October 10, 2014

Hotlink protection with stream-based signature

One of WMSPanel key capabilities is WMSAuth security feature set for streaming protection and restriction. Hotlinking protection is one of our most popular features, as it prevents media streams theft.

We've got requests for improvements of this feature and one of the most popular ones was to add stream name into stream signature to make it unique for each stream.

And so we did. In addition to existing functionality, a couple of new parameters were added to cover this use case. Let's go step by step to see how it's deployed.

Caution. You need to apply this instruction to the test applications and streams first before running it in production mode.

1. Set up WMSAuth


Install Nimble Streamer and then follow hotlink protection setup instruction.


2. Test your solution


Please test the basic hotlink protection before continuing to the next step.
  1. Your stream must be playing with the WMSAuth signature
  2. Your stream must not play when the signature is removed.

Then follow the final step.

3. Add stream parameter


Now you need to add new $signed_stream variable and strm_len parameter to the source code which generates the signature.

The $signed_stream variable needs to have the name of the stream which you protect. You may also use part of the name if you need to protect streams by pattern.

The strm_len parameter is just a length of the stream which you selected. You can calculate it with the basic string length function of your programming language.

Take a look at the code example below.


<?php $today = gmdate("n/j/Y g:i:s A");
$initial_url = "http://video.wmspanel.com/live/stream/playlist.m3u8";
$signed_stream = "live/stream";
$ip = $_SERVER['REMOTE_ADDR'];
$key = "defaultpassword";
$validminutes = 20;
$str2hash = $ip . $key . $today . $validminutes . $signed_stream;
$md5raw = md5($str2hash, true);
$base64hash = base64_encode($md5raw);
$urlsignature = "server_time=" . $today ."&hash_value=" 
. $base64hash. "&validminutes=$validminutes" 
. "&strm_len=" . strlen($signed_stream);
$base64urlsignature = base64_encode($urlsignature);
$signedurlwithvalidinterval = $initial_url . "?wmsAuthSign=$base64urlsignature";
?>

You can also download this example from our github repository.

Now when the change is made, please test your solution.
  1. Your stream must be playing with the WMSAuth signature.
  2. Your stream must not play when the signature is removed.
  3. When the signature is applied to another stream, it must not play.
If all tests pass, then you're ready to apply this instruction to the production stream and stream to the audience.

If you need more sophisticated protection for HLS, please consider using HLS AES-128 DRM encryption supported by Nimble.

If you need any help, check our FAQ first and contact us in case of other questions.

Related documentation


WMSPanelNimble StreamerHotlink protection for Nimble StreamerWMSAuth security feature set articles, Paywall for Nimble StreamerPaywall FAQ


No comments:

Post a Comment