February 25, 2015

Using WMSAuth paywall with CloudFlare and other proxies

WMSPanel provides wide paywall feature set which provides hotlink protection, pay-per-view framework and geo-location block. Hotlink protection is an extremely popular feature set for both Wowza and Nimble Streamer.

Hotlink protection is based on combination of viewer's IP address and a password defined via WMSPanel. So when our customer is using any proxy between the streaming server and a viewer, this may cause the block of connections because the IP of a user is not matching the actual IP. A popular example of such inconsistency is when our customer is using CloudFlare, a cloud-based protection solution against DDoS attacks.

To make it work properly, you may use the real address of a viewer which is passed among other headers to a web server. E.g. in PHP these headers may be accessed via $_SERVER system variable.

CloudFlare is passing HTTP_CF_CONNECTING_IP variable. If some other proxy is used, then a HTTP_X_FORWARDED_FOR may be used. X-Forwarded-For header may also be used by CloudFlare so check your $_SERVER variable output to see if this code may be simplified in your case.

However even those headers may be incorrect. That's why HTTP_X_REAL_IP and HTTP_CLIENT_IP headers may be used in addition.

Generally, the example below shows how this can be used:

if (!empty($_SERVER["HTTP_CF_CONNECTING_IP"])) {
} elseif (!empty($_SERVER['HTTP_X_REAL_IP'])) {
} elseif (!empty($_SERVER['HTTP_CLIENT_IP'])) {
} elseif (!empty($_SERVER['HTTP_X_FORWARDED_FOR'])) {
$commapos = strrpos($ip, ',');
$ip = trim( substr($ip, $commapos ? $commapos + 1 : 0) );

Complete hotlink protection signature source code with JWPlayer used for playback, can be found in our github page.

If your Nimble Streamer instance is also located behind the proxy or reverse proxy, you should also use cdn_origin configuration parameter to make Nimble work fine with it. Check this article for details.

You may also find useful the detailed information about our paywall solutions. And if you need help debugging WMSPanel-based paywall, please check our FAQ.

Also please check HLS AES-128 DRM encryption implemented in Nimble Streamer.

Related documentation

WMSPanel paywallWMSPanel github page, MPEG_DASH hotlinking protectionHLS AES-128 DRM encryption


  1. Is it work only for cloudflare? I am using https://cdnsun.com/, can i protect my connection by using these tips?

    1. Cloudflare is not a classical CDN, it's a "smart proxy" DN. If you'd like to protect your content you should ask your CDN to use our software on edge servers.

  2. And how does one apply this to an ipv6 configuration?

  3. Hi,
    you should enable ipv6 support in your server configuration http://blog.wmspanel.com/p/nimble-streamer-configuration.html and then sign url as usual using your ipv6 ip address.

  4. На сервере с использованием CF нужно использовать: https://support.cloudflare.com/hc/en-us/articles/200170706-How-do-I-restore-original-visitor-IP-with-Nginx
    Актуальные IP CF: https://www.cloudflare.com/ips/

    Реальное определение IP, если нет доступа к NGINX/APACHE: https://pastebin.com/2arAy2w2
    Использовать: echo getRealIP();


If you face any specific issue or want to ask some question to our team,

This will give much faster and precise response.
Thank you.

Note: Only a member of this blog may post a comment.