Wowza Community

Hls over https

Hi

I would like to ask what’s the best approach to deliver http stream to https page to avoid browser warning about mixed content.

I’ have configure ssl security on wowza but it’s resource killer (CPU and RAM). Is there any solution?

Thanks

Peter

Mixing HTTP and HTTPS content will always throw a Cross Origin Resource Sharing (CORS) at the browser level. There is no method to either suppress or ignore that warning. Content must always use HTTP only or HTTPS only.

As for resource usage, please make sure that your server meets our minimum hardware specifications.

Please reference the following.

https://www.wowza.com/docs/how-to-request-an-ssl-certificate-from-a-certificate-authority

From the article:

“This article provides instructions for X509 certificates that are commonly received from the certificate authority.”

And

“X509 defines formats for public key certificates. RSA and DSA are two of thepublic key algorithms that can be used in X509 certificates.”

In this page:
https://docs.oracle.com/javase/8/docs/technotes/tools/unix/keytool.html

You can search for these lines:

-keysize
2048 (when using -genkeypair and -keyalg is “RSA”)
1024 (when using -genkeypair and -keyalg is “DSA”)

Further research leads to this discussion:
https://stackoverflow.com/questions/2841094/what-is-the-difference-between-dsa-and-rsa

DSA is faster in signing, but slower in verifying. A DSA key of the same strength as RSA (1024 bits) generates a smaller signature. An RSA 512 bit key has been cracked, but only a 280 DSA key.

So RSA would need to be used and because it can both encrypt and decrypt, and an RSA 512 has already been cracked.

The StreamLock option is a good fit for a “Free” option needing HTTPS delivery, however if security of the content is a real concern then using RSA 2048 is a better fit, though the added overhead does have to be accounted for concerning resources.

May you can also use Nginx + SSL to caching HLS

I really don’t care about security. My problem is that everyone’s serving sites over https and if I stream hls over http I get mixed content and google chrome blocks hls.js plugin in flowplayer due the mixed content.

I am trying to live stream over https to avoid this issue. But when I enable ssl stream lock as I was written I could stream only for 300 visitors and my CPU was at 100%. Normally with http I stream for 7000-8000 visitors.

Any ideas what is the best approach?

Thanks

You can use a less CPU intensive method for SSL delivery. Please reference the article below for more information on changing the cipher suite that is being used.

https://www.wowza.com/docs/how-to-improve-ssl-configuration

Nothing more on this? This is a terrible setback for many uses of HLS, particularly when those TLS files being served over http are in fact AES encrypted. Per-session encryption will never, ever be as scalable as one-time encryption.

@Peter , you can also use nginx for handling 443 and proxy pass the hls request to your wowza via 1935 port.

Set the nginx server on your wowza streaming engine machine.

Listen 443 on nginx not on wowza

server {
        listen       443 ssl;
        server_name  yourDomain;

        #sample nginx conf
        ssl_certificate ../ssl/server.crt;
	ssl_certificate_key ../ssl/server.key;
 	ssl_protocols         SSLv2 SSLv3 TLSv1 TLSv1.1 TLSv1.2;
        #sample nginx conf 

		location / {
			proxy_pass http://localhost:1935/;
			proxy_http_version 1.1;
			proxy_set_header Upgrade $http_upgrade;
			proxy_set_header Connection "upgrade";
			proxy_redirect off;
			
			proxy_set_header Host $host;
			proxy_set_header X-Real-IP $remote_addr;
			proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
			   }
       }	

When you request

https://yourDomain/yourApp/yourStream/playlist.m3u8

nginx handle this request and proxy passing the request to the wowza and get response from wowza then answer the request, by the way your link can work on https page and your wowza still working on 1935 :wink: