July 30, 2020

Streaming SRT via OBS Studio with Nimble Streamer and Larix Broadcaster

OBS Studio team added support for SRT in their software recently. That is a great improvement and we highly recommend using that protocol for your delivery to and from OBS.

In this article we're going to show how you can use OBS with two products of our team. Here are the scenarios we'll cover:
  • Set up OBS Studio to receive SRT.
  • Set up Larix Broadcaster to send SRT to OBS Studio.
  • Set up OBS Studio to send out SRT stream.
  • Set up Nimble Streamer to receive streams from OBS Studio.
This will make a complete pipe from your mobile device through OBS to a software media server located wherever you need it.

We assume you already installed all three products: the latest version (25.0.8+) of OBS on your local computer, Larix Broadcaster on your mobile and Nimble Streamer on one of your servers.


Set up Larix Broadcaster


Open Larix Broadcaster, click on gear icon to enter Settings menu. Tap on Connections.



In our example we already have some connections so let's add a new one by tapping on New connection.



Name field can be defined to distinct a new connection from existing ones.
URL field has to be similar to "srt://192.168.0.106:10000" - that is your computer IP and the port which you defined on previous step.

Save setting to see it in the list, then tap on its check box. This will enable this connection for streaming.



Now you can get back to video preview and tap on big red Recording button to start streaming to OBS.

Please refer to Larix documentation reference page for other articles and videos of Larix setup and usage.

Set OBS for SRT input from Larix Broadcaster


Open OBS and check Sources area.


Add new or change existing Media Source.




Enter a URL like this into Input field.
srt://192.168.0.114:10000?mode=listener
In our case 192.168.0.114 is the IP of your computer. You need to change IP address to the IP of your own computer. If you'd like to use some other port, you need to change it as well.

Don't forget to allow incoming UDP traffic in the firewall settings for the specified port.

That's it, click on OK to save the media source. If you have Larix Broadcaster streaming, you'll see the picture.

Set OBS for SRT output to Nimble Streamer


Once you have some stream in your OBS, you can publish it to Nimble Streamer. Here's what you need to do for that.
Here are the steps to follow:
  1. Go to File -> Settings menu.
  2. Open Output tab.
  3. In Output mode field choose Advanced.
  4. Choose Recording tab.
  5. Select Type as Custom Output.
  6. In FFMpeg Output Type select Output to URL.
  7. In output URL enter "srt://192.168.0.106:2020" or IP/port which you're going to use with Nimble Streamer - we'll define that in the next section. In this example 192.168.0.106 is the IP address of your Nimble Streamer instance.
  8. Set Container format to "mpegts".
  9. You can use default encoders and decoders, or select the one you want to use, such as libx264.
Here are the settings we have as we complete them:



That's it. Now let's set up Nimble.

Set Nimble Streamer


Nimble Streamer has full support for SRT. This article describes full SRT setup in Nimble Streamer and you should refer to it for all details.

Now open Nimble Streamer -> Live streams setting menu, choose MPEGTS In tab and click on Add SRT stream button.

You see this dialog:


Here's what we do in our case:
  1. Set Receiver mode to Listen.
  2. Local IP can be set to "0.0.0.0" to process streams from all interfaces.
  3. Local port should be whatever you can use on your server. In our case it's "2020".
  4. Alias can be set to something you will see for this stream identification going forward in setup.
  5. If you click on Add outgoing stream and enter app and stream name, WMSPanel will create the outgoing stream automatically using the names which you provided.
Once you save, you'll have it all set.

To start streaming from OBS, pressing Start Recording button.

Once you do that, Nimble will provide the outgoing stream.

E.g. if HLS is enabled for this server instance, your HLS stream URL would be http://192.168.0.106:8080/obs/stream/playlist.m3u8

If you need to make further streaming via RTMP, check RMTP digest page and related articles there like RTMP republishing setup.

Please refer to full SRT setup instruction to see what else you can do with SRT setup or further re-streaming. Also, check Glass-to-glass delivery setup to see another example of SRT usage with our products.



Related documentation



July 29, 2020

Slice-wide permissions in WMSPanel

WMSPanel cloud service provides full set of capabilities for controlling Nimble Streamer behavior as well as reporting its stats. The main instrument to split stats is a data slice which allows defining servers and respective applications or streams to get stats from.

The hierarchy of users in WMSPanel account is simple - admin users ("admins") can do anything, non-admin users (or "users") are allowed to see the stats in the data slices where they are assigned. However if you need to give some non-admin a permission to do something with server setting, you can define individual permissions, it's described in this article.

There are cases when you need to define some set of permissions to an entire set of non-admin users.

Now WMSPanel provides this option using data slices. The main idea is as follows:
  • Create a slice.
  • Assign a set of servers which you want to give control to.
  • Assign non-admin users which you want to give permissions to.
  • Define permissions.
Those permissions will be applied to all users and they will be allowed to make specific set of operations over the servers assigned to this particular slice.

When a non-admin user switches to particular slices, he or she gets access to servers and as allowed by slice' permissions list.

Data slice permissions and per-user permissions (defined as described here) are combined together in a white-list manner. So, if you set "Incoming streams" in per-user permissions list and "Outgoing streams" in a data slice permissions list, a given user will access incoming streams in any slice and outgoing streams in that particular slice only.

We strongly recommend to enable 2-factor authorization for all admin users and non-admins with special set of permissions to improve the level of your security.

Let's see how it's set up.

Go to slices management page by clicking on Manage link under the top menu. Create a new slice if you haven't created it yet.


For the designated slices, click on "gears" icon on the right from the slice details, it's there among other icons. You will see a dialog like this.


Once you click on "0 permissions" you'll see a list of permissions for a particular server. Just click on check boxes for required features.


You can do that for all servers from those assigned to the slice.
Clicking on a check box near server name checks all features.



That's it. Once you save settings, they will be applied to your slice and your users will be able to use selected features.

Related documentation


July 23, 2020

Vote! Streaming Media European Readers' Choice Awards 2020

Streaming Media European Readers' Choice Awards of 2020 is now opened for voting. Softvelum products are represented in 4 categories:
  • Analytics/Quality of Service Platform: Softvelum - Qosifire
  • Encoding/Transcoding Service: Softvelum - Nimble Live Transcoder
  • Hardware/Software Server: Softvelum - Nimble Streamer
  • Mobile Video App or Solution: Softvelum - Larix Broadcaster


Here's where you can find us:


Support our team by giving your vote for us!



July 16, 2020

NDI support in Nimble Streamer

NDI® is a free protocol for video delivery over IP. It's widely adopted by industry professionals in a variety of products used in live production.

NDI is a technology which was implemented with these ideas in mind:
  • Live video is produced and processed by professional production teams in local networks prior to outer-world delivery.
  • Various solutions from various vendors are fully interoperable using the same protocol.
  • Network topology doesn't matter, making it easy to find and capture video streams.
  • Video source is abstracted from video destinations, it just sends out the data into the network.
  • The video content is moderately compressed with 10x factor down to 100 MBps making it easy to deliver over local networks.
  • It's a replacement for SDI technology.

1. Nimble NDI features overview


Softvelum Nimble Streamer software media server is used by a lot of customers from live production industry for efficient delivery of live streams among production sites and from production to the viewers using all general-purpose protocols like SRT, RTMP, MPEG-TS and others.

Now NDI is available in Nimble Streamer to provide even more capabilities for live delivery.

Receive NDI signal as input. Nimble gets the stream and decodes it for further usage. You can do various further processing:
  • get NDI from local network;
  • transform with Live Transcoder: re-sizing, re-sampling etc
  • encode into H.264/AVC, H.265/HEVC, VP8, VP9 with supported encoder libraries;
  • re-package into other protocols for further delivery: SRT, HLS, MPEG-DASH, RTMP etc;
  • record and play with DVR;
  • handle heavy duty when serving streams to multiple viewers.
Send NDI signal as output. Nimble produces an NDI stream:
  • take any content input via supported protocols like SRT or RTMP;
  • transcode and send the content via NDI into local network.
So Nimble Streamer is not a production-level mixing and editing tool but rather is a "bridge" between live production environments and global networks.

NDI monitoring tool. Along with implementing NDI in Nimble Streamer, we've made a console tool for diagnosing NDI streams. This helped us test and debug our solution, so we are sure it also will help our customers debugging their setup of Nimble and NDI streams in general.

Now let's look at NDI setup and usage in our products.

2. Installation


Handling NDI requires Live Transcoder for Nimble Streamer because the streams must be either decoded from or encoded to NDI format.

So before moving forward, you need to install the following products of Softvelum and make subscription where it's required.
  1. Sign up for WMSPanel account.
  2. Install Nimble Streamer on a proper server and register it in WMSPanel. If you'd like to install SRT package, please also refer to proper instructions.
  3. Subscribe for WMSPanel account, the price starts from 30 USD per month.
  4. Create Live Transcoder license and subscribe. This short video shows the process. It costs 50 USD per month per server.
  5. Install Live Transcoder package and register the license on the server with Nimble Streamer instance.
Once you're finished, you will have a paid WMSPanel account, a running instance of Nimble Streamer with Live Transcoder package, ready to transcode streams. For more details about Live Transcoder usage please refer to documentation reference and our video tutorials.

3. Set up NDI input


To get the NDI stream in, you need to create a Transcoder scenario. In your WMSPanel account, click on Transcoders menu to open scenarios page, then click on Create new scenario button. You'll be redirected into an empty scenario.

Now drag a blue video source element, then select NDI option.


In NDI name field you need to enter your source NDI stream. It can have both host name and stream name, but you may use just stream name. In our example the NDI source is "SOURCE HOST (stream)" which means host ("SOURCE HOST") and stream name ("stream"). Please also check NDI tool described in section 5, its output provides NDI source names which you can use for your input.

Now you can create the video output element, just drag the green element and keep the output type as "Stream".


Application and stream name define the naming of your output stream for further reuse. You may leave other values by default if you find them appropriate or define other parameters and values, like different codec or encoder library. Once you save encoder settings, you need to link decoder and encoder elements, just drag an arrow from the decoder to the encoder.

You may also put any filters between decoder and encoder in case you need to additionally transform the content, like to split the stream and make various renditions.

Once you're done with video pipe, you need to do the same for audio part of your input content. Drag audio source and select NDI stream as input. You need to define the same input stream name as you did for video.


Now add audio encoder element.


Here you specify the same output app and stream name, then you may choose codec and encoder. Once you save settings. You need to connect decoder and encoder, unless you want to apply some filters like volume changer.


That's it. Now once you save scenario, it will sync up with Nimble Streamer within several seconds and your server instance will start receiving NDI stream to process it and generate the output stream.

You can now handle this stream according to your use case, like re-publish it via SRT or RTMP. The SRT publication setup is described in this article and RTMP re-publishing described here.
You can also try playback to make sure the stream is available. The example of HLS output stream URL will be http://yourhost/live/output/playlist.m3u8 for default settings.

In addition to the aforementioned "direct output" transcoding pipe, you can add more filters and generate multiple outputs. Check this scenario example.


It has video split filter after NDI decoder, then it makes direct output with original rendition, scales down to 480p and down to 240p, and encodes all 3 outputs. The decoded audio is also split into 3 output streams.
You can also check other examples of transcoder workflow in our YouTube playlist.

4. Set up NDI output


Setting NDI output is somewhat similar to input setup process.

First, make your live stream input available for further processing, read our documentation for details:
You can check other protocols and use cases on live streaming digest page.

Once you have your input stream ready and tested, you can proceed with NDI setup.

Go to your transcoder setup and create a new scenario.

Video input will have your processed incoming stream application and stream name. You may choose another decoder if you want as well.


Drag and drop encoder element and select NDI as output option.


Now specify output stream name, this is how it will be recognized by other NDI recipients in this network. You may also define this stream's key frame alignment.

Save this and connect video input and output. 


Now add audio input having the same stream app and stream name.


Then add encoder element with NDI selected in it.


The stream name needs to be the same as you specified in video output. When you save audio output, connect input and output.


When you save this scenario, it will be synced within several seconds.

Once the scenario settings are synced, your Nimble Streamer will start sending NDI output with the content defined by our scenario.

Just like you saw in section 3, you may create more complex scenarios.


In this example the audio in encoded without changes while the video is scaled down and then custom "fps" filter is applied to change the framerate.

5. NDI monitoring tool usage


In addition to implementing NDI in Nimble Streamer and Live Transcoder we've created a tool which helped us debugging NDI workflow. It's a command line utility called "nimble_ndi". It works if Nimble Streamer and Nimble Live Transcoder are installed with no need for registering Nimble instance or Transcoder license.

It provides two functions: getting the list of available streams and getting full details about a particular stream.

5.1 Get active NDI streams list

Log into the server where Nimble Streamer is installed and run this command:
nimble_ndi
It will show the list of streams as "host name (stream name)" with IP and port, e.g.

camera1 (stream)                  10.208.14.1:6961
camera2 (stream)                  10.208.14.2:6961
producer (main)                   10.208.15.1:6961
producer (secondary)              10.208.15.1:6962
OSA-VM-WIN10 (vMix - Output 1)    192.168.0.201:5961
OSA-VM-WIN10 (vMix - Output 2)    192.168.0.201:5962
That information can be used as a reference for NDI setup in previous sections. For example, having this output, you can sue host and stream ("OSA-VM-WIN10 (vMix - Output 1)") for your NDI input setting.

5.2 Get NDI stream details

If you want to have full info on the frames of specific stream, run this command:
nimble_ndi --show-frames="host (stream)"
E.g.
nimble_ndi --show_frames="camera1 (stream)"
It will produce the output like this:

video: timecode=107080000 timestamp=15943425579304024 av_sync_ms=0 fps=24/1
audio: timecode=107310000 timestamp=15943425579707145 av_sync_ms=40 no_samples=1024 sample_rate=48000
audio: timecode=107520000 timestamp=15943425579708666 av_sync_ms=40 no_samples=1024 sample_rate=48000
video: timecode=107500000 timestamp=15943425579712332 av_sync_ms=0 fps=24/1
audio: timecode=107730000 timestamp=15943425580115564 av_sync_ms=40 no_samples=1024 sample_rate=48000
audio: timecode=107950000 timestamp=15943425580117047 av_sync_ms=40 no_samples=1024 sample_rate=48000

Each line represents a frame of either video or audio with these parameters:
  • timecode: it's optional but Nimble generates it for he tools which need it;
  • timestamp: time which NDI library provides us with;
  • av_sync_ms: a delta from previous frame of either video or audio, in milliseconds;
  • no_samples: number of audio samples, it's for audio frames only;
  • sample_rate: it's audio frames only;
  • fps: for video frames only.
That allows easily tracking NDI streams in your network.

6. Video step-by-step tutorial


We've made a video showing the setup process, take a look at it.



7. Troubleshooting


If you'd like to have NDI|HX® support on Ubuntu, please do the following.
  1. Go to NewTek NDI|HX driver page and download the file into some temporary directory
  2. Run the downloaded file to obtain required files.
  3. Copy the extracted files into /usr/lib/x86_64-linux-gnu directory.
  4. Re-start Nimble Streamer.
The following filed will be copied:
libavcodec-ndi.so.58
libavdevice-ndi.so.58
libavfilter-ndi.so.7
libavformat-ndi.so.58
libavutil-ndi.so.56
libndihx.so
libswresample-ndi.so.3
libswscale-ndi.so.5
On Windows, no additional activities are needed.


If you have any problems with NDI, check that your host is configured to have respective ports opened. Here's an example of UFW rules for Ubuntu host with properly configures ports.

> sudo ufw status
Status: active
To                      Action  From
--                      ------  ----
6960                    ALLOW    192.168.0.0/24
6961                    ALLOW    192.168.0.0/24
6962                    ALLOW    192.168.0.0/24
6963                    ALLOW    192.168.0.0/24
6964                    ALLOW    192.168.0.0/24
6965                    ALLOW    192.168.0.0/24
6966                    ALLOW    192.168.0.0/24

If you have other issues with NDI configuration, please refer to General NDI Troubleshooting page from NewTek knowledge base.

Contact us if you have any questions regarding NDI support in Nimble Streamer.


NDI® is a registered trademark of NewTek, Inc.


Related documentation


July 8, 2020

Instant inactivity disconnect for SRT and other MPEGTS-based streams

Nimble Streamer supports a wide range of transport protocols which use MPEG-TS container such as SRT, RISTHLSMPEG2TS over UDP and over HTTP.

Part of default behavior for MPEGTS-based streams in Nimble Streamer is that when the input is interrupted for some reason, the output stream is still available. Here's an example. The SRT stream is published, then it's interrupted, however the HLS chunklist is still available having only old chunks.
This goes on until the 30 seconds timeout stops the stream, or the input is resumed.

There is now an option to interrupt the output streaming right at the moment when the input is interrupted. This is enabled on a server level via this config parameter:
mpeg2ts_instant_camera_remove = true
Read our parameters reference page for more details on operating server parameters.

This feature covers the following input protocols:
  • SRT input in all modes.
  • RIST input in all modes.
  • Pulled MPEG2TS over HTTP.
  • Pulled HLS.
The following protocols do not support this feature
  • MPEGTS over UDP, as there's no protocol capability for that.

Having that feature enabled, you will also be able to use Streams failover hot swap and Emergency streams hot swap features for on-the-fly transparent streams replacement.


Let us know if you have questions about this feature.

Related documentation


July 1, 2020

Q2 2020 news: SRT PASSet, RIST, DRM and Larix Broadcaster on Drafts

Softvelum team kept working during this intense Q2 of 2020 and we have several important updates for our products.


Nimble Streamer

First we'd like to address a Nimble Streamer issue which appeared back in May. Our external dependency package - libjson - introduced a fatal issue which caused multiple malfunctions across the entire Ubuntu users community. Within a few hours we detected a problem and released a fix which allowed us to overcome any consequences. We sent proper announcement to our Linux users so our clients got proper assistance on time, so most of them were not affected by this. 
That's just one of the advantages of being our subscribed customer.

Now let's see some new features.

Nimble Streamer SRT Publisher Assistance Security Set (SRT PASSet) is our new security and management framework for SRT. These are major capabilities:
  • Process incoming streamid.
  • Make per-server, per-application and per-stream authentication with user and password.
  • Apply any SRT parameters to every individual publisher and each individual stream.
  • Apply allow and deny lists for IP addresses on server and stream level.
  • Manage published streams via the publish control framework.
This provides our customers with great flexibility for publication control, especially for handling mobile publishers. Read these articles for more details:

Speaking of SRT, we've also added Forward Errors Correction support as part of our freeware feature set. FEC filter is still under development by the SRT community and we've added it per requests from our customers, so please use FEC filter feature at your own risk.

Nimble DRM has finally become available this quarter. It covers these features:
  • Google Widevine™ support to protect MPEG-DASH.
  • Microsoft Playready™ support to protect MPEG-DASH.
  • Apple FairPlay™ support to protect HLS.
  • Widevine Cloud Service support with key rotation.
  • EZDRM’s DRM-as-a-Service support for Widevine, FairPlay and Playready.
  • Verimatrix™ VCAS key management support to protect HLS with AES.
DRM is a premium feature set of Nimble Streamer.

Both SRT PASSet and Nimble DRM are part of Nimble Addenda - a premium package which also covers Nimble Advertizer. Package license costs just 50 USD per month per server and gives extended feature set with proper support.

RIST protocol support. A new protocol has been introduced by RIST Forum. RIST provides an open, interoperable and technically robust solution for low-latency live video over unmanaged networks.
Read this setup article to try it in action.

Last but not least, we've released an article on Handling fuzzy FPS to get proper bitrate output with some sources that produce streams with uncertain frame rate, like mobile encoders.


Larix Broadcaster

Our mobile team made a number of updates.

Larix Broadcaster app was mentioned in a few articles on SVG News:
Softvelum team was very proud to see Larix Broadcaster in such awesome use cases.

Now, let's look at new features.

We've released Larix Grove - an easy to use format which allows distributing streaming setup details. You use our web wizard to create a URL and a QR code to send to your publishers. It's supported in Larix for Android and iOS.

Larix Broadcaster for iOS is now able to provide Dual/Triple camera system support on iPhone 11+, including wide-angle and telephoto camera.
We also have multiple cameras streaming (via picture-in-picture and side-by-side) on modern supported devices in our beta version. You can use this link to install TestFlight and try it in action.

Larix for Android now has USB OTG camera support if the hardware vendors give that capability.
You can also go to Google Play and Join Beta to get early access to new features like multiple physical cameras on Android 10+.

Our YouTube channel also has a number of new videos explaining some of Larix features and other company updates



If you'd like to get our future news and updates, please consider following our social networks: Telegram channelTwitter, Facebook, LinkedIn and YouTube.

June 28, 2020

Setting per-stream authentication and parameters with SRT PASSet

SRT Publisher Assistance Security Set - or SRT PASSet - is a premium feature set of Nimble Streamer which allows extending authentication and control capabilities for SRT input.

The key capabilities of SRT PASSet are as follows:
  1. Accept streamid parameter.
  2. Make per-server, per-application and per-stream authentication with user and password.
  3. Apply any SRT parameters to each individual stream and even individual publisher.
  4. Apply allow and deny lists for IP addresses on server and stream level.
  5. Manage published streams via publish control framework.
We have an article about per-user authentication for per-server and per-application processing and publish control the same way it's available for RTMP and RTSP, you can use that approach for various cases. However, more complicated cases of per-stream authorization and SRT parameters require different approach.

This article describes the following capabilities setup:
  • Accepting "streamid" parameter in "<application>/<stream>" format.
  • Creating configuration file for controlling per-stream settings.
  • Setting server-wide allow and deny lists or IP ranges.
  • Setting per-stream settings with allow/deny lists, user/password authentication and custom per-stream SRT parameters.

The key element of this feature set is a separate configuration file which has JSON-based format for describing all settings on global and per-stream level. So this article describes how this feature is enabled and set up.

A few notes
These features are applied when Nimble Streamer works as a receiver of SRT in Listen mode. Other receiving modes such as Pull and Rendezvous are not supported by PASSet feature set.
Current article assumes you have a WMSPanel account, you have a Nimble Streamer instance registered in your account and that instance is capable of receiving SRT streams via a designated port.

1. Activate Nimble Addenda


SRT PASSet is available as part of Nimble Addenda premium package and it requires a license to operate and a subscription to cover that license. That license also enables a number of other features like DRM and server-side ads insertion.

So if you don't have Addenda license yet, follow these steps:
  1. Go to Settings menu and open Addenda licenses tab
  2. Click on New Addenda subscription and select number of licenses, then click Next and once you see final cost, click on Pay now button.
  3. Follow the payment procedure and once you complete it, you’ll see your active licenses.
  4. Click on the license to see the registration procedure.
  5. Log into the server which has Nimble Streamer installed and which you will use as your host.
  6. Use the registration procedure to make it work.
That's it. Now all features described below will become available.

2. Set up SRT listener


In your WMSPanel account, click on Nimble Streamer -> Live Streams Settings menu and open MPEG-TS In tab.


Here you need to click on Add SRT stream button to see the following dialog.



Make the following setup:
  1. Set Receive mode to Listen. This feature doesn't work for other modes.
  2. Define Local IP and port. By default we recommend using 0.0.0.0 IP address.
  3. Alias is a name of this setting for further usage in other setup areas. 
  4. Un-check Add outgoing stream checkbox.
  5. Finally, you need to add "nimble-srt-password-path" custom parameter with full path to a JSON text configuration file located on the same server where Nimble Streamer is running.
Save this setting and it will be synced to the Nimble Streamer instance within a few seconds.

Now let's look at how you can operate this JSON configuration file the path to which you've specified in listener socket settings.

3. JSON configuration file


First thing to notice is that the configuration file must have at least "read" permissions for a user which Nimble Streamer is running under.

This file is requested by Nimble Streamer every time when a new publisher is trying to connect to Nimble Streamer. So you may change the rules any time you need, either manually or via some script according to your business logic.

If the file is specified in listener settings but it doesn't exist or cannot be accessed or it has a malformed JSON then no publishers will be allowed to publish to this listener.

Here is the top-level structure of this JSON file:
{
"publishers": {
},
"streams": {
}
}
Both "publishers" and "streams" sections can be used alone, so you can define only one of them if needed.

3.1 "publishers" section 

The publishers section gives ability to define server-wide allow and deny rules for IP addresses of publishers. Those IP ranges are defined as CIDR ranges. You can define one range, several ranges or none of them for allow and deny lists.

The "deny" list defines the ranges of IPs to deny connection from. If a publisher with denied IP tries to connect then it will be rejected, and you'll find a proper line in Nimble log (see "Troubleshooting with logs" section for details).

If the "allow" list is added into the config then only publishers from allowed IP ranges will be able to connect.

Let's check an example.
{
"publishers": {
"deny": "127.0.0.1/32, 192.0.0.2/32",
“allow":"127.0.0.0/24, 192.0.0.0/24"
  }
}
With these rules, all publisher from 127.0.0.0/24 and 192.0.0.0/24 allowed ranges can publish, except for 127.0.0.1 and 192.0.0.2 from deny list. Publishers from any other IPs will be rejected.

Both IPv4 and IPv6 IP addresses are supported.

If "publishers" section is not available then publishers from any IPs can publish unless something else is defined for specific stream in "streams" section.


3.2 "streams" section 

All stream which you want to allow for publishing must be described in this section.

Every stream has "allow", "deny" and "users" section. Both "allow" and "deny" sections work the same way as it's described in section 3.1. All allow/deny rules from "publishers" section will be applied first, then corresponding rules for a stream will be applied. Then if a publisher is allowed to publish then "users" section is applied.

Let's look at this example.
{
  "streams": {
    "live/stream": {
      "allow":"192.168.0.1/32",
       users": {
         user_id": {"passphrase": "123456789"}
       }
    }
  }
}
Here, only "live/stream" is allowed to be published into this listener, any other streams will be rejected. Also, only a publisher from 192.168.0.1 is allowed to stream, any other IP will be rejected.

The "users" section defines a list of users allowed to publish into particular stream. Each user can be assigned the SRT parameters which will be applied to that particular user.

Let's check another example.
{
  "streams": {
    "live/srtstream": {
      "allow":"127.0.0.1/32,::1/128",
      "users": {
        "srt_user": {"passphrase": "1234567890"},
        "ID_1": {"passphrase": "0987654321"}
      }
    },
    "srtlive/srtstream": {
      "allow":"127.0.0.1/32,::1/128",
      "users": {
        "srt_user": {"passphrase": "1234567890"}
      }
    }
  }
}
In this example, both "srt_user" and "ID_1" users can publish into "live/srtstream" and only "srt_user" can publish into "srtlive/srtstream".

There may be any unique "passphrase" parameter set to each individual user.
Also, any supported custom SRT parameters can be used for each user, e.g. latency, maxbw and pbkeylen.

Let's check another example:
{
  "streams": {
    "live/srtstream": {
      "users": {
        "user_1": {"passphrase": "1234567890", "latency": "2000"},
        "user_2": {"passphrase": "0987654321", "latency", "1000"}
      }
    } }
Here you see "user_1" has SRT latency set to 2000ms and "user_2" has 1000ms latency.

3.3 Listener socket parameters vs. user parameters

If you define some SRT parameters in listener settings, they will be applied to all users unless you re-define them on user level in JSON config file.
E.g. if "latency" is set to "2000" in listener socket and then a user is set latency as "1000" then this user will connect with 1000ms latency. And if some user doesn't have "latency" parameter then it will have 2000ms latency.

This applies to all SRT custom parameters, including "passphrase".

4. Authorization options when using JSON configuration file


If you use JSON configuration file you have two options for authorizing your publishers.

4.1 Login authorization

This way you will authorize users with their respective passphrases.

Here's a JSON example:
{
  "streams": {
  "live/stream": {
    "users": {
      "user_1": {"passphrase": "0123456789"}
    }
  }
}
Your publisher can use this command to connect:
ffmpeg -re -i video.mp4 -codec copy -f mpegts pipe:1 | ./srt-live-transmit -v file://con "srt://127.0.0.1:2020?passphrase=0123456789&streamid=/live/stream?srtauth=user_1"
The "srtauth" parameter has only a user name which is listed in our config. The "passphrase" is used as a password for authorization. If you try to publish to any other stream, the publication will be rejected and you'll see a record in Nimble log. If publisher uses a user not specified in the config then it will be rejected as well.

The output application and stream will be created automatically based on "streamid" like this:
http://localhost:8080/live/stream/playlist.m3u8
If you want to pass SRT parameters, you can add them like this:
ffmpeg -re -i video.mp4 -codec copy -f mpegts pipe:1 | ./srt-live-transmit -v file://con "srt://127.0.0.1:2020?passphrase=0123456789&latency=1000&streamid=/live/stream?srtauth=user_1"
Here a publisher will pass a "latency" parameter with "1000" value.

4.2 Publish control authorization

The second option is to use publish control framework signature with user ID in it. The publish control signature is created the same way as described in section 5 of this article.

Here's a config example:
{
  "streams": {
  "live/srtstream": {
    "users": {
      "srt_user": {"passphrase": "0123456789"}
      "ID_1": {"passphrase": "0987654321"}
    }
  }
}

The publication command would be 
ffmpeg -re -i video.mp4 -codec copy -f mpegts pipe:1 | ./srt-live-transmit -v file://con "srt://127.0.0.1:2020?passphrase=0987654321&streamid=/live/srtstream?publishsign=aWQ9SURfMSZzaWduPWc5U093SGFJK2x2d3ZVd0FMMG9wcmc9PSZpcD06OjE="

If you decode base64 from publishsign you'll see "id=ID_1" and this is the user which will be taken for authorization with "passphrase" of "0987654321".

Read publish control framework overview, detailed setup description and PASSet per-user authorization setup articles to learn about full context of this control feature usage.

5. Troubleshooting with logs


We've made SRT PASSet feature as easy for you to analyse as possible.

Check logs. Nimble Streamer logs are very verbose for SRT PASSet use cases and they will include description of all errors which you may face. Read this article to see more details on server logs.

Make sure your stream to publish is described in JSON config. If you don't have respective stream there, you'll get a message in your log.

Then make sure you have a user and a password assigned to that stream.

Please check server logs in case of any problems. If you still have questions, please feel free to contact our helpdesk.

If you use Larix Broadcaster for publishing, we recommend using Larix Grove format for passing connection details including host and port, streamid, passphrase and other parameters.

Further reading



June 24, 2020

Setting SRT user and password authentication with SRT PASSet

SRT Publisher Assistance Security Set - or SRT PASSet - is a premium feature set of Nimble Streamer which allows extending authentication and control capabilities for SRT input.

The key capabilities of SRT PASSet are as follows:
  1. Accept streamid parameter.
  2. Make per-server, per-application and per-stream authentication with user and password.
  3. Apply any SRT parameters to each individual stream and even individual publisher.
  4. Apply allow and deny lists for IP addresses on server and stream level.
  5. Manage published streams via publish control framework.

Receiver in Listen mode. These features are applied when Nimble Streamer works as a receiver of SRT in Listen mode. Other receiving modes such as Pull and Rendezvous do not support PASSet feature set.

This article describes the following capabilities setup:
  • Accepting "streamid" parameter in "<application>/<stream>" format.
  • Setting server-wide user and password authentication.
  • Setting per-application user and password authentication.
  • Publish control framework signature.

Other capabilities will be described in related articles, see "Further reading" section below.

Let's see how the feature is enabled and used.

Notice that the current article assumes you have a WMSPanel account, you have a Nimble Streamer instance registered in your account and that instance is capable of receiving SRT streams via a designated port.

1. Activate Nimble Addenda


SRT PASSet is available as part of Nimble Addenda premium package and it requires a license to operate and a subscription to cover that license. That license also enables a number of other features like DRM and SSAI.

So if you don't have Addenda license yet, follow these steps:
  1. Go to Settings menu and open Addenda licenses tab
  2. Click on New Addenda subscription and select number of licenses, then click Next and once you see final cost, click on Pay now button.
  3. Follow the payment procedure and once you complete it, you’ll see your active licenses.
  4. Click on the license to see the registration procedure.
  5. Log into the server which has Nimble Streamer installed and which you will use as your host.
  6. Use the registration procedure to make it work.
That's it. Now all features described below will become available.

2. Set up SRT listener


In your WMSPanel account, click on Nimble Streamer -> Live Streams Settings menu and open MPEG-TS In tab.


Here you need to click on Add SRT stream button to see the following dialog.




Make the following setup:
  1. Set Receive mode to Listen. This feature doesn't work for other modes.
  2. Define Local IP and port. By default we recommend using 0.0.0.0 IP address.
  3. Alias is a name of this setting for further usage in other setup areas. 
  4. Add "nimble-srt-password-path" custom parameter and set it to "none". This parameter is required to enable this feature.
  5. Also, un-check Add outgoing stream checkbox.
Save this setting and it will be synced to the Nimble Streamer instance within a few seconds.

Custom SRT parameters. You may also set any other SRT parameters you need, they will be applied to all incoming streams processed under the settings described further. For example, passphrase will encrypt all connections regardless of users and passwords which you define further.
If you need to set different passphrases or other parameters to different users separately then you need to use a different part of PASSet feature set which will be described in a different article soon.

The "streamid" is the parameter which we use for defining the publication business logic as described below.

3. Publish without authentication


Now when the Listener setup is ready, you can start publishing at your sender side using streamid parameter. The streamid value must have "<application name>/<stream name>" format similar to RTMP and RTSP naming. To demonstrate sender behavior, we'll use srt-live-transmit tool with input from ffmpeg.

Here is an example of publication command:
ffmpeg -re -i video.mp4 -codec copy -f mpegts pipe:1 | ./srt-live-transmit -v file://con "srt://127.0.0.1:2020?streamid=live/stream"
The output will be generated just like you normally see it with RTMP and RTSP. Here you see "live" is application name and "stream" is stream name. In our example it will be a stream from localhost, for HLS this will generate the output stream with this URL:
http://localhost:8080/live/stream/playlist.m3u8
Each application may have any number of separate streams, just like you have with RTMP or RTSP. So your first contributor may publish with streamid=live/stream1 and the second one may use streamid=live/stream2, that will generate two separate output streams: http://localhost:8080/live/stream1/playlist.m3u8 and http://localhost:8080/live/stream2/playlist.m3u8.

Now let's see how you can set up user authentication.

4. Server and per-application settings


4.1 Setting input authentication


Now switch to Global tab. Here you can set up settings which are applied on a server level.



You can see Push login and Push password fields where you can define user and password for publication.

You can also define what protocols will be produced for output streams, along with HLS and MPEG-DASH parameters.

If you'd like to setup specific settings for specific applications, go to Applications tab


Click on Add application settings button to see the following dialog.



All parameters are the same as you saw in Global tab except that it also has Application name field. It defines part of the "streamid" parameter utilized as application name.

Once you click on Save, the settings will be applied to the designated server in a few seconds.




Global settings publishing example

Here is an example of SRT publishing using a global server setting.
ffmpeg -re -i video.mp4 -codec copy -f mpegts pipe:1 | ./srt-live-transmit -v file://con "srt://127.0.0.1:2020?streamid=live/stream?srtauth=global_user:pass"
You can see streamid parameter set to live/stream?srtauth=global_user:pass where "live" is application name, "stream" is stream name and "srtauth" has user and password which we defined earlier in Global tab.

The output will be generated just like you saw in section 3, e.g. for HLS this will be http://localhost:8080/live/stream/playlst.m3u8.

Application settings publish example

The same applies to specific app name. Here's an example of SRT publication to srt_stream application:
ffmpeg -re -i video.mp4 -codec copy -f mpegts pipe:1 | ./srt-live-transmit -v file://con "srt://127.0.0.1:2020?streamid=srt_steam/input?srtauth=user2:pass"
You can see streamid parameter containing srt_steam application with input stream having "user2" user with respective password. The result stream will have corresponding app and stream, here's the example of MPEG-DASH stream:
http://localhost:8080/srt_stream/input/manifest.mpd

Each application may have any number of separate streams, just like it was described in section 3.

4.2 Combining global and application settings


Each individual application setting overrides global settings. So if you globally define a full set of protocols and then create an application setting with just one particular protocol and separate user and password then this application will produce only that specific protocol when it gets an SRT stream published into that application.

The only exception is password. If an application has empty user or password then a global user and password will be taken. This way you cannot set up a global user and password and leave some specific application without authorization.

With that application override approach, you can combine global and application settings for the purpose of specific setup for specific cases.

For example, you can set some random user and password for a global setting, and then create applications for specific users. This way you'll forbid publication from anyone except for the people which you want to explicitly give access to. In addition to that, you may provide different set of output protocols, i.e. someone premium users can have low latency output (Low Latency HLS and SLDP) while others will have just conventional HLS.

5. Publish control framework


Adding a user/password setting enables the ability to use a publish control framework. It allows the following:
  • Add publishing signature to authenticate publisher to make sure that your publisher is exactly the one you are expecting to produce the stream.
  • Use an external handler to verify a caller. The handler is your own web application which is able to control the initial connection process according to your business logic.
  • Control the streaming process. You can create a separate web app or a script which will request a server instance to check current streaming sessions against your rules and to make an immediate interruption of any on-going streams.
In case of SRT you add publication signature into streamid along with other parameters. Here is an example of publishing command:
ffmpeg -re -i video.mp4 -codec copy -f mpegts pipe:1 | ./srt-live-transmit -v file://con "srt://127.0.0.1:2020?streamid=/live/srtstream?publishsign=aWQ9SURfMSZzaWduPVQ3SzVlMkMySlRxRExmSTdybVdibVE9PSZpcD0xMjcuMC4wLjE="
The publishsign parameter contains the signature required by this feature. You can read this overview article to get familiar with all publish control capabilities and read detailed setup description.

6. Troubleshooting with logs


We've made SRT PASSet feature as easy for you to analyse as possible.

Check logs. Nimble Streamer logs are very verbose for SRT PASSet use cases and they will include description of all errors which you may face. Read this article to see more details on server logs.

Log examples. If you have incorrect user and password authentication you will see the following message in logs
url auth failed, streamid=[live/stream?srtauth=wrong:password],ip=[127.0.0.1],client=1038565310
If you try to publish without user and password while your setting have then on global or application level you will see something like this:
url auth failed, streamid=[live/stream],ip=[127.0.0.1],client=1038565318
So please check server logs in case of problems. If you still have questions, please feel free to contact our helpdesk.


Further reading


Use a custom rules file. You can define rules to apply SRT parameters and setup authorization on each individual user and stream as well as define deny and allow lists of IP addresses. This functionality is described in this separate article.


June 22, 2020

SRT Publisher Assistance Security Set

SRT is the protocol which many professionals consider as a replacement for RTMP for content delivery among encoders, decoders, origin and edge servers. SRT has a tremendous set of features which make it great for reliable streaming, and we see comprehensive adoption of SRT among our customers for those use cases.

Softvelum was an early adopter of SRT with Nimble Streamer and most of SRT-related features were implemented within the first year after Haivision opened the spec and the SRT library source code. The feature set covered all transmission modes and protocol parameters which allowed our customers to try the technology and start transitioning to SRT easily.


However the technology evolved and Haivision as the leader of SRT Alliance followed the feedback to add features like "streamid" parameter and other improvements which made SRT the replacement to RTMP for publication use cases.

Filling the gap in Nimble Streamer


As our customers adopted the technology, they continuously gave a lot of great feedback, especially from use cases where they got user-generated content into their delivery networks. They compared Nimble Streamer RTMP implementation for securing and managing the publication process, and asked for the same extended support for SRT.

Main concerns were related to a few key areas. First one was to support for "streamid" parameter and give abstract layers of "application name" and "stream name" to perform processing of multiple streams on the same host and port. Second one was to give user name and password for each application and stream to have more authentication options. Advanced users wanted to be able to apply publish control framework to SRT like they did for RTMP and RTSP, which would allow controlling publishers all along the streaming process. So our team wanted to solve these problems by utilizing the latest features of SRT to fill the gap in our functionality.

Softvelum now has a premium SRT Publisher Assistance Security Set - or SRT PASSet - to cover those concerns.

Here are key capabilities of SRT PASSet which are applied when Nimble Streamer works as a receiver of SRT in Listen mode:
  1. Accept streamid parameter.
  2. Make per-serverper-application and per-stream authentication with user and password.
  3. Apply any SRT parameters to each individual stream and even individual publisher.
  4. Apply allow and deny lists for IP addresses on server and stream level.
  5. Manage published streams via publish control framework.
Let's have a bird-eye view on how these features work. Detailed technical articles will be published shortly.

Per-server and per-application SRT authentication via user and password


With SRT PASSet enabled, Nimble Streamer allows setting server-wide and per-application processing settings. This was available for RTMP and RTSP, now you can go to WMSPanel and define all that for SRT published streams too. You can define:
  • authentication details - user and password;
  • output protocols set and their details like HLS chunk size.
This combination of server and application levels gives wide capabilities for providing proper security levels for your publishers and create various service levels.


Publish control framework for SRT


With per-app settings in place you can get tighter control over the publication process using publish control framework. It's a functionality to authorize and control a publisher using custom business logic. It has several levels of control capabilities.

A. Add publishing signature to authenticate publisher. It allows making sure that your publisher is exactly the one you are expecting to produce the stream.

B. Use an external handler to verify a caller. The handler is your own web application which is able to control the initial connection process according to your business logic.

C. Control the streaming process. You can create a separate web app or a script which will request a server instance to check current streaming sessions against your rules and to make an immediate interruption of any on-going streams.

Read overview of Publish control framework
 to learn more about this feature set and setup details article showing the process step by step.

Those levels of authentication and control provide a flexible framework itself, however you can go even further.

Your rules: Per-stream per-user and global SRT parameters


Besides providing the authentication and control functionality similar to RTMP, we also developed separate SRT-specific mechanics which would cover SRT-related use cases. A separate file with rules definition is placed on the server where the Nimble Streamer instance is running. Here are the key features.

Global server-level allow and deny lists of publishers' IP addresses with IPv4 and IPv6 supported.

Stream-level settings can be used to define parameters for each individual stream:
  • Allow and deny lists for publishers' IPs for each stream and per-server.
  • Per-user settings. If callers specify user name or user ID, then each user can be associated with any available SRT parameters, such as passphrase, pbkeylen, latency, maxbw and any other.
  • SRT Listener socket parameters can be combined with per-user parameters. E.g. you can define socket-level default latency and then re-define it for individual users.
Rules control can also be automated so you could update them according to your business logic.


Premium flexibility


The features which you saw above give true flexibility for handling SRT publishers. If you manage or build a streaming infrastructure relying on SRT-based delivery, they are must-have for your use cases. 

All the above SRT PASSet functionality is delivered as part of Nimble Addenda premium package which provides a number of extra capabilities which you may find interesting.

More articles with setup details and usage examples are coming soon.

Stay tuned for updates and follow us in TwitterFacebook, LinkedIn, YouTube and Telegram to get further updates.