.
  - By default, access is restricted to private IP addresses.
  - Access from arbitrary hostnames or domains is prohibited → **DNS Rebinding / CSRF protection**
    - `hostname`: Set the hostname to access the Web UI.
    - `allowOrigins`: Explicitly set allowed hostnames/domains if required.
  - Multiple techniques are used to mitigate attack risks.
- Do not allow API access from all domains or deploy without a reverse proxy, as it may be vulnerable to:
  - Attacks reusing authenticated BASIC credentials or session data.
  - Although modern browsers offer protection, do not rely on them entirely.
  - HTTPS reverse proxies might bypass certain browser and Mirakurun safeguards, increasing risk → [Secure Contexts](https://developer.mozilla.org/en-US/docs/Web/Security/Secure_Contexts)
  - Instead, use VPN, SSH tunnels, or tunnel services.
    - Note: Some tunnel services require configuring `allowIPv4CidrRanges` to prevent third-party access.
> **DNS Rebinding Attack**: An attacker controls a domain and initially serves a legitimate site. After the DNS TTL expires, they switch it to point to their malicious server. This bypasses the browser’s same-origin policy and enables unauthorized access to a LAN server via the browser.
> **XSS/CSRF Attack**: An attacker embeds malicious code into a website to gain unauthorized access to a LAN server via the browser.
- Examples of attacks:
  - Execute arbitrary code via tuner commands
  - Inject malicious code into the server and turn it into a botnet
- The above are only a few examples; many others, exploiting browser or middleware vulnerabilities, are devised daily.
- With more web-based applications emerging, they can be as vulnerable to similar attacks as browsers. Exercise caution.
## 🗒️server.yml
📛 Partially supported in Web UI
### File Paths
- Environment Variable: `SERVER_CONFIG_PATH`
- Docker Host (Default): `/opt/mirakurun/config/server.yml`
- Linux (Legacy): `/usr/local/etc/mirakurun/server.yml`
### Server Settings List
| Property (🗒️server.yml) | Environment Variable (🐋Docker) | Type | Default | Description |
|------------|------------------|-------|-----------|------|
| `logLevel` | `LOG_LEVEL` | Integer | `2` | Log Level (`-1`: FATAL to `3`: DEBUG) |
| `maxLogHistory` | `MAX_LOG_HISTORY` | Integer | `1000` | Maximum number of log lines to retain |
| `path` | - | String, null | 🗒️`/var/run/mirakurun.sock` | Unix Socket Path **※Fixed to default in Docker** |
| `port` | - | Integer, null | `40772` | Server Port **※Fixed at `40772` on the container side in Docker** |
| `hostname` | `HOSTNAME` | String | `localhost` | Hostname |
| `disableIPv6` | - | Boolean | `false` | Disable IPv6 **※Always disabled in Docker** |
| `jobMaxRunning` | `JOB_MAX_RUNNING` | Integer | logical cores / 2, min 1, max 100 | Maximum number of jobs that can run simultaneously |
| `jobMaxStandby` | `JOB_MAX_STANDBY` | Integer | logical cores - 1, min 1, max 100 | Maximum number of jobs that can be prepared simultaneously |
| `maxBufferBytesBeforeReady` | `MAX_BUFFER_BYTES_BEFORE_READY` | Integer | `8388608` | Maximum buffer size before ready (bytes)<br>**※Increase if the beginning of the program is missing** |
| `eventEndTimeout` | `EVENT_END_TIMEOUT` | Integer | `1000` | Event end timeout (milliseconds)<br>**※Increase if program end is incorrectly detected** |
| `programGCJobSchedule` | `PROGRAM_GC_JOB_SCHEDULE` | String | `45 * * * *` | Program list GC schedule (cron-like format) |
| `epgGatheringJobSchedule` | `EPG_GATHERING_JOB_SCHEDULE` | String | `20,50 * * * *` | EPG gathering schedule (cron-like format) |
| `epgRetrievalTime` | `EPG_RETRIEVAL_TIME` | Integer | `600000` | EPG retrieval time (milliseconds) |
| `logoDataInterval` | `LOGO_DATA_INTERVAL` | Integer | `604800000` | Logo data update interval (milliseconds) |
| `disableEITParsing` | `DISABLE_EIT_PARSING` | Boolean | `false` | ⚠️Disable EIT parsing |
| `disableWebUI` | `DISABLE_WEB_UI` | Boolean | `false` | ⚠️Disable Web UI |
| `allowIPv4CidrRanges` | `ALLOW_IPV4_CIDR_RANGES` | String[] | `["10.0.0.0/8", "127.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"]` | ⚠️Allowed IPv4 CIDR blocks |
| `allowIPv6CidrRanges` | `ALLOW_IPV6_CIDR_RANGES` | String[] | `["fc00::/7"]` | ⚠️Allowed IPv6 CIDR blocks |
| `allowOrigins` | `ALLOW_ORIGINS` | String[] | `["https://mirakurun-secure-contexts-api.pages.dev"]` | ⚠️🧪Allowed origins (experimental) |
| `allowPNA` | `ALLOW_PNA` | Boolean | `true` | 🧪[PNA](https://github.com/WICG/private-network-access)/[LNA](https://github.com/explainers-by-googlers/local-network-access) permission settings (experimental) |
| `tsplayEndpoint` | `TSPLAY_ENDPOINT` | String | `https://mirakurun-secure-contexts-api.pages.dev/tsplay/` | 🧪TSPlay endpoint (experimental) |
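
The checks described under Security Considerations (client address inside the allowed CIDR blocks, an expected `Host` header, an allowed `Origin`) can be sketched with the defaults from the table above. This is an added example, not Mirakurun's own code; the function names, the request shape, and the rule that a literal IP address in `Host` is accepted are assumptions of this sketch.

```javascript
const net = require("net");

// Defaults copied from the server.yml table above.
const defaults = {
  hostname: "localhost",
  allowIPv4CidrRanges: ["10.0.0.0/8", "127.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"],
  allowIPv6CidrRanges: ["fc00::/7"],
  allowOrigins: ["https://mirakurun-secure-contexts-api.pages.dev"],
};

// net.BlockList is used here purely as a CIDR matcher for the allow-list.
function buildAllowList(cfg) {
  const list = new net.BlockList();
  const groups = [[cfg.allowIPv4CidrRanges, "ipv4"], [cfg.allowIPv6CidrRanges, "ipv6"]];
  for (const [ranges, family] of groups) {
    for (const cidr of ranges) {
      const [addr, bits] = cidr.split("/");
      list.addSubnet(addr, Number(bits), family);
    }
  }
  return list;
}

// Hypothetical helper: returns { allowed, reason } for one request.
function checkRequest(cfg, allowList, { remoteAddress, host, origin }) {
  // 1. The source address must fall inside an allowed CIDR block.
  const addr = String(remoteAddress).replace(/^::ffff:(?=\d+\.)/i, ""); // IPv4-mapped IPv6
  const family = net.isIP(addr);
  if (family === 0 || !allowList.check(addr, family === 4 ? "ipv4" : "ipv6")) {
    return { allowed: false, reason: "address" };
  }
  // 2. Host must be an IP literal or an expected name. A rebinding page still sends
  //    its own domain in Host, so an unexpected name is rejected here.
  let name;
  try {
    name = new URL(`http://${host || ""}`).hostname.replace(/^\[|\]$/g, "");
  } catch {
    return { allowed: false, reason: "host" };
  }
  if (net.isIP(name) === 0 && name !== "localhost" && name !== cfg.hostname.toLowerCase()) {
    return { allowed: false, reason: "host" };
  }
  // 3. A cross-origin browser request carries Origin; it must be same-origin or listed.
  if (origin !== undefined && origin !== `http://${host}` && !cfg.allowOrigins.includes(origin)) {
    return { allowed: false, reason: "origin" };
  }
  return { allowed: true, reason: "ok" };
}
```

Widening `allowIPv4CidrRanges` or `allowOrigins` relaxes steps 1 and 3 respectively, which is why both are marked ⚠️ in the table.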
## 🗒️tuners.yml
💯 Fully supported in Web UI
### File Path
- Environment Variable: `TUNERS_CONFIG_PATH`
- Docker Host (Default): `/opt/mirakurun/config/tuners.yml`
- Linux (Legacy): `/usr/local/etc/mirakurun/tuners.yml`
### Structure
```yaml
# Array
- name: TunerIdentificationName # String
  types: # (GR|BS|CS|SKY)[]
    - GR
    - BS
    - CS
    - SKY
  # For chardev/dvb
  # "<template>" will be replaced with `commandVars[template]` or "(empty)" *@4.0.0~
  command: cmd <channel> --arg1 --arg2 <exampleArg1> <exampleArg2>... # String
  # For dvb
  dvbDevicePath: /dev/dvb/adapter/dvr/path # String
  # For multiplexing with remote Mirakurun
  remoteMirakurunHost: 192.168.x.x # String
  remoteMirakurunPort: 40772 # Integer
  remoteMirakurunDecoder: false # Boolean
  # Optional parameters below
  decoder: cmd # String
  isDisabled: false # Boolean
```
#### decoder
Specify the CAS processing command as needed.
```
# Reference: MPEG-2 TS flow
+-------------+    +----------+    +---------+    +--------+
| TunerDevice | -> | TSFilter | -> | decoder | -> | (user) |
+-------------+    +----------+    +---------+    +--------+
               RAW           STRIPPED     DESCRAMBLED
```
```sh
# This is an implementation example. For testing only.
sudo npm install arib-b25-stream-test -g --unsafe-perm
```
## 🗒️channels.yml
💯 Fully supported in Web UI
### File Path
- Environment Variable: `CHANNELS_CONFIG_PATH`
- Docker Host (Default): `/opt/mirakurun/config/channels.yml`
- Linux (Legacy): `/usr/local/etc/mirakurun/channels.yml`
### Structure
```yaml
# Array
- name: ChannelIdentificationName # String
  type: GR # Enum [GR|BS|CS|SKY]
  channel: '0' # String
  # Optional parameters below
  serviceId: 1234 # Integer - Services will be automatically scanned if not specified.
  tsmfRelTs: 1 # Number: 1~15
  commandVars: # Optional command variables *@4.0.0~
    satellite: EXAMPLE-SAT4A
    space: 0
    freq: 12345
    polarity: H
    exampleArg1: -arg0 -arg1=example
    exampleArg2: -arg2 "Can include spaces using quotes"
  isDisabled: false # Boolean
```
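
Because `commandVars` values are substituted into the tuner `command` from tuners.yml, it helps to render the final command line and review the values before deploying a configuration. The following is an added example, not Mirakurun's own code: the function names are hypothetical, "(empty)" is read as an empty string, and the quote handling and the set of characters flagged for review are assumptions.

```javascript
// Constructed sample: one tuner command template and one channel entry, using the
// placeholder and commandVars names from the structures on this page.
const tunerCommand = "cmd <channel> --arg1 --arg2 <exampleArg1> <exampleArg2> <unsetVar>";
const sampleChannel = {
  name: "ChannelIdentificationName",
  type: "GR",
  channel: "0",
  commandVars: {
    exampleArg1: "-arg0 -arg1=example",
    exampleArg2: '-arg2 "Can include spaces using quotes"',
  },
};

// Single-pass substitution: "<channel>" comes from the channel entry, other names
// from commandVars, and unknown names become "" (assumed meaning of "(empty)").
// Substituted text is not rescanned, so a value cannot introduce new placeholders.
function renderCommand(template, ch) {
  const vars = Object.assign({}, ch.commandVars, { channel: ch.channel });
  return template.replace(/<([A-Za-z0-9_.-]+)>/g, (match, name) =>
    Object.prototype.hasOwnProperty.call(vars, name) ? String(vars[name]) : "");
}

// Split a rendered line into argv, keeping quoted runs together (assumed quoting rules).
function splitArgs(line) {
  const args = [];
  const token = /"([^"]*)"|'([^']*)'|(\S+)/g;
  let m;
  while ((m = token.exec(line)) !== null) args.push(m[1] ?? m[2] ?? m[3]);
  return args;
}

// Review aid: names of commandVars whose values contain shell metacharacters.
// Whether the command passes through a shell is not stated on this page, so this
// only marks values a reviewer should look at before trusting the file.
function auditCommandVars(ch) {
  const risky = /[;&|`$<>\\\n]/;
  return Object.entries(ch.commandVars || {})
    .filter(([, value]) => risky.test(String(value)))
    .map(([name]) => name);
}

console.log(splitArgs(renderCommand(tunerCommand, sampleChannel)));
console.log(auditCommandVars(sampleChannel));
```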