Hotlink protection
Available for Nimble Streamer and Wowza Streaming Engine
Hot-linking (or hotlinking) is the re-streaming of streaming media by a third party. This is critical for any business which has premium access to its assets. If you have any exclusive content, you're losing money when it is hot-linked.
What can we do?
We provide token-based authorization that checks each incoming connection's signature against the originally published signature.
The following Nimble Streamer entities can be protected: entire server, application and stream.
The following Wowza entities can be protected: entire server, virtual host, application, application instance and stream.
All protocols supported by respective media servers are covered by hotlink protection.
The protection consists of 3 parts: server support (built into Nimble Streamer and available in Wowza agent), a code snippet on a web page which generates a signature for the stream URL, and a control interface to enable the protection.
Hotlink protection is integrated in two steps. They are:
- Modify the media player web page to add a signature to the media URL.
- Set up and enable protection via the web control panel.
1. Make media URL signature
To sign the media URL for further recognition and handling, the web page with the media player must be slightly modified.
1.1 Signature code
As an example, say you have these URLs for your live stream:
rtmp://ultimatestreamingservice.com:1935/live/stream
http://ultimatestreamingservice.com:8081/live/stream/playlist.m3u8
The modified URLs would be:
rtmp://ultimatestreamingservice.com:1935/live?wmsAuthSign=c2VydmVyX3RpbWU9NS80LzIwMTIgODozMzowNSBBTSZoYXNoX3ZhbHVlPXE3MjN6aEVmdGFUOUJoWjBQTmw1TVE9PSZ2YWxpZG1pbnV0ZXM9MjA2/stream
http://ultimatestreamingservice.com:8081/live/stream/playlist.m3u8?wmsAuthSign=c2VydmVyX3RpbWU9NS80LzIwMTIgODozMzowNSBBTSZoYXNoX3ZhbHVlPXE3MjN6aEVmdGFUOUJoWjBQTmw1TVE9PSZ2YWxpZG1pbnV0ZXM9MjA2
To generate the signature, you need to modify your front-end source to include a code snippet.
The PHP source code to generate this signature is shown below.
You should add the three highlighted parts of the code into your server script. You can find full examples in the WMSAuth snippets GitHub repo.
<!DOCTYPE html>
<html>
<head>
<!-- 1. jquery library -->
<script src="http://ajax.googleapis.com/ajax/libs/jquery/1.7/jquery.js"></script>
<script src="http://cdn.jquerytools.org/1.2.6/all/jquery.tools.min.js"></script>
<!-- 2. flowplayer -->
<script src="http://releases.flowplayer.org/js/flowplayer-3.2.12.min.js"></script>
<style>
a.rtmp { display:block; width:640px; height:360px; margin:25px 0; text-align:center; }
a.rtmp img { border:0px; margin-top:140px; }
</style>
</head>
<body>
<?php
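/*
In this example the source media is located at
rtmp://server.test.com:1935/vod/mp4:sample.mp4
Flowplayer takes the name split into 2 parts. They are stored in the respective variables below.
*/
$base_url = 'rtmp://server.test.com:1935/vod';
$video_url = 'mp4:sample.mp4';
// Current UTC time, e.g. 5/4/2012 8:33:05 AM
$today = gmdate("n/j/Y g:i:s A");
// Viewer's IP address as seen by the web server; it becomes part of the hash
$ip = $_SERVER['REMOTE_ADDR'];
$key = "default"; //enter your key here
// Number of minutes the signed link stays valid
$validminutes = 20;
// Hash input is IP + key + time + validity period; the hash is raw MD5, then base64
$str2hash = $ip . $key . $today . $validminutes;
$md5raw = md5($str2hash, true);
$base64hash = base64_encode($md5raw);
// Signature parameters, base64-encoded as a whole into the wmsAuthSign value
$urlsignature = "server_time=" . $today ."&hash_value=" . $base64hash. "&validminutes=$validminutes";
$base64urlsignature = base64_encode($urlsignature);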
?>
<div class="box black">
<a class="rtmp" href="<?php echo $video_url; ?>" style="background-image:url(bunny.jpg)">
<img src="play_text_large.png" />
</a>
</div>
<script>
$(function() {
$f("a.rtmp", "http://releases.flowplayer.org/swf/flowplayer-3.2.16.swf", {
// configure both players to use rtmp plugin
clip: {
provider: 'rtmp'
},
// here is our rtmp plugin configuration
plugins: {
rtmp: {
url:"http://releases.flowplayer.org/swf/flowplayer.rtmp-3.2.12.swf",
netConnectionUrl: '<?php echo "$base_url?wmsAuthSign=$base64urlsignature"; ?>'
}
}
});
});
</script>
</body></html>
In this sample, key is the password which will be used later when setting up the rule in the control panel, and validminutes is the number of minutes this signed link stays valid, which gives people time to read the page and start the playback.
1.2 More examples
You can find more code samples for various programming languages in the Paywall samples GitHub repository and adapt them for your use case.
2. Set up control panel settings
After the code is set up on the web server side, Nimble Streamer (or Wowza agent) must be notified about the protection settings.
Go to the top menu and select "Control" -> "WMSAuth paywall setup".
WMSAuth is a feature set which handles hotlink protection and other features like geo-lock and pay-per-view.
2.1 WMSAuth group
In WMSAuth, every restriction may be applied to a group of servers. So the first thing to do is to create a group and assign one or more servers to it.
Click on "Add WMSAuth group" to specify its name and proceed to further setup.
2.2 WMSAuth rule
Within a group, there may be several rules, each working with its own set of Nimble Streamer or Wowza entities. Just click on "Add rule" to enter the rule creation page.
Check this screenshot to see how you can specify an application or stream regular expression.
The last thing to specify is a key, or password, which was inserted into the media signature on the web server side in section "Make media URL signature" above.
After you save the rule, it will be applied to the server within a few seconds.
The time tolerance parameter is the maximum time difference that is allowed between the web server and media server clocks. It should be used when you can't keep these clocks perfectly synchronized.
Is that all I need?
Yes. Now that your media is signed with a WMSAuth signature, Nimble Streamer or Wowza will check each incoming request against its media signature. Immediately after that, the connection will be either allowed or denied; it takes just several milliseconds.
The hot-linking protection functionality also works with stream-based signatures for Nimble Streamer.
You may also combine this functionality with geo-location and IP range restrictions as well as connection and bandwidth limits. This is also the foundation for the pay-per-view feature set.
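The signature built in section 1.1 and the per-request check described above, as an added Python example (not code from WMSPanel, Nimble Streamer or Wowza). The function names, the sample IP address and the exact way the time tolerance is applied are assumptions made for illustration; the token layout follows the PHP snippet.

```python
import base64, hashlib, hmac
from datetime import datetime, timedelta, timezone

# wmsAuthSign value from the sample URLs in section 1.1
PAGE_TOKEN = ("c2VydmVyX3RpbWU9NS80LzIwMTIgODozMzowNSBBTSZoYXNoX3ZhbHVlPXE3MjN6"
              "aEVmdGFUOUJoWjBQTmw1TVE9PSZ2YWxpZG1pbnV0ZXM9MjA2")

def php_gmdate(dt):
    """Format like PHP gmdate("n/j/Y g:i:s A"): no zero padding on month, day, hour."""
    return f"{dt.month}/{dt.day}/{dt.year} {dt.hour % 12 or 12}:{dt:%M:%S} {'AM' if dt.hour < 12 else 'PM'}"

def hash_value(ip, key, server_time, validminutes):
    """base64(md5(ip . key . server_time . validminutes)), as in the PHP snippet."""
    digest = hashlib.md5(f"{ip}{key}{server_time}{validminutes}".encode()).digest()
    return base64.b64encode(digest).decode()

def make_token(ip, key, validminutes, now):
    today = php_gmdate(now)
    sig = f"server_time={today}&hash_value={hash_value(ip, key, today, validminutes)}&validminutes={validminutes}"
    return base64.b64encode(sig.encode()).decode()

def parse_token(token):
    raw = base64.b64decode(token, validate=True).decode()
    # Split by hand: a query-string parser would turn '+' in the base64 hash into a space.
    return dict(part.partition("=")[::2] for part in raw.split("&"))

def check_token(token, client_ip, key, now, tolerance_minutes=0):
    """Hypothetical server-side check: returns 'ok' or the reason for denial."""
    try:
        f = parse_token(token)
        issued = datetime.strptime(f["server_time"], "%m/%d/%Y %I:%M:%S %p").replace(tzinfo=timezone.utc)
        lifetime = timedelta(minutes=int(f["validminutes"]))
        claimed = f["hash_value"].encode()
    except (ValueError, KeyError):
        return "malformed"
    # Recompute the hash from the connecting IP and the key configured in the rule.
    expected = hash_value(client_ip, key, f["server_time"], f["validminutes"]).encode()
    if not hmac.compare_digest(expected, claimed):
        return "bad signature"  # wrong IP, wrong key, or edited fields
    slack = timedelta(minutes=tolerance_minutes)  # allowed clock drift (assumed handling)
    if now < issued - slack:
        return "not yet valid"
    if now > issued + lifetime + slack:
        return "expired"
    return "ok"

if __name__ == "__main__":
    print(parse_token(PAGE_TOKEN))
    t0 = datetime(2024, 1, 2, 15, 4, 5, tzinfo=timezone.utc)  # constructed sample time
    tok = make_token("203.0.113.7", "default", 20, t0)        # constructed sample IP
    print(check_token(tok, "203.0.113.7", "default", t0))
    print(check_token(tok, "198.51.100.9", "default", t0))
```

Because the viewer's IP address and validminutes are both inside the hash, a link copied to another site fails for visitors coming from other addresses, and editing the validity period in the token invalidates it.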
Questions or problems
Hotlink protection does not work? Check the troubleshooting FAQ.
What if WMSPanel is not accessible? Hot-linking protection works regardless of WMSPanel availability. If your server can't connect to WMSPanel for some reason, the protection will still work perfectly. Once the rules are set up, the control panel is not used anymore.