August 13, 2015

Hotlinking protection in case of dynamically changing IP address



Streaming protection is crucial for companies selling premium access to their content. In most cases, Hotlinking protection is enough to restrict viewing of your media to authorized users. This method is very reliable and has been used for years, but sometimes it requires additional setup.

Quite often, a viewer's ISP routes connections through a chain of proxies. In this case you need to extract the client's IP address from the request headers to set up Hotlinking protection. See the "Using WMSAuth paywall with CloudFlare and other proxies" blog article for more information about this technique.

In rare instances, an ISP changes the client's IP address for every request to the media server. In this situation the media server blocks access to the stream, because the media URL signature no longer matches the viewer's IP address. As a result, even authorized users can't access the media content.

In this case you can use the Pay Per View framework (PPV) to protect your content and still allow authorized users to watch it. It lets you specify any unique user identifier instead of the IP address when generating the media URL signature.

Hotlinking protection is based on a signature generated in the following way:

<?php
// Signature timestamp in UTC
$today = gmdate("n/j/Y g:i:s A");
$initial_url = "rtsp://ec2-test-ip.compute.amazonaws.com:1935/live";
$video_url = "/Stream1";
// Viewer's IP address as seen by the web server
$ip = $_SERVER['REMOTE_ADDR'];
// A password entered in WMSAuth rule via web interface
$key = "defaultpassword";
// Number of minutes the link is valid for
$validminutes = 7;
// The hash binds the link to the viewer's IP address
$str2hash = $ip . $key . $today . $validminutes;
$md5raw = md5($str2hash, true);
$base64hash = base64_encode($md5raw);
$urlsignature = "server_time=" . $today . "&hash_value=" . $base64hash . "&validminutes=$validminutes";
$base64urlsignature = base64_encode($urlsignature);
$signedurlwithvalidinterval = $initial_url . "?wmsAuthSign=$base64urlsignature" . $video_url;
?>

The signature depends on the viewer's IP address. If the IP address changes during the session, the signature becomes incorrect and the media server blocks access to the requested content.

The difference with the PPV framework is that the $id parameter is used instead of the IP address.

<?php
$today = gmdate("n/j/Y g:i:s A");
// URL of media we want to handle with pay-per-view
$initial_url = "http://video.wmspanel.com:8081/vod/sample.mp4/playlist.m3u8";
// client ID which is defined based on customer's database of users
$id = "5";
// A password entered in WMSAuth rule via web interface
$key = "defaultpassword";
// How long the link would be valid for start playback
$validminutes = 7;
$str2hash = $id . $key . $today . $validminutes;
$md5raw = md5($str2hash, true);
$base64hash = base64_encode($md5raw);
$urlsignature = 'server_time=' . $today . '&hash_value=' . $base64hash . '&validminutes=' . $validminutes . '&id=' . $id;
$base64urlsignature = base64_encode($urlsignature);
$signedurlwithvalidinterval = $initial_url . "?wmsAuthSign=$base64urlsignature";
?>
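
The effect of the two signing schemes on the checking side, as an added example that is not part of the original article and is not the media server's own code. It assumes the check recomputes the hash from the fields inside wmsAuthSign; the function names wmsauth_sign and wmsauth_verify, the result strings, and the sample addresses are hypothetical.

```php
<?php
// Added sketch of the check implied by the signing samples; not the media
// server's own code. Function names and sample values are hypothetical.
// $binding is the viewer's IP (Hotlinking protection) or the $id (PPV).
function wmsauth_sign(string $binding, string $key, string $today, int $validminutes, bool $isId): string
{
    $hash = base64_encode(md5($binding . $key . $today . $validminutes, true));
    $sig  = "server_time=$today&hash_value=$hash&validminutes=$validminutes";
    return base64_encode($isId ? "$sig&id=$binding" : $sig);
}

function wmsauth_verify(string $sign, string $key, string $remoteAddr, int $now): string
{
    // Invalid base64 decodes to false, which becomes '' and fails the field check.
    $decoded = (string) base64_decode($sign, true);
    $f = [];
    // Split by hand: parse_str() would URL-decode and corrupt '+' in the hash.
    foreach (explode('&', $decoded) as $pair) {
        [$k, $v] = array_pad(explode('=', $pair, 2), 2, '');
        $f[$k] = $v;
    }
    $issued = DateTime::createFromFormat('!n/j/Y g:i:s A', $f['server_time'] ?? '', new DateTimeZone('UTC'));
    if ($issued === false || !isset($f['hash_value'], $f['validminutes'])) {
        return 'malformed';
    }
    // With id= present the hash is bound to the id, otherwise to the peer IP.
    $binding  = $f['id'] ?? $remoteAddr;
    $expected = base64_encode(md5($binding . $key . $f['server_time'] . $f['validminutes'], true));
    if (!hash_equals($expected, $f['hash_value'])) {
        return 'signature mismatch';
    }
    if ($now > $issued->getTimestamp() + 60 * (int) $f['validminutes']) {
        return 'expired';
    }
    return 'ok';
}

$key   = 'defaultpassword';
$now   = gmmktime(12, 0, 0, 8, 13, 2015);   // constructed issue time
$today = gmdate('n/j/Y g:i:s A', $now);
$byIp  = wmsauth_sign('203.0.113.10', $key, $today, 7, false);
$byId  = wmsauth_sign('5', $key, $today, 7, true);

// Constructed requests: same link, viewer's address changes mid-session.
echo wmsauth_verify($byIp, $key, '203.0.113.10', $now + 60), "\n";
echo wmsauth_verify($byIp, $key, '203.0.113.77', $now + 60), "\n";
echo wmsauth_verify($byId, $key, '203.0.113.77', $now + 60), "\n";
echo wmsauth_verify($byId, $key, '203.0.113.77', $now + 8 * 60), "\n";
```

The IP-bound link stops verifying as soon as the request arrives from a different address, while the id-bound link verifies from any address until $validminutes has elapsed.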

You can use a registered login, an e-mail address, or any combination of login, platform (web, Android, iOS) and device ID as the $id parameter. A good example is described in the "The Paranoid’s Guide to Internet Video Streaming" article.

To use the Pay Per View framework, you need to create your own PPV handler. Your media server synchronizes with this handler periodically to receive the list of IDs that must be blocked from accessing media. For detailed information about configuring the Pay Per View framework and creating your own handler, please read the "Pay-per-view for Wowza Media Server" and "Pay-per-view for Nimble Streamer" articles, and also check the Pay Per View framework section on WMSPanel.com.

Note that when you use Hotlinking protection, the media server decides whether to allow access based on whether the viewer's IP address matches. When you use the PPV framework, your handler makes the decision based on the business logic that you have defined for it. The media server sends periodic sync requests containing the IDs of current viewers to your handler and waits for a response containing the list of denied IDs.
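
The decision step of such a handler, as an added example that is not WMSPanel's code. Decoding the sync request and encoding the reply follow the format given in the articles referenced above and are not shown; the example assumes the decoded request yields one entry per active connection, and the function name ppv_denied_ids, the account fields and the sample data are hypothetical.

```php
<?php
// Added sketch of the business-logic half of a PPV handler. The wire format
// of the sync request and reply is not reproduced here. All names and data
// below are constructed.

// $viewers:  one entry per active connection reported by the media server.
// $accounts: the customer's own user table, keyed by the $id put in the URL.
function ppv_denied_ids(array $viewers, array $accounts, int $now): array
{
    // Count connections per id. The viewer's IP is deliberately ignored:
    // on the ISPs discussed here it changes from request to request.
    $connections = [];
    foreach ($viewers as $v) {
        $connections[$v['id']] = ($connections[$v['id']] ?? 0) + 1;
    }
    $denied = [];
    foreach ($connections as $id => $count) {
        $acct = $accounts[$id] ?? null;
        if ($acct === null                        // id was never issued by us
            || $acct['paid_until'] < $now         // paid access period is over
            || $count > $acct['max_streams']) {   // more connections than allowed
            $denied[] = (string) $id;             // numeric keys come back as int
        }
    }
    return $denied;
}

$now = gmmktime(12, 0, 0, 8, 13, 2015);           // constructed current time
$accounts = [                                     // constructed user table
    '5'             => ['paid_until' => $now + 3600, 'max_streams' => 1],
    '7'             => ['paid_until' => $now - 60,   'max_streams' => 2],
    'bob:android:1' => ['paid_until' => $now + 3600, 'max_streams' => 2],
];
$viewers = [                                      // constructed sync contents
    ['id' => '5'], ['id' => '5'],                 // two connections, one allowed
    ['id' => '7'],                                // subscription lapsed
    ['id' => 'bob:android:1'],                    // within limits
    ['id' => '42'],                               // unknown id
];

echo implode(',', ppv_denied_ids($viewers, $accounts, $now)), "\n";
```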

The PPV handler debugging approach is described in the "Debugging WMSPanel push API for pay-per-view and alerts" blog article.

Implementing your handler takes some time. To protect your links and let authorized users view your content before the PPV handler is working, you can use your already configured Hotlinking protection code with some changes. Just replace the $ip parameter with the $id to produce a correct media URL signature. Don't forget to add this parameter explicitly in your URL ('&id=' . $id).

In this case your media will be protected from unauthorized copying. If an abuser copies your media link signed using the $id parameter, the link will remain valid for the time specified in the $validminutes parameter. You can also create a WMSAuth rule to apply Hotlinking protection based on the $id parameter for a specific ISP's IP range.

With the PPV framework you can collect detailed per-user viewing statistics (view time, number of simultaneous connections, bandwidth) and control your streaming in compliance with your business logic.
