SignedPolicy is a module that limits the user's privileges and time. For example, operators can distribute RTMP URLs that can be accessed for 60 seconds to authorized users, and limit RTMP transmission to 1 hour. The provided URL will be destroyed after 60 seconds, and transmission will automatically stop after 1 hour. Users who are provided with a SingedPolicy URL cannot access resources other than the provided URL. This is because the SignedPolicy URL is authenticated.
SingedPolicy URL consists of the query string of the streaming URL with Policy and Signature as shown below. If SignedPolicy is enabled in the configuration of OvenMediaEngine, access to URLs with no signature or invalid signature is not allowed. Signature uses HMAC-SHA1 to authenticate all URLs except signature.
Policy is in json format and provides the following properties.
1
{
2
"url_activate":1399711581,
3
"url_expire":1399721581,
4
"stream_expire":1399821581,
5
"allow_ip":"192.168.100.5/32"
6
}
Copied!
Key
Value
Description
url_expire
(Required)
<Number> Milliseconds since unix epoch
The time the URL expires
Reject on request after the expiration
url_activate
(Optional)
<Number> Milliseconds since unix epoch
The time the URL activates
Reject on request before activation
stream_expire
(Optional)
<Number> Milliseconds since unix epoch
The time the Stream expires
Transmission and playback stop when the time expires
allow_ip
(Optional)
<String> IPv4 CIDR
Allowed IP address range, 192.168.0.0/24
url_expire means the time the URL is valid, so if you connect before the URL expires, you can continue to use it, and sessions that have already been connected will not be deleted even if the time expires. However, stream_expire forcibly terminates the session when the time expires even if it is already playing.
Signature
Signature is generated by HMAC-SHA1 encoding all URLs except signature query string. The generated Signature is encoded using Base64URL and included as a query string of the existing URL.
The URL entered into HMAC to generate the Signature must include :port.
When creating a signature, you cannot omit the default port such as http port 80, https port 443, or rtmp port 1935. This is because when OvenMediaEngine creates a signature for checking the signature, it is created by putting the port value.
When using SignedPolicy with SRT providers, only use the streamid portion of the URL, e.g. srt://myserver:9999?streamid=srt://myserver:9999/app/stream?policy=abc123
Configuration
To enable SignedPolicy, you need to add the following <SingedPolicy> setting in Server.xml under <VirtualHost>.
The query string key name in the URL pointing to the policy value
SignatureQueryKeyName
The query string key name in the URL pointing to the signature value
SecretKey
The secret key used when encoding with HMAC-SHA1
Enables
List of providers and publishers to enable SignedPolicy. Currently, SingedPolicy supports rtmp among providers, and among publishers, WebRTC, HLS, MPEG-DASH, and Low-Latency MPEG-DASH (LLDASH) are supported.
Make SignedPolicy URL with a script
We provide a script that can easily generate SingedPolicy URL. The script can be found in the path below.
We hope to provide SignedPolicy URL Generator Library in various languages. If you have created the SignedPolicy URL Generator Library in another language, please send a Pull Request to our GITHUB. Thank you for your open source contributions.
Encoding policy
In order to include the policy in the URL, it must be encoded with Base64URL.
Plain {Policy}
1
{"url_expire":1399721581}
Copied!
Base64URL Encoded {Policy}
1
eyJ1cmxfZXhwaXJlIjoxMzk5NzIxNTgxfQ
Copied!
Policy encoded with Base64URL is added as a query string to the existing streaming URL. (The query string key is set in Server.xml.)