How to Secure HLS & DASH Streams in Ant Media Server?

You could be wondering, how can I whitelist or allow a specific domain name to access HLS or DASH streams in Ant Media server?

Well, the current versions of Ant Media server don’t natively ship with a specific blocking or whitelisting feature for HLS & DASH streams. But the good news is that there is a workaround to get your streams secured.

Unsecured streams can be taken by others and republished elsewhere, which exploits and depletes your server resources. In the end, you're likely to pay a lot of money in server costs, which hurts your streaming business.

In this guide, we show you a step-by-step process for securing your HLS & DASH streams.

Install Ant Media Server

At this point, I am assuming you already have Ant Media server installed on a reliable VPS server. If you haven’t installed it or if you don’t know how to install Ant Media on a VPS, you can follow this well-written guide we’ve prepared for you.

RECOMMENDED READING: How to install Ant Media Server on VPS

Install the prerequisites

We need to first install a couple of packages that are crucial for the overall configuration of what we’re trying to achieve.

So, we will use the following command to install the curl, ca-certificates, and lsb-release packages on our Linux system.

sudo apt install curl ca-certificates lsb-release -y

The curl package is a command-line tool for transferring data using URL syntax. It is commonly used to download files and web pages.

The ca-certificates package contains a set of trusted Certificate Authorities (CAs). CAs are used to verify the authenticity of SSL/TLS certificates, which are used to encrypt data transmitted over the internet.

The lsb-release package provides information about the Linux distribution that is installed on the system. This information is used by other packages to determine which versions of packages to install.

The -y flag tells the apt package manager to automatically answer “yes” to any prompts, which can be useful for automating installations.

Set up the apt repository for stable nginx

This means adding the Nginx repository to your system’s package management system, which allows you to easily install and update Nginx using your system’s package manager (e.g., apt-get or yum). This ensures that you are always using the latest stable version of Nginx and simplifies the process of installing and managing Nginx on your system.

You need to run the following command:

echo "deb`lsb_release -d | awk '{print $2}' | tr '[:upper:]' '[:lower:]'` `lsb_release -cs` nginx" | sudo tee /etc/apt/sources.list.d/nginx.list

Import Nginx signing Key

This is a cryptographic key used to verify the authenticity and integrity of NGINX packages and repositories. This key is used by NGINX, Inc. to sign all of its official packages, and it is also used by many third-party package repositories that distribute Nginx packages.

When you install Nginx from an official repository, your operating system’s package manager will automatically verify the package signature using the Nginx signing key. This ensures that the package you are installing has not been tampered with and is indeed from a trusted source.

If you are installing Nginx from a third-party repository, you may need to manually import the Nginx signing key into your system’s GPG keyring. Once the key is imported, your package manager will be able to verify the signatures of Nginx packages from that repository.

The Nginx signing key is a valuable security tool that helps to protect users from installing malicious or tampered-with Nginx packages. It is recommended that all users of Nginx install the official Nginx signing key to ensure the authenticity of their packages.

To import the official Nginx signing key, you need to run the following command:

curl -fsSL | sudo apt-key add -

Install Nginx Server

Wait! Isn't Nginx simply a web server? Nginx is more than a web server: it also offers other functionality such as load balancing, and it can work as a proxy server. In this guide, we're going to use Nginx as a proxy in front of Ant Media Server to secure the HLS & DASH streams. To install Nginx, you need to run the following command:

apt update && apt install nginx -y

Install Certbot

We also need to install Certbot so that Nginx can use a Let's Encrypt certificate for SSL termination. This means that the Nginx server will handle all of the encryption and decryption. To achieve this, you need to run the following command:

sudo apt install certbot python3-certbot-nginx -y

Create an SSL Certificate

After installing Certbot, we can use it to create a free SSL certificate on the domain by running the following command:

certbot --nginx -d {YOUR_DOMAIN}

Make sure to replace {YOUR_DOMAIN} with your actual domain name. Adding a domain name to your server requires you to set up the DNS records correctly first.

RECOMMENDED READING: How to Point a Domain Name from Namecheap to Contabo VPS

Add the auto-SSL Renewal Cron Job

We need to make sure that our SSL certificate can auto-renew before it expires. This can be achieved by adding a cron job. On your terminal, use the following command:

crontab -e

The above command is used to edit the crontab file for the current user. The crontab file is a text file that contains a list of commands that are to be executed at specified times. The -e flag tells the crontab command to open the crontab file in a text editor, where you can add, remove, or modify cron jobs.

Therefore, inside the crontab file, you will need to add the following line:

0 0 */80 * * certbot -q renew --nginx

Adding this line in the crontab will mean that the Let’s Encrypt certificate for Nginx will be renewed every 80 days.

Configure Nginx to secure HLS & DASH

The whole magic to secure the Ant Media HLS & DASH streams happens inside the Nginx configuration file. But before we proceed, we need to back up this file by running the following command:

mv /etc/nginx/nginx.conf{,_bck}

Create a new nginx.conf file

Now that we've made a backup, we need to create a new nginx.conf file that will contain all the server configuration we need. This can be achieved by running the following command:

nano /etc/nginx/nginx.conf

When the file is open, we need to copy and paste the following configuration:

user nginx;
worker_processes auto;
pid /var/run/;
worker_rlimit_nofile 1048576;

events {
    worker_connections 1048576;
    multi_accept on;
    use epoll;
}

http {
    sendfile on;
    tcp_nopush on;
    tcp_nodelay on;
    server_tokens off;
    keepalive_timeout 300s;
    types_hash_max_size 2048;
    include /etc/nginx/mime.types;
    default_type application/octet-stream;

    # ssl settings
    ssl_protocols TLSv1.2;
    ssl_prefer_server_ciphers on;
    ssl_ciphers         HIGH:!aNULL:!MD5;
    ssl_session_cache shared:SSL:50m;
    ssl_session_tickets off;

    # logs settings
    log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
                      '$status $body_bytes_sent "$http_referer" '
                      '"$http_user_agent" "$http_x_forwarded_for"'
                      '"$hostname" "upstream: $upstream_addr"';
    access_log /var/log/nginx/access.log;
    error_log /var/log/nginx/error.log;

    # gzip
    gzip on;
    gzip_disable "msie6";
    gzip_http_version 1.1;
    gzip_comp_level 6;
    gzip_types text/plain text/css application/json application/javascript text/javascript application/x-javascript text/xml application/xml application/xml+rss application/ application/x-font-ttf font/opentype font/x-woff image/svg+xml image/x-icon;

    # proxy settings
    proxy_redirect off;
    proxy_http_version 1.1;
    proxy_read_timeout 10s;
    proxy_send_timeout 10s;
    proxy_connect_timeout 10s;

    #redirect all http requests to https
    server {
        listen 80 default_server;
        server_name _;
        return 301 https://$host$request_uri;
    }

    #Origin Configuration
    #Change {YOUR_DOMAIN} with your fully qualified domain name.
    server {
            listen 443 ssl;
            ssl_certificate /etc/letsencrypt/live/{YOUR_DOMAIN}/fullchain.pem;
            ssl_certificate_key /etc/letsencrypt/live/{YOUR_DOMAIN}/privkey.pem;

            location / {
                # Return 403 unless the Referer header starts with the whitelisted domain
                if ($http_referer !~* "^https?://(www\.)?Whitelisted-domain-name\.com") {
                    return 403;
                }
                proxy_pass http://AMS-server-IP:5080;
                proxy_http_version 1.1;
                proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
                proxy_set_header Host $host;
                proxy_set_header Upgrade $http_upgrade;
                proxy_set_header Connection "Upgrade";
            }
    }

    #Dashboard Configuration (To allow access to your AMS dashboard on different port which should be allowed only for specific IPs)
    #Change {YOUR_DOMAIN} with your fully qualified domain name.
    server {
            listen 4444 ssl;
            ssl_certificate /etc/letsencrypt/live/{YOUR_DOMAIN}/fullchain.pem;
            ssl_certificate_key /etc/letsencrypt/live/{YOUR_DOMAIN}/privkey.pem;

            location / {
                proxy_pass http://AMS-Server-IP:5080;
                proxy_http_version 1.1;
                proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
                proxy_set_header Host $host;
                proxy_set_header Upgrade $http_upgrade;
                proxy_set_header Connection "Upgrade";
            }
    }
}

From the above, you need to look for the following things so you can change them:

  • {YOUR_DOMAIN}

Make sure to look through the entire configuration and find every {YOUR_DOMAIN}. Replace each one with the actual domain that you used to generate the SSL certificate earlier in this guide. Look through carefully to avoid missing any.

  • Whitelisted-domain-name

You need to find Whitelisted-domain-name in the code and replace it with the domain name you want to be whitelisted so it can play the HLS & DASH streams. In reality, the following is the snippet responsible for whitelisting domains in the above code:

       location / {
              if ($http_referer !~* "^https?://(www\.)?Whitelisted-domain-name\.com") {
                  return 403;
              }
              # proxy_pass and proxy_set_header lines as in the full configuration
       }

All you have to do is look for the above section in the configuration and replace Whitelisted-domain-name with the domain you want to allow.

It's important to note that if you want to whitelist multiple domains with different extensions like .io, .com or .net, here is how the code would look:

  location / {
           if ($http_referer !~* "^https?://(www\.)?(Domain1\.com|Domain2\.io|Domain3\.net)") {
                return 403;
           }
           # proxy_pass and proxy_set_header lines as in the full configuration
  }
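The check below is an added example, not part of the original article. It runs the multi-domain pattern above against constructed Referer values and prints the status the if block would return, next to a stricter variant (an assumption added here) that also requires the host name to end right after the allowed domain.

```shell
#!/usr/bin/env bash
# Added example (not from the original article): evaluate the Referer
# allowlist pattern offline. Domain names are the article's placeholders;
# the Referer values are constructed samples.

# Pattern as written in the article (nginx `!~*` is case-insensitive).
PAGE_RE='^https?://(www\.)?(domain1\.com|domain2\.io|domain3\.net)'
# Assumption: a stricter variant that requires an optional port and then
# "/" or end of string directly after the allowed domain.
STRICT_RE="${PAGE_RE}"'(:[0-9]+)?(/|$)'

# referer_status REGEX REFERER -> prints the status the `if` block would
# produce: 200 when the Referer matches, 403 when it does not.
referer_status() {
    if printf '%s\n' "$2" | grep -Eiq -- "$1"; then
        echo 200
    else
        echo 403
    fi
}

# Print one row per constructed Referer value for both patterns.
report() {
    local ref
    for ref in \
        'https://www.domain1.com/player.html' \
        'http://Domain2.io' \
        'https://domain3.net:8443/live' \
        'https://domain1.com.other-site.example/embed' \
        'https://domain2.iot-cams.example/' \
        'https://unlisted.example/' \
        ''
    do
        printf '%-48s page=%s strict=%s\n' "${ref:-<no Referer>}" \
            "$(referer_status "$PAGE_RE" "$ref")" \
            "$(referer_status "$STRICT_RE" "$ref")"
    done
}

report
```

Because the pattern in the configuration has no terminator after the domain, a host name that merely begins with an allowed domain also passes; appending (:[0-9]+)?(/|$) to the pattern closes that gap. Requests with no Referer at all are rejected by both patterns, and since the header is supplied by the client, treat this rule as hotlink protection rather than authentication.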

Ports and Firewall

In the configuration above, you will notice that we've defined ports 443 and 4444. You're free to use any ports you like, as long as you open them through the firewall.

The most important consideration here is that you need to keep your ports secret, because once other people know about them, they can still access your streams through the player. In practice, this means defining your own custom ports in place of 443 and 4444 in the configuration file.
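To see which sites the 403 rule is turning away, the Nginx access log can be summarised by Referer host. This is an added example, not part of the original article; the log lines are constructed and use Nginx's default combined format, which the access_log line in the configuration above produces because it names no format.

```shell
#!/usr/bin/env bash
# Added example (not from the original article): count rejected HLS/DASH
# manifest requests per Referer host. All log lines below are constructed.

sample_log() {
cat <<'EOF'
203.0.113.10 - - [01/Mar/2024:10:00:01 +0000] "GET /LiveApp/streams/stream1.m3u8 HTTP/1.1" 200 812 "https://www.domain1.com/player.html" "Mozilla/5.0"
198.51.100.7 - - [01/Mar/2024:10:00:02 +0000] "GET /LiveApp/streams/stream1.m3u8 HTTP/1.1" 403 153 "https://video-mirror.example/watch" "Mozilla/5.0"
198.51.100.8 - - [01/Mar/2024:10:00:03 +0000] "GET /LiveApp/streams/stream1/stream1.mpd?t=1 HTTP/1.1" 403 153 "https://video-mirror.example/watch" "Mozilla/5.0"
192.0.2.44 - - [01/Mar/2024:10:00:04 +0000] "GET /LiveApp/streams/stream1.m3u8 HTTP/1.1" 403 153 "-" "ExamplePlayer/1.0"
192.0.2.45 - - [01/Mar/2024:10:00:05 +0000] "GET /favicon.ico HTTP/1.1" 403 153 "https://unlisted.example/" "Mozilla/5.0"
EOF
}

# blocked_referers: read access-log lines on stdin and print "count host"
# for .m3u8/.mpd requests answered with 403, busiest Referer host first.
blocked_referers() {
    awk -F'"' '
        {
            split($3, f, " ")                  # $3 is " status bytes "
            if (f[1] != "403") next
            split($2, req, " ")                # $2 is "METHOD path PROTO"
            path = req[2]
            sub("[?].*", "", path)             # drop any query string
            if (path !~ /\.(m3u8|mpd)$/) next  # manifests only
            host = $4                          # $4 is the Referer value
            sub("^https?://", "", host)
            sub("[/:].*", "", host)            # strip port and path
            if (host == "" || host == "-") host = "(none)"
            n[host]++
        }
        END { for (h in n) print n[h], h }
    ' | sort -k1,1nr -k2,2
}

sample_log | blocked_referers
```

On a live server, feed the function the real log instead, for example blocked_referers < /var/log/nginx/access.log. A host that shows up here and should be allowed is a sign the whitelist pattern needs another entry.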
