安全的伪流flv文件 [英] Secure pseudo-streaming flv files
问题描述
我们使用 RTMP 通过Wowza保护流媒体内容的安全,它的工作原理就像是一种魅力. Wowza确实是用于业务目的的强大而强大的媒体服务器.
但是我们遇到了一个问题,对于我们来说,它每天都在变得越来越大.许多新客户无法按照其防火墙规则使用RTMP,因此为他们交付业务媒体内容是一个问题. 但是每个人都不会遇到http伪流的问题,或者只是渐进式的,就像 youtube 或 vimeo 一样. 因此,我们应该这样做,但要提供伪流流量的安全链接,以防止通过窃取链接而直接下载.
我们使用的服务器很少,一台用于Rails应用程序,另一台用于数据库,第三台用作Wowza媒体服务器. 我的想法是在 Wowza 媒体服务器上设置 nginx 并配置为伪流媒体原始文件(与Wowza用于通过网络摄像头捕获流的文件系统相同).
您可以建议将nginx与http_secure_link_module和http_flv_module模块一起使用吗? 我同事的另一个想法是在Wowza侧构建一个微型应用程序,以获取加密的链接并将其转换为本地文件系统,然后通过 X-Accel-Redirect 访问文件,并通过直接连接检查身份验证到数据库.
非常感谢
我找到了一个解决方案,让我与对此感兴趣的人分享.
首先,我的限制是使用尽可能少的工具,因此理想情况下仅在Web服务器中具有内置模块,而没有上游后端脚本.我现在有一个解决方案.
server {
listen 8080 ssl;
server_name your_server.com;
location /video/ {
rewrite /video/([a-zA-Z0-9_\-]*)/([0-9]*)/(.*)\.flv$ /flv/$3.flv?st=$1&e=$2;
}
location /flv/ {
internal;
secure_link $arg_st,$arg_e;
secure_link_md5 YOUR_SECRET_PASSWORD_HERE$arg_e$uri;
if ($secure_link = "") { return 403; }
if ($secure_link = "0") { return 403; }
root /var/www/;
flv;
add_header Cache-Control 'private, max-age=0, must-revalidate';
add_header Strict-Transport-Security 'max-age=16070400; includeSubdomains';
}
}
真实的flv文件位于"/var/www/flv"目录中.要在Ruby端对URL进行加密,可以使用该脚本:
expiration_time = (Time.now + 2.hours).to_i # 1326559618
s = "#{YOUR_SECRET_PASSWORD_HERE}#{expiration_time}/flv/video1.flv"
a = Base64.encode64(Digest::MD5.digest(s))
b = a.tr("+/", "-_").sub('==', '').chomp # HLz1px_YzSNcbcaskzA6nQ
# => "http://your_server.com:8080/video/#{b}/#{expiration_time}/video1.flv"
因此,安全的2小时URL(您可以将其放入Flash Player中)如下所示:
"http://your_server.com:8080/video/HLz1px_YzSNcbcaskzA6nQ/1326559618/video1.flv"
P.S. Nginx应该使用以下选项进行编译:-with-http_secure_link_module --with-http_flv_module
$ cd /usr/src
$ wget http://nginx.org/download/nginx-1.2.2.tar.gz
$ tar xzvf ./nginx-1.2.2.tar.gz && rm -f ./nginx-1.2.2.tar.gz
$ wget http://zlib.net/zlib127.zip
$ unzip zlib127.zip && rm -f zlib127.zip
$ wget ftp://ftp.csx.cam.ac.uk/pub/software/programming/pcre/pcre-8.30.tar.gz
$ tar xzvf pcre-8.30.tar.gz && rm -f ./pcre-8.30.tar.gz
$ wget http://www.openssl.org/source/openssl-1.0.1c.tar.gz
$ tar xzvf openssl-1.0.1c.tar.gz && rm -f openssl-1.0.1c.tar.gz
$ cd nginx-1.2.2 && ./configure --prefix=/opt/nginx --with-pcre=/usr/src/pcre-8.30 --with-zlib=/usr/src/zlib-1.2.7 --with-openssl-opt=no-krb5 --with-openssl=/usr/src/openssl-1.0.1c --with-http_ssl_module --without-mail_pop3_module --without-mail_smtp_module --without-mail_imap_module --with-http_stub_status_module --with-http_secure_link_module --with-http_flv_module
$ make && make install
We use RTMP to secure stream media content through Wowza and it works like a charm. Wowza is really strong and robust media-server for a business purpose.
But we met a problem, it's getting bigger every day for us. A lot of new customers can't use RTMP by their firewall rules, and it's a problem to deliver a business media content for them. But everybody has no problems with http pseudo-streaming or just progressive, like it does youtube or vimeo. So we should do the same, but provide secure links to pseudo-streaming traffic, to prevent a direct download by stealing the links.
We use few servers, one for Rails app, the second for DB, and third as Wowza media server. My thinking is to setup nginx on Wowza media server and configure to pseudo-stream media originally files (in the same filesystem that Wowza uses to stream through webcam capture).
Can you suggest to use nginx with http_secure_link_module and http_flv_module modules? Another idea by my colleague is to build a tiny application on Wowza side to get encrypted links and translate it to local file system, then get access to files through X-Accel-Redirect and check authentication via direct connection to DB.
Thanks a lot
I have found a solution, let me share with anyone interested in it.
First of all, my constraints was to use the minimum tools as possible, so ideally to have built-in module in web-server only, no upstream backend scripts. And I have a solution now.
server {
listen 8080 ssl;
server_name your_server.com;
location /video/ {
rewrite /video/([a-zA-Z0-9_\-]*)/([0-9]*)/(.*)\.flv$ /flv/$3.flv?st=$1&e=$2;
}
location /flv/ {
internal;
secure_link $arg_st,$arg_e;
secure_link_md5 YOUR_SECRET_PASSWORD_HERE$arg_e$uri;
if ($secure_link = "") { return 403; }
if ($secure_link = "0") { return 403; }
root /var/www/;
flv;
add_header Cache-Control 'private, max-age=0, must-revalidate';
add_header Strict-Transport-Security 'max-age=16070400; includeSubdomains';
}
}
The real flv files located into "/var/www/flv" directory. To encrypt the URL on Ruby side, you can use that script:
expiration_time = (Time.now + 2.hours).to_i # 1326559618
s = "#{YOUR_SECRET_PASSWORD_HERE}#{expiration_time}/flv/video1.flv"
a = Base64.encode64(Digest::MD5.digest(s))
b = a.tr("+/", "-_").sub('==', '').chomp # HLz1px_YzSNcbcaskzA6nQ
# => "http://your_server.com:8080/video/#{b}/#{expiration_time}/video1.flv"
So the secured 2-hours URL (you can put it into flash-player) looks like:
"http://your_server.com:8080/video/HLz1px_YzSNcbcaskzA6nQ/1326559618/video1.flv"
P.S. Nginx should be compiled with following options --with-http_secure_link_module --with-http_flv_module
$ cd /usr/src
$ wget http://nginx.org/download/nginx-1.2.2.tar.gz
$ tar xzvf ./nginx-1.2.2.tar.gz && rm -f ./nginx-1.2.2.tar.gz
$ wget http://zlib.net/zlib127.zip
$ unzip zlib127.zip && rm -f zlib127.zip
$ wget ftp://ftp.csx.cam.ac.uk/pub/software/programming/pcre/pcre-8.30.tar.gz
$ tar xzvf pcre-8.30.tar.gz && rm -f ./pcre-8.30.tar.gz
$ wget http://www.openssl.org/source/openssl-1.0.1c.tar.gz
$ tar xzvf openssl-1.0.1c.tar.gz && rm -f openssl-1.0.1c.tar.gz
$ cd nginx-1.2.2 && ./configure --prefix=/opt/nginx --with-pcre=/usr/src/pcre-8.30 --with-zlib=/usr/src/zlib-1.2.7 --with-openssl-opt=no-krb5 --with-openssl=/usr/src/openssl-1.0.1c --with-http_ssl_module --without-mail_pop3_module --without-mail_smtp_module --without-mail_imap_module --with-http_stub_status_module --with-http_secure_link_module --with-http_flv_module
$ make && make install
这篇关于安全的伪流flv文件的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
