
Thread: Secure RTSP and HLS/HTTP streaming

  1. #1


    Hello,
    We are live streaming a couple of TV channels. We were able to secure RTMP (Flash player) streaming with modules and some PHP scripting, so it cannot be hot-linked.

    Now the problem is that RTSP and HTTP/HLS streaming links are totally unsecured. People can simply copy the link and play it on any device they want.

    We want the user to visit our website, and only then should the RTSP or HTTP/HLS link work.

    Any great mind have any idea?

    We were thinking of using a random URL but don't know how Wowza will understand it.



    -Mamoor

  2. #2


    Just a little idea:

    Write a Wowza module in conjunction with some code on your webserver. When the client clicks your video link on your webserver, send their IP and streamname to your module, to be recorded along with a timeout value. Override the play() method, if they're not on your list reject them.

    This way only clients who authenticated on your webserver can play streams.

  3. #3


    Good idea, but I need more clarification.

    How about random links that stay alive for a minute? If anyone tries to hotlink the temporary URL, it would not work and he would need a new working link.

    I think it's easy to implement on the webserver in PHP, but how will Wowza understand it?


    -Mamoor

  4. #4


    Use a query string instead of a stream name to do your authentication. A user posted an example: http://www.wowza.com/forums/showthre...P-but-not-RTSP

    On your webserver md5 encode your random salt and their IP and then add the current unix timestamp to the result. On the Wowza module, recalculate hash from their IP + salt, then subtract from key leaving unix time. This will accomplish two things:

    1. Ensure the person who requested the URI is the same IP as the one playing it.
    2. Provide a time, that you can check/reject.

  5. #5

    Actually, the play command does not run for non-Flash RTMP clients. And you don't have to send IP to Wowza in either case. Take a look at these methods

    http://www.wowza.com/forums/content....-and-San-Jose)

    http://www.wowza.com/forums/content....TSP-RTP-stream

    Richard

  6. #6


    Going through the code, it looks like if the referrer is populated with 123.com and only this domain is allowed, then all others will be denied.

    But could you please tell me how the referrer will be populated?

    Do you have any working example code which I can mimic? Say the code only allows the wowza.com referrer when someone clicks on an RTSP link.


    -Mamoor

  7. #7

    You can get the IP like this:

    HTTP:
    String ipAddressClient = httpSession.getIpAddress();
    RTSP:
    String ipAddress = rtpSession.getIp();
    You don't want referrer I don't think, and it might not be reliably populated in some cases, iOS for one, because it does not send that data.

    Richard

  8. #8


    Richard,
    But we cannot block or allow according to IP address.

    Domain locking is more appropriate. Say, if the link is coming from www.123.com, it should be allowed. Similar to http://www.wowza.com/forums/content.php?114

    Can a similar technique be implemented in RTSP and HTTP streaming?

    I used the following code but it denies everything:

    package com.wowza.wms.example.module;

    // com.wowza.wms.example.module.ModuleAccessControlHTTPStreaming

    import com.wowza.wms.httpstreamer.model.IHTTPStreamerSession;
    import com.wowza.wms.module.*;
    import com.wowza.wms.application.*;

    public class ModuleAccessControlHTTPStreaming extends ModuleBase
    {
        public void onHTTPSessionCreate(IHTTPStreamerSession httpSession)
        {
            boolean isGood = true;

            String ipAddressClient = httpSession.getIpAddress();
            String ipAddressServer = httpSession.getServerIp();
            String uri = httpSession.getUri();
            String queryStr = httpSession.getQueryStr();
            String referrer = httpSession.getReferrer();
            String cookieStr = httpSession.getCookieStr();
            String userAgent = httpSession.getUserAgent();

            IApplicationInstance appInstance = httpSession.getAppInstance();
            String streamName = httpSession.getStreamName();

            // Here you can use the request and session information above to determine
            // if you want to reject the connection
            // isGood = true/false;

            getLogger().info("ModuleAccessControlHTTPStreaming.onHTTPSessionCreate["+appInstance.getContextStr()+":"+streamName+"]: accept:"+isGood);

            // boolean reject = true;
            String[] domainLocks = null;
            String[] domainUrl = null;

            try
            {
                domainLocks = httpSession.getAppInstance().getProperties().getPropertyStr("domainLock").toLowerCase().split(",");
                //String pageUrl = httpSession.getProperties().getPropertyStr("connectpageUrl").toLowerCase();
                // domainUrl = pageUrl.split("/");
                getLogger().info("domainLock: " + httpSession.getAppInstance().getProperties().getPropertyStr("domainLock").toLowerCase());
                getLogger().info("pageUrl: " + ipAddressClient);
                for (int i = 0; i < domainLocks.length; i++)
                {
                    if (domainLocks[i].trim().startsWith("*"))
                    {
                        String lock = domainLocks[i].trim().substring(1);
                        if (ipAddressClient.endsWith(lock))
                        {
                            isGood = true;
                        }
                    }
                    else if (ipAddressClient.equalsIgnoreCase(domainLocks[i].trim()))
                    {
                        isGood = true;
                    }
                }
            }
            catch(Exception ex)
            {
                isGood = false;
            }
            if (isGood)
            {
                getLogger().info("Client Rejected. IP: " + httpSession.getIpAddress());
                httpSession.rejectSession();
            }

            if (!isGood)
                httpSession.rejectSession();
        }
    }

    -Mamoor
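
Why the module in post #8 rejects every session, as an added example that is not part of the original post or of Wowza's code: `isGood` starts as `true`, and `rejectSession()` is called in both the `isGood` and the `!isGood` branch. The sketch below starts from deny and accepts only on a lock match; the class name, the helper `isAllowed` and the sample values are assumptions, and the caller decides which string (client IP or referrer host) is checked.

```java
public class DomainLockCheck {
    // Returns true only when candidate matches one entry of the comma-separated lock list.
    // The decision starts from deny, so a missing property or an empty list rejects.
    static boolean isAllowed(String candidate, String lockList) {
        if (candidate == null || lockList == null) return false;
        String value = candidate.trim().toLowerCase();
        for (String raw : lockList.toLowerCase().split(",")) {
            String lock = raw.trim();
            if (lock.isEmpty()) continue;
            if (lock.startsWith("*")) {
                // "*.123.com" keeps the leading dot, so "evil123.com" does not match;
                // a lock written "*123.com" would match it, and a bare "*" matches everything.
                if (value.endsWith(lock.substring(1))) return true;
            } else if (value.equals(lock)) {
                return true;
            }
        }
        return false;
    }

    public static void main(String[] args) {
        String locks = "www.123.com, *.cdn.123.com";   // constructed sample domainLock value
        String[] samples = {"www.123.com", "a.cdn.123.com", "evil123.com", "10.0.0.5", null};
        for (String c : samples)
            System.out.println(c + " -> " + (isAllowed(c, locks) ? "accept" : "reject"));
    }
}
```

In the module, the single reject call would then be `if (!isAllowed(...)) httpSession.rejectSession();`, with the "Client Rejected" log line inside that branch.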

  9. #9


    What, you guys don't like my ideas? Disclaimer: I haven't tried it.

    "We want the user to visit our website and only then the RTSP or HTTP/HLS link should work."
    "If Anyone try to hotlink the temporary URL it would not work and he should be required a new working link."

    My suggestion accomplishes this. It functions as hotlink denial too. To start with just append the IP and timestamp to the URI you present to the client, then check the values in the module on connect. Worry about the hash/encryption algorithm later. You could put the code in the OverridePlay script which has code for RTMP, HTTP, and RTSP. The getReferer method might not work for all clients, but this should.

    I mentioned keeping track of IPs at first. That's one way. This second way doesn't track IPs. It just makes sure that the URI being played is being played by the correct IP.

    Eventually, you will want to generate the cipher on the server (cgi-bin), as opposed to javascript, then present the encoded URI to the client.
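
The per-IP, time-limited link proposed in posts #4 and #9, as an added example that is not part of the original thread and not Wowza code. It swaps the MD5-plus-timestamp arithmetic for HMAC-SHA256 computed over the IP, stream name and expiry, so the expiry cannot be changed without invalidating the token; the class name, the secret, the query parameter names `expires` and `token`, and the sample addresses are assumptions.

```java
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;

public class StreamToken {
    // Constructed sample secret; the web server and the module must share the real one.
    static final byte[] SECRET = "constructed-sample-secret".getBytes(StandardCharsets.UTF_8);

    static String hmacHex(String msg) throws Exception {
        Mac mac = Mac.getInstance("HmacSHA256");
        mac.init(new SecretKeySpec(SECRET, "HmacSHA256"));
        StringBuilder sb = new StringBuilder();
        for (byte b : mac.doFinal(msg.getBytes(StandardCharsets.UTF_8)))
            sb.append(String.format("%02x", b));
        return sb.toString();
    }

    // Web-server side: query string to append to the stream URL handed to the client.
    static String issue(String clientIp, String stream, long expires) throws Exception {
        return "expires=" + expires + "&token=" + hmacHex(clientIp + "|" + stream + "|" + expires);
    }

    // Module side: ip from httpSession.getIpAddress() or rtpSession.getIp(); default is deny.
    static boolean verify(String ip, String stream, String query, long now) {
        try {
            String expires = null, token = null;
            for (String kv : query.split("&")) {
                if (kv.startsWith("expires=")) expires = kv.substring(8);
                else if (kv.startsWith("token=")) token = kv.substring(6);
            }
            if (expires == null || token == null || Long.parseLong(expires) < now) return false;
            String expected = hmacHex(ip + "|" + stream + "|" + expires);
            return MessageDigest.isEqual(expected.getBytes(StandardCharsets.UTF_8),
                                         token.getBytes(StandardCharsets.UTF_8)); // constant-time compare
        } catch (Exception e) { return false; }
    }

    public static void main(String[] args) throws Exception {
        long now = 1_700_000_000L;                       // constructed Unix timestamp
        String q = issue("203.0.113.7", "channel1", now + 60);
        String edited = q.replace("expires=" + (now + 60), "expires=" + (now + 6000));
        System.out.println("same IP, in time: " + verify("203.0.113.7", "channel1", q, now));
        System.out.println("other IP:         " + verify("198.51.100.9", "channel1", q, now));
        System.out.println("after expiry:     " + verify("203.0.113.7", "channel1", q, now + 120));
        System.out.println("expiry edited:    " + verify("203.0.113.7", "channel1", edited, now + 120));
    }
}
```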

  10. #10

    Hello Randall,
    It's not that your idea is not good, but any example coding is appreciated.


    -Mamoor
