Configure security using Wowza Streaming Engine Manager

This article explains how to configure the source and playback security options in Wowza Streaming Engine™ Manager.

Source security options


Limit maximum connections

You can restrict the number of concurrent connections that are accepted by the Wowza Streaming Engine live and VOD applications. By default, the number of connections isn't restricted.

  1. In Wowza Streaming Engine Manager, click Applications at the top of the page and then select your application in the contents panel.
  2. On the Setup tab of the application page, click Edit.
  3. Under Maximum Connections, select the Limit number of connections box and set a value.

  4. Click Save and then restart the application.
Note: Changing the maximum number of connections in the Wowza Streaming Engine application does not override the Server > Virtual Host Setup > Maximum Connections setting. If the server-level setting is also set, the lesser of the two values is used.

Secure incoming sources

For live applications, you can require authentication and/or control the IP addresses that the Wowza Streaming Engine application will accept. To use authentication, you first need to add source authentication credentials.

  1. In Wowza Streaming Engine Manager, click Server in the menu bar and then click Source Authentication in the contents panel.

  2. Click Add Source.
  3. Add Source User Name and Password information. The source user name and password values are case-sensitive and can only contain alphanumeric, period (.), underscore (_), and hyphen (-) characters.

  4. Click Add.

    A source account is used to authenticate connections from sources to live applications in Wowza Streaming Engine. You can create and store multiple source accounts for a Wowza Streaming Engine instance. By default, the source credentials are stored in [install-dir]/conf/publish.password.

  5. In your application's contents panel, click Source Security, and then click Edit.

  6. Configure any of the following Source Security settings as needed. See the descriptions of each setting below for more information.

    • RTMP Sources
      • Open (no authentication required) – Any RTMP encoder enabled for publishing can publish to this application.
      • Require password authentication – (Default) All RTMP encoders enabled for publishing must authenticate to publish to this application. The FlashVer value sent from an encoder must match one of the values in the Flash Version String setting. To require password authentication, you must first create a source account on the Source Authentication page in Wowza Streaming Engine Manager; the source must then supply the matching source user name and password for that account to connect to your application.
      • RTMP publishing not allowed – All attempts to publish from an RTMP encoder enabled for publishing will be blocked.
      Note: These settings only affect RTMP encoders that publish a stream to the server. They don't affect connections started with a Stream File.
    • RTSP Sources
      • Open (no authentication required) – Any RTSP encoder can publish to this application.
      • Require password authentication – (Default) All RTSP encoders must authenticate to publish to the application. To require password authentication, you must first create a source account on the Source Authentication page in Wowza Streaming Engine Manager; the source must then supply the matching source user name and password for that account to connect to your application.
      • RTSP publishing not allowed – All attempts to publish from an RTSP encoder will be blocked.
      Note: These settings only affect RTSP encoders that publish a stream to the server. They don't affect connections started with a Stream File.
    • Client Restrictions – This setting controls which IP addresses encoders can connect from. You can use a comma-separated list of addresses. The wildcard (*) character can be used, but it must replace a complete block of numbers and not a partial block. For example, 192.168.1.*, 10.*.*.* is valid but 123.2*.*.* is not.
      • No client restrictions – (Default) Client connections aren't restricted by IP address.
      • Only allow publishing from the following IP addresses – The IP addresses listed in the box are allowed to publish to the server after passing authentication. Connections from all other IP addresses are blocked from publishing.
      • Do NOT allow publishing from the following IP addresses – The IP addresses listed in the box are blocked from publishing. Other IP addresses are allowed to publish to the server after passing authentication.
      Note: Wowza Streaming Engine 4.8.8.01 and later has a known issue with setting Client Restrictions from Wowza Streaming Engine Manager. See Setting client restrictions from Wowza Streaming Engine Manager does not work for a workaround.
    • Duplicate Stream Names – Select Reject a second stream with the same name that's published to this application to prevent a second encoder from publishing an RTMP stream with the same name as an existing RTMP stream.
    • Flash Version String – This setting is used to identify an RTMP source to the server. If not set, the following default value is used (Wowza Streaming Engine 4.8.12 and later). Most commercial encoders use one of these values in their Flash Version String.
      Wirecast/|FME/|FMLE/|Wowza GoCoder*|Lavf/|UA Teradek/|KulaByte/|HaivisionKB/|VidBlaster/|XSplit/|PESA|makitoX/|Elemental Live*

      The FlashVer value from the RTMP connection is compared with this setting to see if it starts with one of the values to determine if it's a source.

      VHost-level Flash version string

      In Wowza Streaming Engine version 4.1.1 and later, you can add a property at the virtual host (VHost) level to enable the same custom Flash Version String setting for all applications.

      1. In Wowza Streaming Engine Manager, click the Server tab at the top of the page and then click Virtual Host Setup in the contents panel.
      2. In the Virtual Host Setup page, click the Properties tab and then click Custom in the Quick Links bar.
        Note: Access to the Properties tab in Wowza Streaming Engine Manager is limited to administrators with advanced permissions. For more information, see Manage credentials.
      3. In the Custom area, click Edit.
      4. Click Add Custom Property, specify the following custom property settings in the Add Custom Property dialog box, and then click Add.
        • In Path, select /Root/VHost.
        • In Name, enter securityPublishValidEncoders.
        • In Type, select String.
        • In Value, enter Wirecast/|FME/|FMLE/|Wowza GoCoder*/|[myEncoderString]. The [myEncoderString] value is optional. You can replace this value with the Flash Version String for an additional RTMP source.
      5. In the Virtual Host Setup page, click Save and then restart the Server when prompted to apply the custom property.
      Setting this custom property in the Virtual Host Setup page overwrites the default value. To define a per-application Flash Version String that will be used instead of the VHost-level value, configure the Flash Version String setting in the application's Source Security page.
  7. Click Save and then restart the application.

Playback security options


Playback security options apply to both live and VOD applications.

  1. Click Applications at the top of the page and then select your application in the contents panel.
  2. In the contents panel, click Playback Security.
  3. To change the settings, click Edit. The default settings don't restrict any playback connections.

  4. Configure any of the following Playback Security settings as needed:
    • Require Secure Connection – With this setting enabled, all RTMP players must use a secure protocol (for example, RTMPS).
    • SecureToken – This setting specifies that a private security token must be exchanged between the application and clients. Select a SecureToken option and then either enter a string of alphanumeric characters in the Shared Secret box or click Generate SecureToken Shared Secret to create a random private shared secret. This value must be used by all connections that play streams from this application. If the connection doesn't match or is not set, then the player connection will be rejected.

      In Wowza Streaming Engine 4.1.0 and later, you can select Protect all protocols using hash (SecureToken version 2) to use SecureToken playback protection for all streaming protocols using a hash algorithm to generate the security token. For details, see Protect streaming using SecureToken in Wowza Streaming Engine.

    • Client Restrictions – This setting enables you to control which IP addresses players can connect from. You can use a comma-separated list of addresses. The wildcard (*) character can be used, but it must replace a complete block of numbers and not a partial block. For example, 192.168.1.*, 10.*.*.* is valid but 123.2*.*.* is not.
      • No client restrictions – (Default) Client connections aren't restricted by IP address.
      • Only allow playback from the following IP addresses – The IP addresses listed in the box are allowed to connect. All other IP addresses will be blocked.
      • Do NOT allow playback from the following IP addresses – The IP addresses listed in the box are blocked from connecting. All other IP addresses are allowed.
      Note: Wowza Streaming Engine 4.8.8.01 and later has a known issue with setting Client Restrictions from Wowza Streaming Engine Manager. See Setting client restrictions from Wowza Streaming Engine Manager does not work for a workaround.
  5. Click Save and then restart the application.
Note: Playback security settings are ignored if the connection FlashVer matches the Flash Version String setting on the Source Security page. The connection will be identified as a source and not a player.
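As an added illustration (not code from Wowza or from this article), the following Python models two checks the article describes: the FlashVer prefix comparison against the Flash Version String that decides whether a connection is treated as a source rather than a player, and the Client Restrictions address syntax shared by the Source Security and Playback Security pages. The function and constant names are this example's own, and treating a trailing * in a Flash Version String value as a wildcard is an assumption.

```python
import ipaddress
import re

# Default Flash Version String quoted in the article (Wowza Streaming Engine 4.8.12 and later).
DEFAULT_FLASH_VERSION_STRING = (
    "Wirecast/|FME/|FMLE/|Wowza GoCoder*|Lavf/|UA Teradek/|KulaByte/|"
    "HaivisionKB/|VidBlaster/|XSplit/|PESA|makitoX/|Elemental Live*"
)


def is_source(flash_ver, setting=DEFAULT_FLASH_VERSION_STRING):
    """True if the connection's FlashVer starts with one of the '|'-separated values.

    Assumption: a trailing '*' in a value is a wildcard and is dropped before the
    prefix test (the article only says FlashVer is compared by prefix).
    """
    for value in setting.split("|"):
        prefix = value.rstrip("*")
        if prefix and flash_ver.startswith(prefix):
            return True
    return False


# One octet is either 0-255 or a '*' that replaces the whole octet; '2*' is rejected.
_OCTET = r"(?:25[0-5]|2[0-4]\d|1?\d?\d|\*)"
_PATTERN_RE = re.compile(rf"^{_OCTET}(?:\.{_OCTET}){{3}}$")


def parse_client_restrictions(text):
    """Parse the comma-separated Client Restrictions list into per-octet patterns."""
    patterns = []
    for item in text.split(","):
        item = item.strip()
        if not item:
            continue
        if not _PATTERN_RE.match(item):
            raise ValueError(f"wildcard must replace a whole octet: {item!r}")
        patterns.append(item.split("."))
    return patterns


def ip_matches(ip, patterns):
    """True if the client IP matches any pattern (a '*' octet matches anything)."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return any(all(p in ("*", o) for p, o in zip(pat, octets)) for pat in patterns)


def connection_allowed(ip, mode, restriction_list):
    """Apply a Client Restrictions mode: 'none', 'allow' (only listed) or 'deny' (listed blocked)."""
    if mode == "none":
        return True
    matched = ip_matches(ip, parse_client_restrictions(restriction_list))
    return matched if mode == "allow" else not matched
```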

Custom properties


This section describes the custom properties that can be used by advanced users to configure security. For details about how to configure custom properties, see Configure properties.

Note: Access to the Properties tab in Wowza Streaming Engine Manager is limited to administrators with advanced permissions. For more information, see Manage credentials.

SecureToken target

Use the securitySecureTokenTarget property to define which types of operations are controlled if SecureToken is enabled.

Path              Name                       Type    Value
Root/Application  securitySecureTokenTarget  String  play,publish,create

If the Value is empty, the token is checked during the connect phase of the RTMP connection instead of during individual operations. The setting is a comma-separated list of operations and can have any of the following values:

  • play – All RTMP connections that try to play a stream require a valid security token.
  • publish – All RTMP connections that try to publish a stream require a valid security token.
  • create – All RTMP connections that try to create a stream require a valid security token.
Note: This property isn't used if the connection has a valid Flash Version String.

Custom password file location

Use the securityPublishPasswordFile property to define a custom location for the publish.password file that's used to authenticate RTMP-based and RTSP-based source connections to the application.

Path              Name                         Type    Value
Root/Application  securityPublishPasswordFile  String  ${com.wowza.wms.context.VHostConfigHome}/conf/${com.wowza.wms.context.Application}/publish.password

The default setting for authenticating sources is to use the [install-dir]/conf/publish.password file. This file is written to by Wowza Streaming Engine Manager when you use the Server > Source Authentication page to add or edit source credentials.

When you define a custom securityPublishPasswordFile location, the default publish.password file isn't used and you must manage your own password files for the application.

Note: You can specify custom locations for the publish.password file using the rtmpEncoderAuthenticateFile property (for RTMP-based sources) or rtspEncoderAuthenticateFile property (for RTSP-based sources). Wowza Streaming Engine 4.1 software will first check to see if the securityPublishPasswordFile property is set. If it's not set, it will then check to see if these alternate properties are set.

If you're running Wowza Streaming Engine 4.0, you must use the securityPublishPasswordFile property to authenticate RTMP-based sources and the rtspEncoderAuthenticateFile property to authenticate RTSP-based sources using publish.password in a custom location.

For details about how to configure these alternate properties, see Enable username/password authentication for RTMP/RTSP publishing to Wowza Streaming Engine.