Secure streaming is required in several scenarios in our customers' environments. This is why we are working on implementing a security feature set. One of the most requested features is SSL streaming for HLS, MPEG-DASH, MPEG-TS, Icecast, progressive download and SLDP via Nimble Streamer. In this case streams are served over the HTTPS protocol stack.
Nimble Streamer team has implemented this feature.
To set up HTTPS streaming, you need to obtain an SSL certificate first. Usually SSL certificates are purchased from a provider like GoDaddy, and these companies provide plenty of information about this process.
In this article we assume:
- you already have a certificate for further setup,
- your certificate and its key are located at your server and
- they are ready for further usage.
Follow the steps described below to enable SSL-powered streaming.
Notice that Nimble Streamer supports Let's Encrypt certificates. Read this article for full setup details.
1. General parameters
The ssl_port parameter is the port number for SSL connections. Example:
ssl_port = 443
By default, Nimble Streamer handles connections via the port specified by the "port" parameter in the config, usually port 8081. If you need Nimble Streamer to handle connections via SSL only, set this parameter to 0, like this:
port = 0
If it has some other value, Nimble still handles streaming connections through two ports, via both HTTP and HTTPS. If you remove the "port" parameter, Nimble will use the default value "8081".
The ssl_protocols parameter specifies which SSL/TLS protocols are used. It takes a list of protocols separated by spaces, e.g.
ssl_protocols = TLSv1 TLSv1.1 TLSv1.2
The full list is: SSLv2, SSLv3, TLSv1, TLSv1.1, TLSv1.2. The default protocols are TLSv1, TLSv1.1 and TLSv1.2.
HTTP/2 is supported by Nimble Streamer and it can be used only when streaming over HTTPS. In order to process HTTP/2 requests, use this parameter:
ssl_http2_enabled = true
Read this article for more details on HTTP/2 usage.
2. Certificates and domains
2.1 Single certificate
The following parameters define the usage of SSL certificate for your Nimble Streamer instance:
- ssl_certificate is full path to certificate located at your server;
- ssl_certificate_key is full path to certificate's private key located at your server;
- ssl_certificate_key_pass - if your certificate key is encrypted, specify its password here. This parameter is optional, so if the key is not encrypted, just don't add it to the config.
Here's an example of SSL config parameters:
ssl_port = 443
ssl_certificate = /conf/cert/default.crt
ssl_certificate_key = /conf/cert/default.key.dec
These settings will work for the entire server.
2.2 Multiple certificates
Besides the server-wide certificate, you can assign specific certificates and keys to a certain set of domains. This is done by adding ssl_server sections to the config. Each section may contain the following items:
- server_name describes the server name patterns the certificate applies to; see the description below;
- ssl_certificate, ssl_certificate_key, ssl_certificate_key_pass and ssl_http2_enabled as described above.
The server_name element defines the host names the certificate will be applied to. Multiple names are separated by spaces.
There are 3 types of name patterns you may use:
- exact match: specify the exact name of the host the certificate should work for.
- wildcard match: a name may contain an asterisk only at the name's start, and only on a dot border. It matches all host names that have anything before the asterisk and the exact name after it, so the wildcard "*." may be used only once in one name pattern. Example: *.wmspanel.com matches all <anything>.wmspanel.com host names.
- regexp match: the pattern starts with the '~' character and consists of a Perl-compatible regular expression describing the name pattern for all required host names.
You may have any number of ssl_server sections in your Nimble Streamer config. If the server_name patterns of several sections match the same host, the first section is used.
Here's an example of SSL config parameters:
ssl_port = 443
ssl_certificate = /conf/cert/default.crt
ssl_certificate_key = /conf/cert/default.key.dec
ssl_server {
server_name = *.wmspanel.com ~^.*\.wmspanel.com$
ssl_certificate = /conf/cert/wildcard_wmspanel_com.crt
ssl_certificate_key = /conf/cert/wildcard_wmspanel_com.key.dec
}
ssl_server {
server_name = wmspanel.com
ssl_certificate = /conf/cert/wmspanel_com.crt
ssl_certificate_key = /conf/cert/wmspanel_com.key.dec
ssl_http2_enabled = true
}
Notice that ssl_http2_enabled needs to be specified in each individual ssl_server section if you need to use it.
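To see how the server_name rules and the first-match-wins order from section 2.2 play out, here is an added example (written for this article, not Nimble Streamer's own code) that parses the sample config above and resolves which certificate file a given host name would be served. It assumes host names compare case-insensitively and that the regexp form is applied with Python's re module standing in for PCRE.

```python
import re

# Constructed input: the sample config from section 2.2 of the article, as text.
SAMPLE_CONFIG = r"""
ssl_port = 443
ssl_certificate = /conf/cert/default.crt
ssl_certificate_key = /conf/cert/default.key.dec
ssl_server {
server_name = *.wmspanel.com ~^.*\.wmspanel.com$
ssl_certificate = /conf/cert/wildcard_wmspanel_com.crt
ssl_certificate_key = /conf/cert/wildcard_wmspanel_com.key.dec
}
ssl_server {
server_name = wmspanel.com
ssl_certificate = /conf/cert/wmspanel_com.crt
ssl_certificate_key = /conf/cert/wmspanel_com.key.dec
ssl_http2_enabled = true
}
"""

def parse_config(text):
    """Split a Nimble-style config into server-wide settings and ssl_server sections."""
    default, servers, current = {}, [], None
    for line in (l.strip() for l in text.splitlines() if l.strip()):
        if line.startswith("ssl_server") and line.endswith("{"):
            current = {}                      # open a new ssl_server block
        elif line == "}":
            servers.append(current)           # close it, keeping file order
            current = None
        else:
            key, _, value = line.partition("=")
            (default if current is None else current)[key.strip()] = value.strip()
    return default, servers

def name_matches(pattern, host):
    """One server_name pattern: '~' regexp, leading '*.' wildcard, otherwise exact."""
    host = host.lower()                       # assumption: host names are case-insensitive
    if pattern.startswith("~"):
        return re.search(pattern[1:], host, re.IGNORECASE) is not None
    if pattern.startswith("*."):
        return host.endswith(pattern[1:].lower())   # "*.x.com" needs "<label>.x.com"
    return host == pattern.lower()

def resolve_certificate(host, config=SAMPLE_CONFIG):
    """First ssl_server whose server_name matches wins; otherwise the server-wide cert."""
    default, servers = parse_config(config)
    for section in servers:
        if any(name_matches(p, host) for p in section.get("server_name", "").split()):
            return section["ssl_certificate"]
    return default["ssl_certificate"]
```

Note that a bare wmspanel.com falls through the wildcard section and is served by the second section, while any host outside the configured domains gets the server-wide default certificate.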
3. Apply config
To apply config changes, restart Nimble by running:
sudo service nimble restart
4. SSL cache and control API
Nimble Streamer has a certificate cache: it takes each SSL certificate from the cache if it's already there, rather than re-loading it on each connection.
If you need to reload certificates in real time without restarting Nimble Streamer, you may use the Nimble API. It has the /manage/reload_ssl_certificates method for this. This method receives a POST request, and Nimble Streamer re-loads all current certificates. If they are loaded successfully, all new connections will use the new set, even for certificates that were loaded previously. Currently connected clients will keep the previous certificates for their current sessions until those are closed.
Example of API call:
curl -X POST http://127.0.0.1:8083/manage/reload_ssl_certificates
Let's Encrypt Certbot
Nimble Streamer supports Let's Encrypt certificates and allows Certbot auto-renewal. Read this article for full setup details.
Troubleshooting
Some browsers or client software may fail to recognize your certificate even though it's valid. In this case you may need to combine the SSL certificate chain (root and intermediate certificates) into a single .crt file and use that file with Nimble Streamer. On Linux you can do that by concatenating the files with this command:
cat your_site_certificate.crt root_certificate.crt > your_site_chained_certificate.crt
Please feel free to install Nimble Streamer to try this and other security-related features in action. Contact us in case of any questions or issues.
Related documentation
Nimble Streamer, Hotlink protection for Nimble Streamer, Paywall for Nimble Streamer, Live streaming, VOD streaming, SLDP low latency streaming,