
Thread: Protect live-origin

  1. #1
    Join Date
    Jul 2012
    Posts
    4

    Default Protect live-origin

    Hello,

    I have a BIG problem here and I can't find a good solution.
    I have a loadbalancer configuration with working edges.
    I created a module to authenticate via URL params from MySQL database when publishing (so the publish part is 100% secured).
    Now the problem is that someone pasted the publish URL in his player as streamer and as file used the stream name. He can play the stream like this in his player (without using edge servers), and it's using all my bandwidth from origin server.
    What I want to do is to secure playing. I am already using the hotlink denial module, so from liveedge servers they can't steal URL. It works just in my player.
    Now in live origin I can't use hotlink denial, because edges don't stream anymore. Also I can't use RTMP authentication module, because it asks for user and password on publish and I don't need this.
    I also tried to use SecureToken, but FMLE can't publish (SecureToken protects publish too, and I don't need it).

    Please help me

  2. #2
    Join Date
    Dec 2007
    Posts
    25,690

    Default

    You can use ModuleSecureURLParams on the origin, and SecureToken in the edge to prevent other clients from connecting to the origin.

    Take a look at this section of the Liverepeater guide:
    http://www.wowza.com/forums/content....t#secureOrigin

    Replace ModuleRTMPAuthenticate with ModuleSecureURLParams
    http://www.wowza.com/forums/content....cureURLParams)

    Richard

  3. #3
    Join Date
    Jul 2012
    Posts
    4

    Default

    Hello again,

    If I add ModuleSecureURLParams module on the Origin, I can't connect with encoder (when I click connect, I get an error saying that I must check URL or stream name). Also I tried to use ModuleSecureToken. I can connect with encoder, but when I click on Publish (in encoder) I get an error message.
    My Origin config (the important part) is:

    <Repeater>
    <OriginURL></OriginURL>
    <QueryString><![CDATA[]]></QueryString>
    </Repeater>
    <Modules>
    <Module>
    <Name>base</Name>
    <Description>Base</Description>
    <Class>com.wowza.wms.module.ModuleCore</Class>
    </Module>
    <Module>
    <Name>properties</Name>
    <Description>Properties</Description>
    <Class>com.wowza.wms.module.ModuleProperties</Class>
    </Module>
    <Module>
    <Name>logging</Name>
    <Description>Client Logging</Description>
    <Class>com.wowza.wms.module.ModuleClientLogging</Class>
    </Module>
    <Module>
    <Name>flvplayback</Name>
    <Description>FLVPlayback</Description>
    <Class>com.wowza.wms.module.ModuleFLVPlayback</Class>
    </Module>



    <Module>
    <Name>MyWowzaModule</Name>
    <Description>MyCompany MyWowzaModule</Description>
    <Class>com.mycompany.wms.module.MyWowzaModule</Class>
    </Module>


    <Module>
    <Name>ModuleSecureToken</Name>
    <Description>ModuleSecureToken</Description>
    <Class>com.wowza.wms.plugin.security.ModuleSecureToken</Class>
    </Module>

    </Modules>


    <Properties>

    <Property>
    <Name>secureTokenSharedSecret</Name>
    <Value>1234</Value>
    </Property>

    </Properties>

  4. #4
    Join Date
    Dec 2007
    Posts
    25,690

    Default

    What encoder are you using? What do you see in Wowza access logs when you try to connect with ModuleRTMPAuthenticate?

    Richard

  5. #5
    Join Date
    Jul 2012
    Posts
    4

    Default

    FMLE. With ModuleRTMPAuthenticate, I have to enter user/pass in encoder, and I don't need this feature! I just want to protect liveorigin from being used directly by users in their players.

  6. #6
    Join Date
    Dec 2007
    Posts
    25,690

    Default

    You could do something in onConnect on the origin like this:

    Code:
    package test;
    
    import com.wowza.wms.amf.*;
    import com.wowza.wms.client.*;
    import com.wowza.wms.module.*;
    import com.wowza.wms.request.*;
    
    public class ModuleLimitToEdges extends ModuleBase {
    
    	public void onConnect(IClient client, RequestFunction function,
    			AMFDataList params) {
    		
    		String userAgent = client.getFlashVer();
    		
    		String  page = client.getPageUrl();
    		
    		getLogger().info("UserAgent: " + userAgent); // Edge returns WIN 10,0,12,36
    
    		getLogger().info("PageURL: " + page); // if edge this will be "unknown"
    
    		String ipAddress = client.getIp(); // if you know Ip of each edge this can be useful
    
    	}
    
    }
    Richard
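
One way to turn the logging sketch above into an enforced check, as an added example that is not code from the thread or from Wowza: refuse `play` on the origin unless the client IP is an edge, and leave publishing to the existing publish check. The module name, the `originPlayAllowedIps` property and its values are hypothetical, and the example assumes edges reach the origin with their own address in `getIp()`, as the comment in the post suggests. The Flash version and page URL are only logged, because both are values the client sends and can set freely.

```java
package test;

import java.util.HashSet;
import java.util.Set;

import com.wowza.wms.amf.AMFDataList;
import com.wowza.wms.client.IClient;
import com.wowza.wms.module.ModuleBase;
import com.wowza.wms.request.RequestFunction;

// Added example (hypothetical module): only allowlisted edge IPs may play from the origin.
public class ModuleOriginPlayAllowlist extends ModuleBase {

	// Hypothetical property in the origin's Application.xml <Properties>,
	// e.g. <Value>10.0.0.11,10.0.0.12</Value> (constructed addresses).
	static final String PROP_EDGE_IPS = "originPlayAllowedIps";

	// Split "10.0.0.11, 10.0.0.12" into trimmed, non-empty entries.
	static Set<String> parseAllowlist(String raw) {
		Set<String> out = new HashSet<String>();
		for (String part : raw.split(",")) {
			String ip = part.trim();
			if (!ip.isEmpty()) {
				out.add(ip);
			}
		}
		return out;
	}

	// Only play is gated; connect and publish are untouched, so the encoder
	// still goes through whatever publish authentication is already in place.
	public void play(IClient client, RequestFunction function, AMFDataList params) {
		String raw = client.getAppInstance().getProperties().getPropertyStr(PROP_EDGE_IPS, "");
		Set<String> edgeIps = parseAllowlist(raw);
		String ip = client.getIp();

		if (!edgeIps.contains(ip)) {
			// A missing or empty property refuses every player (fail closed).
			getLogger().warn("ModuleOriginPlayAllowlist: play refused for " + ip
					+ " flashVer=" + client.getFlashVer()
					+ " pageUrl=" + client.getPageUrl());
			sendClientOnStatusError(client, "NetStream.Play.Failed", "Playback is not available on this server");
			client.setShutdownClient(true);
			return;
		}
		// Edge address: hand the request on to the normal play handling.
		invokePrevious(client, function, params);
	}
}
```

The module goes last in the origin's `<Modules>` list so that its `play` handler runs first and `invokePrevious` passes allowed requests on to the built-in one. The refusals it logs show which addresses are pulling from the origin directly.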

  7. #7
    Join Date
    Jul 2012
    Posts
    4

    Default

    I can't believe that Wowza created a Load Balancer but doesn't have useful compiled modules to secure it :| I have to make my own module for a simple security problem. I think this should be included in a predefined module on Wowza. It's a BIG security hole for the load balancer. Also I think predefined modules should not come with "functions pack", or to have the possibility to disable not needed functions. Thanks

  8. #8
    Join Date
    Dec 2007
    Posts
    25,690

    Default

    You can add security to the Wowza servers that the load balancer redirects clients to. What security feature are you adding to the LB?

    Richard
