There are a couple of ways to protect your Ant Media streams. In this blog, we would like to hold your hand and take you through each step.
Web Panel IP filter
Ant Media Server provides IP filtering for accessing the web panel. By default, the web panel is open to all IP addresses, but you can filter IP addresses by CIDR notation. Here is a simple step-by-step guide to change this configuration.
Find this file /usr/local/antmedia/conf/red5.properties and open it.
The default configuration allows all IPs to access the web panel. So, you need to find the line below in the red5.properties file you’ve opened.
server.allowed_dashboard_CIDR=0.0.0.0/0
As we said earlier, the default value, 0.0.0.0/0, matches all IPs, just like in the line above.
Now, you can make the changes according to your CIDR notation such as:
server.allowed_dashboard_CIDR=13.197.23.11/16,87.22.34.66/8
You can add as many CIDR notations as you want and make sure to separate them with commas. Save the file and restart the server.
Now only the IPs that are in the CIDR blocks you’ve added can access the web panel.
Publisher IP filter
A Publisher in this context is anyone who utilizes Ant Media Server to broadcast live videos or streams. To add an extra layer of security to your server, you can choose to whitelist the publisher IP addresses that are allowed to broadcast streams to it.
So, Ant Media has a publisher IP filter feature you can use to enforce this security mechanism and prevent unauthorized players from publishing content to your server.
To trigger this feature, you need to find and edit the red5.properties file, which is located in the directory path that looks like this: /usr/local/antmedia/<app name>WEB_INF/red5.properties
Now, we need to use the settings.allowedPublisherCIDR property to whitelist the CIDR block for the publishers allowed to publish streams on our server. For example, assuming we needed to whitelist the IPs 10.20.30.[0-255] and 127.0.0.1, our settings would look like this:
settings.allowedPublisherCIDR=10.20.30.40/24, 127.0.0.1/32
You can list multiple CIDR blocks separated by commas when editing this setting. After you’ve edited your desired configurations, you can restart your Ant Media server as usual.
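Both the web panel and the publisher allowlists take the same CIDR syntax, so this added Python sketch (not Ant Media's own code) shows what each entry on this page admits under standard CIDR matching, which is assumed here to be how the server evaluates the property. The function names and the /24 review threshold are hypothetical.

```python
import ipaddress

# Property values copied from the configuration lines on this page
DASHBOARD = "13.197.23.11/16,87.22.34.66/8"
PUBLISHER = "10.20.30.40/24, 127.0.0.1/32"

def parse_allowlist(value):
    """Parse a comma-separated CIDR list as written in red5.properties."""
    nets = []
    for item in value.split(","):
        item = item.strip()
        if item:
            # strict=False accepts entries with host bits set (10.20.30.40/24)
            # and reduces them to the network the prefix length selects.
            nets.append(ipaddress.ip_network(item, strict=False))
    return nets

def describe(value):
    """Return (normalized network, address count) per entry, for review."""
    return [(str(n), n.num_addresses) for n in parse_allowlist(value)]

def is_allowed(client_ip, value):
    """True if client_ip falls inside any network in the allowlist."""
    addr = ipaddress.ip_address(client_ip)
    return any(addr in net for net in parse_allowlist(value))

def wider_than(value, min_prefix=24):
    """Entries whose prefix is shorter than min_prefix (hypothetical threshold)."""
    return [str(n) for n in parse_allowlist(value) if n.prefixlen < min_prefix]

if __name__ == "__main__":
    for name, value in (("dashboard", DASHBOARD), ("publisher", PUBLISHER)):
        for net, size in describe(value):
            print(f"{name}: {net} covers {size} addresses")
    print("flag for review:", wider_than(DASHBOARD))
```

The /8 entry from the dashboard example normalizes to 87.0.0.0/8 and admits over 16 million addresses, so check each prefix length against the range you intend before restarting the server.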
JWT Security Token
JWT, which stands for JSON Web Token, is a widely adopted open standard that facilitates the exchange of security information between a client and a server. The information is stored in a JWT as encoded JSON objects, which include a set of claims. To prevent unauthorized alterations to the claims once the token is issued, JWTs are signed using a cryptographic algorithm.
Now, Ant Media allows you to protect your streams by using the JWT stream security filter feature, which is found in the Dashboard/LiveApp or any other app you’ve created for your streams. You can either enable or disable this feature right from your Ant Media Dashboard as seen in the image below:
When you trigger the JWT Stream Security Filter for Stream Publishing and Playing, the Publish/Play requests without JWT tokens won’t be accepted.
Generating the Secret Key and Token for JWT Filter
The Ant Media JWT filter feature for streams requires a Secret Key which is then needed for the Token to be generated. A Secret key is private to you which means you will never reveal it to the public. You can generate the Secret Key from the Ant Media Dashboard under the JWT security filter feature (as described earlier).
Once you have the Secret key, we will use it to generate the token. A JWT token is a JSON object that has been signed and includes information that allows the receiver (the media server) to verify and authenticate the identity of the request sender (client).
The way this works is that, when a client sends a request to access a media stream on Ant Media server, it must include a JWT token in the request header. This token contains information such as the user’s identity and the requested permissions.
Ant Media server verifies the token to ensure that it has been issued by a trusted source, has not expired, and has not been tampered with. If the token is valid, Ant Media grants the requested permissions to the client or sender, allowing them to access the requested media stream.
So, what we need is to use a library like Debugger at JWT to generate our token using the Secret key we’ve created from the Ant Media Dashboard. Inside the Debugger at JWT, we can use an algorithm like HMAC SHA256 to generate the token as seen below:
- Set up the header: The header has two parts: the type of token, which is JWT, and the type of signing algorithm, which is HMAC SHA256 (HS256) in our case. For example, the header setup looks like this:
{
"alg": "HS256",
"typ": "JWT"
}
From the above, "alg" represents the algorithm used and "typ" represents the type of token, which is JWT.
- Payload: The payload represents the stream token parameters like the token expiration time. However, the payload section may not be so important for this authorization, and you can just leave it as shown in the code below:
{
"streamId": "put your stream Id here",
"type": "publish"
}
- Verify the Signature: This is critical in checking that the message wasn’t changed along the way. Tokens signed with a secret key are used to verify that the sender of the JWT is who it says it is. The signing process is completed as seen below:
HMACSHA256(
base64UrlEncode(header) + "." +
base64UrlEncode(payload),
Place your Secret Key Here
)
You can replace [Place your Secret Key Here] with the actual Secret Key you generated earlier inside Ant Media.
So, if you’ve written everything correctly, you will be able to generate the required token as seen in the image below:
Generate JWT Token with Expiration Time
You can add the expiration parameter in the payload section so that the generated token can be used up to the expiration time you’ve defined. See the code below:
{
"streamId": "put your stream Id here",
"type": "publish",
"exp": "expiration time"
}
You need to generate the expiration time using the Unix timestamp tool, which gives a value in a format like this: 1678835579.
Assuming you want the expiration time to be April 08, 2023, 02:14:08 GMT+3, we can use the Unix timestamp to generate the format we need as seen below in the image.
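The header, payload and HMACSHA256 steps above, carried through in Python's standard library as an added example (not code from Ant Media or from the JWT debugger). It also performs the three checks described earlier (signature, expiry, claims); the function names and the secret are placeholders, and rejecting tokens without "exp" is a choice of this example.

```python
import base64, hashlib, hmac, json, time

def b64url(data: bytes) -> str:
    # JWT uses URL-safe base64 without "=" padding
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def sign(secret: str, signing_input: str) -> bytes:
    return hmac.new(secret.encode(), signing_input.encode(), hashlib.sha256).digest()

def make_token(secret, stream_id, token_type, exp):
    header = {"alg": "HS256", "typ": "JWT"}
    # exp is a JSON number (Unix seconds), not a quoted string
    payload = {"streamId": stream_id, "type": token_type, "exp": int(exp)}
    parts = [b64url(json.dumps(p, separators=(",", ":")).encode()) for p in (header, payload)]
    signing_input = ".".join(parts)
    return signing_input + "." + b64url(sign(secret, signing_input))

def verify_token(secret, token, stream_id, token_type, now=None):
    """Return the claims of a valid token; raise ValueError otherwise."""
    try:
        h64, p64, s64 = token.split(".")
        header, payload = json.loads(b64url_decode(h64)), json.loads(b64url_decode(p64))
        sig = b64url_decode(s64)
    except ValueError as exc:  # wrong part count, bad base64 or bad JSON
        raise ValueError("malformed token") from exc
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        raise ValueError("unexpected alg")  # never let the token choose the algorithm
    if not hmac.compare_digest(sig, sign(secret, f"{h64}.{p64}")):
        raise ValueError("bad signature")
    exp = payload.get("exp") if isinstance(payload, dict) else None
    now = time.time() if now is None else now
    if not isinstance(exp, (int, float)) or exp <= now:
        raise ValueError("expired")  # this example also rejects tokens with no exp
    if payload.get("streamId") != stream_id or payload.get("type") != token_type:
        raise ValueError("claim mismatch")
    return payload

if __name__ == "__main__":
    secret = "constructed-secret-not-a-real-key"  # placeholder value
    token = make_token(secret, "stream1", "publish", time.time() + 3600)
    print(token)
    print(verify_token(secret, token, "stream1", "publish"))
```

Generate tokens on your own backend so the Secret Key never reaches a browser or a third-party page, and keep the expiry short for publish tokens.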
Generating Tokens with REST API
You can use the Ant Media getJwtTokenV2 REST API service to generate tokens with defined parameters like streamId, expireDate and type.
For example, if you needed to create a JWT token service URL in the Publish scenario with defined parameters, here is the sample:
http://[IP_Address]:5080/<Application_Name>/rest/v2/broadcasts/<Stream_Id>/jwt-token?expireDate=<Expire_Date>&type=publish
On the other hand, if you need to create a JWT token creation service URL in the Play scenario, here is the sample:
http://[IP_Address]:5080/<Application_Name>/rest/v2/broadcasts/<Stream_Id>/jwt-token?expireDate=<Expire_Date>&type=play
Please note that the Expire Date format is Unix Timestamp. You can check here how to convert the time in this format.
How to use the JWT token in Ant Media Streams
You can use the generated tokenId by appending it to the end of the appropriate URL of either the publisher or play stream. For example,
- RTMP url token Id integration
rtmp://[IP_Address]/<Application_Name>/streamID?token=tokenId
- HLS/ VoD & Embedded Player Usage
http://[IP_Address]/<Application_Name>/streams/streamID.mp4?token=tokenId
http://[IP_Address]/<Application_Name>/streams/streamID.m3u8?token=tokenId
http://[IP_Address]/<Application_Name>/play.html?name=streamID&playOrder=hls&token=tokenId
WebRTC Publish/Play Token ID integration
For a Play stream, you have to put the JWT token parameter in the play WebSocket message as seen below:
{
command : "play",
streamId : "stream1",
token : "tokenId",
}
For a Publish WebRTC stream, the JWT token parameter integration should look as follows:
{
command : "publish",
streamId : "stream1",
token : "tokenId",
}