Private streamkey

[Scrimson]

Hi,

I found this project on my search for a solution to mask the streamkey. https://groups.google.com/forum/#!topic/nginx-rtmp/t4XQIzQI9YA

But I have problems understanding how your solution stops exposing the stream key to the viewers. Would you try to explain it to me? Maybe point me in the right direction. I browsed through your code but cannot find the actual parts that do the magic.

Thanks in regards.

[Fenrirthviti]

It's explained in the comments here: https://github.com/Fenrirthviti/stream-site/blob/master/lib/streamauth.php

A simple rundown is that you submit the stream key as a GET param (?key=whatever) and this (or any other params you want) is passed to nginx as an array. For example, the full RTMP url of rtmp://site.com/app/Name?key=key will submit the array of:

Array( [app] => app [flashver] => FMLE/3.0 (compatible; FMSc/1.0) [swfurl] => rtmp://site.com/app [tcurl] => rtmp://site.com/app [pageurl] => [addr] => 10.0.0.1 [clientid] => 5437628 [call] => publish [name] => Name [type] => live [key] => key )

This array is passed via GET (or POST, as configurable in nginx-rtmp, but I haven't tested this as get works fine) to your on_publish target. If you check my nginx config code here: https://github.com/Fenrirthviti/stream-site/blob/master/src/nginx/conf.d/rtmp.conf#L16-L20

You can see where it's being passed to the streamauth.php file, which then just parses the array to validate against my database. Let me know if you have any further questions, I'm happy to share anything I've learned while working on this project, as many of the challenges I've had to overcome are poorly documented or not documented at all.

[Scrimson]

Yes I understand that part, I have a similar solution for validating if a user is allowed to publish to my rtmp server. The issue is that the key is also used to serve the rtmp stream to the visitor. The viewer is therefore able to hijack the stream by using the same key.

Broadcaster:

Stream software setup (for example OBS) Server URL: rtmp://site.com/app/ Stream key: $secret_key

Nginx-rtmp uses on_publish to check if the secret_key is allowed to publish. This works all fine. 400 code if not allowed, 200 code if allowed.

Visitor:

The website player (for example clappr) uses something like this: source: 'rtmp://site.com/app/$secret_key'

Or in case of HLS: source: 'http://site.com/app/$secret_key.m3u8'

to access and serve the stream to the visitor.

The visitor now knows the secret_key the broadcaster uses to stream to the server and can hijack the stream.

It should be something like:

rtmp://site.com/app/$masked_key HLS: http://site.com/app/$masked_key.m3u8

that resolves to the actual source rtmp://site.com/app/$secret_key HLS: http://site.com/app/$secret_key.m3u8

without exposing the actual stream key to the visitors.

I feel like I'm missing something very simple. Is there a way to name the rtmp / HLS stream other than using the stream key

[Fenrirthviti]

Yeah, what you're missing is that you don't pass the secret key as the actual stream name, you pass it as a GET param. So what you would need to do is:

rtmp://site.com/app/public_key?key=private_key

The ?key=private_key part is ONLY passed to the server, and you can validate it with on_publish.

For playback, you only need to do rtmp(http)://site.com/app/public_key(.m3u8)

[Scrimson]

huh damn, I think I understand now. Let me try it! I'll tell you if I can make it work.

Thanks a lot!

[Scrimson]

Works like a charm! Now I feel kinda stupid for not realizing earlier. It's not really a pretty streaming key, but that's okay as long as it works :)

Thanks for helping me, and btw I agree many of the challenges you have to overcome on projects like this are poorly documented. But I think you're doing a great job here!

Best regards!