Thread: Is partial implementation of security features possible across an Origin/Edge setup?

  1. #1
    Join Date
    Mar 2013
    Posts
    8

    Question Is partial implementation of security features possible across an Origin/Edge setup?

    I have been slogging through the proverbial mud on this for a while now, and decided to finally come to the forums.. I can post specific configuration information as I go, but the basic gist of my question is this:

    Is it possible for me to use one method to 'secure' the publishing side (using SecureURLParams) between my encoder (OBS) and my Origin (Wowza 3.5.2) and use another method (SecureToken) to secure the connection between an Edge (Wowza 3.5.2) and the viewer (using a compiled player.swf)?? It seems like SecureToken is either enabled across the board or not at all.

    The problem I seem to have run into is that I can't seem to use non-'SecureURLParam' methods with Open Broadcaster Software ('OBS') or with Xsplit, which are two of my available software encoders for testing purposes. Frankly I don't think I can even use SecureURLParams with Xsplit. As a result, I have tried to avoid using SecureToken for securing publishing.

    What is the "optimal configuration"? Is it RTMPAuthenticate\SecureToken between encoder and Origin/transcoder, RTMPAuthenticate\SecureToken between Origin and Edge, and RTMPAuthenticate\SecureToken+requireSecureConnection? Where does RTMPS with the free SSL fit in?

    I guess that's where I'll leave this for now, I'm just trying to determine where to devote my energies. Hooray my first official post is done..

  2. #2
    Join Date
    Dec 2007
    Posts
    21,962

    Default

    That's all correct. If you can't use ModuleRTMPAuthenticate for the RTMP live encoder, you should be able to use ModuleSecureURLParams. I think that will work with xsplit, if it is sending rtmp live stream to Wowza, it should work.

    Between edge and origin, use SecureToken, as detailed in here:
    http://www.wowza.com/forums/content....t#secureOrigin

    For the RTMP client, use ModuleSecureToken, ModuleRequireSecureConnection, and RTMPE or RTMPS protocols. Having done all that, if you do not want to allow embedding of your player you will also want to use ModuleHotlinkDenial.

    SecureToken ensures that only your player is used to connect to your server. RTMPE or RTMPS ensures that the stream is encrypted so users can't download once they have access to your player. HotlinkDenial ensures that other web admins can't use your secured player and secure stream in their site by hotlinking your player in their web site.

    http://www.wowza.com/forums/content....urity-overview

    Richard

  3. #3
    Join Date
    Mar 2013
    Posts
    8

    Default

    Quote Originally Posted by rrlanham View Post
    That's all correct. If you can't use ModuleRTMPAuthenticate for the RTMP live encoder, you should be able to use ModuleSecureURLParams. I think that will work with xsplit, if it is sending rtmp live stream to Wowza, it should work.

    Between edge and origin, use SecureToken, as detailed in here:
    http://www.wowza.com/forums/content....t#secureOrigin
    The problem I seem to run into is that I can't use SecureToken between the Edge and the Origin exclusively.. If I follow the instructions you linked, I can no longer publish to the origin. I get messages indicating "invalid stream channel / stream key" for example. Perhaps my software encoders are all simply not supported. I don't see how to pass authentication information (except secureURLParams) to them. Don't know the syntax..

    Quote Originally Posted by rrlanham View Post
    For the RTMP client, use ModuleSecureToken, ModuleRequireSecureConnection, and RTMPE or RTMPS protocols. Having done all that, if you do not want to allow embedding of your player you will also want to use ModuleHotlinkDenial
    Which thing are you referring to as the 'RTMP client' in this instance? For my particular setup, the viewer is accessing player files (hosted on Cloudfront) from an html page on a web server. The jwplayer parameters point to the Edge stream (ideally) and the Edge gets its information from the Origin. The Origin obviously receives from the encoder.

  4. #4
    Join Date
    Dec 2007
    Posts
    21,962

    Default

    If you are not using an encoder that supports RTMP authentication then change the origin Application.xml ModuleRTMPAuthenticate to ModuleSecureToken.

    <Module>
    	<Name>ModuleSecureToken</Name>
    	<Description>ModuleSecureToken</Description>
    	<Class>com.wowza.wms.security.ModuleSecureToken</Class>
    </Module>

    You can also use ModuleSecureURLParams as an alternative to ModuleRTMPAuthenticate to secure publishing:

    http://www.wowza.com/forums/content....cureURLParams)

    Richard

  5. #5
    Join Date
    Mar 2013
    Posts
    8

    Default

    Quote Originally Posted by rrlanham View Post
    If you are not using an encoder that supports RTMP authentication then change the origin Application.xml ModuleRTMPAuthenticate to ModuleSecureToken.
    Will just having the ModuleSecureToken in there make it ignore the publishing side of things?

    Quote Originally Posted by rrlanham View Post
    You can also Use ModuleSecureURLParams as alternative to ModuleRTMPAuthenticate to secure publishing:
    http://www.wowza.com/forums/content....cureURLParams)
    About that, I've read through the documentation and done some searching but so far I haven't found a guide for which parameters I can use -- I did find doPublish. Is there some resource I'm missing for the syntax of in-line functions like doPublish or authentication?

  6. #6
    Join Date
    Mar 2013
    Posts
    8

    Default

    I did as you instructed, changed the Origin's /conf/liveorigin/Application.xml file to contain ModuleSecureToken instead of RTMPAuthentication. I also added in SecureURLParams.

    I get this in my access log:
    2013-03-13 15:24:30 PDT comment session ERROR 403 1119879701 ModuleSecureToken.onConnect: Action before response received: kill connection: clientId:1119879701 _defaultVHost_ liveorigin _definst_ 0.747 [any] 1935 rtmpe://XXX.XXX.XXX.XXX:1935/liveorigin?doPublish=ZZZZZ YYY.YYY.YYY.YYY rtmp - FMLE/3.0 (compatible; FMSc/1.0) 1119879701 3401 3501 - - - - - - - - - - - - - rtmpe://XXX.XXX.XXX.XXX:1935/liveorigin doPublish=ZZZZZ
    Where of course, the X string = origin's IP, Y string = source (encoder) incoming IP, and Z string = doPublish string. Each one reflects the proper information. What am I missing? How does ModuleSecureToken interact with the incoming encoder connection and do I have to manually change things to prevent it? In all the docs I've read I haven't seen anything about configuring the encoder for SecureToken..

  7. #7
    Join Date
    Dec 2007
    Posts
    21,962

    Default

    Right, sorry, I guess we are painted into a corner this way. I guess it can be done with just SecureURLParams, using that between edge and origin as well.

    I tried it, this works between edge and origin: Make sure you only have ModuleSecureURLParams enabled in the origin Application.xml, then add this Property to the Properties container at the bottom of that file:

    <Property>
    	<Name>secureurlparams.connect</Name>
    	<Value>12345.doConnect</Value>
    </Property>

    Then in the edge Application.xml add the querystring to the /Repeater /QueryString like this:

    <Repeater>
    	<OriginURL></OriginURL>
    	<QueryString><![CDATA[doConnect=12345]]></QueryString>
    </Repeater>

    You can use .stream files or the /OriginURL method of connecting to the origin.

    Richard
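To make the behaviour that posts #4 and #7 converge on concrete, here is an added example (my own code, not Wowza's ModuleSecureURLParams) that reads the secureurlparams.* properties out of an origin Application.xml fragment and checks an incoming RTMP connect URL against them. It assumes the value format "secret.paramName" that the thread's "12345.doConnect" / "doConnect=12345" pairing shows, and uses constructed placeholder secrets.

```python
import hmac
from urllib.parse import urlsplit, parse_qs
import xml.etree.ElementTree as ET

# Constructed sample: the origin-side Properties container the thread ends up
# with (publish secured for the encoder, connect secured for the edge).
# ZZZZZ and 12345 are placeholders, not real credentials.
ORIGIN_APP_XML = """<Root><Application><Properties>
<Property><Name>secureurlparams.publish</Name><Value>ZZZZZ.doPublish</Value></Property>
<Property><Name>secureurlparams.connect</Name><Value>12345.doConnect</Value></Property>
</Properties></Application></Root>"""


def load_rules(xml_text):
    """Return {action: (param_name, secret)} for every secureurlparams.* Property.

    The Value format 'secret.paramName' is taken from the thread; splitting on
    the last dot keeps any dots inside the secret itself intact (assumption).
    """
    rules = {}
    root = ET.fromstring(xml_text)
    for prop in root.iter("Property"):
        name = prop.findtext("Name", "")
        if not name.startswith("secureurlparams."):
            continue
        secret, _, param = prop.findtext("Value", "").rpartition(".")
        if secret and param:
            rules[name.split(".", 1)[1]] = (param, secret)
    return rules


def is_authorized(rules, action, rtmp_url):
    """Decide whether the URL's query string satisfies the rule for `action`.

    Actions with no rule are refused rather than silently allowed, and the
    secret comparison is constant-time so timing does not leak its length.
    """
    if action not in rules:
        return False
    param, secret = rules[action]
    query = parse_qs(urlsplit(rtmp_url).query)
    presented = query.get(param, [""])[0]
    return hmac.compare_digest(presented.encode(), secret.encode())


if __name__ == "__main__":
    rules = load_rules(ORIGIN_APP_XML)
    # The encoder URL from post #6's log line, and the edge's connect URL.
    print(is_authorized(rules, "publish", "rtmpe://XXX.XXX.XXX.XXX:1935/liveorigin?doPublish=ZZZZZ"))
    print(is_authorized(rules, "connect", "rtmp://origin.example:1935/liveorigin?doConnect=12345"))
```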
