All pages
Powered by GitBook
1 of 3

Access Control

SignedPolicy

Overview

SignedPolicy is a module that limits the user's privileges and time. For example, operators can distribute RTMP URLs that can be accessed for 60 seconds to authorized users, and limit RTMP transmission to 1 hour. The provided URL will be destroyed after 60 seconds, and transmission will automatically stop after 1 hour. Users who are provided with a SignedPolicy URL cannot access resources other than the provided URL. This is because the SignedPolicy URL is authenticated.

SignedPolicy URL consists of the query string of the streaming URL with Policy and Signature as shown below. If SignedPolicy is enabled in the configuration of OvenMediaEngine, access to URLs with no signature or invalid signature is not allowed. Signature uses HMAC-SHA1 to authenticate all URLs except signature.

Policy

Policy is in json format and provides the following properties.

url_expire means the time the URL is valid, so if you connect before the URL expires, you can continue to use it, and sessions that have already been connected will not be deleted even if the time expires. However, stream_expire forcibly terminates the session when the time expires even if it is already playing.

Signature

The URL entered into HMAC to generate the Signature must include :port.

When creating a signature, you cannot omit the default port such as http port 80, https port 443, or rtmp port 1935. This is because when OvenMediaEngine creates a signature for checking the signature, it is created by putting the port value.

When using SignedPolicy with SRT providers, only use the streamid portion of the URL, e.g. srt://myserver:9999?streamid=srt://myserver:9999/app/stream?policy=abc123

Configuration

To enable SignedPolicy, you need to add the following <SignedPolicy> setting in Server.xml under <VirtualHost>.

Make SignedPolicy URL with a script

We provide a script that can easily generate SignedPolicy URL. The script can be found in the path below.

Here's how to use this script:

For example, you can use it like this:

Make SignedPolicy URL manually

Encoding policy

Base64URL Encoded {Policy}
eyJ1cmxfZXhwaXJlIjoxMzk5NzIxNTgxfQ

Policy encoded with Base64URL is added as a query string to the existing streaming URL. (The query string key is set in Server.xml.)

ws://192.168.0.100:3333/app/stream?policy=eyJ1cmxfZXhwaXJlIjoxMzk5NzIxNTgxfQ

Signature

Signature hashes the entire URL including the policy in HMAC (SHA-1) method, encodes it as Base64URL, and includes it in the query string.

URL input to signature generation
ws://192.168.0.100:3333/app/stream?policy=eyJ1cmxfZXhwaXJlIjoxMzk5NzIxNTgxfQ

Create a hash using the secret key (1kU^b6 in the example) and the URL above using HMAC-SHA1.

Base64URL encoded { HMAC-SHA1 <KEY : 1kU^b6> (URL) }
dvVdBpoxAeCPl94Kt5RoiqLI0YE

If you include it as a signature query string (query string key is set in Server.xml), the following SignedPolicy URL is finally generated.

URL with signature
ws://192.168.0.100/app/stream?policy=eyJ1cmxfZXhwaXJlIjoxMzk5NzIxNTgxfQ&signature=dvVdBpoxAeCPl94Kt5RoiqLI0YE

Usage examples

Applying SignedPolicy in OBS

Generate SignedPolicy URL with the script.

Separate the URL based on "app" as shown in the example below and enter all the parts under the stream in the Stream Key.

Loading...