Wowza Community

Secure HLS streaming

Hello, I’m using a Wowza edge server (4.0.2) for HLS streaming. I secured the URLs to the streams with URL signing from WMSPanel. I have a big problem with this. Access to the main manifest (m3u8) is secured, and it can’t be accessed without the key sent in the URL query (http://x.x.x.x:1935/live/xxxxxxxxxxx?playlist.m3u8). Unfortunately, you can access the stream with the URLs to the next segments of the stream (http://x.x.x.x:1935/live/xxxxxxxxxxx/chunklist_w852822719.m3u8). I think those URLs include the Wowza session ID, and only the user who started the session should have access to them. Is this some kind of error in your HLS implementation? Is there any way to avoid this?

If you implement any security module that handles the onHttpSessionCreate event, the result will be the same. The module intercepts only the create-session event, and the server is responsible for the rest of the session logic. Wowza cannot restrict a session ID to a TCP session and to a particular IP address, as this will not always work, especially for mobiles.

We cannot fix it from the WMSPanel side either.

OK. As I understand it, I can’t secure HLS streams with Wowza server. Is that really true?

You can; just write a simple server-side module.
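
The gap discussed in this thread is that only the session-creating request is checked, so chunklist URLs work on their own. The following is an added example, not code from any poster, Wowza or WMSPanel: it shows in Python the logic a server-side check could apply to every HLS request, with the signed token carried from the master playlist into the child URLs. The token format (`exp`, `sig`), the key, the host name and the stream paths are all constructed assumptions.

```python
import hashlib
import hmac
from urllib.parse import parse_qs, urlsplit

KEY = b"constructed-demo-key"  # placeholder secret, not a real value
# Constructed sample: a master playlist as an HLS server might return it.
SAMPLE_MASTER = "#EXTM3U\n#EXT-X-STREAM-INF:BANDWIDTH=800000\nchunklist_w1.m3u8"


def sign(app_stream: str, expires: int, key: bytes = KEY) -> str:
    """HMAC over '<app>/<stream>|<expiry>'. No client IP is bound,
    since the thread notes IP binding breaks for mobile clients."""
    msg = f"{app_stream}|{expires}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def token_query(app_stream: str, expires: int, key: bytes = KEY) -> str:
    return f"exp={expires}&sig={sign(app_stream, expires, key)}"


def authorize(url: str, now: int, key: bytes = KEY) -> bool:
    """Run on EVERY HLS request: master playlist, chunklist, segment."""
    parts = urlsplit(url)
    segs = [s for s in parts.path.split("/") if s]
    if len(segs) < 3:  # expect /<app>/<stream>/<file>
        return False
    q = parse_qs(parts.query)
    try:
        expires = int(q["exp"][0])
        sig = q["sig"][0]
    except (KeyError, ValueError):
        return False  # token missing or malformed
    if now > expires:
        return False  # token expired
    expected = sign(f"{segs[0]}/{segs[1]}", expires, key)
    return hmac.compare_digest(expected.encode(), sig.encode())


def rewrite_playlist(text: str, query: str) -> str:
    """Append the token to each URI line so child requests carry it."""
    out = []
    for line in text.splitlines():
        if line and not line.startswith("#"):
            line += ("&" if "?" in line else "?") + query
        out.append(line)
    return "\n".join(out)
```

Because the token is bound to the stream and an expiry rather than to an address, a copied URL still works until it expires, so the expiry window is the control that limits sharing.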