Stream restriction by authorized domains or IP addresses?

Homer

Member
Is it possible to restrict video to play only on an authorized domain? Example: only *.trustdomain.com/* can load the ws/wss/rtmp/rtsp stream. Those with an unauthorized domain or IP will not be able to play or receive the stream.
 

Max

Administrator
Staff member
> Is it possible to restrict video to play only on an authorized domain? Example: only *.trustdomain.com/* can load the ws/wss/rtmp/rtsp stream
Currently WCS does not support domain restriction.
We will inform you once it is implemented.
> Those with an unauthorized domain or IP will not be able to play or receive the stream.
For authentication, you can generate temporary short-lived tokens and pass the tokens to the play() method. You can also authorize by IP address.

Example:
1. You play a stream.
Code:
session.createStream({name: 'stream1',display: myDisplay, custom:{token:'abcdef-1000ms-alive'}}).play();
2. WCS server sends REST / HTTP hook to your web server
http://your-web-server.com/api/playStream
Content-Type: application/json
Code:
{
  "name": "stream1",
  "custom": {"token": "abcdef-1000ms-alive"},
  "sessionId": "192.168.88.22/10.0.0.1"
}
Here 192.168.88.22 is IP address of connected user.

3. Your web server answers with HTTP status 403 Forbidden to reject playback.
Or your web server answers with HTTP 200 OK to permit playback.

You can learn more from our REST Methods docs:
https://flashphoner.com/docs/wcs5/wcs_docs/html/en/wcs-rest-methods
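
One way the web server behind the playStream hook could issue and check short-lived tokens, as an added example that is not part of the original post or Flashphoner's code. The token format, the secret and the function names are assumptions of this example; the hook fields (name, custom.token, sessionId) are the ones shown above.

```javascript
const { createHmac, timingSafeEqual } = require('crypto');

// Constructed demo secret (assumption): known only to the token issuer and the hook server.
const SECRET = 'constructed-demo-secret';

// Token format assumed here: "<expiryMs>.<hex HMAC over [expiryMs, stream, ip]>".
function sign(expiryMs, stream, ip, secret) {
  return createHmac('sha256', secret)
    .update(JSON.stringify([expiryMs, stream, ip])).digest('hex');
}

// Called by your site when it renders the player page for a known viewer.
function issueToken(stream, ip, ttlMs, now = Date.now(), secret = SECRET) {
  const expiryMs = now + ttlMs;
  return `${expiryMs}.${sign(expiryMs, stream, ip, secret)}`;
}

// sessionId appears in the thread as "192.168.88.22/10.0.0.1" and as
// "/192.168.88.254:51050/192.168.88.59:8443"; the client address comes first.
// IPv4 only (assumption); a sessionId without an address never matches a token.
function clientIp(sessionId) {
  const first = String(sessionId).split('/').filter(Boolean)[0] || '';
  return first.replace(/:\d+$/, '');
}

// Status the hook should answer with: 200 permits playback, 403 rejects it.
function playStreamStatus(hook, now = Date.now(), secret = SECRET) {
  const token = hook && hook.custom && hook.custom.token;
  if (typeof token !== 'string') return 403;
  const parts = token.split('.');
  const expiryMs = Number(parts[0]);
  if (parts.length !== 2 || !Number.isSafeInteger(expiryMs) || expiryMs <= now) return 403;
  const expected = Buffer.from(sign(expiryMs, hook.name, clientIp(hook.sessionId), secret));
  const given = Buffer.from(parts[1]);
  // timingSafeEqual throws on unequal lengths, so check the length first.
  if (given.length !== expected.length) return 403;
  return timingSafeEqual(given, expected) ? 200 : 403;
}
```

Because the stream name and client address are covered by the HMAC, a token copied to another viewer or reused for another stream is rejected even before it expires.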
 

MJ@alaun

New Member
Although I did not open this thread, I am also interested in the same topic: Is there also a possibility to add a token for method Flashphoner.roomApi.connect() ?
 

Max

Administrator
Staff member
> Although I did not open this thread, I am also interested in the same topic: Is there also a possibility to add a token for method Flashphoner.roomApi.connect() ?
Starting from the following builds
Web SDK
https://flashphoner.com/downloads/b...2681597f499580ba3210ee73cdc78e20251dd3.tar.gz
Server 2436
You can pass parameter 'token' to roomApi.connect() method.
Example:
Code:
connection = Flashphoner.roomApi.connect({urlServer: url, username: username, token: '12345'}).on(SESSION_STATUS.FAILED, function(session){
        setStatus('#status', session.status());
        onLeft();
    }).on(SESSION_STATUS.DISCONNECTED, function(session) {
        setStatus('#status', session.status());
        onLeft();
    }).on(SESSION_STATUS.ESTABLISHED, function(session) {
        setStatus('#status', session.status());
        joinRoom();
    });
This token will be passed to REST in 'custom' object.
Example:
Code:
URL:http://localhost:9091/RoomApp/connect
OBJECT:
{
  "nodeId" : "ET3IqW3xNOdbMzy8xarh4LwBCz7JetSz@192.168.88.59",
  "appKey" : "roomApp",
  "sessionId" : "/192.168.88.254:51050/192.168.88.59:8443",
  "useWsTunnel" : false,
  "useWsTunnelPacketization2" : false,
  "useBase64BinaryEncoding" : false,
  "mediaProviders" : [ "WebRTC", "MSE", "WSPlayer" ],
  "clientVersion" : "0.5.24",
  "clientOSVersion" : "5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36",
  "clientBrowserVersion" : "Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36",
  "custom" : {
    "login" : "222",
    "token" : "12345"
  }
}
Therefore you can set up your own REST application which will
1) Authenticate connections by the passed token and return 403 Forbidden if access is unauthorized.
2) Delegate and forward REST request to internal address http://localhost:9091/RoomApp/connect if connection is authorized.

Docs
https://flashphoner.com/docs/wcs5/wcs_docs/html/en/wcs-rest-methods/
 

MJ@alaun

New Member
Thanks a lot for the update.
Am I right that I have to update the URL for the roomApp via CLI so that WCS sends REST methods to my server?
If so, do I have to restart the Flashphoner WCS after updating the URL to receive the connect?
 

Max

Administrator
Staff member
Yes you have to update the URL using CLI.
For example, change
http://localhost:9091/RoomApp
to
http://your-web-server/RoomApp
Once this update is done, your room application will be broken because you did not implement forwarding to original URL http://localhost:9091/RoomApp.
So you have to implement the forwarding before update.
1. Implement forwarding and test.
Example:
If you receive REST/HTTP JSON request to your URL http://your-web-server/RoomApp/connect, you forward this request to http://localhost:9091/RoomApp as is.
If you receive REST/HTTP JSON response from http://localhost:9091/RoomApp/connect, you forward this response to WCS server as is.
2. Change URL to http://your-web-server/RoomApp in CLI
You don't need to restart WCS server to apply changes.
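
The authenticate-then-forward step described above, as an added sketch that is not part of the original posts or Flashphoner's code. handleHook, forwardToUpstream and the isAuthorized callback are hypothetical names; the upstream URL is the original application URL from the thread, and the default forwarder assumes Node 18+ for the global fetch.

```javascript
// Original application URL from the thread; every permitted call ends up here.
const UPSTREAM = 'http://localhost:9091/RoomApp';

// Default forwarder: POST the untouched body to the original URL and hand
// back its status and body as-is.
async function forwardToUpstream(method, rawBody, upstream = UPSTREAM) {
  const r = await fetch(`${upstream}/${method}`, {
    method: 'POST',
    headers: { 'Content-Type': 'application/json' },
    body: rawBody,
  });
  return { status: r.status, body: await r.text() };
}

// Handles one REST hook call. `method` is the last path segment of the
// request URL ("connect", "playStream", ...). Only "connect" is gated;
// every other method is forwarded unchanged.
async function handleHook(method, rawBody, isAuthorized, forward = forwardToUpstream) {
  if (!/^[A-Za-z]+$/.test(method)) return { status: 403, body: '' };
  if (method === 'connect') {
    let hook;
    try { hook = JSON.parse(rawBody); } catch { return { status: 403, body: '' }; }
    if (!isAuthorized(hook)) return { status: 403, body: '' };
  }
  try {
    return await forward(method, rawBody);
  } catch {
    // Original application unreachable: answer 403 so the call is rejected.
    return { status: 403, body: '' };
  }
}
```

Mount handleHook behind whatever HTTP framework serves http://your-web-server/RoomApp/, and test it against the original URL before changing the application URL in the CLI.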
 

Max

Administrator
Staff member
Yes you can do that using CLI:
Code:
update app -k roomApp2 roomApp
Result:
Code:
> show apps
owner name              appKey            id URL
----------------------------------------------------------------------------------
admin flashChatApp      flashChatApp      6  http://localhost:9091/ChatApp
admin conferenceApp     conferenceApp     10 http://localhost:9091/ConferenceApp
admin sfu               sfu               13 http://localhost:9091/EchoApp
admin clickToCallApp    clickToCallApp    12 http://localhost:9091/ClickToCallApp
admin qaApp             qaApp             3  http://localhost:9091/QAApp
admin chatRoomApp       roomApp2          9  http://localhost:9091/RoomApp
admin chatRoomApp       flashRoomApp      5  http://localhost:9091/RoomApp
admin wcs3App           wcs3App           2  http://localhost:9091/EchoApp
admin websocketChatApp  websocketChatApp  7  http://localhost:9091/ChatApp
admin callApp           callApp           11 http://localhost:9091/CallApp
admin defaultApp        defaultApp        1  http://localhost:9091/EchoApp
admin flashStreamingApp flashStreamingApp 4  http://localhost:9091/EchoApp
admin chatRoomApp       chatRoomApp       8  http://localhost:9091/ChatRoomApp
 

MJ@alaun

New Member
Thanks for your reply, but isn't the appKey "roomApp" fixed in the Flashphoner-JavaScript-API for the roomApp?
I'm looking for a way to register more than one roomApp with the CLI and to configure on client-side which I want to use by the appKey. I think there's an option "appKey" for the method "Flashphoner.createSession" but not for "Flashphoner.roomApi.connect".
 

Max

Administrator
Staff member
We have fixed this in latest Web SDK build
https://flashphoner.com/downloads/b...ad5be146c7d0272bae4c03c48bce733a7bcfb4.tar.gz
Now you can pass appKey parameter:
Example:
Code:
 connection = Flashphoner.roomApi.connect({urlServer: url, username: username, appKey: 'roomApp'}).on(SESSION_STATUS.FAILED, function(session){
        setStatus('#status', session.status());
        onLeft();
    }).on(SESSION_STATUS.DISCONNECTED, function(session) {
        setStatus('#status', session.status());
        onLeft();
    }).on(SESSION_STATUS.ESTABLISHED, function(session) {
        setStatus('#status', session.status());
        joinRoom();
    });
 

Max

Administrator
Staff member
We have added passthrough "Origin"-header to REST in latest server build. Example:
Code:
URL:http://localhost:9091/EchoApp/connect
OBJECT:
{
  "nodeId" : "4pAdCKlDJ87jZMR5oEOvtE3ymhuUzFeb@192.168.10.10",
  "appKey" : "defaultApp",
  "sessionId" : "/192.168.10.20:56725/192.168.10.10:8443",
  "useWsTunnel" : false,
  "useWsTunnelPacketization2" : false,
  "useBase64BinaryEncoding" : false,
  "mediaProviders" : [ "WebRTC", "WSPlayer" ],
  "clientVersion" : "0.5.23",
  "clientOSVersion" : "5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/61.0.3163.91 Safari/537.36",
  "clientBrowserVersion" : "Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/61.0.3163.91 Safari/537.36",
  "origin" : "https://192.168.10.10"
}
You can now use "origin"-field on REST side to restrict access by domain.
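
A sketch of the domain restriction from the original question, applied to the "origin" field of the /connect hook; this is an added example, not part of the original post or Flashphoner's code. The allowlist syntax and the function names are assumptions of this example, and ports are ignored when matching.

```javascript
// Allowlist for this example, following the question's *.trustdomain.com.
// Assumption: only HTTPS pages are trusted; any port is accepted.
const ALLOWED = ['https://trustdomain.com', 'https://*.trustdomain.com'];

// Parses an Origin value into scheme and host; null if missing or malformed.
function parseOrigin(origin) {
  try {
    const u = new URL(origin);
    return {
      scheme: u.protocol.replace(/:$/, ''),
      host: u.hostname.toLowerCase().replace(/\.$/, ''),
    };
  } catch {
    return null; // undefined, the literal "null" origin, or garbage
  }
}

function matches(pattern, origin) {
  const p = pattern.match(/^([a-z]+):\/\/(\*\.)?(.+)$/);
  const o = parseOrigin(origin);
  if (!p || !o || p[1] !== o.scheme) return false;
  const base = p[3].toLowerCase();
  // A wildcard matches subdomains on a label boundary only, so
  // "eviltrustdomain.com" does not match "*.trustdomain.com".
  return p[2] ? o.host.endsWith('.' + base) : o.host === base;
}

function isOriginAllowed(origin, allowed = ALLOWED) {
  return allowed.some(p => matches(p, origin));
}

// Status for a /connect hook body like the one above: 200 permits, 403 rejects.
function connectStatus(hook, allowed = ALLOWED) {
  return isOriginAllowed(hook && hook.origin, allowed) ? 200 : 403;
}
```

The Origin header is set by browsers, and other clients can send any value, so use this check alongside token authentication rather than in place of it.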
 
So if I remove all methods, would my app continue to function, just without the "supporting" calls to the localhost REST server?
 
I should probably elaborate on what I need to implement. I need to send an RTMP stream to WC5 (currently doing that via FFMpeg or Wirecaster) and have that viewable by WebRTC clients. That is all working well. I'd like to include an authentication token on the RTMP stream URL and have that used when the RTMP stream connects to WC5. From what I see when calling the "stream/find_all" method, the appkey being used for the RTMP feed is "flashStreamingApp". So I would either need to create my own app that handled the RTMP stream or override the connect method for flashStreamingApp. Is this correct? Can I create my own app? Currently my RTMP output is something like "rtmp://<myhostIP>:1935/live/BigBuck".
 

Max

Administrator
Staff member
Hello
You can pass authentication directly in the RTMP URL
Example:
1. RTMP connection URL
Code:
rtmp://192.168.88.59/live?name=value
Stream name
Code:
stream2229
2. As you can see, WCS server sends REST /connect with custom object {"name":"value"}
Therefore the token can be passed to REST and you can authenticate it.
Code:
URL:http://localhost:9091/EchoApp/connect
OBJECT:
{
  "nodeId" : "ET3IqW3xNOdbMzy8xarh4LwBCz7JetSz@192.168.88.59",
  "appKey" : "flashStreamingApp",
  "sessionId" : "70d58925-f646-4099-ad2e-926040d6d06f",
  "useWsTunnel" : false,
  "useWsTunnelPacketization2" : false,
  "useBase64BinaryEncoding" : false,
  "custom" : {
    "name" : "value"
  }
}
 


Max

Administrator
Staff member
If you are using ffmpeg, you can pass the custom object directly.
Example:
Code:
ffmpeg -re -i /tmp/VIDEO2findingnews.mp4 -acodec aac -vcodec libx264 -f flv -ar 44100 -rtmp_conn "O:1 NS:appKey:flashStreamingApp NS:name:12121212 NS:stream:12121212 NO:custom:O:1 NS:auth:22222222 NS:stream:3333333 O:0 O:0" rtmp://192.168.33.200:1935/12121212
So having the custom object you can verify passed token and authenticate / reject the connection.
 
Thanks - I had already seen where I could pass the custom values into WCS via RTMP. My questions are more about how the apps are set up and the REST methods are configured - I'm having difficulty understanding how that mapping works:

1. Is "flashStreamingApp" the only way to send an RTMP stream to WC5? Can I set up my own app to receive RTMP?
2. For "flashStreamingApp" or my own app, can I configure only the "connect" method to go to my REST server, and have all the other methods use your default REST service at http://localhost:9091/EchoApp ?
3. If I create a new app and don't do "add app-rest-method -a myApp", will WCS still function as it should? Trying to understand if the REST methods are required or are optional for developers who need to intercept the WCS calls for various reasons.

I hope this makes sense. Thanks!

Chuck
 

Max

Administrator
Staff member
Hello,

An application other than "flashStreamingApp" can be used for Flash streaming, but that application should use FlashStreaming handlers.
Only the required methods (e.g., only the "connect" method) can be reconfigured. Other methods can be forwarded to the original application URL. Only those methods which are required for the functionality have to be added to the application.

Please see below the procedure for using a newly added application.

Log in to command line
Code:
ssh -p 2000 admin@localhost
Set up new application
1. Add new application
Code:
add app myApp myAppKey http://192.168.1.5/rest/my_api
2. Set FlashStreaming handlers as the classes for direct calls and callback
Code:
update app -m com.flashphoner.server.client.handler.wcs4.FlashStreamingHandler myAppKey
update app -c com.flashphoner.server.client.handler.wcs4.FlashStreamingCallbackHandler myAppKey
3. Add methods to the application
Code:
add app-rest-method -a myApp
Specifying the application appKey when connecting
Code:
ffmpeg -re -y -rtbufsize 1k -i /tmp/video.avi -preset ultrafast -acodec aac -vcodec h264 -strict -2 -f flv -rtmp_conn "O:1 NS:appKey:myAppKey NS:token:12345" rtmp://192.168.1.5:1935/live/stream1
Here both WCS and web server are on 192.168.1.5.
With the attached API example, connection will be rejected if the token is not "12345".
 
