How to Secure HLS & DASH Streams in Ant Media


Third-party websites are likely to abuse your server resources if your Ant Media streams are not secured against malicious and unauthorized stream embedding. If you are in the business of live streaming, you will understand that server resources are critical and expensive. If anybody can feed on your streaming resources, you are likely to go out of business quickly, as you will keep incurring huge costs.

To stop people from abusing your streaming resources, you can stop third-party domains from embedding your Ant Media HLS and DASH streams. In this article, we would like to give you a brief outline of what you need to implement.

But we recommend that you read the full guide on how to implement everything related to securing Ant Media HLS and DASH streams.

Installing Nginx and setting up the Reverse Proxy

In short, the first step is to install the Nginx server on the same machine where Ant Media Server is running. This lets you implement the important part of this step, configuring the reverse proxy, by editing the /etc/nginx/nginx.conf file (for example with nano /etc/nginx/nginx.conf):

Sample nginx.conf configuration

This is the sample template configuration you’re going to put into the nginx.conf file:

user nginx;
worker_processes auto;
pid /var/run/nginx.pid;
worker_rlimit_nofile 1048576;

events {
    worker_connections 1048576;
    multi_accept on;
    use epoll;
}

http {
    sendfile on;
    tcp_nopush on;
    tcp_nodelay on;
    server_tokens off;
    keepalive_timeout 300s;
    types_hash_max_size 2048;
    include /etc/nginx/mime.types;
    default_type application/octet-stream;

    # ssl settings
    ssl_protocols TLSv1.2;
    ssl_prefer_server_ciphers on;
    ssl_ciphers HIGH:!aNULL:!MD5;
    ssl_session_cache shared:SSL:50m;
    ssl_session_tickets off;

    # logs settings (the "main" format includes the Referer, so blocked embeds are visible in the access log)
    log_format main '$remote_addr - $remote_user [$time_local] "$request" '
                    '$status $body_bytes_sent "$http_referer" '
                    '"$http_user_agent" "$http_x_forwarded_for" '
                    '"$hostname" "upstream: $upstream_addr"';
    access_log /var/log/nginx/access.log main;
    error_log /var/log/nginx/error.log;

    # gzip
    gzip on;
    gzip_disable "msie6";
    gzip_http_version 1.1;
    gzip_comp_level 6;
    gzip_types text/plain text/css application/json application/javascript text/javascript application/x-javascript text/xml application/xml application/xml+rss application/vnd.ms-fontobject application/x-font-ttf font/opentype font/x-woff image/svg+xml image/x-icon;

    # proxy settings
    proxy_redirect off;
    proxy_http_version 1.1;
    proxy_read_timeout 10s;
    proxy_send_timeout 10s;
    proxy_connect_timeout 10s;

    # redirect all http requests to https
    server {
        listen 80 default_server;
        server_name _;
        return 301 https://$host$request_uri;
    }

    # Origin configuration
    # Replace {YOUR_DOMAIN} with your fully qualified domain name.
    server {
        listen 443 ssl;
        ssl_certificate /etc/letsencrypt/live/{YOUR_DOMAIN}/fullchain.pem;
        ssl_certificate_key /etc/letsencrypt/live/{YOUR_DOMAIN}/privkey.pem;
        server_name yourdomain.com;

        location / {
            # Only requests whose Referer starts with the whitelisted domain are proxied;
            # everything else, including a request with no Referer at all, gets 403.
            # Dots are escaped so "." matches a literal dot, and the trailing group
            # requires the host name to end after ".com" so that look-alike hosts
            # such as whitelisted-domain-name.com.other.example do not pass.
            if ($http_referer !~* "^https?://(www\.)?whitelisted-domain-name\.com([:/]|$)") {
                return 403;
            }
            proxy_pass http://AMS-server-IP:5080;
            proxy_http_version 1.1;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header Host $host;
            proxy_set_header Upgrade $http_upgrade;
            proxy_set_header Connection "Upgrade";
        }
    }

    # Dashboard configuration: exposes the AMS dashboard on a separate port,
    # which should be reachable only from specific IPs.
    # Replace {YOUR_DOMAIN} with your fully qualified domain name.
    server {
        listen 4444 ssl;
        ssl_certificate /etc/letsencrypt/live/{YOUR_DOMAIN}/fullchain.pem;
        ssl_certificate_key /etc/letsencrypt/live/{YOUR_DOMAIN}/privkey.pem;
        server_name yourdomain.com;

        location / {
            # Restrict the dashboard to administrator addresses.
            # Replace {YOUR_ADMIN_IP} with the IP address or CIDR range to allow.
            allow {YOUR_ADMIN_IP};
            deny all;
            proxy_pass http://AMS-Server-IP:5080;
            proxy_http_version 1.1;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header Host $host;
            proxy_set_header Upgrade $http_upgrade;
            proxy_set_header Connection "Upgrade";
        }
    }
}

Whitelisting the allowed domains

From the above code, you will need to find the following block:

location / {
    if ($http_referer !~* "^https?://(www\.)?whitelisted-domain-name\.com([:/]|$)") {
        return 403;
    }

It is important to note that this block is critical: without it, you cannot whitelist the domains that are allowed to embed your Ant Media HLS streams.

Domains that are not whitelisted will not be able to embed your streams on their sites.
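To see which Referer values this block accepts before deploying it, here is an added Python example (not from the original post and not Ant Media's or nginx's own code) that reproduces the decision nginx makes for `if ($http_referer !~* pattern) { return 403; }`. It compares a loosely written pattern with an escaped and bounded one, using the page's placeholder domain whitelisted-domain-name.com; the pattern names and the sample Referer headers are constructed for illustration.

```python
import re

# nginx's "!~*" means "does NOT match, case-insensitively", so a request is
# proxied only when the pattern matches the Referer header.

# Loosely written pattern: an unescaped "." matches any character, and nothing
# bounds the host name after ".com".
LOOSE_PATTERN = r"^https?://(www.)?whitelisted-domain-name.com"
# Escaped and bounded pattern: literal dots, and the host must end after ".com"
# (followed by a path, a port, or the end of the header).
STRICT_PATTERN = r"^https?://(www\.)?whitelisted-domain-name\.com([:/]|$)"

# Constructed sample Referer headers; "" stands for a request with no Referer,
# which some native players and non-browser clients send.
SAMPLE_REFERERS = {
    "own site":         "https://www.whitelisted-domain-name.com/player.html",
    "own site, no www": "https://whitelisted-domain-name.com/live/stream1",
    "no referer":       "",
    "other site":       "https://other-site.example/embed",
    "lookalike host":   "https://whitelisted-domain-name.com.other-site.example/",
    "dot as wildcard":  "https://whitelisted-domain-nameXcom/",
}


def referer_allowed(referer, pattern):
    """True if nginx would proxy the request, False if it would return 403.

    An absent Referer is the empty string, which never matches the pattern,
    so such requests are blocked as well.
    """
    return re.search(pattern, referer or "", re.IGNORECASE) is not None


def evaluate(pattern):
    """Map each sample name to whether its Referer passes under `pattern`."""
    return {name: referer_allowed(ref, pattern) for name, ref in SAMPLE_REFERERS.items()}


def main():
    # The Referer header is supplied by the client, so this check deters casual
    # embedding on other sites; it is not authentication of the viewer.
    for name, ref in SAMPLE_REFERERS.items():
        loose = "allow" if referer_allowed(ref, LOOSE_PATTERN) else "403"
        strict = "allow" if referer_allowed(ref, STRICT_PATTERN) else "403"
        print(f"{name:<18} loose={loose:<5} strict={strict:<5} {ref!r}")


if __name__ == "__main__":
    main()
```

Note that both patterns reject a request with no Referer, so players that do not send one will get 403 under this block; nginx's valid_referers directive and its $invalid_referer variable offer the same check without a hand-written regex.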

Securing Ant Media HLS and DASH streams is a bit tricky for a beginner, but following this guide simplifies it for you.
