
How can I secure HLS streams in Ant Media server?

MikeDee
Begginer

What is the best way to secure HLS and DASH streams in Ant Media Server? I would like to prevent third-party sites from embedding my live streams.


  1. This answer was edited.

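    Third-party embedding of Ant Media HLS and DASH streams can be restricted by placing an Nginx reverse proxy in front of the server and rejecting requests whose Referer header does not come from your whitelisted domain. Because the Referer header is supplied by the client, this deters embedding on other websites but is not authentication. Add the following block to the configuration file: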

      # Main context: process-wide settings for the nginx master and workers.
    pid /var/run/nginx.pid;
    user nginx;                     # account the worker processes run as
    worker_processes auto;          # let nginx pick the worker count
    worker_rlimit_nofile 1048576;   # open-file limit for each worker

    # Connection handling for each worker process.
    events {
        use epoll;
        multi_accept on;
        worker_connections 1048576;
    }
    
    http {
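        sendfile on;
        tcp_nopush on;
        tcp_nodelay on;
        # Do not advertise the nginx version in the Server header or on error pages.
        server_tokens off;
        keepalive_timeout 300s;
        types_hash_max_size 2048;
        include /etc/nginx/mime.types;
        default_type application/octet-stream;

        # ssl settings (inherited by every "listen ... ssl" server below)
        # Only TLS 1.2 is enabled. NOTE(review): consider adding TLSv1.3 when the
        # installed nginx/OpenSSL build supports it.
        ssl_protocols TLSv1.2;
        ssl_prefer_server_ciphers on;
        ssl_ciphers         HIGH:!aNULL:!MD5;
        ssl_session_cache shared:SSL:50m;
        ssl_session_tickets off;

        # logs settings
        # nginx concatenates the quoted fragments into one format string, so every
        # fragment except the last ends with a space to keep the fields separated.
        log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
                          '$status $body_bytes_sent "$http_referer" '
                          '"$http_user_agent" "$http_x_forwarded_for" '
                          '"$hostname" "upstream: $upstream_addr"';
        # Name the "main" format explicitly: without a format argument nginx writes the
        # predefined "combined" format and the X-Forwarded-For, hostname and upstream
        # fields defined above never reach the log. Rejected (403) requests are logged
        # with their Referer, which helps when reviewing who is trying to embed streams.
        access_log /var/log/nginx/access.log main;
        error_log /var/log/nginx/error.log;

        # gzip
        gzip on;
        gzip_disable "msie6";
        gzip_http_version 1.1;
        gzip_comp_level 6;
        gzip_types text/plain text/css application/json application/javascript text/javascript application/x-javascript text/xml application/xml application/xml+rss application/vnd.ms-fontobject application/x-font-ttf font/opentype font/x-woff image/svg+xml image/x-icon;

        # proxy settings (defaults for the proxied locations below)
        proxy_redirect off;
        proxy_http_version 1.1;
        proxy_read_timeout 10s;
        proxy_send_timeout 10s;
        proxy_connect_timeout 10s;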
         
        # Plain-HTTP catch-all: every request arriving on port 80 is answered with a
        # permanent redirect to the same host and URI over HTTPS.
        # The host part of the redirect is taken from the incoming request ($host).
        server {
            server_name _;
            listen 80 default_server;
            return 301 https://$host$request_uri;
        }
    
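        #Origin Configuration
        #Replace {YOUR_DOMAIN} with your fully qualified domain name
        #(in both certificate paths and in server_name).
        server {
                listen 443 ssl;
                ssl_certificate /etc/letsencrypt/live/{YOUR_DOMAIN}/fullchain.pem;
                ssl_certificate_key /etc/letsencrypt/live/{YOUR_DOMAIN}/privkey.pem;
                server_name {YOUR_DOMAIN};

                location / {
                    # Hotlink protection: answer 403 unless the Referer header starts with
                    # the whitelisted origin. The trailing "(:[0-9]+)?(/|$)" ends the host
                    # name, so a look-alike such as
                    # "Whitelisted-domain-name.com.other.example" no longer matches.
                    #
                    # Limits to keep in mind:
                    #  - Referer is sent by the client, so this deters embedding on other
                    #    websites but is not authentication. For real access control use
                    #    Ant Media Server's token-based stream security as well.
                    #  - Requests with no Referer at all are rejected too, because an empty
                    #    value does not match the pattern.
                    #  - The check is only effective if clients cannot reach the AMS port
                    #    (5080 below) directly; restrict that port to this proxy.
                    if ($http_referer !~* "^https?://(www\.)?Whitelisted-domain-name\.com(:[0-9]+)?(/|$)") {
                        return 403;
                    }

                    # Forward everything else to Ant Media Server, including WebSocket upgrades.
                    proxy_pass http://AMS-server-IP:5080;
                    proxy_http_version 1.1;
                    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
                    proxy_set_header Host $host;
                    proxy_set_header Upgrade $http_upgrade;
                    proxy_set_header Connection "Upgrade";
                }
        }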
        
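        #Dashboard Configuration (exposes the AMS dashboard on a separate port that is allowed only for specific IPs)
        #Replace {YOUR_DOMAIN} with your fully qualified domain name
        #(in both certificate paths and in server_name).
        server {
                listen 4444 ssl;
                ssl_certificate /etc/letsencrypt/live/{YOUR_DOMAIN}/fullchain.pem;
                ssl_certificate_key /etc/letsencrypt/live/{YOUR_DOMAIN}/privkey.pem;
                server_name {YOUR_DOMAIN};

                # Enforce the IP restriction described above; without these two lines the
                # dashboard port answers any client. {ADMIN_IP} is a placeholder: replace
                # it with your administrator address or CIDR range, and repeat "allow"
                # for each additional address.
                allow {ADMIN_IP};
                deny all;

                # NOTE(review): the port-443 server in this file also proxies every path
                # to the same AMS port, so confirm the dashboard is not reachable there.
                location / {
                    proxy_pass http://AMS-Server-IP:5080;
                    proxy_http_version 1.1;
                    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
                    proxy_set_header Host $host;
                    proxy_set_header Upgrade $http_upgrade;
                    proxy_set_header Connection "Upgrade";
                }
        }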
        }

    From the above, you will have to find the following block and replace Whitelisted-domain-name with your own whitelisted domain name:

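       location / {
              # Return 403 unless the Referer header starts with the whitelisted origin.
              # "(:[0-9]+)?(/|$)" ends the host name so that a longer look-alike host
              # beginning with the same text does not match. Referer is client-supplied,
              # so this deters embedding on other sites but is not authentication.
              if ($http_referer !~* "^https?://(www\.)?Whitelisted-domain-name\.com(:[0-9]+)?(/|$)") {
                  return 403;
              }
              # ... proxy_pass and proxy_set_header lines as in the full configuration ...
       }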

    To understand the full implementation of this method, you need to read this step-by-step guide on this topic

     
