Secure your Nginx-RTMP Server

0

First of all, there are different options and methods available to secure your server. In this guide I will explain the “firewall” method by using the nginx.conf as well as a simple php script that checks the username and password you send on streaming. Other methods like htaccess, more complex php scripts or ways I cannot think of at the moment are also available. But now let us take a look at what we will need:

For Option A:

  • nginx

For Option B

  • nginx
  • PHP

And now let’s get started.

Option A:

The nginx server allows us to achieve this by simple code in location under server block. Here is examples to show you the available options:

In rtmp block put below code under your application.. notify method to use is GET.

 

Option B:

For our second option we need to grab the php binaries for windows and setup our nginx.conf file. This will allow us to use php files directly with nginx, alternatively you could also use your apache server or similar that has a working php implementation. With nginx we can configure it quite easily:

In the nginx.conf we have to add a php declaration to the http server part:


 

Check that the file locations are correct according to your nginx installation and then save the PHP script into your nginx\html folder as auth.php. If you use your apache server or similar, just make sure that the following path to the auth.php can be accessed by nginx. Next we need to make sure the script is being called as soon as someone tries to access our stream:


 

This example application first of all allows access for anyone to the publish and play directive, but in this case on_publish, so as soon as someone tries to start streaming to your server, the auth.php file is called. It will only allow access to users that enter the correct username and password (in this case they send it with their streamkey). If you remove the # also your possible viewers would have to send over the username and password before they would be allowed to watch your stream. In the current state, anyone is allowed to watch it. But this also gives us the option to setup a second auth.php with different settings for the viewers. So your viewers are not able to find out how to stream to your server.

 

A batch file with this line in it will sucessfully start a php server that listens on 127.0.0.1:9000 for requests (this IP-Address must fit to our earlier configured setting in the nginx http server part). If you are now wondering, how do I stream with OBS to the server now? Its actually pretty simple:

 

For the on_play directive you would have to change your jwplayer url for example:

 

Now you are ready to go. As mentioned earlier there are probably countless other options. But this should give you an idea and also a fast way for a quick security improvement.

 

Above method is working and tested by @Rohir Naik.

Leave A Reply