Tuesday, September 9, 2014

HLS encryption in the rtmp module v1.1.5

The nginx-rtmp-module version 1.1.5 supports HLS encryption using the AES-128 method. HLS fragments are encrypted so that they can be played only by clients that have the corresponding HLS key files. The key files are auto-generated by the module and stored in a location specified in nginx.conf. They are supposed to be served over https only, and only to authorised clients. To make this simpler, the key files can be stored in a location different from the default HLS location. It's also possible to set how many HLS fragments are encrypted with a single key file.

http {
    server {
        listen 443 ssl;
        server_name example.com;

        ssl_certificate /var/ssl/example.com.pem;
        ssl_certificate_key /var/ssl/example.com.private;

        # Serve HLS keys securely here
        location /keys {
            root /tmp;
        }
    }

    server {
        listen 80;
        server_name example.com;

        # Serve HLS playlist/fragments here
        location /hls {
            root /tmp;
        }
    }
}

rtmp {
    server {
        listen 1935;

        hls on;
        hls_path /tmp/hls;

        # Use HLS encryption
        hls_keys on;

        # Store auto-generated keys in this location rather than hls_path
        hls_key_path /tmp/keys;

        # Prepend key url with this value
        hls_key_url https://example.com/keys/;

        # Change HLS key every 2 fragments
        hls_fragments_per_key 2;
    }
}

The following directives are added:
  • hls_keys on|off - Toggles HLS encryption using the AES-128 method. The current fragment number is used as the AES initialization vector.
  • hls_key_path - Directory where key files are stored. Defaults to the HLS directory (hls_path).
  • hls_key_url - URL prefix used to serve key files from a different location.
  • hls_fragments_per_key - The number of fragments encrypted with a single key. Zero (the default) means a single auto-generated key file is used from the start of publishing until the stream ends.
Here's an example m3u8 playlist generated by the above-mentioned configuration.

#EXTM3U
#EXT-X-VERSION:3
#EXT-X-MEDIA-SEQUENCE:16
#EXT-X-TARGETDURATION:10
#EXT-X-KEY:METHOD=AES-128,URI="https://example.com/keys/mystream-15.key",IV=0x0000000000000000000000000000000F
#EXTINF:10.010,
mystream-16.ts
#EXT-X-KEY:METHOD=AES-128,URI="https://example.com/keys/mystream-17.key",IV=0x00000000000000000000000000000011
#EXTINF:10.010,
mystream-17.ts
#EXTINF:10.010,
mystream-18.ts
#EXT-X-KEY:METHOD=AES-128,URI="https://example.com/keys/mystream-19.key",IV=0x00000000000000000000000000000013
#EXTINF:10.010,
mystream-19.ts
#EXTINF:9.759,
mystream-20.ts
#EXT-X-KEY:METHOD=AES-128,URI="https://example.com/keys/mystream-21.key",IV=0x00000000000000000000000000000015
#EXTINF:10.010,
mystream-21.ts
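As an added example (not code from the module or from this post), the following Python parser resolves, for each segment of a playlist like the one above, the key URI and the 16-byte CBC IV a client must use, applying the RFC 8216 default of the media sequence number when an EXT-X-KEY carries no IV attribute, and reports how many consecutive segments share one key so it can be compared with hls_fragments_per_key. The embedded sample playlist is a constructed excerpt of the one shown above.

```python
import re
from collections import namedtuple

# One media segment with the key URI and 16-byte CBC IV that apply to it.
Segment = namedtuple("Segment", "seq uri key_uri iv")

def _parse_attrs(attr_list):
    """Attribute list per RFC 8216 4.2: NAME=VALUE, value quoted or bare."""
    return {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
            for m in re.finditer(r'([A-Z0-9-]+)=(?:"([^"]*)"|([^,]*))', attr_list)}

def parse_playlist(text):
    """Resolve the EXT-X-KEY in force for every segment of a media playlist."""
    seq, key_uri, iv, segments = 0, None, None, []
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("#EXT-X-MEDIA-SEQUENCE:"):
            seq = int(line.split(":", 1)[1])
        elif line.startswith("#EXT-X-KEY:"):
            attrs = _parse_attrs(line.split(":", 1)[1])
            key_uri = attrs["URI"] if attrs.get("METHOD", "NONE") != "NONE" else None
            iv = bytes.fromhex(attrs["IV"][2:].rjust(32, "0")) if "IV" in attrs else None
        elif line and not line.startswith("#"):
            # RFC 8216 5.2: an explicit IV applies until the next EXT-X-KEY; with no
            # IV attribute the IV is the media sequence number, 128-bit big-endian.
            seg_iv = iv if iv is not None else (seq.to_bytes(16, "big") if key_uri else None)
            segments.append(Segment(seq, line, key_uri, seg_iv))
            seq += 1
    return segments

def max_segments_per_key(segments):
    """Longest run of consecutive segments under one key (compare: hls_fragments_per_key)."""
    best = run = 0
    for i, seg in enumerate(segments):
        run = run + 1 if i and segments[i - 1].key_uri == seg.key_uri else 1
        best = max(best, run)
    return best

# Constructed sample: the first segments of the playlist shown above.
SAMPLE = """#EXTM3U
#EXT-X-MEDIA-SEQUENCE:16
#EXT-X-KEY:METHOD=AES-128,URI="https://example.com/keys/mystream-15.key",IV=0x0000000000000000000000000000000F
#EXTINF:10.010,
mystream-16.ts
#EXT-X-KEY:METHOD=AES-128,URI="https://example.com/keys/mystream-17.key",IV=0x00000000000000000000000000000011
#EXTINF:10.010,
mystream-17.ts
#EXTINF:10.010,
mystream-18.ts
"""
```

For the sample, segment 18 inherits mystream-17.key and the IV 0x11 from the preceding EXT-X-KEY line, and the longest run under one key is 2, matching hls_fragments_per_key 2 in the configuration above.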

13 comments:

  1. looks like you forgot to push the `1.1.5` tag

  2. Hi, I am trying to send an encrypted HLS stream using the above mentioned configuration. But when I capture the stream (in Wireshark), it's plain HTTP. Also the contents of the m3u8 file are visible. The nginx log is not showing any error regarding this. Can you give some clue?

    Replies
    1. The catch here is whether the file is readable or not, rather than the visibility of the files; just my suggestion.

  3. This comment has been removed by the author.

  4. Hi @Roman Arutyunyan

    I faced a problem dropping a client. When I drop a connection as:
    /usr/bin/curl http://192.168.1.9:9001/ctrl/drop/client?app=live&name=HBOAdria&clientid=28157

    OR

    /usr/bin/curl http://192.168.1.9:9001/ctrl/drop/client?app=live&name=HBOAdria&addr=192.168.1.7&clientid=28432

    then all channels from the live application are disconnected. I used 2 workers on ports 9000 and 9001.

    I use the latest module with nginx 1.7.9.

    Thanks.

  5. Hi arut
    I want to use the rtmp module in production. I saw there are some bugs reported on the net related to crashes, crash on close, etc. Do you offer some kind of support/bug fix model for this module?

  6. Roman,
    why do you specify the IV explicitly as the current chunk sequence number if the standard states this is the default behaviour, so one could omit the IV entirely?

  7. The stream is coming without encryption. I can see the key file coming and the .ts packets coming, but not encrypted packets.
