Restriction of streaming by some criteria is an often required feature in media industry. This is why we're often asked about this type of control capability. So here it is, a new centralized way of controlling your Wowza Media Server streaming restrictions.
What does WMSPanel allow to restrict?
- Simultaneous connections count;
- Maximum bandwidth allowed;
- Limit the countries where your visitors are from;
- Lock the IP ranges of your visitors;
- Make links re-publishing protection;
- Both allow and deny rules for geo and IP ranges may be applied.
- Virtual host;
- Application instance;
Let's see how those things map together. Here's a brief model of our authentication rules.
|WMSAuth groups model (click to zoom)|
To set up any restrictions you need to create one or more WMSAuth groups. Just go to WMSAuth top menu.
There may be unlimited number of auth groups.
|Groups list shows basic information about existing groups and their purpose.|
Each group has:
- one or more assigned servers which are going to be used for restricting their content
- one or more rules that describe what and how we will make restrictions
|You can select any server that have been previously added to the panel.|
- Group name to identify it;
- Wowza entities definition;
- Max simultaneous connections count;
- Max bandwidth allowed;
- Allow and deny rules for geo location and IP ranges;
- WMSAuth re-publishing protection settings.
|Any rule has a name.|
"What do you want to restrict?" section allows to define Wowza entities which you want to apply your rules to. The entities are:
- Virtual host;
- Application instance;
|Any Wowza entity may be used as a target for control.|
Entities descriptions "work together". E.g. if you have servers "S1" and "S2" assigned to the group, and you have a rule having Application set to "live_app" and Stream to "live_stream" that would mean that described restrictions will be applied to "live_stream" that is part of "live_app" located at S1 and S2 servers.
But if you remove "live_app" from Application field, this would mean that all "live_stream" streams will be affected by the restriction rule.
The same for app name. If you leave all fields blank, but enter "live_app" in Application, this would mean that all streams for all app instances of live_app will be affected regardless of the vhosts.
If you leave all fields blank, restrictions from current rule will be applied to all vHosts, applications, instances and streams from the servers which are assigned to current WMSAuth group.
"Connections restriction" sets up a number of simultaneous connections and bandwidth allowed for selected entities. Just enter a number in "Connections count limit" and/or "Bandwidth limit". It has the topmost priority over rules defined below. For example if you set the limit to 1000 then once a 1001st connection will be attempted to establish, it will not be allowed to do it. The same applies for bandwidth: incoming connections are allowed unless current bandwidth is higher than the limit. Read some details here.
|Setting connections count and bandwidth limitation.|
"Geo and IP-based restrictions" section defines 2 set of rules: Allow and Deny. For each section you can add both countries and pre-defined IP ranges. Allow list has top priority over deny list.
|Set of countries and IP ranges may be used within allow and deny sections.|
Keep in mind that WMSPanel agent does not have geo mapping data by default because the latest-and-greatest database is downloaded right after creation of first geo-location rule. So this might take up to 10 minutes but after that your server agent will have the freshest information available. We update it using MaxMind database which is considered as industry standard these days.
IP ranges access is the next thing you may control over our panel. You can define a named set of IP addresses which may be used in allow/deny lists. Go to "Manage custom IP ranges" page and add one or more range in CIDR notation. The ranges which you define will be used across all WMSAuth groups with the name which you define during it creation or edit.
|CIDR is used for entering IP ranges.|
"Links re-publishing protection" is a re-use of existing functionality for protecting you streams against hot-linking.
After small changing of server side code along with enabling WMSAuth in WMSPanel, it allows preventing stealing your content by complicating re-streaming.
Read more about it in this Wowza streaming protection blog post.
Working together, this simple structure brings a centralized solution for controlling access to your media services. We'll be enhancing this functionality so if you miss any feature, let us know so we could improve it together.
FAQ: How do I allow my stream for just one country and forbid for all others?
Say you need people from Antigua and Barbuda watch your live broadcast and hide it from all other countries. Then just add "Antigua and Barbuda" to allow list, then scroll down to re-publishing protection, check all protocols and enter any non-zero length password. So if someone comes from Antigua, he (or she) will pass the check for allow list and will be allowed to watch the stream. Any guy from, say, Jamaica, will pass the check for country (as Jamaica is neither in allow or deny list) but will fail the check for re-publishing protection.
WMSAuth functionality comes free of charge for all subscribed users. You can try our service today and contact us for enabling this feature set.
This product includes GeoLite data created by MaxMind(c), available from http://www.maxmind.com