Wowza Streaming Media Server Security Settings
Today, I want to share some security settings for the Wowza streaming media server. I have been using this software for a while, but I still feel that many problems exist. The biggest headache is anti-leech protection. As a powerful streaming media platform, Wowza can provide live video streaming in multiple formats, including the commonly used RTMP, RTSP, and HTTP streams as well as Flash f4m and Microsoft Smooth Streaming.
Here are some security measures for Wowza:
1. Change the default streaming media port
The Wowza default ports, including 80 and 554, are common, well-known ports. We recommend changing the default port so that it is not easily scanned.
vi WowzaMediaServer/conf/VHost.xml
- <!-- Separate multiple ports with commas -->
- <!-- 80: HTTP, RTMPT -->
- <!-- 554: RTSP -->
- <Port>10080</Port>
We recommend changing it to a high port number. Generally, ports above 10000 do not cause conflicts with other applications.
2. Add anti-leech settings for live streams
(1). User name and password-based authentication for RTMP and RTSP streaming
RTMP is a commonly used stream format on the streaming media platform. RTMP streams can be protected with user name and password authentication.
The ModuleRTMPAuthenticate module is used here. From Wowza Media Server 3.5.0 onward, the ModuleRTMPAuthenticate module is built into the server. If you are using an earlier version, you must download the MediaSecurity AddOn to obtain this module. Download and uncompress the package, copy the wms-plugin-security.jar file from the package's /lib folder to the /lib folder of the Wowza Media Server, and then restart the Wowza Media Server.
1. Open the [install-dir]/conf/[application]/Application.xml file, and add the following <Module> at the end of the <Modules> list:
- <Module>
- <Name>ModuleRTMPAuthenticate</Name>
- <Description>ModuleRTMPAuthenticate</Description>
- <Class>com.wowza.wms.security.ModuleRTMPAuthenticate</Class>
- </Module>
2. By default, the ModuleRTMPAuthenticate module uses the text file [install-dir]/conf/publish.password to store user names and passwords. Add a user name and password on a new line in the file to authenticate streaming. The following example shows how to add a user name and password.
- # Publish password file (format [username][space][password])
- # username password
- myuser mypassword
3. Configure a user name and password for each application:
Copy the [install-dir]/conf/publish.password file to [install-dir]/conf/[application]/publish.password.
Add the following property to <Properties> at the bottom of the [install-dir]/conf/[application]/Application.xml file.
- <Property>
- <Name>rtmpEncoderAuthenticateFile</Name>
- <Value>${com.wowza.wms.context.VHostConfigHome}/conf/${com.wowza.wms.context.Application}/publish.password</Value>
- </Property>
(2). Use server APIs to control access to HTTP stream playback requests
1. HTTP-based streaming media playback in Wowza Media Server includes Cupertino (iOS HLS), Microsoft Smooth Streaming (Silverlight), and San Jose (Flash HTTP):
- import com.wowza.wms.httpstreamer.model.IHTTPStreamerSession;
- import com.wowza.wms.module.*;
- import com.wowza.wms.application.*;
- public class ModuleAccessControlHTTPStreaming extends ModuleBase
- {
- public void onHTTPSessionCreate(IHTTPStreamerSession httpSession)
- {
- boolean isGood = true;
- String ipAddressClient = httpSession.getIpAddress();
- String ipAddressServer = httpSession.getServerIp();
- String queryStr = httpSession.getQueryStr();
- String referrer = httpSession.getReferrer();
- String cookieStr = httpSession.getCookieStr();
- String userAgent = httpSession.getUserAgent();
- IApplicationInstance appInstance = httpSession.getAppInstance();
- String streamName = httpSession.getStreamName();
- // Here you can use the request and session information above to determine
- // if you want to reject the connection
- // isGood = true/false;
- getLogger().info("ModuleAccessControlHTTPStreaming.onHTTPSessionCreate["+appInstance.getContextStr()+":"+streamName+"]: accept:"+isGood);
- if (!isGood)
- httpSession.rejectSession();
- }
- }
2. Use the Wowza IDE to compile the above code and add this module to the module list in the /conf/[app-name]/Application.xml file:
- <Module>
- <Name>ModuleAccessControlHTTPStreaming</Name>
- <Description>Access control for HTTP streams</Description>
- <Class>com.wowza.wms.example.module.ModuleAccessControlHTTPStreaming</Class>
- </Module>
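One way to fill in the "isGood" decision left open in the module above, as an added example (not code from the original page or from Wowza): a stand-alone check for a signed, expiring token in the query string. The query format, the class and method names, and the key are assumptions made for illustration.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.HashMap;
import java.util.Map;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;
// Added example: one possible decision for the "isGood" placeholder above.
// Assumed query format: expires=<epoch seconds>&token=<hex HMAC-SHA256>.
public class HttpStreamTokenCheck {
    // Hex HMAC-SHA256 over "<streamName>|<expires>"; the site that links to the stream computes the same value.
    static String sign(byte[] key, String streamName, long expires) throws Exception {
        Mac mac = Mac.getInstance("HmacSHA256");
        mac.init(new SecretKeySpec(key, "HmacSHA256"));
        StringBuilder hex = new StringBuilder();
        for (byte b : mac.doFinal((streamName + "|" + expires).getBytes(StandardCharsets.UTF_8)))
            hex.append(String.format("%02x", b));
        return hex.toString();
    }

    // True only for an unexpired request whose token was issued for this stream name.
    static boolean isGood(byte[] key, String streamName, String queryStr, long nowSeconds) {
        try {
            Map<String, String> q = new HashMap<>();
            for (String pair : (queryStr == null ? "" : queryStr).split("&")) {
                int eq = pair.indexOf('=');
                if (eq > 0) q.put(pair.substring(0, eq), pair.substring(eq + 1));
            }
            String token = q.get("token"), exp = q.get("expires");
            if (token == null || exp == null) return false;     // unsigned request
            long expires = Long.parseLong(exp);
            if (expires < nowSeconds) return false;              // link has expired
            byte[] expected = sign(key, streamName, expires).getBytes(StandardCharsets.UTF_8);
            // Constant-time comparison: does not reveal how many characters matched.
            return MessageDigest.isEqual(expected, token.getBytes(StandardCharsets.UTF_8));
        } catch (Exception e) {
            return false;                                        // malformed input: fail closed
        }
    }

    public static void main(String[] args) throws Exception {
        byte[] key = "constructed-demo-key".getBytes(StandardCharsets.UTF_8); // constructed sample key
        long now = 1_700_000_000L;                                            // constructed clock value
        String query = "expires=" + (now + 300) + "&token=" + sign(key, "live1", now + 300);
        System.out.println("valid link:     " + isGood(key, "live1", query, now));
        System.out.println("other stream:   " + isGood(key, "live2", query, now));
        System.out.println("after expiry:   " + isGood(key, "live1", query, now + 600));
        System.out.println("token stripped: " + isGood(key, "live1", "expires=" + (now + 300), now));
    }
}
```

Inside onHTTPSessionCreate, the streamName and queryStr values the module already reads would be passed to isGood together with the current time in seconds, and the existing rejectSession() call handles a false result.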
3. Disable unused live stream formats
Wowza can provide RTMP, RTSP, HTTP, and other streams, including Flash f4m and Microsoft Smooth Streaming. However, not all of them are needed in normal operation. We recommend enabling live stream formats only as needed. Generally, mobile live streaming must support the RTMP, RTSP, and HTTP Apple m3u8 formats. Flash f4m and Microsoft Smooth Streaming are likely to be used less, so you can consider turning them off. The specific settings are as follows:
Edit the [install-dir]/conf/[application]/Application.xml file.
Set the Streams/LiveStreamPacketizers property:
Remove the following two packetizers: "smoothstreamingpacketizer, sanjosestreamingpacketizer"
- <LiveStreamPacketizers>cupertinostreamingpacketizer</LiveStreamPacketizers>
Set the HTTPStreamers property:
Remove the following two streamers: "smoothstreaming, sanjosestreaming"
- <HTTPStreamers>cupertinostreaming</HTTPStreamers>
Of course, you can select the live stream encoding format as needed.
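To check that an application actually carries the settings from sections 2 (1) and 3, the following added example (not part of the original article or of Wowza) audits an Application.xml for the RTMP authentication module, the per-application password file property, and any HTTP formats beyond Cupertino. The class name, the sample XML, and the Cupertino-only policy are assumptions taken from the article's example values.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import java.util.ArrayList;
import java.util.List;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.w3c.dom.NodeList;

// Added example: audit an Application.xml against the settings described in this article.
// Assumption: only the Cupertino (HLS) packetizer and streamer are meant to stay enabled.
public class ApplicationXmlAudit {
    // Trimmed text of every element with the given tag name.
    static List<String> texts(Document doc, String tag) {
        List<String> out = new ArrayList<>();
        NodeList nodes = doc.getElementsByTagName(tag);
        for (int i = 0; i < nodes.getLength(); i++) out.add(nodes.item(i).getTextContent().trim());
        return out;
    }

    static List<String> audit(String xml) throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        // Disallow DOCTYPE so the audited file cannot pull in external entities.
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        Document doc = f.newDocumentBuilder().parse(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)));
        List<String> findings = new ArrayList<>();
        if (!texts(doc, "Class").contains("com.wowza.wms.security.ModuleRTMPAuthenticate"))
            findings.add("ModuleRTMPAuthenticate is not in <Modules>");
        if (!texts(doc, "Name").contains("rtmpEncoderAuthenticateFile"))
            findings.add("no per-application rtmpEncoderAuthenticateFile property");
        for (String tag : new String[] {"LiveStreamPacketizers", "HTTPStreamers"})
            for (String list : texts(doc, tag))
                for (String item : list.split(","))
                    if (!item.trim().isEmpty() && !item.trim().startsWith("cupertino"))
                        findings.add(tag + " still enables " + item.trim());
        return findings;
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample, reduced to the elements this article touches.
        String xml = "<Root><Application>"
            + "<Streams><LiveStreamPacketizers>cupertinostreamingpacketizer,smoothstreamingpacketizer</LiveStreamPacketizers></Streams>"
            + "<HTTPStreamers>cupertinostreaming</HTTPStreamers>"
            + "<Modules><Module><Name>ModuleAccessControlHTTPStreaming</Name><Class>com.wowza.wms.example.module.ModuleAccessControlHTTPStreaming</Class></Module></Modules>"
            + "<Properties></Properties>"
            + "</Application></Root>";
        for (String finding : audit(xml)) System.out.println(finding);
    }
}
```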
4. Keep the Wowza software updated to the latest version
Our company's streaming media platform uses the Wowza streaming media server. The version currently in use is 3.x (Wowza Media Server 3), and the latest official version is Wowza Streaming Engine 4.0.4. You may have noticed that the software name changed with the upgrade to 4.0: instead of keeping the Media Server title, it was renamed Streaming Engine. The official explanation is that it provides a powerful and intuitive web management interface, Wowza Streaming Engine Manager, and that major changes have been made to the software. As a general rule of software updates, a new version fixes known or unknown bugs, so you should upgrade to the latest version. However, there is a problem here. The originally purchased Wowza serial number cannot be applied directly to the new Wowza Streaming Engine. You need to cancel the original serial number first and obtain a new license serial number. In addition, the value-added applications purchased for version 3.x are not compatible with version 4.x, so updating carries a risk. Be careful when upgrading.