Correct way to use authentication for the streamer?

Hello!

Let’s say that we create a manual entry following these instructions:

BTW THANK YOU @jess

That all works amazingly.

Now, I am looking for ways to password-protect the stream source, so that someone who can guess the stream name cannot hijack it.

This seems the only solution I found:

https://smartshitter.com/musings/2018/06/nginx-rtmp-streaming-with-slightly-improved-authentication/

And so we added a PHP endpoint in the application that works and correctly returns a 201 for good creds and a 404 for bad ones.

I have tried, in vain, to make use of it in a real-case scenario.

In nginx.conf I have:

```
application kLive {
        live on; # Allows live input from above

        on_publish http://app.domain.com/auth/streamer_auth;
```

The auth works and returns 201:

```
curl -is "http://app.domain.com/auth/streamer?name=user.name@domain.com&psk=secret" | head -1
HTTP/1.1 201 Created
```

Then, if I create a stream named ‘test’ and I want to password protect it, I see this flying in the logs:

94.252.xx.yy [15/Apr/2021:19:46:50 +0200] PUBLISH "kLive" "test" "name=user.name@domain.com&psk=secret" - 5352475 529 "" "FMLE/3.0 (compatible; FMSc/1.0)" (10s)

The stream would not start. I tried passing the name and psk in the stream key (after it, like test?name=user.name@domain.com&psk=secret), etc. I also tried creating the stream to match the username, like name=user.name@domain.com?psk=secret

Nothing works so far.

What would be the correct way to implement this or other authentication method to protect the production of the streams?

Thanks!

Hello,

We implemented the same solution but found out that it was possible to publish different streams with the same auth key.

So this is what we did:

```
rtmp {
    server {
        listen 1935; # Listen on standard RTMP port
        chunk_size 4000;
        on_connect http://utils.xxxx.com/stream/auth.php;
        # This application is to accept incoming stream
        application kLive {
            live on; # Allows live input from above
            allow publish all;
            allow play 127.0.0.1;
            deny play all;
            # Stream validation
            on_publish http://utils.xxxx.com/stream/auth_publish.php;
            .
            .
            .
```

Basically, you need to go the AAA way in order to get it working correctly.

auth.php verifies the key
auth_publish.php verifies that both key and stream are correct.

Remember that different streamers may need different setups. This is how we set up OBS:

server: rtmp://live01.xxxx.com:1935/kLive?hash=myhashxxx
Stream key: mystreamkeyxxx

I hope this helps.

David
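
The two checks described in the reply above (key at connect, key plus stream name at publish), as an added example in Python; it is not the PHP from either post, which is not shown in the thread. The callback field names `hash`, `name` and `tcurl`, the sample key-to-stream binding and the 201/404 status codes mirror values in this thread but are assumptions about your setup.

```python
import hashlib
import hmac
from urllib.parse import parse_qs, urlsplit

# nginx-rtmp continues on any 2xx reply; other non-3xx codes drop the client.
ALLOW, DENY = 201, 404


def _digest(key: str) -> str:
    return hashlib.sha256(key.encode()).hexdigest()


# Constructed sample store: SHA-256 of each publisher key -> the one stream it may publish.
BINDINGS = {_digest("myhashxxx"): "mystreamkeyxxx"}


def _fields(body: str) -> dict:
    """Decode the application/x-www-form-urlencoded callback body (keys lowercased)."""
    return {k.lower(): v[0] for k, v in parse_qs(body).items()}


def _key(fields: dict) -> str:
    """Publisher key: a direct 'hash' argument, else the query string of tcurl (assumed names)."""
    if "hash" in fields:
        return fields["hash"]
    query = urlsplit(fields.get("tcurl", "")).query
    return parse_qs(query).get("hash", [""])[0]


def _bound_stream(key: str):
    """Return the stream bound to this key, or None; digests are compared in constant time."""
    candidate = _digest(key)
    for stored, stream in BINDINGS.items():
        if hmac.compare_digest(stored, candidate):
            return stream
    return None


def on_connect(body: str) -> int:
    """Role of auth.php: is the key known at all?"""
    return ALLOW if _bound_stream(_key(_fields(body))) is not None else DENY


def on_publish(body: str) -> int:
    """Role of auth_publish.php: the key must be known AND bound to this stream name."""
    fields = _fields(body)
    stream = _bound_stream(_key(fields))
    name = fields.get("name", "")
    ok = stream is not None and hmac.compare_digest(stream.encode(), name.encode())
    return ALLOW if ok else DENY
```

Checking only the key at publish time reproduces the problem mentioned in the reply: one valid key could publish any stream name. Binding each key to a single name closes that gap.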

@david.eusse thanks for the tips.

I am in the process of deploying a different back end, this time distributed. I am having all sorts of new issues.

I will try this once I am up and running.