June 24, 2020

Setting SRT user and password authentication with SRT PASSet

SRT Publisher Assistance Security Set - or SRT PASSet - is a premium feature set of Nimble Streamer which allows extending authentication and control capabilities for SRT input.

The key capabilities of SRT PASSet are as follows:
  1. Accept streamid parameter.
  2. Make per-server, per-application and per-stream authentication with user and password.
  3. Apply any SRT parameters to each individual stream and even individual publisher.
  4. Apply allow and deny lists for IP addresses on server and stream level.
  5. Manage published streams via publish control framework.

Receiver in Listen mode. These features are applied when Nimble Streamer works as a receiver of SRT in Listen mode. Other receiving modes such as Pull and Rendezvous do not support the PASSet feature set.

This article describes the following capabilities setup:
  • Accepting "streamid" parameter in "<application>/<stream>" format.
  • Setting server-wide user and password authentication.
  • Setting per-application user and password authentication.
  • Publish control framework signature.

Other capabilities will be described in related articles, see "Further reading" section below.

Let's see how the feature is enabled and used.

Note that this article assumes that you have a WMSPanel account, that a Nimble Streamer instance is registered in that account, and that the instance is capable of receiving SRT streams via a designated port.

1. Activate Nimble Addenda


SRT PASSet is available as part of Nimble Addenda premium package and it requires a license to operate and a subscription to cover that license. That license also enables a number of other features like DRM and SSAI.

So if you don't have Addenda license yet, follow these steps:
  1. Go to Settings menu and open Addenda licenses tab
  2. Click on New Addenda subscription and select number of licenses, then click Next and once you see final cost, click on Pay now button.
  3. Follow the payment procedure and once you complete it, you’ll see your active licenses.
  4. Click on the license to see the registration procedure.
  5. Log into the server which has Nimble Streamer installed and which you will use as your host.
  6. Use the registration procedure to make it work.
That's it. Now all features described below will become available.

2. Set up SRT listener


In your WMSPanel account, click on Nimble Streamer -> Live Streams Settings menu and open MPEG-TS In tab.


Here you need to click on Add SRT stream button to see the following dialog.
Make the following setup:
  1. Set Receive mode to Listen. This feature doesn't work for other modes.
  2. Define Local IP and port. By default we recommend using 0.0.0.0 IP address.
  3. Alias is the name of this setting, used to refer to it in other setup areas.
  4. Add "nimble-srt-password-path" custom parameter and set it to "none". This parameter is required to enable this feature.
  5. Also, un-check Add outgoing stream checkbox.
Save this setting and it will be synced to the Nimble Streamer instance within a few seconds.

Custom SRT parameters. You may also set any other SRT parameters you need; they will be applied to all incoming streams processed under the settings described below. For example, passphrase will encrypt all connections regardless of the users and passwords which you define below.
If you need to set different passphrases or other parameters for different users separately, then you need to use a different part of the PASSet feature set which is described in this article.

The "streamid" is the parameter which we use for defining the publication business logic as described below.

3. Publish without authentication


Now that the Listener setup is ready, you can start publishing from your sender side using the streamid parameter. The streamid value must have the "<application name>/<stream name>" format, similar to RTMP and RTSP naming. To demonstrate sender behavior, we'll use the srt-live-transmit tool with input from ffmpeg.

Here is an example of publication command:
ffmpeg -re -i video.mp4 -codec copy -f mpegts pipe:1 | ./srt-live-transmit -v file://con "srt://127.0.0.1:2020?streamid=live/stream"
The output will be generated just like you normally see it with RTMP and RTSP. Here "live" is the application name and "stream" is the stream name. In our example the stream comes from localhost, so for HLS this will generate the output stream with this URL:
http://localhost:8080/live/stream/playlist.m3u8
Each application may have any number of separate streams, just like you have with RTMP or RTSP. So your first contributor may publish with streamid=live/stream1 and the second one may use streamid=live/stream2, that will generate two separate output streams: http://localhost:8080/live/stream1/playlist.m3u8 and http://localhost:8080/live/stream2/playlist.m3u8.

Now let's see how you can set up user authentication.

4. Server and per-application settings


4.1 Setting input authentication


Now switch to Global tab. Here you can set up settings which are applied on a server level.
You can see Push login and Push password fields where you can define user and password for publication.

You can also define what protocols will be produced for output streams, along with HLS and MPEG-DASH parameters.

If you'd like to set up specific settings for specific applications, go to the Applications tab.


Click on Add application settings button to see the following dialog.
All parameters are the same as you saw in the Global tab, except that it also has an Application name field. It must match the application-name part of the "streamid" parameter.

Once you click on Save, the settings will be applied to the designated server in a few seconds.
Global settings publishing example

Here is an example of SRT publishing using a global server setting.
ffmpeg -re -i video.mp4 -codec copy -f mpegts pipe:1 | ./srt-live-transmit -v file://con "srt://127.0.0.1:2020?streamid=live/stream?srtauth=global_user:pass"
You can see the streamid parameter set to live/stream?srtauth=global_user:pass where "live" is the application name, "stream" is the stream name and "srtauth" carries the user and password which we defined earlier in the Global tab.

The output will be generated just like you saw in section 3, e.g. for HLS this will be http://localhost:8080/live/stream/playlist.m3u8.

Application settings publish example

The same applies to a specific app name. Here's an example of SRT publication to the srt_stream application:
ffmpeg -re -i video.mp4 -codec copy -f mpegts pipe:1 | ./srt-live-transmit -v file://con "srt://127.0.0.1:2020?streamid=srt_stream/input?srtauth=user2:pass"
You can see the streamid parameter containing the srt_stream application with the input stream, published by the "user2" user with the respective password. The resulting stream will have the corresponding app and stream name; here's the example of the MPEG-DASH stream:
http://localhost:8080/srt_stream/input/manifest.mpd

Each application may have any number of separate streams, just like it was described in section 3.

4.2 Combining global and application settings


Each individual application setting overrides global settings. So if you globally define a full set of protocols and then create an application setting with just one particular protocol and separate user and password then this application will produce only that specific protocol when it gets an SRT stream published into that application.

The only exception is the user and password pair. If an application has an empty user or password, then the global user and password will be used. This way you cannot set up a global user and password and leave some specific application without authorization.

With that application override approach, you can combine global and application settings for the purpose of specific setup for specific cases.

For example, you can set some random user and password for the global setting, and then create applications for specific users. This way you'll forbid publication from anyone except the people to whom you explicitly want to give access. In addition to that, you may provide different sets of output protocols, e.g. some premium users can have low latency output (Low Latency HLS and SLDP) while others will have just conventional HLS.
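The resolution rules from sections 3 and 4 are compact enough to model in a few lines. The following Python is an added example, not Nimble Streamer's own code: it parses a streamid of the "<application>/<stream>?srtauth=<user>:<password>" form, lets an application setting override the global one, and falls back to the global user and password when the application leaves them empty. The names ServerConfig, AppSetting and authorize_publish are hypothetical, as is the assumption that several parameters inside streamid are separated by "&".

```python
# Added example (not Nimble Streamer's own code): a model of the streamid and
# credential-resolution rules from sections 3 and 4. ServerConfig, AppSetting
# and authorize_publish are hypothetical names; the "&"-separated parameter
# list inside streamid is an assumption.
import hmac
from dataclasses import dataclass, field


@dataclass
class AppSetting:
    """One 'Applications' tab entry: login/password plus output protocols."""
    login: str = ""
    password: str = ""
    protocols: tuple = ()


@dataclass
class ServerConfig:
    """The 'Global' tab plus per-application overrides."""
    global_login: str
    global_password: str
    global_protocols: tuple
    applications: dict = field(default_factory=dict)


def parse_streamid(streamid):
    """Split '<app>/<stream>?key=value&key=value' into (app, stream, params)."""
    path, _, query = streamid.partition("?")
    app, sep, stream = path.strip("/").partition("/")
    if not sep or not app or not stream or "/" in stream:
        raise ValueError("streamid must be <application>/<stream>")
    params = {}
    for pair in query.split("&"):
        if pair:
            key, _, value = pair.partition("=")
            params[key] = value
    return app, stream, params


def effective_credentials(cfg, app):
    """Application login/password override the global pair, except that an
    application with an empty login or password falls back to the global one,
    so no application can end up without authentication by accident."""
    setting = cfg.applications.get(app)
    if setting is None or not setting.login or not setting.password:
        return cfg.global_login, cfg.global_password
    return setting.login, setting.password


def effective_protocols(cfg, app):
    """Every other application-level setting simply replaces the global one."""
    setting = cfg.applications.get(app)
    return setting.protocols if setting is not None else cfg.global_protocols


def authorize_publish(cfg, streamid):
    """Return (accepted, reason, output_protocols) for one incoming SRT publish."""
    try:
        app, stream, params = parse_streamid(streamid)
    except ValueError as err:
        return False, str(err), ()
    login, password = effective_credentials(cfg, app)
    if login and password:
        # Credentials are required: compare both parts in constant time and
        # never echo the submitted password back in the reason string.
        user, _, secret = params.get("srtauth", "").partition(":")
        user_ok = hmac.compare_digest(user.encode(), login.encode())
        pass_ok = hmac.compare_digest(secret.encode(), password.encode())
        if not (user_ok and pass_ok):
            return False, f"url auth failed for {app}/{stream} (user={user!r})", ()
    return True, f"accepted {app}/{stream}", effective_protocols(cfg, app)


# Constructed configuration mirroring the article's examples.
EXAMPLE_CONFIG = ServerConfig(
    global_login="global_user", global_password="pass",
    global_protocols=("HLS", "MPEG-DASH"),
    applications={
        "srt_stream": AppSetting("user2", "pass", ("MPEG-DASH",)),
        # Empty credentials: protocols override, login/password fall back to global.
        "premium": AppSetting("", "", ("LL-HLS", "SLDP")),
    },
)

if __name__ == "__main__":
    for sid in ("live/stream?srtauth=global_user:pass",
                "srt_stream/input?srtauth=user2:pass",
                "srt_stream/input?srtauth=global_user:pass",
                "premium/feed?srtauth=global_user:pass",
                "live/stream"):
        print(sid, "->", authorize_publish(EXAMPLE_CONFIG, sid))
```

The third case shows the override: once srt_stream has its own user2/pass, the global pair is no longer accepted there, while the "premium" application with empty credentials still takes the global pair but serves its own protocol set.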

5. Publish control framework


Adding a user/password setting enables the publish control framework. It allows the following:
  • Add publishing signature to authenticate publisher to make sure that your publisher is exactly the one you are expecting to produce the stream.
  • Use an external handler to verify a caller. The handler is your own web application which is able to control the initial connection process according to your business logic.
  • Control the streaming process. You can create a separate web app or a script which will request a server instance to check current streaming sessions against your rules and to make an immediate interruption of any on-going streams.
In the case of SRT, you add the publication signature into streamid along with other parameters. Here is an example of a publishing command:
ffmpeg -re -i video.mp4 -codec copy -f mpegts pipe:1 | ./srt-live-transmit -v file://con "srt://127.0.0.1:2020?streamid=/live/srtstream?publishsign=aWQ9SURfMSZzaWduPVQ3SzVlMkMySlRxRExmSTdybVdibVE9PSZpcD0xMjcuMC4wLjE="
The publishsign parameter contains the signature required by this feature. You can read this overview article to get familiar with all publish control capabilities and read detailed setup description.

6. Troubleshooting with logs


We've made the SRT PASSet feature as easy to analyse as possible.

Check logs. Nimble Streamer logs are very verbose for SRT PASSet use cases and they include a description of all errors which you may face. Read this article to see more details on server logs.

Log examples. If the user and password authentication is incorrect, you will see the following message in the logs:
url auth failed, streamid=[live/stream?srtauth=wrong:password],ip=[127.0.0.1],client=1038565310
If you try to publish without a user and password while your settings require them on the global or application level, you will see something like this:
url auth failed, streamid=[live/stream],ip=[127.0.0.1],client=1038565318
So please check server logs in case of problems. If you still have questions, please feel free to contact our helpdesk.
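The two log lines above have a fixed shape, so they are easy to parse and watch. The following Python is an added example, not part of the article or of Nimble Streamer: it extracts streamid, IP and client id from "url auth failed" lines, tells a wrong-credentials failure from a missing-credentials one, and counts failures per source IP so repeated guessing against a listener stands out. Note that the log line itself carries the submitted srtauth value, password included, so the parser keeps only the login and the logs should be treated as sensitive. The sample log is constructed; only its first two lines are the article's own examples.

```python
# Added example (not part of the article or of Nimble Streamer): a parser for
# the "url auth failed" log lines shown above, with a per-IP failure count.
# SAMPLE_LOG is constructed; only its first two lines come from the article.
import re
from collections import Counter

AUTH_FAIL_RE = re.compile(
    r"url auth failed, streamid=\[(?P<streamid>[^\]]*)\],"
    r"ip=\[(?P<ip>[^\]]*)\],client=(?P<client>\d+)"
)


def parse_auth_failure(line):
    """Return a dict describing one failed SRT publish attempt, or None."""
    match = AUTH_FAIL_RE.search(line)
    if match is None:
        return None
    streamid = match.group("streamid")
    path, _, query = streamid.partition("?")
    app, _, stream = path.strip("/").partition("/")
    params = {}
    for pair in query.split("&"):
        if pair:
            key, _, value = pair.partition("=")
            params[key] = value
    if "srtauth" in params:
        kind = "wrong_credentials"
        # Keep only the login: the log line carries the submitted password in
        # clear text, and downstream reports should not repeat it.
        user = params["srtauth"].partition(":")[0]
    else:
        kind = "missing_credentials"
        user = ""
    return {"app": app, "stream": stream, "ip": match.group("ip"),
            "client": int(match.group("client")), "kind": kind, "user": user}


def summarize_auth_failures(lines, threshold=3):
    """Parse all lines; flag source IPs with at least `threshold` failures."""
    events = [e for e in (parse_auth_failure(line) for line in lines) if e]
    by_ip = Counter(e["ip"] for e in events)
    flagged = sorted(ip for ip, count in by_ip.items() if count >= threshold)
    return {"events": events, "by_ip": by_ip, "flagged": flagged}


SAMPLE_LOG = [
    "url auth failed, streamid=[live/stream?srtauth=wrong:password],ip=[127.0.0.1],client=1038565310",
    "url auth failed, streamid=[live/stream],ip=[127.0.0.1],client=1038565318",
    # constructed: three failures from one address against the same application
    "url auth failed, streamid=[live/stream?srtauth=user1:try1],ip=[203.0.113.7],client=1038565320",
    "url auth failed, streamid=[live/stream?srtauth=user1:try2],ip=[203.0.113.7],client=1038565321",
    "url auth failed, streamid=[live/stream],ip=[203.0.113.7],client=1038565322",
    "some unrelated log line that the parser must ignore",
]

if __name__ == "__main__":
    report = summarize_auth_failures(SAMPLE_LOG)
    for event in report["events"]:
        print(event)
    print("flagged IPs:", report["flagged"])
```

Run it against the real Nimble Streamer log file instead of SAMPLE_LOG and adjust the threshold to what is normal for your contributors; a burst of wrong_credentials events from one address for one application is the pattern worth an alert or an entry in the deny list described under "Further reading".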


Further reading


Use a custom rules file. You can define rules to apply SRT parameters and set up authorization for each individual user and stream, as well as define deny and allow lists of IP addresses. This functionality is described in this separate article.

