I apologize in advance if this is the wrong section, but as we serve exclusively vod streams, i figure this is a good starting place.
We're using the latest version of wowza (3.5.2 i believe), along with jwplayer 6.2 in our setup.
We're serving HLS (for iOS), RTSP (for android, via a link outside of jwplayer), and RTMP streams (for flash user, the odd android user that has flash) in our setup.
Our website environment will be wordpress based, using a members management system that doesn't involve any .htaccess authenticated "members area", but rather limits access to pages / posts on the website based on member levels assigned to them within wordpress' user management (i.e. "Magic Members").
We're not concerned with actually protecting the content we stream, in fact underneath the media player we're providing download links to the files we stream.
What we are concerned with is the ability for people to just copy / paste our player code, and stream our content on their website / any external site outside of our network (i guess you would call it hotlinking).
Here is where our main issue lays: atm (we're still in dev stages for our site), we are linking to the "cloud hosted" version of jwplayer, and we were not able to get our streams working (cross domain issues) until we allowed the server domain that the cloud hosted player resides on in the crossdomain.xml file residing on our wowza setup.
This config though means that anybody can basically copy / paste our jwplayer code and serve it on their pages and the streams will work (i tried it on another domain), and so it obviously poses a really huge risk in terms of bandwidth usage / security.
What would be the recommended way of locking down these protocols (hls, rtsp, rtmp) not so much to prevent the ability of downloading the files, but for the purpose of limiting the domains that can stream the videos to very specific ones? Is there a way to tweak the crossdomain.xml (or another .xml config) so that it is only willing to serve streams not only to the domain where the swf player is located, but specific sites also?
note: ideally I want to avoid self hosting the jwplayer .swf file, but I'll do it if i have to (its just nice that they auto update the player to the most stable version, etc if we use their cloud hosted one).
p.s. please be as thorough / detailed with your response, as i am really quite novice to how all of this works.