November 5, 2013

Hot-linking protection for Nimble Streamer

Nimble Streamer paywall capabilities cover several aspects of content protection. The most common abuse case is someone taking a media link from the source, e.g. from your website, and inserting it into their own web pages. They use the content while you don't get any profit from it.

Hence we implemented protection against link republishing ("hijacking"), also known as hotlink protection.

The protection consists of 3 parts:

  1. Nimble Streamer
  2. code snippet on a web page which generates a signature for the streaming media
  3. the interface to control the protection.

The protection is integrated in two steps:
  1. Change the media player web page so that the media URL carries a signature.
  2. Set up protection via WMSPanel.

Nimble Streamer and WMSPanel do the rest. If you haven't yet installed Nimble Streamer, you need to follow this simple installation procedure.

Here's a workflow chart for the basic scenario.
Nimble Streamer hotlinking protection flow.

1. Make media signature


To sign the media URL for further recognition and handling, the web page with the media player must be slightly modified.

For example, you have this URL for your live stream:
http://stream.company.com:8081/vod/sample.mp4/playlist.m3u8
The modified URL would be:
http://stream.company.com:8081/vod/sample.mp4/playlist.m3u8?wmsAuthSign=c2VydmVyX3RpbWU9NS80LzIwMTIgODozMzowNSBBTSZoYXNoX3ZhbHVlPXE3MjN6aEVmdGFUOUJoWjBQTmw1TVE9PSZ2YWxpZG1pbnV0ZXM9MjA2
To generate the signature, modify your front-end source to include a snippet like the one below, written in PHP.

<?php
$today = gmdate("n/j/Y g:i:s A"); // UTC time of signing
$initial_url = "http://stream.company.com:8081/vod/sample.mp4/playlist.m3u8";
$ip = $_SERVER['REMOTE_ADDR']; // viewer address as seen by the web server
$key = "defaultpassword"; //this is also set up in WMSPanel rule
$validminutes = 20; // how long the signed link stays valid

// MD5 over IP + key + timestamp + validity period, then base64
$str2hash = $ip . $key . $today . $validminutes;
$md5raw = md5($str2hash, true);
$base64hash = base64_encode($md5raw);
// Pack the parameters and base64-encode them into the wmsAuthSign value
$urlsignature = "server_time=" . $today ."&hash_value=" . $base64hash. "&validminutes=$validminutes";
$base64urlsignature = base64_encode($urlsignature);

$signedurlwithvalidinterval = "$initial_url?wmsAuthSign=$base64urlsignature";
?>

Here, the key is a password that is used later when setting up the rule in the control panel. The validminutes parameter is the number of minutes during which the signed link remains valid. This covers the cases when people read the page and then start the playback with some delay.

You can find more samples in the WMSAuth samples GitHub repository and adapt them for your use case.

2. Make control panel settings


After the code is set up on the web server side, Nimble Streamer must be notified about the protection settings. Re-streaming protection is provided as part of the WMSAuth feature set.

Click on the Control -> WMSAuth paywall setup top menu item to start the setup process.

2.1 WMSAuth group


In WMSAuth, every restriction may be applied to a group of servers. So the first thing to do is to create a group and assign one or more Nimble servers to it. Check the screenshot below for details.



You can create any number of groups and assign each server to any of them. Of course, you can add multiple servers to each group.

2.2 WMSAuth rule


Within a group, there may be several rules, each working with its own set of streaming entities (like streams). Just click on "Add rule" to open the rule creation page.

First, enter the rule name and then go to the section called "What do you want to restrict". Check the screenshot to see where you can specify the application or stream regular expression. Since we use the same interface for controlling Wowza and Nimble WMSAuth, you can see the application instance field as well; you should skip it for Nimble.

The Virtual host field specifies the domain name or host which is used for accessing media in its URL. Thus you can apply settings to a specific host in case you need different rules for different interfaces or hosts.


Specifying application or stream to be protected against hotlinking.

The last thing to specify is the key (a password), which was inserted into the media signature on the web server side in section "1. Make media signature" above. The time tolerance parameter sets the maximum time difference allowed between the web server and the media server. Ideally their clocks should match, but if you know that they may differ by several seconds, use this field to set the number of seconds for that difference.

After you save the rule, it will be applied to the server within a few seconds.

Entering a key and a time tolerance to make media URL signature.

Now that the protection rule is enabled, the media is protected from hot-linking.
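To show how the key, validminutes and time tolerance settings interact, here is an added example (not code from the original page or from Nimble Streamer): a Python port of the PHP signing snippet plus a model of the check a media server would have to make. The verify function, its window logic and the sample IP addresses are assumptions for illustration; the actual server-side check is not shown on this page.

```python
import base64, hashlib, hmac
from datetime import datetime, timedelta, timezone

FMT = "%m/%d/%Y %I:%M:%S %p"  # parses PHP's gmdate("n/j/Y g:i:s A") output

def php_time(t):
    """Format a UTC datetime the way gmdate("n/j/Y g:i:s A") does."""
    return (f"{t.month}/{t.day}/{t.year} {t.hour % 12 or 12}:"
            f"{t.minute:02d}:{t.second:02d} {'AM' if t.hour < 12 else 'PM'}")

def _hash(ip, key, server_time, validminutes):
    raw = f"{ip}{key}{server_time}{validminutes}".encode()
    return base64.b64encode(hashlib.md5(raw).digest()).decode()

def sign(ip, key, now, validminutes):
    """Port of the page's PHP snippet; returns the wmsAuthSign value."""
    today = php_time(now)
    sig = (f"server_time={today}&hash_value={_hash(ip, key, today, validminutes)}"
           f"&validminutes={validminutes}")
    return base64.b64encode(sig.encode()).decode()

def parse(token):
    """Decode wmsAuthSign; split on the first '=' only, because
    hash_value itself ends in base64 '=' padding."""
    raw = base64.b64decode(token).decode()
    return dict(p.split("=", 1) for p in raw.split("&"))

def verify(token, client_ip, key, now, tolerance_s=0):
    """Assumed model of the server-side check, not Nimble's actual code."""
    f = parse(token)
    want = _hash(client_ip, key, f["server_time"], f["validminutes"])
    if not hmac.compare_digest(want.encode(), f["hash_value"].encode()):
        return "bad hash: wrong key, or viewer IP differs from the signed IP"
    issued = datetime.strptime(f["server_time"], FMT).replace(tzinfo=timezone.utc)
    skew = timedelta(seconds=tolerance_s)
    if now < issued - skew:
        return "not yet valid: web server clock is ahead of the media server"
    if now > issued + timedelta(minutes=int(f["validminutes"])) + skew:
        return "expired"
    return "ok"

if __name__ == "__main__":
    # Constructed sample values; the key is the page's example password.
    t0 = datetime(2013, 11, 5, 12, 0, 0, tzinfo=timezone.utc)
    tok = sign("203.0.113.7", "defaultpassword", t0, 20)
    print(verify(tok, "203.0.113.7", "defaultpassword", t0 + timedelta(minutes=5)))
    print(verify(tok, "198.51.100.9", "defaultpassword", t0))  # proxy/other viewer
    print(verify(tok, "203.0.113.7", "defaultpassword", t0 - timedelta(seconds=8), 10))
```

The second call fails because the signature is bound to the address the web server saw, which is why a proxy between viewer and media server needs the separate configuration mentioned below.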

If you use CloudFlare or any other proxy, please consider this code and config update for CloudFlare usage.

Please also consider hotlinking protection with stream-based signature, which allows making unique signatures for any stream. Hot-linking protection can also be combined with Pay-per-view for Nimble Streamer, which allows creating a custom workflow based on detailed real-time streaming information sent to your own handler.

Also, the hotlinking protection technique may be used as a replacement for domain lock; read this article for an explanation.

You can also block viewers by HTTP User-Agent header, by geo-location, and by HTTP Referer header.

If you need more protection for HLS, please consider using HLS AES-128 DRM encryption supported by Nimble.


Nimble Streamer is capable of several other features which are described on the Nimble Streamer website. If you want to know how to integrate this feature set into your workflow or you have any questions, feel free to contact us.
