Aysad Kozanoglu - Mimarist

Server Howtos & Tutorials

nginx rtmp auth method

12 November, 2018 | config files
rtmp {
    server {
        listen 1935;
        ping 30s;
        notify_method get;

        application stream {
            live on;
            on_publish http://localhost[:port]/auth;
            on_play http://localhost[:port]/auth;
            record off;
        }
    }
}

This just sets up the stream and makes nginx call a given URL on_publish (i.e. when someone wants to stream to the server) and on_play (i.e. when someone tries to play back the stream). The publish or play request is only accepted if that URL returns an HTTP 2xx status code; otherwise the connection is dropped.

We can work this to our advantage and just set up a quick and dirty server in the http section of nginx that directly checks for a given secret:

server {
    listen <port>;
    location /auth {
        if ($arg_token = 'YOURPASSWORD') {
            return 201;
        }
        return 404;
    }
}

You could also implement multiple URLs with different secrets for streaming and playing, or you could let a script of your choosing answer the URL request and check for a username and a password or ID in a database. Once all is done you can access the stream via rtmp://host.tld/stream/user?token=YOURPASSWORD. Of course this sends your password in plaintext, so you should take precautions and, if your software supports it, use rtmp via SSL/TLS.

rtmp with PHP auth

Server side configuration

Starting from the old example, we set up a basic rtmp section:

rtmp {
    server {
        listen 1935;
        ping 30s;
        notify_method get;

        application stream {
            live on;
            on_publish http://yourdomain.com/rtmp_auth.php;
            record off;
        }
    }
}

The on_publish command can point to any web address that you like. It could be supplied via the nginx server as well or you could use an apache2 instance for that. You can also use a completely different server if you wish. For now, we assume that there is a php script rtmp_auth.php which sits in the webroot of your webserver.

The above line will do the following:

As soon as someone tries to publish a stream to your domain, the nginx rtmp module will issue an HTTP request to the on_publish url (a GET request here, because notify_method get is set).
nginx will supply the script with the GET variable “name” and fill it with whatever comes directly after your initial stream url.
It will also pass on any further GET style variables via the standard ?var1=value1&var2=value2 syntax.
It will wait for an HTTP return code which either tells it that everything is fine and streaming should commence (201) or that something went wrong and it should drop the connection (404).

Suppose someone uses the following url to connect to your rtmp server:

rtmp://yourdomain.com/stream/ahmet?token=PASSWORD

nginx will then call your rtmp_auth.php script like this:

http://yourdomain.com/rtmp_auth.php?name=ahmet&token=PASSWORD

Inside your php script you then have access to the $_GET array, which holds your values (they arrive in the query string because notify_method get is set), and you can do whatever you want with them. In the following example we will use a php array $valid_users to hold a list of allowed users and passwords. Of course, you could instead connect to a database and query for the username and password. The interesting part is all in the if-statement which follows after that.

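<?php
# notify_method get is set in the rtmp section, so the values arrive in the query string ($_GET)
$username = $_GET["name"] ?? "";  # the part of the stream key before the ?
$password = $_GET["token"] ?? ""; # the value of the token variable
$valid_users = array("john" => "supersecret",
                     "winnie" => "thepooh",
                     "batman" => "nananananananana");
# Accept only a known user with a matching token. A missing name or token must
# never match: with a plain == check, two missing values compare as equal.
if (is_string($username) && is_string($password)
    && isset($valid_users[$username])
    && hash_equals($valid_users[$username], $password)) {
    http_response_code(201); # return 201 "Created"
} else {
    http_response_code(404); # return 404 "Not Found"
}
?>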

With this code, if the credentials check out, we return a 201 status code which tells nginx that whoever tries to connect is allowed to stream. If they do not, we issue a 404 and tell the client to get lost.
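The same on_publish check written as a small standalone service, for the case mentioned earlier where a script of your choosing answers the callback. This is an added example, not code from the original post. The port 8080, the /auth path, the USERS table and the choice to store SHA-256 digests of random stream tokens are assumptions.

```python
import hashlib
import hmac
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import parse_qs, urlparse

# Constructed sample data: stream name -> SHA-256 hex digest of that user's token.
# Storing digests keeps the tokens themselves out of the script.
USERS = {
    "ahmet": hashlib.sha256(b"PASSWORD").hexdigest(),
}


def decide(path_and_query):
    """Return the HTTP status for one callback URL sent by nginx-rtmp."""
    url = urlparse(path_and_query)
    if url.path != "/auth":
        return 404
    args = parse_qs(url.query)  # blank values are dropped, so "token=" counts as missing
    names, tokens = args.get("name", []), args.get("token", [])
    # Exactly one name and one token: missing or repeated values are rejected.
    if len(names) != 1 or len(tokens) != 1:
        return 404
    # Unknown users get an empty digest, which can never equal a real one.
    expected = USERS.get(names[0], "")
    supplied = hashlib.sha256(tokens[0].encode()).hexdigest()
    # Constant-time comparison; 201 lets the stream start, 404 drops it.
    return 201 if hmac.compare_digest(supplied, expected) else 404


class AuthHandler(BaseHTTPRequestHandler):
    def do_GET(self):  # requires notify_method get in the rtmp section
        self.send_response(decide(self.path))
        self.end_headers()

    def log_message(self, fmt, *args):
        pass  # the default logger would write the full URL, token included


if __name__ == "__main__":
    # Bind to loopback only, so nginx on the same host is the only caller.
    HTTPServer(("127.0.0.1", 8080), AuthHandler).serve_forever()
```

With this running, on_publish would point at http://127.0.0.1:8080/auth.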

Client side configuration

Let us suppose your streaming client uses open broadcaster studio (OBS), a free and open source streaming utility which works with pretty much all major streaming sites and can also be configured for a custom site.

In OBS, you set the stream type to Custom Streaming Server and as the url you would use rtmp://yourdomain.com/stream/. As the stream key you would set ahmet?token=PASSWORD or any other username / password combination. If you want to supply more information you can supply more GET style variables by appending &var1=value1&var2=value2 and so on. Anything you write before the ? in the stream key field will end up in the variable $_GET["name"] inside your php script.

Useful links:
https://smartshitter.com/musings/2018/06/nginx-rtmp-streaming-with-slightly-improved-authentication/

https://smartshitter.com/musings/2017/12/nginx-rtmp-streaming-with-simple-authentication/