Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
OvenMediaEngine provides Docker images from AirenSoft's Docker Hub (airensoft/ovenmediaengine) repository. You can easily use OvenMediaEngine server by using Docker image. See Getting Started with Docker for details.
OvenMediaEngine can work with a variety of open-sources and libraries. First, install them on your clean Linux machine as described below. We think that OME can support most Linux packages, but the tested platforms we use are Ubuntu 18+, Fedora 28+, Rocky Linux 9+, and AlmaLinux 9+.
If the prerequisites.sh script fails, try to run sudo apt-get update
and rerun it. If it's not enough proceed with the manual installation.
You can build the OvenMediaEngine source using the following command:
if systemctl start ovenmediaengine
fails in Fedora, SELinux may be the cause. See Check SELinux section of Troubleshooting.
The default configuration uses the following ports, so you need to open it in your firewall settings.
1935/TCP
RTMP Input
9999/UDP
SRT Input
4000/UDP
MPEG-2 TS Input
9000/TCP
Origin Server (OVT)
3333/TCP 3334/TLS
LLHLS Streaming * Streaming over Non-TLS is not allowed with modern browsers.
3333/TCP 3334/TLS
WebRTC Signaling (both ingest and streaming)
3478/TCP
WebRTC TCP relay (TURN Server, both ingest and streaming)
10000 - 10009/UDP
WebRTC Ice candidate (both ingest and streaming)
To use TLS, you must set up a certificate. See TLS Encryption for more information.
You can open firewall ports as in the following example:
OvenMediaEngine provides the Docker image from AirenSoft's Docker Hub (airensoft/ovenmediaengine) repository. After installing Docker, you can simply run the following command:
If a certificate is not installed in OvenMediaEngine, some functions (WebRTC Ingest, LLHLS playback) may not work due to the browser's security policy. Please refer to Complex Configuration section to install the certificate.
You can set the following environment variables.
OME_HOST_IP
*
OME_ORIGIN_PORT
9000
OME_RTMP_PROV_PORT
1935
OME_SRT_PROV_PORT
9999/udp
OME_MPEGTS_PROV_PORT
4000/udp
OME_LLHLS_STREAM_PORT
3333
OME_LLHLS_STREAM_TLS_PORT
3334
OME_WEBRTC_SIGNALLING_PORT
3333
OME_WEBRTC_SIGNALLING_TLS_PORT
3334
OME_WEBRTC_TCP_RELAY_PORT
3478
OME_WEBRTC_CANDIDATE_PORT
10000-10004/udp
When you need to install a certificate in OME or apply a complex configuration, you can do it by following the procedure below to modify Server.xml inside Docker.
OvenMediaEngine docker container loads configuration files from the following path.
Server.xml
/opt/ovenmediaengine/bin/origin_conf/Server.xml
Logger.xml
/opt/ovenmediaengine/bin/origin_conf/Logger.xml
Server Certificate
/opt/ovenmediaengine/bin/origin_conf/cert.crt
Server certificate file in PEM format. The intermediate certificate must not be included.
Private Key
/opt/ovenmediaengine/bin/origin_conf/cert.key
This is the private key file of the certificate.
CA Bundle
/opt/ovenmediaengine/bin/origin_conf/cert.ca-bundle
A file containing root and intermediate certificates.
There are many ways to change files inside a Docker container, but this document describes how to change them using Docker's bind mounts.
Copy your PEM certificate files to the path below if you need to enable TLS. The destination file names must match if using the default configuration. If you want to change the file name, you can do so by editing the Server.xml configuration file. See TLS Encryption for details.
The command below will make your OvenMediaEngine docker container run with $OME_DOCKER_HOME/conf/Server.xml and $OME_DOCKER_HOME/conf/Logger.xml files on your host. It will also create $OME_DOCKER_HOME/logs/ovenmediaengine.log file.
OvenMediaEngine supports multiple protocols for input from various live sources, without compromising basic usability. This allows you to publish a variety of live sources with sub-second latency. See the sub-page for more information.
OvenMediaEngine (OME) is a Sub-Second Latency Live Streaming Server with Large-Scale and High-Definition. With OME, you can create platforms/services/systems that transmit high-definition video to hundreds-thousand viewers with sub-second latency and be scalable, depending on the number of concurrent viewers.
OvenMediaEngine can receive a video/audio, video, or audio source from encoders and cameras such as OvenLiveKit, OBS, XSplit, and more, to WebRTC, SRT, RTMP, MPEG-2 TS, and RTSP as Input. Then, OME transmits this source using LLHLS (Low Latency HLS) and WebRTC as output. Also, we provide OvenPlayer, an Open-Source and JavaScript-based WebRTC/LLHLS Player for OvenMediaEngine.
Our goal is to make it easier for you to build a stable broadcasting/streaming service with sub-second latency.
Ingest
Push: WebRTC, WHIP, SRT, RTMP, MPEG-2 TS
Pull: RTSP
Scheduled Channel (Pre-recorded Live)
Multiplex Channel (Duplicate stream / Mux tracks)
Adaptive Bitrate Streaming (ABR) for HLS, LLHLS and WebRTC
Low-Latency Streaming using LLHLS
DVR (Live Rewind)
Dump for VoD
ID3v2 timed metadata
DRM (Widevine, Fairplay)
Sub-Second Latency Streaming using WebRTC
WebRTC over TCP (with embedded TURN server)
Embedded WebRTC Signaling Server (WebSocket based)
Retransmission with NACK
ULPFEC (Uneven Level Protection Forward Error Correction)
VP8, H.264
In-band FEC (Forward Error Correction)
Opus
HLS (version 3) Streaming support for legacy devices
MPEG-2 TS Container
Audio/Video Muxed
DVR (Live Rewind)
Embedded Live Transcoder
Video: VP8, H.264, H.265(Hardware encoder only), Pass-through
Audio: Opus, AAC, Pass-through
Clustering (Origin-Edge Structure)
Monitoring
Access Control
AdmissionWebhooks
SignedPolicy
File Recording
Push Publishing using SRT, RTMP and MPEG2-TS (Re-streaming)
Thumbnail
REST API
We have tested OvenMediaEngine on platforms, listed below. However, we think it can work with other Linux packages as well:
Ubuntu 18+
Rocky Linux 9+
AlmaLinux 9+
Fedora 28+
Please read Getting Started chapter in the tutorials.
Thank you so much for being so interested in OvenMediaEngine.
We need your help to keep and develop our open-source project, and we want to tell you that you can contribute in many ways. Please see our Guidelines, Rules, and Contribute.
We always hope that OvenMediaEngine will give you good inspiration.
Test Player
Without TLS: http://demo.ovenplayer.com
With TLS: https://demo.ovenplayer.com
OvenMediaEngine is licensed under the AGPL-3.0-only. However, if you need another license, please feel free to email us at contact@airensoft.com.
This page provides the fastest way to check playback of WebRTC and LLHLS using OvenMediaEngine. For installation and detailed settings, please refer to other pages.
Run docker with the command below. OME_HOST_IP
must be an IP address accessible by the player.
Publish your live stream to OvenMediaEngine using a live encoder like OBS.
The RTMP publishing address is :
Server rtmp://Your.Docker.Host.IP:1935/app
Stream Key stream
The settings below are recommended for ultra-low latency.
Keyframe Interval
1s (DO NOT set it to 0)
CPU Usage Preset
ultrafast
Profile
baseline
Tune
zerolatency
Open the installed OvenPlayer Demo page in your browser.
http://Your.Docker.Host.IP:8090/
Add ws://Your.Docker.Host.IP:3333/app/stream
to the Playback URL and click the ADD SOURCE and LOAD PLAYER button to play the live stream with WebRTC.
Add http://Your.Docker.Host.IP:3333/app/stream/llhls.m3u8
to the Playback URL and click the ADD SOURCE and LOAD PLAYER button to play the live stream with LLHLS.
Most browsers can't load resources via HTTP and WS (WebSocket) from HTTPS web pages secured with TLS. Therefore, if the player is on an HTTPS page, the player must request streaming through "https" and "wss" URLs secured with TLS. In this case, you must apply the TLS certificate to the OvenMediaEngine.
You can set the port for TLS in TLSPort
. Currently, LLHLS and WebRTC Signaling support TLS.
Add your certificate files to as follows:
To enable HTTP for HLS and WebRTC signaling servers, you must enable the TLS element and install the certificate file in PEM format. This involves indicating a server certificate through the CertPath
, as well as a private key file through the KeyPath
. These paths can be specified as either absolute or relative paths from the executable. However, if the server certificate was issued using an intermediate certificate, some browsers may raise concerns about the certificate's authenticity. To address this, a bundle of chained certificates provided by a Certificate Authority can be set in the ChainCertPath
.
We provide online demos of OvenPlayer(WebRTC/LLHLS Player) and OvenLiveKit(WebRTC Live Encoder) so that users can easily test out OvenMediaEngine.
To connect to your OvenMediaEngine in the online demo, you will need to install a certificate and use either the HTTPS or WSS protocol. Unsecured HTTP or WS protocols could not work in online demos due to browser security policies.
OvenSpace offers a fast and easy way to experience the powerful tools of OvenMediaEngine, OvenPlayer, and OvenLiveKit in action.
With OvenSpace, you can quickly and easily stream content with sub-second latency using WebRTC technology, or take advantage of Apple's LLHLS specification to deliver low-latency live streaming. The platform allows you to stream from various sources, including your webcam, microphone, screen, or an external live encoder that supports RTMP and SRT.
The OME Docker Launcher is a tool that simplifies the process of deploying and managing the OvenMediaEngine (OME) application using Docker containers. This tool can be used by developers and system administrators who want to quickly deploy and test the OME application in a Docker environment.
The OME Docker Launcher provides a set of commands that allow users to easily manage the OME Docker container. These commands include:
This command pulls the OME Docker image(airensoft/ovenmediaengine:latest
) from the Docker registry and copies the necessary configuration files to a specified location. This command needs to be run before starting the OME Docker container.
This command creates and starts the Docker container. Once the container is started, the OME application can be accessed through a web browser using the container's IP address.
This command launches a bash shell inside the running OME Docker container, allowing users to execute commands and interact with the container.
This command displays the status of the running OME Docker container, including information such as the container name, and running status.
This command stops the running OME Docker container.
This command stops and then starts the OME Docker container.
Using the OME Docker Launcher, you can easily set up and manage an OME Docker container, without having to manually configure and manage the Docker container. This can save time and effort, especially for users who are not familiar with Docker or who do not want to spend time manually setting up and configuring the OME application.
OME Docker Launcher has not been tested in various environments yet. Therefore, sharing any issues that occur while using it is always welcome.
Run the following command in your Linux shell.
Below is an example of execution:
OME Docker Launcher can be executed in the following format:
setup
The setup
command pulls the OME Docker image from the Docker registry and copies the necessary configuration files to the host's /usr/share/ovenmediaengine
directory. Additionally, it initializes the log path and crash dump path that will be mounted into the container when it is run.
This command prepares the host environment for running the OME Docker container and sets up the necessary directories and configurations for the container to run correctly.
If you run the "setup" command, the following files and directories will be created:
/usr/share/ovenmediaengine/conf
This directory contains the OME configuration files and is mounted into the container when it is run.
/usr/share/ovenmediaengine/logs
This directory is the log path for OME and is mounted into the container when it is run. Log files generated by OME will be stored in this directory.
/usr/share/ovenmediaengine/dumps
This directory is the crash dump path for OME and is mounted into the container when it is run. Crash dumps generated by OME will be stored in this directory.
If you want to change the configuration of OME, you can edit the /usr/share/ovenmediaengine/conf/Server.xml
file. This file contains the server configuration settings for OME, such as the server's IP address, port, and SSL settings. Once you have made changes to this file, you will need to restart the OME Docker container for the changes to take effect. You can do this by running the restart
command provided by the OME Docker Launcher.
To install a certificate in OvenMediaEngine, copy the certificate files to /usr/share/ovenmediaengine/conf with the following names:
If you want to change the file names, you can modify Server.xml.
start
Once the setup
phase is complete, you can use the start
command to run the OME Docker container. The start
command creates and starts the Docker container, enabling the OME application to receive stream packets using protocols such as RTMP and SRT. Before running the start
command, ensure that the necessary configuration files have been copied to the host's /usr/share/ovenmediaengine
directory by running the setup
command.
When running the OME Docker Launcher, you can specify the IP to be used as an ICE Candidate by using the OME_HOST_IP
environment variable. For instance, specifying the OME_HOST_IP
as shown below will propagate the ICE Candidate to that particular address.
The OME Docker Launcher automatically detects a list of port numbers specified in the Server.xml
file and passes them to the Docker -p
option. However, if you use the include
attribute inside the <Providers>
or <Publishers>
element, the launcher may not detect them correctly.
If you have declared the following environment variable in the shell where you run the OME Docker Launcher, this value will be used to bind the port and passed into the Docker container. This enables you to dynamically set configuration values using environment variables.
sh
The sh
command allows you to enter into the shell of the running container. You can use this command for troubleshooting purpose. Once you enter into the container's shell, you can execute any commands just like you do in a normal Linux shell. This allows you to inspect the container's internal state and debug any issues that you might be facing with the container or the application running inside it.
status
The status
command shows the current execution status of the container. If the container is running, it displays the ID and name of the container. This command helps you to verify whether the container is up and running or not. If the container is not running, you can use the start
command to start the container.
stop
The stop
command stops the running container and removes it from the list of Docker containers.
restart
The restart
command restarts the container. This is useful when you need to apply changes to the Server.xml
.
If you encounter any problems during the execution, try using the -d
option in the [OPTIONS]
to view detailed logs. This option shows the command sets and their results that are executed internally.
If OME terminates abnormally, providing the crash dump to the OME team can be helpful. The crash dump is stored in the /usr/share/ovenmediaengine/dumps
directory, which is created during the setup
phase. You can find the dump file named crash_<yyyymmdd>.dump
in this directory.
Sharing those log and dump file would be greatly appreciated and helpful for the development of OME.
Assuming the certificate settings are correctly configured, WebRTC streaming can then be played via the wss://url protocol, while LLHLS streaming can be accessed via .
OvenSpace is available online, so you can try it out for yourself at . You'll get a hands-on experience of how OvenMediaEngine, OvenPlayer, and OvenLiveKit work together seamlessly to deliver top-quality streaming, whether you're a developer looking to build a media service or someone who wants to experience sub-second or low-latency streaming firsthand.
OvenSpace is also available on as open source. It will be a good reference when developing media services using OvenMediaEngine, OvenPlayer and OvenLiveKit.
Site URL
Description
OvenPlayer demo (TLS not enabled)
OvenPlayer demo
OvenLiveKit (WebRTC Live Encoder) demo
Certificate
cert.crt
Private Key
cert.key
CA Bundle
cert.ca-bundle
From version 0.10.4, MPEG-2 TS input is supported. The supported codecs are H.264, AAC(ADTS). Supported codecs will continue to be added. And the current version only supports basic MPEG-2 TS with 188 bytes packet size. Since the information about the input stream is obtained using PAT and PMT, the client must send this table information as required.
To enable MPEG-2 TS, you must bind the ports fist and map the bound ports and streams.
To use multiple streams, it is necessary to bind multiple ports, so we provide a way to bind multiple ports as in the example below. You can use the dash to specify the port as a range, such as Start port-End port
, and multiple ports using commas.
First, name the stream and map the port bound above. The macro ${Port} is provided to map multiple streams at once. Check out the example below.
This is an example of publishing using FFMPEG.
Giving the -pes_payload_size 0 option to the AAC codec is very important for AV synchronization and low latency. If this option is not given, FFMPEG bundles several ADTSs and is transmitted at once, which may cause high latency and AV synchronization errors.
Starting from version OME v0.15.1, IPv6 is supported.
To use IPv6, you need to change the settings of the Server.xml
file as follows:
You can use /Server/IP
to support IPv6. In versions prior to v0.15.0, only one /Server/IP
setting could be specified, but in versions after v0.15.1, multiple settings can be specified. That is, if you add an /Server/IP
element for IPv6 to the existing configuration as follows, you can accept IPv6 requests from clients:
*
means 0.0.0.0
(INADDR_ANY
) in IPv4, and ::
means ::0
(in6addr_any
) in IPv6.
Of course, you can also specify a specific IP address of an interface instead of ::
.
OME listens to the 1935 port for RTMP as follows:
OME listens to the 1935 port for RTMP as follows:
OME listens to the 1935 port for RTMP as follows:
IceCandidates
(for WebRTC)When you specify IPv6 interface /Server/IP
, most Providers/Publishers will work with IPv6, but WebRTC will not. While the WebSocket server used as the WebRTC Signalling server works well with the above setting, but more setting is required for ICE Candidates that actually transmit/receive data.
To use IPv6 ICE Candidate, you need to add an IPv6 IceCandidate
to /Server/Bind/(Providers|Publishers)/WebRTC/IceCandidates
.
To support IPv6 in URL format settings, use [::]
instead of ::
The IceCandidate
settings for Providers and Publishers are the same.
By setting up as above, OME is ready to use ICE Candidates for IPv6 as well as IPv4. The ICE Candidate generated here can be viewed in the signaling step of the web browser.
<Origin>
Now you can set up the OME edge to look at an origin with an IPv6 IP address. To do this, you can set /Server/VirtualHosts/VirtualHost/Origins/Origin/Pass/Urls/Url
as follows:
This configuration creates a stream that refers an RTSP source provided on port 1234 of an origin which has an IPv6 address of 1:2:3:4:5:6:7:8
.
<AdmissionWebhooks>
You can also specify an IPv6 address for the server that AdmissionWebhooks
is using. To do this, set the value of /Server/VirtualHosts/VirtualHost/AdmissionWebhooks/ControlServerUrl
as follows:
The above configuration asks whether the client has the permission to publish or playback using http://[1:2:3:4:5:6:7:8]:7000/a/b/c
.
Secure Reliable Transport (or SRT in short) is an open source video transport protocol and technology stack that optimizes streaming performance across unpredictable networks with secure streams and easy firewall traversal, bringing the best quality live video over the worst networks. We consider SRT to be one of the great alternatives to RTMP, and OvenMediaEngine can receive video streaming over SRT. For more information on SRT, please visit the SRT Alliance website.
SRT uses the MPEG-TS format when transmitting live streams. This means that unlike RTMP, it can support many codecs. Currently, OvenMediaEngine supports H.264, H.265, and AAC codecs received by SRT.
Set the SRT listen port as follows:
SRT input can be turned on/off for each application. As follows Setting enables the SRT input function of the application.
There are various encoders that support SRT such as FFMPEG, OBS Studio, and srt-live-transmit. Please check the specifications of each encoder on how to transmit streams through SRT from the encoder. We describe an example using OBS Studio.
OvenMediaEngine classifies each stream using SRT's streamid. This means that unlike MEPG-TS/udp, OvenMediaEngine can receive multiple SRT streams through one port. For more information on streamid, see Haivision's official documentation.
Therefore, in order for the SRT encoder to transmit a stream to OvenMediaEngine, the following information must be included in the streamid as percent encoded.
streamid = percent_encoding("srt://{host}[:port]/{app name}/{stream name}[?query=value]")
The streamid contains the URL format, so it must be percent encoded****
OBS Studio 25.0 or later supports SRT. Please refer to the OBS official documentation for more information. Enter the address of OvenMediaEngine in OBS Studio's Server as follows: When using SRT in OBS, leave the Stream Key blank.
srt://{full domain or IP address}:port?streamid=srt%3A%2F%2F{full domain or IP address}[%3APort]%2F{App name}%2F{Stream name}&latency=2000000
The streamid
has to be the urlencoded address of the server name as specified in the ome server configuration plus the app name and the stream name, each separated by /
. The latency
configures the size of the server-side recive buffer and the time limit for SRT in nanoseconds. Typical value for latency are 150000 (150ms) for stremaing to a server in the local network, 600000 (600ms) for streaming to a server over the internet in the local region, and 2000000 (2 seconds) when stremaing over long distance.
For configuring a Blackmagic Web Presenter, ATEM Mini Pro or similar device to stream to OvenMediaEngine over SRT, choose the "Custom URL H264/H265" platform option with the following syntax:
The default streaming profiles work well, and there are more advanced configuration options available if you edit the streaming.xml settings file
You can configure SRT's socket options of the OvenMediaEngine server using <Options>
. This is particularly useful when setting the encryption for SRT, and you can specify a passphrase by configuring as follows:
For more information on SRT socket options, please refer to https://github.com/Haivision/srt/blob/master/docs/API/API-socket-options.md#list-of-options.
Providers
ingests streams that come from a media source. OvenMediaEngine supports RTMP protocol. You can set it in the configuration as follows:
When a live source inputs to the <Application>
, a stream is automatically created in the <Application>
. The created stream is passed to Encoder and Publisher.
If you set up a live stream using an RTMP-based encoder, you need to set the following in Server.xml
:
<BlockDuplicateStreamName>
is a policy for streams that are inputted as overlaps.
<BlockDuplicateStreamName>
works with the following rules:
To allow the duplicated stream name feature can cause several problems. When a new stream is an input the player may be disconnected. Most encoders have the ability to automatically reconnect when it is disconnected from the server. As a result, two encoders compete and disconnect each other, which can cause serious problems in playback.
If you want to publish the source stream, you need to set the following in the Encoder:
URL
RTMP://<OvenMediaEngine IP>[:<RTMP Listen Port>]/<App Name]>
Stream Key
Stream Name
If you use the default configuration, the <RTMP><ListenPort>
is 1935, which is the default port for RTMP. So it can be omitted. Also, since the Application named app
is created by default in the default configuration, you can enter app
in the [App Name]
. You can define a Stream Key and use it in the Encoder, and the Streaming URL will change according to the Stream Key.
Moreover, some encoders can include a stream key in the URL, and if you use these encoders, you need to set it as follows:
URL
RTMP://<OvenMediaEngine IP>[:<RTMP Listen Port>/<App Name>/<Stream Name>
If you are using the default configuration, press the URL button in the top right corner of OvenStreamEnoder, and enter the URL as shown below:
Also, <App name>
and <Stream name>
can be changed and used as desired in the configuration.
If you use the default configuration, set the OBS as follows:
You can set the Stream Key to any name you like at any time.
TranscodeWebhook allows OvenMediaEngine to use OutputProfiles from the Control Server's response instead of the OutputProfiles in the local configuration (Server.xml). OvenMediaEngine requests OutputProfiles from the Control Server when streams are created, enabling the specification of different profiles for each individual stream.
Enable (required) You can enable or disable TranscodeWebhook settings.
ControlServerUrl (required) It's the URL of the Control Server, and it supports both HTTP and HTTPS.
SecretKey (optional) This is the Secret Key used to pass authentication for the Control Server. To pass security authentication, an HMAC-SHA1 encrypted value of the HTTP Payload is added to the HTTP Header's X-OME-Signature. This Key is used for generating this value.
Timeout (optional, default: 1500) This is the Timeout value used when connecting to the Control Server.
UseLocalProfilesOnConnectionFailure(optional, default: true) This determines whether to use the OutputProfiles from Local settings in case of communication failure with the Control Server. If it's set to "false," a communication failure with the Control Server will result in a failure to create the Output stream.
UseLocalProfilesOnServerDisallow (optional, default: false) When the Control Server responds with a 200 OK, but "allowed" is set to "false," this policy is followed.
UseLocalProfilesOnErrorResponse (optional, default: false) When the Control Server responds with error status codes such as 400 Bad Request, 404 Not Found, 500 Internal Error, OvenMediaEngine follows this policy.
OvenMediaEngine sends requests to the Control Server in the following format.
The Control Server responds in the following format to specify OutputProfiles for the respective stream.
The "outputProfiles" in the JSON is identical to the configuration in Server.xml, and the format is as follows.
OvenMediaEngine supports GPU-based hardware decoding and encoding. Currently supported GPU acceleration devices are Intel's QuickSync and NVIDIA. This article explains how to install the drivers for OvenMediaEngine and set up the configuration to use your GPU.
Please refer to the link for how to build and run.
Intructions on running Docker
you must include the --gpus all option when running Docker
To use hardware acceleration, set the HardwareAcceleration option to true under OutputProfiles. If this option is enabled, a hardware codec is automatically used when creating a stream, and if it is unavailable due to insufficient hardware resources, it is replaced with a software codec.
The codecs available using hardware accelerators in OvenMediaEngine are as shown in the table below. Different GPUs support different codecs. If the hardware codec is not available, you should check if your GPU device supports the codec.
D : Decoding, E : Encoding
Now with Multiplex Channel, you can configure ABR by combining multiple input streams into one, or duplicate external streams and send them to other applications.
Multiplex Channel takes tracks from other local streams and organizes them into its own tracks. This will pull in tracks that have already been encoded, which can be useful if you want to change codecs or adjust the quality once again. And the Multiplex Channel is sent to the publisher, unconditionally bypassing the encoder.
To use this feature, enable Multiplex Provider in Server.xml.
Multiplex Channels are created through .mux files or API. MuxFilesDir is the path where the .mux files are located and can be set to an absolute system path or relative to the path where the Server.xml configuration is located.
The Multiplex Provider monitors the MuxFilesDir path, and when a mux file is created, it parses the file and creates a multiplex channel. When the mux file is modified, the channel is deleted and created again, and when the mux file is deleted, the channel is deleted.
mux files can be created or deleted while the system is running. This works dynamically. The mux file has the format below.
OutputStream
This is information about the stream to be newly created. It must be the same as the file name. <stream name>.mux
SourceStreams
Specifies the internal stream to be muxed. You can also load streams from other VHosts or applications in the format stream://<vhost name>/<app name>/<stream name>
. Because multiple streams are muxed into one stream, track names may be duplicated. Therefore, it is necessary to change the Track name for each SourceStream through <TrackMap>
. <SourceTrackName>
is either <OutputProfile><Encodes><Video><Name>
or <OutputProfile><Encodes><Audio><Name>
.
Playlist
The same format as <OutputProfile>
must be used, and the Playlist must be constructed using the newly mapped Track name in SourceStreams' TrackMap. The Playlist configured here exists only in this stream. The Playlist's FileName must be unique throughout the application.
MultiplexChannel can also be controlled via API. Please refer to the page below.
Scheduled Channel that allows you to create a live channel by scheduling pre-recorded files has been added to OvenMediaEngine. Other services or software call this Pre-recorded Live or File Live, but OvenMediaEngine plans to expand the function to organize live channels as a source, so we named it Scheduled Channel.
To use this feature, activate Schedule Provider as follows.
MediaRootDir
Root path where media files are located. If you specify a relative path, the directory where the config file is located is root.
ScheduleFileDir
Root path where the schedule file is located. If you specify a relative path, the directory where the config file is located is root.
Scheduled Channel creates/updates/deletes streams by creating/editing/deleting files with the .sch extension in the ScheduleFileDir path. Schedule files (.sch) use the following XML format. When a <Stream Name>.sch
file is created in ScheduleFileDir, OvenMediaEngine analyzes the file and creates a Schedule Channel with <Stream Name>
. If the contents of <Stream Name>.sch
are changed, the Schedule Channel is updated, and if the file is deleted, the stream is deleted.
Stream (required)
This is the stream information that the Channel needs to create.
Stream.Name (optional)
It's the stream's name. This is a reference value extracted from the file name for usage. It's recommended to set it same for consistency, although it's for reference purposes.
Stream.BypassTranscoder (optional, default: false)
Set to true if transcoding is not desired.
Stream.VideoTrack (optional, default: true)
Determines whether to use the video track. If VideoTrack is set to true and there's no video track in the Item, an error will occur.
Stream.AudioTrack (optional, default: true)
Determines whether to use the audio track. If AudioTrack is set to true and there's no audio track in the Item, an error will occur.
FallbackProgram (optional)
It is a program that switches automatically when there is no program scheduled at the current time or an error occurs in an item. If the program is updated at the current time or the item returns to normal, it will fail back to the original program. Both files and live can be used for items in FallbackProgram. However, it is recommended to use a stable file.
Program (optional)
Schedules a program. The name
is an optional reference value. If not set, a random name will be assigned. Set the start time in ISO8601 format in the scheduled
attribute. Decide whether to repeat the Items
when its playback ends.
Program.Item (optional)
Configures the media source to broadcast.
The url
points to the location of the media source. If it starts with file://
, it refers to a file within the MediaRootDir directory. If it starts with stream://
, it refers to another stream within the same OvenMediaEngine. stream:// has the following format: stream://vhost_name/app_name/stream_name
For 'file' cases, the start
attribute can be set in milliseconds to indicate where in the file playback should start.
duration
indicates the playback time of that item in milliseconds. After the duration ends, it moves to the next item.
Both 'start' and 'duration' are optional. If not set, start
defaults to 0, and duration
defaults to the file's duration; if not specified, the media file will be played until its full duration.
This function is a scheduling channel, but it can be used for applications such as creating a permanent stream as follows.
This channel normally plays default/app/input
, but when live input is stopped, it plays the file in FallbackProgram. This will last forever until the .sch file is deleted. One trick was to set the origin program's schedule time to year 2000 so that this stream would play unconditionally.
You may experience some buffering when going from file to live. This is unavoidable due to the nature of the function and low latency. If this is inconvenient, buffering issues can disappear if you add a little delay in advance by setting PartHoldBack in LLHLS to 5 or more. It is a choice between delay and buffering.
ScheduledChannel can also be controlled via API. Please refer to the page below.
User can send video/audio from web browser to OvenMediaEngine via WebRTC without plug-in. Of course, you can use any encoder that supports WebRTC transmission as well as a browser.
You can set the port to use for signaling in <Bind><Provider><WebRTC><Signaling>
. <Port>
is for setting an unsecured HTTP port, and <TLSPort>
is for setting a secured HTTP port that is encrypted with TLS.
For WebRTC ingest, you must set the ICE candidates of the OvenMediaEnigne server to <IceCandidates>
. The candidates set in <IceCandate>
are delivered to the WebRTC peer, and the peer requests communication with this candidate. Therefore, you must set the IP that the peer can access. If the IP is specified as *, OvenMediaEngine gathers all IPs of the server and delivers them to the peer.
WebRTC input can be turned on/off for each application. As follows Setting enables the WebRTC input function of the application. The <CrossDomains>
setting is used in WebRTC signaling.
OvenMediaEnigne supports self-defined signaling protocol and WHIP for WebRTC ingest.
The signaling URL for WebRTC ingest uses the query string ?direction=send
as follows to distinguish it from the url for WebRTC playback. Since the self-defined WebRTC signaling protocol is based on WebSocket, you must specify ws[s] as the scheme.
ws[s]://<host>[:signaling port]/<app name>/<stream name>?direction=send
For ingest from the WHIP client, put ?direction=whip
in the query string in the signaling URL as in the example below. Since WHIP is based on HTTP, you must specify http[s] as the scheme.
http[s]://<host>[:signaling port]/<app name>/<stream name>?direction=whip
ws[s]://<host>[:port]/<app name>/<stream name>?direction=send&transport=tcp
http[s]://<host>[:port]/<app name>/<stream name>?direction=whip&transport=tcp
To use WebRTC/tcp, <TcpRelay>
must be turned on in <Bind>
setting.
If <TcpForce>
is set to true, it works over TCP even if you omit the ?transport=tcp
query string from the URL.
We provide a demo page so you can easily test your WebRTC input. You can access the demo page at the URL below.
If you are using an NVIDIA graphics card, please refer to the following guide to install the driver. The OS that supports installation with the provided script are CentOS 7/8 and Ubuntu 18/20 versions. If you want to install the driver in another OS, please refer to the manual installation guide document.
CentOS environment requires the process of uninstalling the nouveau driver. After uninstalling the driver, the first reboot is required, and a new NVIDIA driver must be installed and rebooted. Therefore, two install scripts must be executed.
How to check driver installation
After the driver installation is complete, check whether the driver is operating normally with the nvidia-smi command.
If you have finished installing the driver to use the GPU, you need to reinstall the open source library using Prerequisites.sh . The purpose is to allow external libraries to use the installed graphics driver.
Please refer to the NVIDIA Driver installation guide written previously.
To use GPU acceleration in Docker, you need to install NVIDIA drivers on your host OS and install the NVIDIA Container Toolkit. This toolkit includes container runtime libraries and utilities for using NVIDIA GPUs in Docker containers.
A Docker Image build script that supports NVIDIA GPU is provided separately. Please refer to the previous guide for how to build
If you are using an Intel CPU that supports QuickSync, please refer to the following guide to install the driver. The OSes that support installation using the provided scripts are CentOS 7/8 and Ubuntu 18/20 versions. If you want to install the driver on a different OS, please refer to the Manual Installation Guide document.
When the Intel QuickSync driver installation is complete, the OS must be rebooted for normal operation.
How to check driver installation
After the driver installation is complete, check whether the driver operates normally with the Matrix Monitor program.
If you have finished installing the driver to use the GPU, you need to reinstall the open source library using Prerequisites.sh . The purpose is to allow external libraries to use the installed graphics driver.
Please refer to the Netint documentation to install XCODER.
How to check driver installation
After the driver installation is complete, check if the libxcoder exist: the CLI must return something like libxcoder_logan.so (libc6,x86-64) => /usr/local/lib/libxcoder_logan.so
If you have finished installing the driver to use the VPU, you need to reinstall the open source library using Prerequisites.sh . The purpose is to allow external libraries to use the installed graphics driver. You also have to unzip the ffmpeg patch provide by netint in a specfic path
Quick Sync Video Format :
NVIDIA NVDEC Video Format :
NVIDIA NVENV Video Format :
CUDA Toolkit Installation Guide :
NVIDIA Container Toolkit :
Quick Sync Video format support:
OvenMediaEngine supports self-defined signaling protocol and for WebRTC ingest.
<TcpRelay>
means OvenMediaEngine's built-in TURN Server. When this is enabled, the address of this turn server is passed to the peer via self-defined signaling protocol or WHIP, and the peer communicates with this turn server over TCP. This allows OvenMediaEngine to support WebRTC/TCP itself. For more information on URL settings, check out .
WebRTC transmission is sensitive to packet loss because it affects all players who access the stream. Therefore, it is recommended to provide WebRTC transmission over TCP. OvenMediaEngine has a built-in TURN server for WebRTC/TCP, and receives or transmits streams using the TCP session that the player's TURN client connects to the TURN server as it is. To use WebRTC/TCP, use transport=tcp query string as in WebRTC playback. See for more information.
The getUserMedia API to access the local device only works in a . So, the WebRTC Input demo page can only work on the https site **** . This means that due to you have to install the certificate in OvenMediaEngine and use the signaling URL as wss to test this. If you can't install the certificate in OvenMediaEngine, you can temporarily test it by allowing the insecure content of the demo.ovenplayer.com URL in your browser.
To create a custom WebRTC Producer, you need to implement OvenMediaEngine's Self-defined Signaling Protocol or WHIP. Self-defined protocol is structured in a simple format and uses the.
When the player connects to ws[s]://host:port/app/stream?direction=send through a web socket and sends a request offer command, the server responds to the offer sdp. If transport=tcp exists in the query string of the URL, information is included in offer sdp, which contains the information of OvenMediaEngine's built-in TURN server, so you need to set this in RTCPeerConnection to use WebRTC/TCP. The player then setsRemoteDescription and addIceCandidate offer sdp, generates an answer sdp, and responds to the server.
true
Default
Rejects the new stream inputted as overlap and maintains the existing stream.
false
Accepts a new stream inputted as overlap and disconnects the existing stream.
QuickSync
D / E
D / E
-
-
NVIDIA
D / E
D / E
-
-
Docker on NVIDIA Container Toolkit
D / E
D / E
-
-
OvenMediaEngine can pull RTSP Stream in two ways. The first way is to use the Stream creation API, and the second way is to use OriginMap or OriginMapStore. The supported codecs are H.264, AAC(ADTS). Supported codecs will continue to be added.
You can create a stream by pulling an RTSP stream using the Stream Creation API. For more information on using the REST API, check out that chapter.
If OriginMapStore is configured and Redis Server provides an rtsp URL, OvenMediaEngine pulls the RTSP URL when a playback request comes in. Check out OriginMapStore for more details.
RTSP Pull is provided through OriginMap configuration. OriginMap is the rule that the Edge server pulls the stream of the Origin server. Edge server can pull a stream of origin with RTSP and OVT (protocol defined by OvenMediaEngine for Origin-Edge) protocol. See the Clustering section for more information about OVT.
For example, in the above setup, when a player requests "ws://ome.com/app_name/rtsp_stream_name" to stream WebRTC, it pulls the stream from "rtsp://192.168.0.200:554" and publishes it to WebRTC.
If the app name set in Location isn't created, OvenMediaEngine creates the app with default settings. The default generated app doesn't have an OPUS encoding profile, so to use WebRTC streaming, you need to add the app to your configuration.
Pulling type providers are activated by streaming requests from publishers. And by default, the provider is automatically disabled after 30 seconds of no client playback. If you want to change this setting, check out the Clustering chapter.
When a playback request comes in from the following URL, RTSP pull starts working according to Origins settings.
Protocol
URL
WebRTC
ws[s]:://host.com[:port]/app_name/rtsp_stream_name
LLHLS
http[s]://host.com[:port]/app_name/rtsp_stream_name/llhls.m3u8
OvenMediaEngine has an XML configuration file. If you start OvenMediaEngine with systemctl start ovenmediaengine
, the config file is loaded from the following path.
If you run it directly from the command line, it loads the configuration file from:
If you run it in Docker container, the path to the configuration file is:
The Server
is the root element of the configuration file. The version
attribute indicates the version of the configuration file. OvenMediaEngine uses this version information to check if the config file is a compatible version.
The IP address
is OvenMediaEngine will bind to. If you set *, all IP addresses of the system are used. If you enter a specific IP, the Host uses that IP only.
PrivacyProtection is an option to comply with GDPR, PIPEDA, CCPA, LGPD, etc. by deleting the client's personal information (IP, Port) from all records. When this option is turned on, the client's IP and Port are converted to xxx.xxx.xxx.xxx:xxx
in all logs and REST APIs.
OvenMediaEngine needs to know its public IP in order to connect to the player through WebRTC. The server must inform the player of the IceCandidates and TURN server addresses when signaling, and this information must be the IP the player can connect to. However, in environments such as Docker or AWS, public IP cannot be obtained through a local interface, so a method of obtaining public IP using stun server is provided (available from version 0.11.1).
If OvenMediaEngine obtains the public IP through communication with the set stun server, you can set the public IP by using * or ${PublicIP} in IceCandidate and TcpRelay.
The Bind
is the configuration for the server port that will be used. Bind consists of Providers
and Publishers
. The Providers are the server for stream input, and the Publishers are the server for streaming.
The meaning of each element is shown in the following table:
<Managers><API>
REST API Server port
RTMP
RTMP port for incoming RTMP stream.
SRT
SRT port for incoming SRT stream
MPEG-TS
MPEGTS ports for incoming MPEGTS/UDP stream.
WebRTC
OVT
OVT port for an origin server.
LLHLS
HTTP(s) port for LLHLS streaming.
VirtualHosts
are a way to run more than one streaming server on a single machine. OvenMediaEngine supports IP-based virtual host and Domain-based virtual host. "IP-based" means that you can separate streaming servers into multiples by setting different IP addresses, and "Domain-based" means that even if the streaming servers use the same IP address, you can split the streaming servers into multiples by setting different domain names.
VirtualHosts
consist of Name
, Host
, Origins
, SignedPolicy
, and Applications
.
The Domain has Names
and TLS. Names can be either a domain address or an IP address. Setting * means it allows all domains and IP addresses.
SignedPolicy is a module that limits the user's privileges and time. For example, operators can distribute RTMP URLs that can be accessed for 60 seconds to authorized users, and limit RTMP transmission to 1 hour. The provided URL will be destroyed after 60 seconds, and transmission will automatically stop after 1 hour. Users who are provided with a SingedPolicy URL cannot access resources other than the provided URL. This is because the SignedPolicy URL is authenticated. See the SignedPolicy chapter for more information.
Origins (also we called OriginMap) are a feature to pull streams from external servers. It now supports OVT and RTSP for the pulling protocols. OVT is a protocol defined by OvenMediaEngine for Origin-Edge communication. It allows OvenMediaEngine to relay a stream from other OvenMediaEngines that have OVP Publisher turned on. Using RTSP, OvenMediaEngine pulls a stream from an RTSP server and creates a stream. RTSP stream from external servers can stream by WebRTC, HLS, and MPEG-DASH.
The Origin has Location
and Pass
elements. Location is a URI pattern for incoming requests. If the incoming URL request matches Location, OvenMediaEngine pulls the stream according to a Pass element. In the Pass element, you can set the origin stream's protocol and URLs.
To run the Edge server, Origin creates application and stream if there isn't those when user request. For more learn about Origin-Edge, see the Live Source chapter.
<Application>
consists of various elements that can define the operation of the stream, including Stream input, Encoding, and Stream output. In other words, you can create as many <Application>
as you like and build various streaming environments.
<Application>
needs to set <Name>
and <Type>
as follows:
<Name>
is used to configure the Streaming URL.
<Type>
defines the operation of <Application>
. Currently, there is only a live
type.
<OutputProfile>
is a configuration that creates an output stream. Output stream name can be set with <OutputStreamName>
, and transcoding properties can be set through <Encodes>
. If you want to stream one input to multiple output streams, you can set multiple <OutputProfile>
.
For more information about the OutputProfiles, please see the Transcoding chapter.
Providers
ingest streams that come from a media source.
If you want to get more information about the <Providers>
, please refer to the Live Source chapter.
You can configure the Output Stream operation in <Publishers>
. <ThreadCount>
is the number of threads used by each component responsible for the <Publishers>
protocol.
You need many threads to transmit streams to a large number of users at the same time. So it's better to use a higher core CPU and set <ThreadCount>
equal to the number of CPU cores.
OvenMediaEngine currently supports WebRTC, Low-Latency DASH, MEPG-DASH, and HLS. If you don't want to use any protocol then you can delete that protocol setting, the component for that protocol isn't initialized. As a result, you can save system resources by deleting the settings of unused protocol components.
If you want to learn more about WebRTC, visit the WebRTC Streaming chapter. And if you want to get more information on Low-Latency DASH, MPEG-DASH, and HLS, refer to the chapter on HLS & MPEG-DASH Streaming.
Finally, Server.xml
is configured as follows:
AdmissionWebhooks are HTTP callbacks that query the control server to control publishing and playback admission requests.
Users can use the AdmissionWebhook for a variety of purposes, including customer authentication, tracking published streams, hide app/stream names, logging and more.
AdmissionWebhooks can be set up on VirtualHost, as shown below.
ControlServerUrl
The HTTP Server to receive the query. HTTP and HTTPS are available.
SecretKey
The secret key used when encrypting with HMAC-SHA1
Timeout
Time to wait for a response after request (in milliseconds)
Enables
Enable Providers and Publishers to use AdmissionWebhooks
AdmissionWebhooks send HTTP/1.1 request message to the configured user's control server when an encoder requests publishing or a player requests playback. The request message format is as follows.
The message is sent in POST method and the payload is in application/json format. X-OME-Signature is a base64 url safe encoded value obtained by encrypting the payload with HMAC-SHA1 so that the ControlServer can validate this message. See the Security section for more information on X-OME-Signature.
Here is a detailed explanation of each element of Json payload:
client
Information of the client who requested the connection.
address
IP address of the client connected to the server
port
Port number of the client connected to the server
real_ip
IP address of the client forwarded by the proxy server
user_agent (optional)
Client's User_Agent
request
Information about the client's request
direction
incoming : A client requests to publish a stream
outgoing : A client requests to play a stream
protocol
webrtc, srt, rtmp, llhls, thumbnail
status
opening : A client requests to open a stream
closing : A client closed the stream
url
url requested by the client
new_url (optional)
url redirected from user's control server (status "closing" only)
time
time requested by the client (ISO8601 format)
OME searches for and sets the values in real_ip in the following order:
The value of the X-REAL-IP header
The value of the first item of X-FORWARDED-FOR
The IP of the client that is actually connected
The control server may need to validate incoming http requests for security reasons. To do this, the AdmissionWebhooks module puts the X-OME-Signature
value in the HTTP request header. X-OME-Signature
is a base64 url safe encoded value obtained by encrypting the payload of an HTTP request with the HMAC-SHA1 algorithm using the secret key set in <AdmissionWebhooks><SecretKey>
of the configuration.
As shown below, the trigger condition of request is different for each protocol.
WebRTC
When a client requests Offer SDP
RTMP
When a client sends a publish message
SRT
LLHLS
When a client requests a playlist (llhls.m3u8)
The engine in the closing state does not need any parameter in response. To the query just answer with empty json object.
ControlServer must respond with the following Json format. In particular, the "allowed"
element is required.
allowed (required)
true or false
Allows or rejects the client's request.
new_url (optional)
Redirects the client to a new url. However, the scheme
, port
, and file
cannot be different from the request. Only host, app, and stream can be changed. The host can only be changed to another virtual host on the same server.
lifetime (optional)
The amount of time (in milliseconds) that a client can maintain a connection (Publishing or Playback)
0 means infinity
HTTP based streaming (HLS) does not keep a connection, so this value does not apply.
reason (optional)
If allowed is false, it will be output to the log.
new_url
redirects the original request to another app/stream. This can be used to hide the actual app/stream name from the user or to authenticate the user by inserting additional information instead of the app/stream name.
For example, you can issue a WebRTC streaming URL by inserting the user ID as follows: ws://domain.com:3333/user_id
It will be more effective if you issue a URl with the encrypted value that contains the user ID, url expiration time, and other information.
After the Control Server checks whether the user is authorized to play using user_id
, and responds with ws://domain.com:3333/app/sport-3
to new_url
, the user can play app/sport-3.
If the user has only one hour of playback rights, the Control Server responds by putting 3600000 in the lifetime
.
Beta
HLS is still in development and some features such as SignedPolicy and AdmissionWebhooks are not supported.
HLS based on MPEG-2 TS containers is still useful because it provides high compatibility, including support for older devices. Therefore, OvenMediaEngine decided to officially support HLS version 7+ based on fragmented MP4 containers, called LL-HLS, as well as HLS version 3+ based on MPEG-2 TS containers.
To differentiate between LLHLS and HLS playback addresses, we created the following rule for HLS playback addresses:
http[s]://domain[:port]/<app name>/<stream name>/ts:<playlist file name>.m3u8
or
http[s]://domain[:port]/<app name>/<stream name>/<playlist file name>.m3u8?format=ts
To use HLS, you need to add the <HLS>
elements to the <Publishers>
in the configuration as shown in the following example.
HLS is ready when a live source is inputted and a stream is created. Viewers can stream using OvenPlayer or other players.
HLS Publisher basically creates a playlist.m3u8
Playlist using the first video track and the first audio track. When you create a stream, as shown above, you can play HLS with the following URL:
http[s]://domain[:port]/<app name>/<stream name>/ts:playlist.m3u8
If you use the default configuration, you can start streaming with the following URL:
https://domain:3334/app/<stream name>/ts:playlist.m3u8
HLS can deliver adaptive bitrate streaming. OME encodes the same source with multiple renditions and delivers it to the players. And HLS Player, including OvenPlayer, selects the best quality rendition according to its network environment. Of course, these players also provide option for users to manually select rendition.
HLS Publisher basically creates a playlist.m3u8
Playlist using the first video track and the first audio track. If you want to create a new playlist for ABR, you can add it to Server.xml as follows:
Since TS files used in HLS must have A/V pre-muxed, the Playlist must have the EnableTsPackaging
option set.
Most browsers and players prohibit accessing other domain resources in the currently running domain. You can control this situation through Cross-Origin Resource Sharing (CORS) or Cross-Domain (CrossDomain). You can set CORS and Cross-Domain as <CrossDomains>
element.
You can set it using the <Url>
element as shown above, and you can use the following values:
You can create as long a playlist as you want by setting <DVR>
to the HLS publisher as shown below. This allows the player to rewind the live stream and play older segments. OvenMediaEngine stores and uses old segments in a file in <DVR><TempStoragePath>
to prevent excessive memory usage. It stores as much as <DVR><MaxDuration>
and the unit is seconds.
SignedPolicy is a module that limits the user's privileges and time. For example, operators can distribute RTMP URLs that can be accessed for 60 seconds to authorized users, and limit RTMP transmission to 1 hour. The provided URL will be destroyed after 60 seconds, and transmission will automatically stop after 1 hour. Users who are provided with a SignedPolicy URL cannot access resources other than the provided URL. This is because the SignedPolicy URL is authenticated.
SignedPolicy URL consists of the query string of the streaming URL with Policy and Signature as shown below. If SignedPolicy is enabled in the configuration of OvenMediaEngine, access to URLs with no signature or invalid signature is not allowed. Signature uses HMAC-SHA1 to authenticate all URLs except signature.
Policy is in json format and provides the following properties.
url_expire means the time the URL is valid, so if you connect before the URL expires, you can continue to use it, and sessions that have already been connected will not be deleted even if the time expires. However, stream_expire forcibly terminates the session when the time expires even if it is already playing.
If real_ip
is in the policy, OME searches for and checks the values in the following order.
The value of the X-REAL-IP header
The value of the first item of X-FORWARDED-FOR
The IP of the client that actually connected
The URL entered into HMAC to generate the Signature must include :port.
When creating a signature, you cannot omit the default port such as http port 80, https port 443, or rtmp port 1935. This is because when OvenMediaEngine creates a signature for checking the signature, it is created by putting the port value.
When using SignedPolicy with SRT providers, only use the streamid portion of the URL, e.g. srt://myserver:9999?streamid=srt://myserver:9999/app/stream?policy=abc123
To enable SignedPolicy, you need to add the following <SignedPolicy> setting in Server.xml under <VirtualHost>.
We provide a script that can easily generate SignedPolicy URL. The script can be found in the path below.
Here's how to use this script:
For example, you can use it like this:
Policy encoded with Base64URL is added as a query string to the existing streaming URL. (The query string key is set in Server.xml.)
Signature hashes the entire URL including the policy in HMAC (SHA-1) method, encodes it as Base64URL, and includes it in the query string.
Create a hash using the secret key (1kU^b6 in the example) and the URL above using HMAC-SHA1.
If you include it as a signature query string (query string key is set in Server.xml), the following SignedPolicy URL is finally generated.
Generate SignedPolicy URL with the script.
Separate the URL based on "app" as shown in the example below and enter all the parts under the stream in the Stream Key.
Port for WebRTC. If you want more information on the WebRTC port, see the and chapters.
OVT is a protocol defined by OvenMediaEngine for Origin-Edge communication. For more information about Origin-Edge, see the chapter.
For more information, see .
When a client send a
Safari Native Player only provides the Seek UI if #EXT-X-PLAYLIST-TYPE: EVENT
is present. Since it is specified that nothing can be removed from the playlist when it is of type EVENT, you must call the to switch to VoD or terminate the stream before MaxDuration is exceeded if you use this option. Otherwise, unexpected behavior may occur in the Safari Player.
If your input stream is already h.264/aac, you can use the input stream as is like below. If not, or if you want to change the encoding quality, you can do .
We have prepared a test player that you can quickly see if OvenMediaEngine is working. Please refer to the for more information.
See the section for how to configure renditions.
Signature is generated by HMAC-SHA1 encoding all URLs except signature query string. The generated Signature is encoded using and included as a query string of the existing URL.
We hope to provide SignedPolicy URL Generator Library in various languages. If you have created the SignedPolicy URL Generator Library in another language, please send a Pull Request to our . Thank you for your open source contributions.
In order to include the policy in the URL, it must be encoded with .