Comments (5)
It's explained in the comments here: https://github.com/Fenrirthviti/stream-site/blob/master/lib/streamauth.php
A simple rundown is that you submit the stream key as a GET param (?key=whatever) and this (or any other params you want) is passed to nginx as an array. For example, the full RTMP url of rtmp://site.com/app/Name?key=key will submit the array of:
Array(
[app] => app
[flashver] => FMLE/3.0 (compatible; FMSc/1.0)
[swfurl] => rtmp://site.com/app
[tcurl] => rtmp://site.com/app
[pageurl] =>
[addr] => 10.0.0.1
[clientid] => 5437628
[call] => publish
[name] => Name
[type] => live
[key] => key
)
This array is passed via GET (or POST, as configurable in nginx-rtmp, but I haven't tested this as get works fine) to your on_publish target. If you check my nginx config code here: https://github.com/Fenrirthviti/stream-site/blob/master/src/nginx/conf.d/rtmp.conf#L16-L20
You can see where it's being passed to the streamauth.php file, which then just parses the array to validate against my database. Let me know if you have any further questions, I'm happy to share anything I've learned while working on this project, as many of the challenges I've had to overcome are poorly documented or not documented at all.
from stream-site.
Yes I understand that part, I have a similar solution for validating if a user is allowed to publish to my rtmp server. The issue is that the key is also used to serve the rtmp stream to the visitor. The viewer is therefore able to hijack the stream by using the same key.
Broadcaster:
Stream software setup (for example OBS)
Server URL: rtmp://site.com/app/
Stream key: $secret_key
Nginx-rtmp uses on_publish to check if the secret_key is allowed to publish. This works all fine. 400 code if not allowed, 200 code if allowed.
Visitor:
The website player (for example clappr) uses something like this:
source: 'rtmp://site.com/app/$secret_key'
Or in case of HLS:
source: 'http://site.com/app/$secret_key.m3u8'
to access and serve the stream to the visitor.
The visitor now knows the secret_key the broadcaster uses to stream to the server and can hijack the stream.
It should be something like:
rtmp://site.com/app/$masked_key
HLS: http://site.com/app/$masked_key.m3u8
that resolves to the actual source
rtmp://site.com/app/$secret_key
HLS: http://site.com/app/$secret_key.m3u8
without exposing the actual stream key to the visitors.
I feel like I'm missing something very simple. Is there a way to name the rtmp / HLS stream other than using the stream key
from stream-site.
Yeah, what you're missing is that you don't pass the secret key as the actual stream name, you pass it as a GET param. So what you would need to do is:
rtmp://site.com/app/public_key?key=private_key
The ?key=private_key part is ONLY passed to the server, and you can validate it with on_publish.
For playback, you only need to do rtmp(http)://site.com/app/public_key(.m3u8)
from stream-site.
huh damn, I think I understand now.
Let me try it! I'll tell you if I can make it work.
Thanks a lot!
from stream-site.
Works like a charm! Now I feel kinda stupid for not realizing earlier.
It's not really a pretty streaming key, but that's okay as long as it works :)
Thanks for helping me, and btw I agree many of the challenges you have to overcome on projects like this are poorly documented. But I think you're doing a great job here!
Best regards!
from stream-site.
Related Issues (20)
- vidoe.js: player going fullscreen causes scroll bar position to reset HOT 1
- [Suggest]Stream Offline Image HOT 5
- sql error HOT 2
- Error HOT 5
- stop SSL HOT 7
- Share streaming HOT 1
- Stream to over services too HOT 7
- P2P-Streaming? HOT 1
- Route /watch 404 HOT 2
- Alternative to Flash for viewers HOT 2
- Migrate to nginx-http-flv-module and flv.js HOT 7
- Warning: pg_query_params(): Query failed: HOT 2
- Non-FLV, Unsupported media type! HOT 4
- Upstream services HOT 3
- php 7.4 HOT 10
- Connection refused when configured with SSL (self-signed) HOT 1
- Update scripts HOT 9
- No RTMP key - No E-mail sended HOT 1
- Impossible to watch a live stream. HOT 1
- fetchChannels not working HOT 2
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from stream-site.