The nginx-rtmp-module version 1.1.5 supports HLS encryption using the AES-128 method. HLS fragments are encrypted so that they can be opened only by someone who has the HLS key files. The key files are auto-generated by the module and stored in a location specified in nginx.conf. They are supposed to be served securely, over HTTPS only, to authorised clients. To make this simpler, the key files can be stored in a location different from the default HLS location. It is also possible to set how many HLS fragments are encrypted with a single key file.
    http {
        server {
            listen 443 ssl;
            server_name example.com;
            ssl_certificate /var/ssl/example.com.pem;
            ssl_certificate_key /var/ssl/example.com.private;
            # Serve HLS keys securely here
            location /keys {
                root /tmp;
            }
        }
        server {
            listen 80;
            server_name example.com;
            # Serve HLS playlist/fragments here
            location /hls {
                root /tmp;
            }
        }
    }
    rtmp {
        server {
            listen 1935;
            hls on;
            hls_path /tmp/hls;
            # Use HLS encryption
            hls_keys on;
            # Store auto-generated keys in this location rather than hls_path
            hls_key_path /tmp/keys;
            # Prepend key url with this value
            hls_key_url https://example.com/keys/;
            # Change HLS key every 2 fragments
            hls_fragments_per_key 2;
        }
    }
The following directives are added:
- hls_keys on|off - Toggles HLS encryption using the AES-128 method. The current fragment number is used as the AES initialization vector.
- hls_key_path - Directory where key files are stored. Defaults to the HLS directory (hls_path).
- hls_key_url - URL prefix to serve key files from a different location.
- hls_fragments_per_key - The number of fragments encrypted with a single key. Zero (default) means a single auto-generated key file is used from the publish command until the stream ends.
Here's an example m3u8 playlist generated by the above-mentioned configuration.
    #EXTM3U
    #EXT-X-VERSION:3
    #EXT-X-MEDIA-SEQUENCE:16
    #EXT-X-TARGETDURATION:10
    #EXT-X-KEY:METHOD=AES-128,URI="https://example.com/keys/mystream-15.key",IV=0x0000000000000000000000000000000F
    #EXTINF:10.010,
    mystream-16.ts
    #EXT-X-KEY:METHOD=AES-128,URI="https://example.com/keys/mystream-17.key",IV=0x00000000000000000000000000000011
    #EXTINF:10.010,
    mystream-17.ts
    #EXTINF:10.010,
    mystream-18.ts
    #EXT-X-KEY:METHOD=AES-128,URI="https://example.com/keys/mystream-19.key",IV=0x00000000000000000000000000000013
    #EXTINF:10.010,
    mystream-19.ts
    #EXTINF:9.759,
    mystream-20.ts
    #EXT-X-KEY:METHOD=AES-128,URI="https://example.com/keys/mystream-21.key",IV=0x00000000000000000000000000000015
    #EXTINF:10.010,
    mystream-21.ts
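An added example (not code from the module or from this post): a short Python check that walks a playlist like the one above, ties each fragment to the #EXT-X-KEY tag in effect, and reports fragments with no key, key URIs that are not https, and keys covering more fragments than hls_fragments_per_key allows. The function names are hypothetical, and the sample input is the first part of the playlist shown above.

```python
import re
from urllib.parse import urlparse

# First entries of the playlist shown above, embedded as sample input.
PLAYLIST = """#EXTM3U
#EXT-X-VERSION:3
#EXT-X-MEDIA-SEQUENCE:16
#EXT-X-TARGETDURATION:10
#EXT-X-KEY:METHOD=AES-128,URI="https://example.com/keys/mystream-15.key",IV=0x0000000000000000000000000000000F
#EXTINF:10.010,
mystream-16.ts
#EXT-X-KEY:METHOD=AES-128,URI="https://example.com/keys/mystream-17.key",IV=0x00000000000000000000000000000011
#EXTINF:10.010,
mystream-17.ts
#EXTINF:10.010,
mystream-18.ts
"""
ATTR = re.compile(r'([A-Z0-9-]+)=("[^"]*"|[^,]*)')  # attribute list: NAME=value or NAME="value"

def segments_with_keys(playlist):
    """Return [(segment, key_uri, iv)]; an EXT-X-KEY tag applies to the segments after it."""
    key, out = (None, None), []
    for line in map(str.strip, playlist.splitlines()):
        if line.startswith("#EXT-X-KEY:"):
            attrs = {k: v.strip('"') for k, v in ATTR.findall(line.split(":", 1)[1])}
            # METHOD=NONE turns encryption off for the segments that follow
            encrypted = attrs.get("METHOD") != "NONE"
            key = (attrs.get("URI"), attrs.get("IV")) if encrypted else (None, None)
        elif line and not line.startswith("#"):
            out.append((line, *key))
    return out

def audit(playlist, max_per_key):
    """Return findings; an empty list means keys are https-only and rotated as configured."""
    findings, per_key = [], {}
    for seg, uri, _iv in segments_with_keys(playlist):
        if uri is None:
            findings.append(f"{seg}: no key, segment is served in the clear")
            continue
        if urlparse(uri).scheme != "https":
            findings.append(f"{seg}: key URI {uri} is not https")
        per_key.setdefault(uri, []).append(seg)
    for uri, segs in per_key.items():
        if max_per_key and len(segs) > max_per_key:
            findings.append(f"{uri}: {len(segs)} segments share one key (limit {max_per_key})")
    return findings

if __name__ == "__main__":
    print(audit(PLAYLIST, max_per_key=2) or "no findings")
```

The check reads the playlist only; it does not confirm that the .ts data itself is encrypted or that the /keys location enforces client authorisation.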
looks like you forgot to push the `1.1.5` tag
exactly!
Great feature, THX!!!
Hi, I am trying to send an encrypted HLS stream using the above-mentioned configuration. But when I capture the stream (in Wireshark), it's plain HTTP. Also the contents of the m3u8 file are visible. The nginx log is not showing any error regarding this. Can you give some clue?
The catch here is whether the file can be read or not, rather than the visibility of the files. Just my suggestion.
Hi @Roman Arutyunyan
I faced a problem in dropping a client. When I drop a connection as:
/usr/bin/curl http://192.168.1.9:9001/ctrl/drop/client?app=live&name=HBOAdria&clientid=28157
OR
/usr/bin/curl http://192.168.1.9:9001/ctrl/drop/client?app=live&name=HBOAdria&addr=192.168.1.7&clientid=28432
then all channels from the live application disconnected. I used 2 workers at 9000 and 9001 port.
I use the latest module with nginx 1.7.9
Thanks.
Hi arut
I want to use the rtmp module in production. I saw there are some bugs reported on the net related to crash, crash on close etc. Do you offer some kind of support/bug fix model for this module?
Roman,
why do you specify the IV explicitly as the current chunk sequence number if the standard states this is the default behaviour, so you don't need to specify the IV at all?
On_play in hls not work? ;(
Well done!!! good job :))))
Stream is coming without encryption. I can see the key file coming and .ts packets coming but not encrypted packets.
Thank you very much!
I could never get this working.. keys and segments are produced and downloaded but the player won't display anything (videojs hlsjs)