December 25, 2014

SSL support for HLS, MPEG-DASH, Icecast, MPEG-TS and SLDP

Secure streaming is required in several scenarios in our customers' environments. This is why we are working on implementing security feature set. One of the high-demand features is SSL streaming for HLS, MPEG-DASH, MPEG-TS, Icecast, progressive download and SLDP via Nimble Streamer. In this case streams are available via HTTPS protocols stack.

Nimble Streamer team has implemented this feature.

To set up HTTPS streaming, you need to generate SSL certificate first. This is done separately and you can read articles here to see an example of such activity. Usually SSL certificates are purchased by some provider like GoDaddy and these companies provide plenty of information about this process.

In this article we assume:
  • you already have a certificate for further setup,
  • your certificate and its key are located at your server and 
  • they are ready for further usage.
You will need to make changes to Nimble Streamer settings to make it work for your media streaming. These settings are stored in /etc/nimble/nimble.conf file.

Follow the steps described below to enable SSL-powered streaming.

1. General parameters


ssl_port parameter - this is port number for SSL connections. Example:
ssl_port = 443
By default, Nimble Streamer handles connections via the port specified in config at "port" parameter. Usually it's port 8081. If you need Nimble Streamer to handle connections via SSL only, please set this parameter to 0, like this:
port = 0
If it has some other value, Nimble still handles streaming connections through 2 ports via both HTTP and HTTPS. If you remove "port" parameter, Nimble will use default value "8081"

ssl_protocols parameter specifies what SSL protocols are used. It requires the list of protocols separated by spaces, e.g.
ssl_protocols = TLSv1 TLSv1.1 TLSv1.2
Full list is: SSLv2, SSLv3, TLSv1, TLSv1.1, TLSv1.2, default protocols are TLSv1, TLSv1.1 and TLSv1.2.


2. Certificates and domains


The following parameters define the usage of SSL certificate for your Nimble Streamer instance:
  • ssl_certificate is full path to certificate located at your server;
  • ssl_certificate_key is full path to certificate key located at your server;
  • ssl_certificate_key_pass - if you use encryption for your certificate key, you need to specify a password here. This is optional parameter, so if you don't use encryption, just don't add it into the config.


2.1 Multiple certificates


Besides server-wide certificate, you can assign specific certificates and keys to a certain set of domains. This is handled by adding appropriate ssl_server sections to the config. Each section may have the following items.
  • server_name describes server name patterns to apply certificate to - see the description below;
  • ssl_certificate, ssl_certificate_key and ssl_certificate_key_pass as described above.
server_name element defines the host names where the certificate will be applied to. Multiple names are separated by spaces.
There are 3 types of name patterns you may use:
  • exact match works when you specify the exact name of the host you want it to work for.
  • wildcard match name may contain an asterisk only on the name’s start, and only on a dot border. It will match all domains which start with anything before the asterisk with the exact name after it. So wildcard "*." may be used only once in one name pattern. Example: *.wmspanel.com matches for all <anything>.wmspanel.com host names.
  • regexp match starts with '~' character and consists of a Perl-compatible regular expression describing the name pattern for all required host names.
You may have any number of ssl_server sections in your Nimble Streamer config. The first section will be the default one in case of multiple server_name parameters match the same host.

Here's an example of SSL config parameters:
ssl_port = 443
ssl_protocols = TLSv1 TLSv1.1 TLSv1.2
ssl_certificate = /conf/cert/default.crt
ssl_certificate_key = /conf/cert/default.key.dec
ssl_server {
    server_name = *.wmspanel.com ~^.*\.wmspanel.com$
    ssl_certificate = /conf/cert/wildcard_wmspanel_com.crt
    ssl_certificate_key = /conf/cert/wildcard_wmspanel_com.key.dec
}
ssl_server {
    server_name = wmspanel.com
    ssl_certificate = /conf/cert/wmspanel_com.crt
    ssl_certificate_key = /conf/cert/wmspanel_com.key.dec
}

3. Apply config


To apply config changes please re-start Nimble by running:
sudo service nimble restart

You can read more about Nimble Streamer parameters and their usage in this reference article.

4. SSL cache and control API 


Nimble Streamer has certificates cache. So it takes each SSL certificate from cache if it's already there, and it doesn't re-load it on each connection.

If you need to reload certificates in real-time without re-starting Nimble Streamer, you may use Nimble API. It has /manage/reload_ssl_certificates method for this. This method receives POST request and Nimble Streamer re-loads all current certificates. If they are loaded successfully, all new connections will use this new set, even though some of them may have been used previously. Currently connected clients will keep previous certificates for their current sessions until they are closed.

Example of API call:
curl -X POST http://127.0.0.1:8083/manage/reload_ssl_certificates

Troubleshooting


Some browsers or client software may fail to recognize your certificate even though it's valid. In this case you may need to get SSL certificate chain (root and intermediate certificates) combined into a single .crt file and use that file with Nimble Streamer. If you use Linux, you can do that by concatenating both files using this command:
cat your_site_certificate.crt root_certificate.crt > your_site_chained_certificate.crt



Please feel free to install Nimble Streamer to try this and other security-related features in action. Contact us in case of any questions or issues.

Related documentation


Nimble StreamerHotlink protection for Nimble StreamerPaywall for Nimble Streamer, Live streaming, VOD streamingSLDP low latency streaming,

No comments:

Post a Comment