You may be wondering how to whitelist a specific domain so that only that site can play the HLS or DASH streams from your Ant Media Server.
Current versions of Ant Media Server do not ship with a built-in allow-list or blocking feature for HLS and DASH streams. The good news is that there is a workaround: put Nginx in front of the server as a reverse proxy and let it reject playlist and segment requests whose Referer header does not come from your site.
Unprotected streams get hotlinked. Anyone who discovers the .m3u8 or .mpd URL can embed your stream in their own page, and every viewer they attract is served by your server, so you pay the bandwidth and CPU bill while someone else gets the audience. Bear in mind what the workaround does and does not do: a Referer check stops browsers on other sites from embedding the stream, but the Referer is sent by the client, so a user with curl or a scripted player can set it to whatever they like. Treat it as hotlink protection, not as authentication.
In this guide, we show you a step-by-step process for securing your HLS & DASH streams.
Install Ant Media Server
At this point, I am assuming you already have Ant Media server installed on a reliable VPS server. If you haven’t installed it or if you don’t know how to install Ant Media on a VPS, you can follow this well-written guide we’ve prepared for you.
RECOMMENDED READING: How to install Ant Media Server on VPS
Install the prerequisites
We first need to install a few packages that the rest of the configuration depends on. The following command installs the curl, ca-certificates, lsb-release and gnupg packages on our Linux system:
sudo apt install curl ca-certificates lsb-release gnupg -y
The curl package is a command-line tool for transferring data using URL syntax. We use it below to download the Nginx signing key.
The ca-certificates package contains the set of trusted Certificate Authority (CA) certificates. curl uses them to verify the TLS certificate presented by nginx.org, so the key you download is really the one nginx.org serves.
The lsb-release package provides the lsb_release command, which reports the distribution name and release codename. The repository line below uses it to pick the right nginx.org package channel.
The gnupg package provides gpg, which converts the downloaded signing key into the binary keyring format apt expects.
The -y flag tells the apt package manager to answer "yes" to any prompts, which is useful when automating installations.
RECOMMENDED READING: How to download and install Ubuntu Linux on a Laptop
Set up the apt repository for stable nginx
This adds the official nginx.org repository to the system's package manager so that Nginx can be installed and updated with apt like any other package. The nginx.org stable channel tracks the current stable Nginx release, which is usually newer than the build in Ubuntu's own repositories, and it keeps future upgrades to a normal apt upgrade.
You need to run the following command:
echo "deb http://nginx.org/packages/$(lsb_release -is | tr '[:upper:]' '[:lower:]') $(lsb_release -cs) nginx" | sudo tee /etc/apt/sources.list.d/nginx.list
lsb_release -is prints the distribution name (Ubuntu), which tr lower-cases to match the nginx.org directory layout, and lsb_release -cs prints the release codename, so on Ubuntu 22.04 the file ends up containing deb http://nginx.org/packages/ubuntu jammy nginx. Check the file after running the command; if it names a codename that nginx.org does not build packages for, apt update fails with a 404 in the install step.
RECOMMENDED READING: How to use the apt command in Linux | Syntaxes & Examples
Import Nginx signing Key
The Nginx signing key is the GPG key with which NGINX, Inc. signs its official packages and repository metadata. When you install Nginx from the nginx.org repository, apt verifies the repository's Release file against this key before it accepts any package, which is how you know the package has not been tampered with in transit or on a mirror and really comes from nginx.org.
Apt can only perform that check if the key is present in one of its keyrings, so the key has to be imported once, before the first apt update against the new repository.
RECOMMENDED READING: How are Protocols implemented in applications?
The Nginx signing key is a valuable security tool that protects you from installing malicious or tampered-with Nginx packages, which is why this step should not be skipped.
To import the official Nginx signing key, run the following command. Older guides use apt-key add for this; apt-key is deprecated on current Debian and Ubuntu releases and prints a warning, so we write the key into apt's trusted keyring directory instead:
curl -fsSL https://nginx.org/keys/nginx_signing.key | gpg --dearmor | sudo tee /etc/apt/trusted.gpg.d/nginx-archive-keyring.gpg >/dev/null
Note that a key in trusted.gpg.d is trusted for every repository, exactly as apt-key was. Scoping it to the nginx repository alone with a signed-by option in the sources entry is the stricter setup.
Install Nginx Server
Wait! Isn’t Nginx simply a web server? Nginx is more than a web server: it also works as a load balancer and as a reverse proxy, and it is the reverse-proxy role we use in this guide to sit in front of Ant Media Server and protect the HLS & DASH streams. To install Nginx, run the following command:
sudo apt update && sudo apt install nginx -y
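As an added example (not from the original tutorial, and not nginx's own installer), the following shell script performs the repository, key and install steps above the stricter way: the key is stored in its own keyring file and referenced with a signed-by option so that it can only vouch for the nginx repository, and it is compared against the fingerprint nginx publishes on its Linux packages page before apt is allowed to trust it. The keyring and sources paths are choices made for this example, and the fingerprint is the one listed at https://nginx.org/en/linux_packages.html; re-check it there before relying on the value written here.

```shell
# Added example, not from the original tutorial: repository setup with a scoped
# keyring ([signed-by=...]) and a pinned key fingerprint. KEYRING and SOURCES are
# path choices for this example; EXPECTED_FPR is the fingerprint published on
# https://nginx.org/en/linux_packages.html (verify it there).
set -eu

KEYRING=/usr/share/keyrings/nginx-archive-keyring.gpg
SOURCES=/etc/apt/sources.list.d/nginx.list
KEY_URL=https://nginx.org/keys/nginx_signing.key
EXPECTED_FPR=573BFD6B3D8FBC641079A6ABABF5BD827BD9BF62

# Apt source line for a distro id and codename, e.g. "ubuntu" "jammy".
nginx_sources_line() {
    printf 'deb [signed-by=%s] http://nginx.org/packages/%s %s nginx\n' "$KEYRING" "$1" "$2"
}

# Pull the primary-key fingerprint out of `gpg --with-colons` output (fpr record, field 10).
primary_fingerprint() {
    awk -F: '$1 == "fpr" { print $10; exit }'
}

# Accept a fingerprint in spaced or compact form, any case; true only if it is the pinned one.
fingerprint_ok() {
    [ "$(printf '%s' "$1" | tr -d ' ' | tr '[:lower:]' '[:upper:]')" = "$EXPECTED_FPR" ]
}

install_nginx_repo() {
    distro=$(lsb_release -is | tr '[:upper:]' '[:lower:]')   # "Ubuntu" -> "ubuntu"
    codename=$(lsb_release -cs)                              # e.g. "jammy"
    tmp=$(mktemp)
    curl -fsSL "$KEY_URL" | gpg --dearmor > "$tmp"
    fpr=$(gpg --show-keys --with-colons --with-fingerprint "$tmp" | primary_fingerprint)
    if ! fingerprint_ok "$fpr"; then
        echo "refusing to install: nginx key fingerprint is '$fpr', expected $EXPECTED_FPR" >&2
        rm -f "$tmp"
        return 1
    fi
    sudo install -m 0644 "$tmp" "$KEYRING"
    rm -f "$tmp"
    nginx_sources_line "$distro" "$codename" | sudo tee "$SOURCES" >/dev/null
    sudo apt update && sudo apt install -y nginx
}

# The download, check and installation only run when invoked as: sh nginx-repo.sh install
if [ "${1:-}" = "install" ]; then
    install_nginx_repo
fi
```

Without arguments the script only defines the helpers; sh nginx-repo.sh install performs the download, the fingerprint check and the installation. If the check fails the script stops before apt is touched, which is the point of the exercise: a key substituted by a hostile mirror or an intercepted connection would not carry the published fingerprint.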
Install Certbot
We also need Certbot, the Let’s Encrypt client, so that Nginx can terminate TLS: Nginx holds the certificate and handles all of the encryption and decryption of viewer traffic, and talks plain HTTP to Ant Media Server behind it. To install it, run the following command:
sudo apt install certbot python3-certbot-nginx -y
Create an SSL Certificate
After installing Certbot, we can use it to obtain a free certificate for the domain. Because we replace the whole Nginx configuration later in this guide, ask Certbot only for the certificate (certonly) rather than letting it edit the default configuration we are about to discard. Make sure Nginx is running first (sudo systemctl enable --now nginx), then run:
sudo certbot certonly --nginx -d yourdomain.com
Make sure to replace yourdomain.com with your actual domain name, and make sure its DNS A record already points at this server and port 80 is reachable from the internet: Let’s Encrypt proves ownership by fetching a challenge over HTTP. The certificate and key are written to /etc/letsencrypt/live/yourdomain.com/, which is the path the Nginx configuration below refers to.
RECOMMENDED READING: How to Point a Domain Name from Namecheap to Contabo VPS
Add the auto-SSL Renewal Cron Job
Let’s Encrypt certificates are valid for 90 days, so renewal has to be automated. On Ubuntu the certbot package already installs a systemd timer (certbot.timer) that runs certbot renew twice a day; you can confirm it with systemctl list-timers. If you prefer an explicit cron job, or the timer is not present, open root’s crontab on your terminal:
sudo crontab -e
The above command edits the crontab of the root user; certbot needs root to write under /etc/letsencrypt and to reload Nginx. The crontab file is a text file that contains a list of commands to be executed at specified times. The -e flag tells the crontab command to open the file in a text editor, where you can add, remove, or modify cron jobs.
Inside the crontab file, add the following line:
0 3 * * * certbot -q renew --nginx
This runs certbot renew every day at 03:00. That is safe and intended: renew only replaces a certificate that is within 30 days of expiry and is a no-op the rest of the time, so a daily run is what Certbot recommends. Two mistakes to avoid here: a per-user crontab has no user-name column (a line such as 0 0 */80 * * root certbot -q renew --nginx belongs only in /etc/crontab, and in a user crontab cron would try to run a command called root), and the day-of-month field only covers 1 to 31, so */80 does not mean every 80 days; it matches the 1st of each month. Test the renewal path once with certbot renew --dry-run so that you find out now, not in 90 days, whether the Nginx plugin can reload the server.
Configure Nginx to secure HLS & DASH
The whole magic to secure the Ant Media HLS & DASH streams happens inside the Nginx configuration file. Before we proceed, back up the current file by renaming it (sudo is needed because /etc/nginx belongs to root):
sudo mv /etc/nginx/nginx.conf{,_bck}
Create a new nginx.conf file
Now that we have made a backup, we need to create a new nginx.conf file that contains all the server configuration we need. Open it with an editor:
sudo nano /etc/nginx/nginx.conf
When the file is open, we need to copy and paste the following configuration:
user nginx;
worker_processes auto;
pid /var/run/nginx.pid;
worker_rlimit_nofile 1048576;

events {
    worker_connections 1048576;
    multi_accept on;
    use epoll;
}

http {
    sendfile on;
    tcp_nopush on;
    tcp_nodelay on;
    server_tokens off;
    keepalive_timeout 300s;
    types_hash_max_size 2048;
    include /etc/nginx/mime.types;
    default_type application/octet-stream;

    # ssl settings
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_prefer_server_ciphers on;
    ssl_ciphers HIGH:!aNULL:!MD5;
    ssl_session_cache shared:SSL:50m;
    ssl_session_tickets off;

    # logs settings; the Referer column is what you look at when a viewer is unexpectedly refused
    log_format main '$remote_addr - $remote_user [$time_local] "$request" '
                    '$status $body_bytes_sent "$http_referer" '
                    '"$http_user_agent" "$http_x_forwarded_for" '
                    '"$hostname" "upstream: $upstream_addr"';
    access_log /var/log/nginx/access.log main;
    error_log /var/log/nginx/error.log;

    # gzip
    gzip on;
    gzip_disable "msie6";
    gzip_http_version 1.1;
    gzip_comp_level 6;
    gzip_types text/plain text/css application/json application/javascript text/javascript application/x-javascript text/xml application/xml application/xml+rss application/vnd.ms-fontobject application/x-font-ttf font/opentype font/x-woff image/svg+xml image/x-icon;

    # proxy settings
    proxy_redirect off;
    proxy_http_version 1.1;
    proxy_read_timeout 10s;
    proxy_send_timeout 10s;
    proxy_connect_timeout 10s;

    # Pass "Connection: upgrade" to Ant Media Server only when the client asked for a
    # WebSocket upgrade; ordinary HLS/DASH requests keep a normal keep-alive connection.
    map $http_upgrade $connection_upgrade {
        default upgrade;
        ''      close;
    }

    # redirect all http requests to https
    server {
        listen 80 default_server;
        server_name _;
        return 301 https://$host$request_uri;
    }

    # Origin Configuration
    # Change {YOUR_DOMAIN} to your fully qualified domain name (the one the certificate was issued for).
    # Change AMS-server-IP to the address of Ant Media Server (127.0.0.1 when Nginx runs on the same host).
    server {
        listen 443 ssl;
        server_name {YOUR_DOMAIN};
        ssl_certificate /etc/letsencrypt/live/{YOUR_DOMAIN}/fullchain.pem;
        ssl_certificate_key /etc/letsencrypt/live/{YOUR_DOMAIN}/privkey.pem;

        location / {
            # Referer whitelist. !~* is a case-insensitive regex mismatch; the trailing (/|:|$)
            # anchors the host so that https://Whitelisted-domain-name.com.evil.net/ is not
            # accepted as a prefix match. Requests without any Referer are refused as well.
            # "return" is one of the few directives that is safe to use inside an nginx "if".
            if ($http_referer !~* "^https?://(www\.)?Whitelisted-domain-name\.com(/|:|$)") {
                return 403;
            }
            proxy_pass http://AMS-server-IP:5080;
            proxy_http_version 1.1;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header Host $host;
            proxy_set_header Upgrade $http_upgrade;
            proxy_set_header Connection $connection_upgrade;
        }
    }

    # Dashboard Configuration (exposes the AMS dashboard on a separate port that only specific IPs may reach)
    # Change {YOUR_DOMAIN} and AMS-server-IP as above, and {ADMIN_IP} to the address or CIDR range of your admin machines.
    server {
        listen 4444 ssl;
        server_name {YOUR_DOMAIN};
        ssl_certificate /etc/letsencrypt/live/{YOUR_DOMAIN}/fullchain.pem;
        ssl_certificate_key /etc/letsencrypt/live/{YOUR_DOMAIN}/privkey.pem;

        # This is what enforces "specific IPs only": allow your addresses, deny everyone else.
        allow {ADMIN_IP};
        deny all;

        location / {
            proxy_pass http://AMS-server-IP:5080;
            proxy_http_version 1.1;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header Host $host;
            proxy_set_header Upgrade $http_upgrade;
            proxy_set_header Connection $connection_upgrade;
        }
    }
}
From the above, you need to look for the following placeholders and change them. After saving, run sudo nginx -t to check the syntax and sudo systemctl reload nginx to apply the configuration; Nginx keeps serving the old configuration if the test fails.
- {YOUR_DOMAIN}
Look through the entire file for {YOUR_DOMAIN} and replace it with the domain you used to generate the certificate earlier in this guide, because it points Nginx at /etc/letsencrypt/live/{YOUR_DOMAIN}/. The server_name of each server block must carry the same domain. Look carefully: it appears in both server blocks, and a missed occurrence stops Nginx from starting because the certificate path does not exist.
- AMS-server-IP
Replace AMS-server-IP in the proxy_pass lines with the address of Ant Media Server. When Nginx runs on the same machine, use 127.0.0.1.
RECOMMENDED READING: How to host a Laravel application on Ubuntu using Apache
- Whitelisted-domain-name
Find Whitelisted-domain-name in the code and replace it with the domain you want to whitelist so that pages on it can play the HLS & DASH streams. The following is the snippet responsible for the whitelisting:
location / {
    if ($http_referer !~* "^https?://(www\.)?Whitelisted-domain-name\.com(/|:|$)"){
        return 403;
    }
The if compares the Referer header the browser sends with each playlist and segment request against the pattern; anything that does not match, including a request with no Referer at all, gets a 403 instead of being proxied to Ant Media Server. Two details of the pattern matter. The !~* operator is a case-insensitive regular-expression mismatch, so WWW.Whitelisted-domain-name.COM is still accepted. The (/|:|$) at the end anchors the host name: without it the pattern is only a prefix check, and https://Whitelisted-domain-name.com.attacker.net/ would be let through. Under the browsers' default referrer policy a cross-origin request carries a trimmed Referer (scheme and host only), which this pattern accepts; a page that sets Referrer-Policy: no-referrer would lock out its own viewers.
If you want to whitelist multiple domains with different extensions such as .io, .com or .net, group them with | inside the parentheses, like this:
location / {
    if ($http_referer !~* "^https?://(www\.)?(Domain1\.com|Domain2\.io|Domain3\.net)(/|:|$)"){
        return 403;
    }
Escape every dot with a backslash as shown; an unescaped dot matches any character, which widens the pattern beyond the domains you meant.
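To see what the Referer gate accepts before you ship it, here is an added shell script (not part of the original post, and not Ant Media Server's or nginx's own code) that applies the same pattern offline with grep and, given a live URL, probes a deployment with curl. example.com and example.io stand in for your whitelisted domains, the Referer values in self_check are constructed, and probe() takes your own URLs as arguments.

```shell
# Added example, not from the original tutorial: exercise the Referer whitelist
# offline with the same regular expression nginx evaluates, then optionally probe
# a live deployment. example.com / example.io, the sample Referer values and the
# URLs passed to probe() are constructed placeholders; substitute your own.
set -eu

# The nginx pattern, including the anchoring suffix (/|:|$) that keeps
# "https://example.com.attacker.net/" from matching as a mere prefix of example.com.
ALLOWED_RE='^https?://(www\.)?(example\.com|example\.io)(/|:|$)'

# Returns 0 when the request would reach Ant Media Server, 1 when nginx answers 403.
# grep -Ei mirrors nginx's case-insensitive !~* operator for this pattern.
referer_allowed() {
    printf '%s' "$1" | grep -Eiq "$ALLOWED_RE"
}

# Verdict string used by the offline table.
verdict() {
    if referer_allowed "$1"; then echo pass; else echo 403; fi
}

# Offline table: what a browser on your site sends, what an attacker's page sends,
# and the edge cases (no Referer, look-alike host, non-default port).
self_check() {
    for ref in \
        "https://example.com/watch?id=42" \
        "http://www.example.io" \
        "https://example.com:8443/embed" \
        "" \
        "https://example.com.attacker.net/" \
        "https://notexample.com/"; do
        printf '%-40s %s\n' "\"$ref\"" "$(verdict "$ref")"
    done
}

# HTTP status for URL $1 with Referer $2; the header is omitted when $2 is empty.
status_with_referer() {
    if [ -n "$2" ]; then
        curl -s -o /dev/null -w '%{http_code}' -H "Referer: $2" "$1"
    else
        curl -s -o /dev/null -w '%{http_code}' "$1"
    fi
}

# Live probe. $1: playlist URL behind nginx, $2: the same playlist on the AMS port
# (e.g. http://203.0.113.10:5080/...), $3: a Referer value from your own site.
# The forged Referer from the shell passes on purpose; that is the limit of this control.
# The direct-origin request must fail, or the whole gate can be walked around.
probe() {
    url=$1; origin=$2; good=$3
    for ref in "" "$good" "https://attacker.net/"; do
        printf 'Referer=%-32s -> %s\n' "\"$ref\"" "$(status_with_referer "$url" "$ref")"
    done
    if curl -s -o /dev/null --connect-timeout 5 "$origin"; then
        echo "WARNING: $origin answers directly; block the AMS ports at the firewall" >&2
        return 1
    fi
    echo "origin port not reachable from here: good"
}

if [ "${1:-}" = "probe" ]; then
    probe "$2" "$3" "$4"
else
    self_check
fi
```

Run it with no arguments for the offline table, or as sh check_referer.sh probe https://{YOUR_DOMAIN}/path/to/stream.m3u8 http://AMS-server-IP:5080/path/to/stream.m3u8 https://example.com/ against a real server. The live probe deliberately shows the limit of the control: the request that carries your own domain in a hand-set Referer comes back 200, because Nginx cannot distinguish a forged header from a genuine one. The last line is the one that matters most; if the direct request to port 5080 succeeds, the firewall is not doing its job and the whitelist is decorative.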
Ports and Firewall
In the configuration above we defined ports 443 and 4444. You are free to use other ports, as long as you open them in the firewall and point your viewers' player and your admin bookmarks at the right one.
Do not rely on the port numbers being secret: a port scan finds a listening port in seconds, so an unusual port keeps nobody out. What matters is which ports are reachable and by whom. The Referer check only protects traffic that goes through Nginx, so Ant Media Server's own ports (5080 for HTTP and 5443 for HTTPS by default) must be blocked at the firewall for everyone except Nginx; if they stay open, anyone can fetch the playlist from the origin directly and skip the check entirely. The dashboard port (4444 here) should be restricted to your admin addresses, with nginx allow/deny directives in that server block, firewall rules, or both.