August 10, 2015

Domain Lock techniques for media streaming in Nimble Streamer

Streaming process is closely related to your website promotion. You need to restrict the ability of copying your media-links for maximizing profits. This limitation is called Domain Lock and allows to keep your content unique. Here are basic techniques you can use for that.

Robust protection can be achieved via the Hotlinking protection. You need to add a media URL signature and this signed URL won't be played on other domains. For more information please check the "Hot-linking protection and domain locking" blog article. However, this type of protection requires to modify your front-end source.

Sometimes abusers act as "man-in-the-middle", requesting web page from viewer's IP address, taking URL from that page and pasting it into its own media player via special applications. In this case you need to use more complex protection (you can check the detailed information about this technique in "Protecting media links from web scraping" article in our blog).

In some cases it is sufficient to play a media file only from specific URL, which contains your domain name. There is a simplified method that doesn't require changing your front-end source and protects your content from viewing from third-party web pages. This method is based on checking the crossdomain.xml file by media player integrated in web page (see the Cross-domain policy and access control in Nimble Streamer blog article for details).

One more way to secure your stream is to use WMSAuth rules which is described below. This method allows to view video which has a specific domain name in the URL. This restricts the domain mapping to your domain and allows to track on which web resources URLs to your content is included.

You can also combine the above methods to create multi-level protection for your content. These methods completely cover more traditional approaches used in other security systems. They assume that you need to add specific domain names to restrict streaming while WMSPanel feature set is more flexible and powerful.

Let's see how Domain Lock can be implemented in Nimble Streamer using WMSAuth rules mentioned above.

You need to create two rules:
1. Allow viewing for your domain;
2. Deny viewing for other domains.

We assume that you already have streams those should be protected.

To set up streaming you could check the following articles:
HTTP Live Streaming (HLS) as live origin;
HTTP Live Streaming (HLS) for Video on Demand;
Streaming VOD from remote HTTP storage via Nimble Streamer.

Set up streaming rules

You need to specify the IP range before setting up the rules. We are going to allow all possible IP addresses for the first rule.

Set up IP range

Go to "Control" -> "WMSAuth paywall setup" and press the "MANAGE CUSTOM IP RANGES" link.

Press the "ADD IP RANGE" link in the appeared dialog.

Give the Name and the Description for your IP range, then press the "Save IP range" button.

Specify the IP address range using CIDR notation. To set all possible IP addresses type  and press the "Add range" button.

After you add the IP range for all possible IP addresses ( - you need to add your media server in WMSAuth group and set up the rules.

Adding media server in WMSAuth group

Go to "Control" -> "WMSAuth paywall setup".
Press the "Add WMSAuth group" button in upper-left corner of dialog.

Type the Name of your group (e.g. Domain Lock) and Description in the appeared dialog. Then press the "Greate WMSAuth group" button.

You need to assign one or more servers in the WMSAuth group in the appeared dialog.

Choose your media server in the dropdown list and press the "Assign server" button. You should see a message that server is already assigned. If you want to assign more media servers to this WMSAuth group just repeat the steps above.

Set up the allowing rule

Press the "Add rule" button.

First we should create the rule which allows access to media files only for your domain (e.g. Give a name to the rule (e.g. Allow streaming for

In the "Virtual Host" field specify the name of your domain (you can use POSIX regular expressions to specify parameters in this field).
Add the IP range which we created at the "Set up IP range" section in allow list. Choose the IP range ("All IP addresses" in our case)  and press the "<<Add" button. Our IP range should appear in "Allow countries and IP ranges" list. Press the "Create WMSAuth rule" button.

Next you should create the rule that deny access for all other domains.

Set up the denying rule

Press the "Add rule" button again.

Specify the rule name (e.g. Deny streaming for other domains). Scroll down to the "Links re-publishing protection" section and specify a strong enough password.

Press the "Create WMSAuth rule" button.

That's it!

As a result, we have two rules which allow viewing content only from your domain ( in our case) and block this ability for other domains.

Please contact us if you have any problems with installation. You are also welcome to suggest any improvements or ask any questions, we're opened for collaboration.
You can also read and post at WMSPanel company forum to find use cases and answers from other users and companies.

Related documentation

No comments:

Post a Comment