Tuesday, September 9, 2014

HLS encryption in the rtmp module v1.1.5

The nginx-rtmp-module version 1.1.5 supports HLS encryption using the AES-128 method. HLS fragments are encrypted so that they can be played only by a client that holds the matching HLS key file. The key files are auto-generated by the module and stored in a location specified in nginx.conf. They are meant to be served over HTTPS, and only to authorised clients; the playlist and the encrypted fragments themselves can stay on plain HTTP, because the key is the only secret. To make this simpler the key files can be stored in a location different from the default HLS location, so the plain-HTTP location that serves the fragments never exposes them. It is also possible to set how many HLS fragments are encrypted with a single key file. Two caveats apply. TLS only protects the key in transit: in the configuration below nothing restricts who may request /keys/, so an access check on that location (auth_basic, auth_request or allow/deny rules, depending on how clients are identified) is still needed before the encryption keeps anyone out. And any client that is allowed to fetch the key can also save the decrypted content; AES-128 HLS protects the stream from eavesdroppers and from anyone who can read the fragment files, it is not DRM.
http {
    server {
        listen 443 ssl;
        server_name example.com;

        ssl_certificate /var/ssl/example.com.pem;
        ssl_certificate_key /var/ssl/example.com.private;

        # Serve HLS keys securely here: TLS protects the key in transit only,
        # so also restrict who may fetch it (auth_basic, auth_request or allow/deny)
        location /keys {
            root /tmp;
        }
    }

    server {
        listen 80;
        server_name example.com;

        # Serve HLS playlist/fragments here
        location /hls {
            root /tmp;
        }
    }
}

rtmp {
    server {
        listen 1935;

        hls on;
        hls_path /tmp/hls;

        # Use HLS encryption
        hls_keys on;

        # Store auto-generated keys in this location rather than hls_path
        hls_key_path /tmp/keys;

        # Prepend key url with this value
        hls_key_url https://example.com/keys/;

        # Change HLS key every 2 fragments
        hls_fragments_per_key 2;
    }
}
The following directives are added:
  • hls_keys on|off - Toggles HLS encryption using the AES-128 method (AES-128 in CBC mode with PKCS#7 padding, as the HLS specification defines that method). The current fragment number is used as the AES initialization vector and is written explicitly into the playlist's EXT-X-KEY tag, so the IV is not a secret; only the key file is.
  • hls_key_path - Directory where key files are stored. Defaults to the HLS directory (hls_path), which means the keys would sit next to the fragments and be served by the same location unless set separately.
  • hls_key_url - URL prefix prepended to key file names in the playlist, so that keys can be served from a different location (normally an HTTPS server with access control).
  • hls_fragments_per_key - The number of fragments encrypted with a single key. Zero (default) means a single auto-generated key file is used from the publish command until the stream ends.
Here's an example m3u8 playlist generated by the above-mentioned configuration. Each EXT-X-KEY tag applies to every fragment that follows it until the next tag, so with hls_fragments_per_key 2 a new key and IV appear every second fragment; the key file is named after the fragment number at which it was generated.
#EXTM3U
#EXT-X-VERSION:3
#EXT-X-MEDIA-SEQUENCE:16
#EXT-X-TARGETDURATION:10
#EXT-X-KEY:METHOD=AES-128,URI="https://example.com/keys/mystream-15.key",IV=0x0000000000000000000000000000000F
#EXTINF:10.010,
mystream-16.ts
#EXT-X-KEY:METHOD=AES-128,URI="https://example.com/keys/mystream-17.key",IV=0x00000000000000000000000000000011
#EXTINF:10.010,
mystream-17.ts
#EXTINF:10.010,
mystream-18.ts
#EXT-X-KEY:METHOD=AES-128,URI="https://example.com/keys/mystream-19.key",IV=0x00000000000000000000000000000013
#EXTINF:10.010,
mystream-19.ts
#EXTINF:9.759,
mystream-20.ts
#EXT-X-KEY:METHOD=AES-128,URI="https://example.com/keys/mystream-21.key",IV=0x00000000000000000000000000000015
#EXTINF:10.010,
mystream-21.ts
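To see what a player has to do with a playlist like this, here is an added example in Go; it is not part of the post or of nginx-rtmp-module. It pairs each segment with the EXT-X-KEY tag in force, builds the 16-byte IV from a fragment number the way the playlist shows it, decrypts a segment with AES-128-CBC and PKCS#7 unpadding as the HLS specification requires for METHOD=AES-128, and includes the quick check a practitioner wants when a stream "looks unencrypted": plain MPEG-TS has the sync byte 0x47 at every 188-byte offset, ciphertext does not. The key, the three-packet segment and the trimmed playlist are constructed stand-ins, and the 16-raw-byte key file format is the HLS specification's requirement rather than something the post states.

```go
// Added example, not nginx-rtmp-module code: the player side of a playlist like the one above.
// Assumes 16-byte raw key files, IV = 128-bit big-endian fragment number, PKCS#7 padding; all sample data is constructed.
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"encoding/binary"
	"encoding/hex"
	"fmt"
	"strings"
)

type Segment struct{ Name, KeyURI string; IV [16]byte } // one media file and its key tag ("" = clear)
// FragmentIV is the IV the playlist carries: the fragment number in the low bytes of a zeroed block.
func FragmentIV(n uint64) (iv [16]byte) { binary.BigEndian.PutUint64(iv[8:], n); return }

// ParsePlaylist pairs each segment with the last EXT-X-KEY tag seen; a tag stays in
// force until the next one, so mystream-18.ts inherits key 17 and its IV.
func ParsePlaylist(m3u8 string) ([]Segment, error) {
	var (segs []Segment; uri string; iv [16]byte)
	for _, line := range strings.Split(m3u8, "\n") {
		line = strings.TrimSpace(line)
		if strings.HasPrefix(line, "#EXT-X-KEY:") {
			for _, a := range strings.Split(line[len("#EXT-X-KEY:"):], ",") { // no commas in URI
				k, v, _ := strings.Cut(a, "=")
				if k == "URI" {
					uri = strings.Trim(v, `"`)
				} else if k == "IV" {
					raw, err := hex.DecodeString(strings.TrimPrefix(v, "0x"))
					if err != nil || len(raw) != 16 {
						return nil, fmt.Errorf("bad IV %q", v)
					}
					copy(iv[:], raw)
				}
			}
		} else if line != "" && line[0] != '#' {
			segs = append(segs, Segment{Name: line, KeyURI: uri, IV: iv})
		}
	}
	return segs, nil
}

// EncryptSegment mirrors the server side: AES-128-CBC with PKCS#7 padding.
func EncryptSegment(key []byte, iv [16]byte, ts []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	pad := aes.BlockSize - len(ts)%aes.BlockSize
	out := append(append([]byte{}, ts...), bytes.Repeat([]byte{byte(pad)}, pad)...)
	cipher.NewCBCEncrypter(block, iv[:]).CryptBlocks(out, out)
	return out, nil
}

// DecryptSegment is the player side. A wrong key almost always shows up as bad padding;
// a wrong IV only garbles the first 16 bytes, which the sync-byte check below catches instead.
func DecryptSegment(key []byte, iv [16]byte, enc []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	if len(enc) == 0 || len(enc)%aes.BlockSize != 0 {
		return nil, fmt.Errorf("ciphertext is not a whole number of AES blocks")
	}
	out := make([]byte, len(enc))
	cipher.NewCBCDecrypter(block, iv[:]).CryptBlocks(out, enc)
	pad := int(out[len(out)-1])
	if pad == 0 || pad > aes.BlockSize || !bytes.Equal(out[len(out)-pad:], bytes.Repeat([]byte{byte(pad)}, pad)) {
		return nil, fmt.Errorf("bad PKCS#7 padding: wrong key?")
	}
	return out[:len(out)-pad], nil
}

// LooksLikeClearTS: plaintext MPEG-TS has sync byte 0x47 at every 188-byte boundary, ciphertext does not.
func LooksLikeClearTS(data []byte) bool {
	for off := 0; off < len(data); off += 188 {
		if data[off] != 0x47 {
			return false
		}
	}
	return len(data) > 0 && len(data)%188 == 0
}

// Constructed stand-ins: a key for mystream-17.key, a 3-packet segment and a trimmed playlist.
var SampleKey = []byte("0123456789abcdef")
func SampleTS() []byte { return bytes.Repeat(append([]byte{0x47}, make([]byte, 187)...), 3) }
const PagePlaylist = `#EXTM3U
#EXT-X-KEY:METHOD=AES-128,URI="https://example.com/keys/mystream-15.key",IV=0x0000000000000000000000000000000F
mystream-16.ts
#EXT-X-KEY:METHOD=AES-128,URI="https://example.com/keys/mystream-17.key",IV=0x00000000000000000000000000000011
mystream-17.ts
mystream-18.ts`
func main() {
	segs, _ := ParsePlaylist(PagePlaylist)
	enc, _ := EncryptSegment(SampleKey, segs[1].IV, SampleTS())
	dec, err := DecryptSegment(SampleKey, segs[2].IV, enc) // segment 18 reuses key 17's tag
	fmt.Println(segs[2].KeyURI, LooksLikeClearTS(enc), LooksLikeClearTS(dec), err)
}
```

Against a real stream, replace SampleKey and SampleTS with the bytes fetched from the key URL and the segment URL. LooksLikeClearTS on the raw .ts answers whether hls_keys is actually in effect (a fragment that still has 0x47 at every 188-byte offset was written in the clear), and running it again on the decrypted output verifies the key and IV together: the padding check catches a wrong key, while a wrong IV decrypts without error and only corrupts the first block, which the sync-byte check then reports.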

20 comments:

  1. looks like you forgot to push the `1.1.5` tag

  2. Hi, I am trying to send an encrypted HLS stream using the above-mentioned configuration. But when I capture the stream (in Wireshark), it's plain HTTP. Also the contents of the m3u8 file are visible. The nginx log is not showing any error regarding this. Can you give some clue?

    1. The catch here is whether the file can be read or not, rather than the visibility of the files; just my suggestion.

  3. This comment has been removed by the author.

  4. Hi @Roman Arutyunyan

    I faced a problem in dropping a client. When I drop a connection as:
    /usr/bin/curl 'http://192.168.1.9:9001/ctrl/drop/client?app=live&name=HBOAdria&clientid=28157'

    OR

    /usr/bin/curl 'http://192.168.1.9:9001/ctrl/drop/client?app=live&name=HBOAdria&addr=192.168.1.7&clientid=28432'

    then all channels from the live application are disconnected. I used 2 workers on ports 9000 and 9001.

    I use the latest module with nginx 1.7.9.

    Thanks.

  5. Hi arut,
    I want to use the rtmp module in production. I saw there are some bugs reported on the net related to crashes, crash on close etc. Do you offer some kind of support/bug-fix model for this module?

  6. Roman,
    why do you specify the IV explicitly as the current chunk sequence number if the standard states this is the default behaviour, so you could leave the IV out altogether?

  7. The stream is coming without encryption. I can see the key file coming and .ts packets coming, but not encrypted packets.

  8. I could never get this working. Keys and segments are produced and downloaded but the player won't display anything (videojs hlsjs).
