September 5, 2012

Restriction solution for geo, IP range and connections for Wowza

Restricting streaming by various criteria is a frequently requested feature in the media industry, so we're often asked about this type of control capability. So here is WMSAuth, a new centralized way of controlling your Wowza Streaming Engine and Nimble Streamer restrictions.

What does WMSPanel let you restrict?
  • Simultaneous connections count;
  • Maximum bandwidth allowed;
  • The countries your visitors may come from;
  • The IP ranges your visitors may come from;
  • Re-publishing of your links (hot-linking protection);
  • Both allow and deny rules for geo and IP ranges may be applied.
WMSAuth is also an entry and setup point for Pay-per-view framework for Wowza.

These restrictions may be applied to any of these Wowza entities:
  • Server;
  • Virtual host;
  • Application;
  • Application instance;
  • Stream.
Geo location updates are automatically downloaded from WMSPanel and your system administrator may forget about maintenance - we handle it.

Let's see how those things map together. Here's a brief model of our authentication rules.
WMSAuth groups model
Pay-per-view framework.
Geo-location restriction flowchart.

So let's see how it works.


To set up any restrictions you need to create one or more WMSAuth groups. Just go to Control -> WMSAuth payment setup top menu.



There may be an unlimited number of auth groups.
Groups list shows basic information about existing groups and their purpose.

Each group has:
  • one or more assigned servers which are going to be used for restricting their content
  • one or more rules that describe what and how we will make restrictions
Servers list is taken from the existing servers which are already added to the panel. So when you add a new group, you are asked to assign a server.

You can select any server that has been previously added to the panel.
Each rule has the following fields:
  • Group name to identify it;
  • Wowza entities definition;
  • Max simultaneous connections count;
  • Max bandwidth allowed;
  • Allow and deny rules for geo location and IP ranges;
  • WMSAuth re-publishing protection settings.

Any rule has a name.
"Rule name" may be any string you'd like to use for displaying.

The "What do you want to restrict?" section lets you define the Wowza entities which you want to apply your rules to. The entities are:
  • Virtual host;
  • Application;
  • Application instance;
  • Stream.
You may define one set of entities per rule. If you need to define several entities, you can create several rules within a WMSAuth group. Entities are described as POSIX regular expressions. So if you need to describe "stream1", "stream2" and "stream3" in a single rule, you can enter this string in the Stream field: "stream\d+". Or simply "stream"; this would also cover cases like "streams" or "live_stream".

Any Wowza entity may be used as a target for control.

Entity descriptions "work together". E.g. if you have servers "S1" and "S2" assigned to the group, and a rule with Application set to "live_app" and Stream set to "live_stream", the described restrictions will be applied to "live_stream" that is part of "live_app" located on the S1 and S2 servers.
But if you remove "live_app" from the Application field, all "live_stream" streams will be affected by the restriction rule.
The same goes for the app name. If you leave all other fields blank but enter "live_app" in Application, all streams for all app instances of live_app will be affected regardless of the vhosts.

If you leave all fields blank, restrictions from current rule will be applied to all vHosts, applications, instances and streams from the servers which are assigned to current WMSAuth group.
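The scoping behaviour described above, modelled as an added example (this is not WMSPanel's code). Python's `re.search` stands in for the agent's regular-expression matching, and the class names, rule names and sample entity values are constructed for illustration. It shows how an unanchored pattern such as "stream" widens a rule's scope and how anchoring with `^` and `$` narrows it.

```python
import re
from dataclasses import dataclass

FIELDS = ("vhost", "application", "instance", "stream")

@dataclass
class Rule:
    name: str
    vhost: str = ""
    application: str = ""
    instance: str = ""
    stream: str = ""

    def in_scope(self, target: dict) -> bool:
        # A blank field places no constraint; every filled field must match.
        for field in FIELDS:
            pattern = getattr(self, field)
            if pattern and not re.search(pattern, target[field]):
                return False
        return True

@dataclass
class Group:
    servers: set
    rules: list

    def matching_rules(self, server: str, target: dict) -> list:
        # Rules only apply on servers assigned to the group.
        if server not in self.servers:
            return []
        return [r.name for r in self.rules if r.in_scope(target)]

def entity(stream, application="live_app", instance="_definst_", vhost="_defaultVHost_"):
    # Constructed sample connection target.
    return {"vhost": vhost, "application": application, "instance": instance, "stream": stream}

# Constructed sample group: servers S1 and S2, four hypothetical rules.
GROUP = Group(
    servers={"S1", "S2"},
    rules=[
        Rule("loose", application="live_app", stream="stream"),
        Rule("exact", application="^live_app$", stream="^live_stream$"),
        Rule("numbered", stream=r"^stream\d+$"),
        Rule("everything"),
    ],
)

if __name__ == "__main__":
    for s in ("live_stream", "live_stream_backup", "stream2"):
        print(s, GROUP.matching_rules("S1", entity(s)))
```

When a restriction is meant for exactly one application or stream, the anchored form keeps similarly named entities out of its scope.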

"Connections restriction" sets the number of simultaneous connections and the bandwidth allowed for the selected entities. Just enter a number in "Connections count limit" and/or "Bandwidth limit". It has the topmost priority over rules defined below. For example, if you set the limit to 1000, the 1001st connection attempt will be refused. The same applies to bandwidth: incoming connections are allowed unless current bandwidth is higher than the limit. Read some details here.

Setting connections count and bandwidth limitation.

The "Geo and IP-based restrictions" section defines two sets of rules: Allow and Deny. For each set you can add both countries and pre-defined IP ranges. Deny list has top priority over allow list.

Set of countries and IP ranges may be used within allow and deny sections.
You can select countries from drop-down list. Each country may be either in deny or allow list.

Keep in mind that the WMSPanel agent does not have geo mapping data by default. The latest database is downloaded right after the first geo-location rule is created. This might take up to 10 minutes, but after that your server agent will have the freshest information available. We update it using the MaxMind database, which is considered an industry standard these days.

IP range access is the next thing you may control via our panel. You can define a named set of IP addresses which may be used in allow/deny lists. Go to the "Manage custom IP ranges" page and add one or more ranges in CIDR notation. The ranges you define will be available across all WMSAuth groups under the name you give them on creation or edit.

CIDR is used for entering IP ranges.
As mentioned earlier, allow rules have top priority over deny rules.

"Links re-publishing protection" is a re-use of existing functionality for protecting your streams against hot-linking.


After a small change to the server-side code, along with enabling WMSAuth in WMSPanel, it helps prevent theft of your content by complicating re-streaming.
Read more about it in this Wowza streaming protection blog post.

Working together, this simple structure brings a centralized solution for controlling access to your media services. We'll be enhancing this functionality, so if you miss any feature, let us know so we can improve it together.

FAQ: How do I allow my stream for just one country and forbid for all others?

Say you need people from Antigua and Barbuda to watch your live broadcast and want to hide it from all other countries. Just add the country to the allow list, then scroll down to re-publishing protection, check all protocols and enter any non-zero length password. If someone comes from Antigua, he (or she) will pass the check for the allow list and will be allowed to watch the stream. Any guy from, say, Jamaica, will pass the check for country (as Jamaica is in neither the allow nor the deny list) but will fail the check for re-publishing protection.

FAQ: What if WMSPanel becomes inaccessible due to network failure?

No problem, the WMSPanel agent will still be able to work. All settings are stored on the Wowza server side, including the GeoIP database, so the restrictions will apply without interruption and your assets will be protected regardless of WMSPanel accessibility.


Please check FAQ and Troubleshooting section for other questions.


WMSAuth functionality comes free of charge for all subscribed users. You can try our service today and contact us for enabling this feature set.

Related documentation


  • WMSPanel paywall framework for Wowza and Nimble Streamer
  • Wowza hotlinking re-publishing and re-streaming protection
  • Domain hotlinking protection
  • Integrating WMSAuth to your website
  • Bandwidth limitation for Wowza
  • Pay-per-view for Wowza Media Server
  • Adding Dispersa server IP range to allow list
  • Hotlinking protection with stream-based signature


This product includes GeoLite data created by MaxMind(c), available from http://www.maxmind.com

4 comments:

  1. Hello, is it possible to create user and password for accessing the stream? I need this kind of restriction. It's for private content audio streaming.

    1. Hi,

      You can always use WMSAuth in addition to your user authentication scheme. Once you authorize a person, you can provide a signed URL which will not be re-used by anyone else.

  2. There are some websites stealing our streaming to put on their website. Can WMSAuth block those websites? Will it affect client side?

    Thank you.

    1. Hi Vichea,

      If those people re-stream using your original link, then WMSAuth will definitely help you.
