├── LICENSE ├── README.md ├── php ├── auth.php ├── changepass.php ├── common.php ├── login.html ├── login.php ├── logout.php ├── nginx.conf ├── profile.php ├── reg.php ├── register.html ├── resethash.php └── showhash.php └── python ├── auth.py ├── config.py └── nginx.conf /LICENSE: -------------------------------------------------------------------------------- 1 | The MIT License (MIT) 2 | 3 | Copyright (c) 2014 Nesseref/Orc 4 | 5 | Permission is hereby granted, free of charge, to any person obtaining a copy of 6 | this software and associated documentation files (the "Software"), to deal in 7 | the Software without restriction, including without limitation the rights to 8 | use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of 9 | the Software, and to permit persons to whom the Software is furnished to do so, 10 | subject to the following conditions: 11 | 12 | The above copyright notice and this permission notice shall be included in all 13 | copies or substantial portions of the Software. 14 | 15 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR 16 | IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS 17 | FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR 18 | COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER 19 | IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN 20 | CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. 21 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | # nginx-rtmp-auth 2 | Backend for handling nginx rtmp module stream authentication 3 | 4 | Note: the fun nginx/rtmp stuff is in auth.php/auth.py and nginx.conf. Everything else is a very bare-bones set of scripts to manage user tasks (user registration, id hash/password changes, etc) that could be easily replicated with practically any other web scripting language capable of interaction with a database. 5 | 6 | For that matter, the auth scripts could be easily replicated in practically anything else that is capable of database interaction (or, really, even just reading from a .htpassword style file). All the script really needs to do is process a request, check and see if the query string constitutes a valid set of credentials and, if so, return a HTTP 200 and, if not, return a HTTP 400. If you're interested in an authentication system for your nginx rtmp server and posess non-trivial programming experience, this project should be viewed as more of an example than a drop-in solution. 7 | 8 | See https://github.com/Nesseref/html5-livestreaming for an example of using the python side of this project to provide authentication for an HTML5 (HLS with JS web player) environment. 9 | 10 | # PHP 11 | **Note:** the PHP web stuff (i.e. not auth.php) is intended as an example of the sort of frontend functionality that can be constructed to interface with the authentication backend. Do **_not_** use these scripts in production, as they were not designed for actual use. 12 | 13 | Requirements: 14 | - Nginx with RTMP module (https://github.com/arut/nginx-rtmp-module) 15 | - a MySQL server 16 | - FastCGI 17 | - PHP with MySQLi extension 18 | 19 | Server-side configuration: 20 | - Set nginx.conf as the live nginx conf (location of file depends on system) 21 | - Set the web root to an appropriate value 22 | - Adjust worker_connections to a sane value for the platform 23 | - Set worker_processes to 1 to work around an issue in the nginx-rtmp module 24 | - Set the name of the rtmp server application block to whatever is desired (defaults to "stream") 25 | - Place the .php/.html files in the web root and adjust the on_publish directive url to reflect the location of auth.php 26 | - Set MySQL-related variables in common.php ($host, $username, $password, $dbname, $usertablename) 27 | - Set the non-MySQL-related variables in common.php ($streamurl (the URL to stream to minus the id hash at the end, i.e. "rtmp://DOMAIN/stream?" assuming the rtmp server application block name of "stream"), $baseurl (the URL of the web stuff, i.e. if the main page is served at http://stream.frogbox.es and each other page is at the same directory level as the index, the baseurl would be "http://stream.frogbox.es")) 28 | - Ensure the MySQL server is accepting connections from the user specified in common.php and the user specified in common.php has the correct privileges to read from the defined users table 29 | - Configure the users table 30 | - The following schema are expected (but easily changed): 31 | - username VARCHAR(64) 32 | - email VARCHAR(64) 33 | - password VARCHAR(64) 34 | - idhash VARCHAR(64) 35 | - Other columns may be added as required 36 | 37 | # Python/Flask 38 | Requirements: 39 | - Nginx with RTMP module (https://github.com/arut/nginx-rtmp-module) 40 | - a PostgreSQL server 41 | - Flask, Flask API 42 | - psycopg2 43 | 44 | Server-side configuration: 45 | - Set nginx.conf as the live nginx conf (location of file depends on system) 46 | - Set the web root to an appropriate value 47 | - Set worker_processes to 1 to work around an issue in the nginx-rtmp module 48 | - Set the name of the rtmp server application block to whatever is desired (defaults to "stream") 49 | - Adjust the on_publish directive URL to reflect where the auth script is being served from (e.g. with the Flask development server, the URL would be http://localhost:5000/auth) 50 | - Set PostgreSQL-related variables in config.py (host, username, password, database, usertablename) 51 | - Ensure the PostgreSQL server is accepting connections from the user specified in common.py and the user specified in common.py has the correct privileges to read from the defined users table 52 | - Configure the users table 53 | - The following schema are expected (but easily changed): 54 | - username VARCHAR(64) 55 | - email VARCHAR(64) 56 | - password VARCHAR(64) 57 | - idhash VARCHAR(64) 58 | - Other columns may be added as required 59 | 60 | # Non-specific 61 | 62 | Broadcaster-side configuration (assuming OBS): 63 | - Under Broadcast Settings, set Custom as the streaming service 64 | - Set server to "rtmp://DOMAIN/stream?IDHASH" (assumes default rtmp server application block name of "stream") 65 | - This is referred to as "Stream RTMP URL" in the PHP web stuff 66 | - Set play path to USERNAME 67 | 68 | Player-side configuration: 69 | - The RTMP URL will be in the format "rtmp://DOMAIN/stream/USERNAME" (assumes default rtmp server application block name of "stream") 70 | 71 | Known issues: 72 | - OBS Studio (aka OBS MultiPlatform aka OBS Linux/Mac) versions <0.11.4 mangle variables defined in the server/stream URL when passing them to nginx, meaning that information sent that way (i.e. idhash) cannot be accessed by the authentication script 73 | -------------------------------------------------------------------------------- /php/auth.php: -------------------------------------------------------------------------------- 1 | getMessage()); 12 | die("Database error!"); 13 | } 14 | 15 | 16 | if(empty($_GET['name']) || empty($_GET['swfurl'])) 17 | { 18 | http_response_code(401); 19 | die(); 20 | } 21 | else 22 | { 23 | if( !preg_match($pattern, $_GET['swfurl'], $matches) ) 24 | { 25 | trigger_error("Validation error, swfurl did not match pattern."); 26 | http_response_code(401); 27 | die("Validation error"); 28 | } 29 | } 30 | 31 | try 32 | { 33 | $sth = $dbh->prepare("SELECT idhash FROM :table WHERE username = :username"); 34 | $sth->execute( array( 'table' => $usertablename, 'username' => $_GET['name'] ) ); 35 | $res = $sth->fetch(); 36 | } catch(PDOException $e) 37 | { 38 | trigger_error($e->getMessage()); 39 | http_response_code(401); 40 | die("Query error"); 41 | } 42 | 43 | $row = $res; 44 | 45 | if ($matches[1] == $row['idhash']) 46 | { 47 | http_response_code(200); 48 | die(); 49 | } else { 50 | http_response_code(402); 51 | die(); 52 | } 53 | ?> 54 | -------------------------------------------------------------------------------- /php/changepass.php: -------------------------------------------------------------------------------- 1 | getMessage()); 12 | die("Database error!"); 13 | } 14 | 15 | if( empty( $_SESSION["username"] ) ) 16 | { 17 | header("location: login.html"); 18 | exit(); // some clients don't follow redirects, so the rest of the code will execute without an exit() 19 | } 20 | 21 | if ( empty( $_POST["oldpass"] ) || empty( $_POST["newpass"] ) ) 22 | { 23 | echo "Empty required field"; 24 | echo "
Go back"; 25 | die(); 26 | } 27 | 28 | $uname = $_SESSION["username"]; 29 | $oldpass = hash('sha256', $_POST["oldpass"]); 30 | $newpass = hash('sha256', $_POST["newpass"]); 31 | 32 | try 33 | { 34 | $sth = $dbh->prepare( "UPDATE $usertablename SET password=:newPassword WHERE username=:uname AND password=:oldPassword" ); 35 | $sth->execute( array( 'newPassword' => $newpass, "oldPassword" => $newpass, 'uname' => $uname ) ); 36 | } catch(PDOException $e ) 37 | { 38 | echo "Incorrect old password"; 39 | echo "
Go back"; 40 | trigger_error( $e->getMessage() ); 41 | die(); 42 | } 43 | header("Location: /profile.php"); 44 | exit(); 45 | ?> 46 | -------------------------------------------------------------------------------- /php/common.php: -------------------------------------------------------------------------------- 1 | 14 | -------------------------------------------------------------------------------- /php/login.html: -------------------------------------------------------------------------------- 1 | 2 | 3 | Frogstream Login 4 | 5 | 6 |
7 | Username:
8 | Password:
9 | 10 |
11 | 12 | 13 | -------------------------------------------------------------------------------- /php/login.php: -------------------------------------------------------------------------------- 1 | getMessage()); 11 | die("Database error!"); 12 | } 13 | 14 | $login_username=isset($_POST["username"])?(string)$_POST["username"]:''; 15 | $login_password=isset($_POST["password"])?(string)$_POST["password"]:''; 16 | 17 | if ( empty($login_username) || empty($login_password) ) 18 | { 19 | echo "Empty required field"; 20 | echo "
Go back"; 21 | die(); 22 | } 23 | 24 | $login_password = hash('sha256', $login_password); 25 | try 26 | { 27 | $sth = $dbh->prepare("SELECT * FROM :table WHERE username = :username AND password = :password"); 28 | $sth->execute( array( 'table' => $usertablename, 'username' => $login_username, 'password' => $login_password ) ); 29 | } catch(PDOException $e) 30 | { 31 | trigger_error($e->getMessage()); 32 | die("database error"); 33 | } 34 | 35 | $res = $sth->fetch(); 36 | 37 | if( empty($res) ) 38 | { 39 | session_start(); 40 | $_SESSION["username"] = $username; 41 | header("location: profile.php"); 42 | } 43 | else 44 | { 45 | echo "Invalid username/password combination"; 46 | echo "
Go back"; 47 | die(); 48 | } 49 | ?> 50 | -------------------------------------------------------------------------------- /php/logout.php: -------------------------------------------------------------------------------- 1 | 10 | -------------------------------------------------------------------------------- /php/nginx.conf: -------------------------------------------------------------------------------- 1 | user www; 2 | 3 | # worker_processes must be 1 for RTMP purposes. 4 | # This is due to an issue in the implementation that will not allow 5 | # viewers to access a stream in progress if there is more than one 6 | # worker process. 7 | worker_processes 1; 8 | 9 | events { 10 | worker_connections 1024; 11 | } 12 | 13 | http { 14 | server { 15 | listen 80; 16 | root /var/www; 17 | index index.html; 18 | location ~ \.php$ { 19 | fastcgi_split_path_info ^(.+\.php)(/.+)$; 20 | fastcgi_pass unix:/var/run/php-fpm.sock; 21 | fastcgi_index index.php; 22 | fastcgi_param SCRIPT_FILENAME $request_filename; 23 | include fastcgi_params; 24 | } 25 | } 26 | } 27 | 28 | rtmp { 29 | server { 30 | listen 1935; 31 | chunk_size 4096; 32 | 33 | application stream { 34 | live on; 35 | record off; 36 | on_publish http://localhost/auth.php; 37 | notify_method get; 38 | } 39 | } 40 | } 41 | 42 | -------------------------------------------------------------------------------- /php/profile.php: -------------------------------------------------------------------------------- 1 | 13 | 14 | 15 | Frogstream User Profile 16 | 17 | 18 | Hi,
19 |
/showhash.php>Show your stream RTMP URL
20 |
/resethash.php>Reset your stream RTMP URL
21 |
Change your password:
22 |
23 | Old password:
24 | New password:
25 | 26 |
27 | /logout.php>Logout
28 | 29 | 30 | -------------------------------------------------------------------------------- /php/reg.php: -------------------------------------------------------------------------------- 1 | getMessage()); 11 | die("Database error!"); 12 | } 13 | 14 | if (empty($_POST["username"]) || empty($_POST["email"]) || empty($_POST["password"])) { 15 | echo "Empty required field"; 16 | echo "
Go back"; 17 | die(); 18 | } 19 | 20 | $username = $_POST["username"]; 21 | $email = $_POST["email"]; 22 | $password = hash('sha256', $_POST["password"]); 23 | 24 | if (strlen($username) > 64) { 25 | echo "Username too long"; 26 | echo "
Go back"; 27 | die(); 28 | } 29 | if (strlen($email) > 64) { 30 | echo "Email too long"; 31 | echo "
Go back"; 32 | die(); 33 | } 34 | 35 | if (filter_var($email, FILTER_VALIDATE_EMAIL)) { 36 | echo "Invalid email address"; 37 | die(); 38 | } 39 | 40 | try 41 | { 42 | $sth = $dbh->prepare("SELECT username FROM ".$usertablename." WHERE username = :username"); 43 | $sth->execute( array( 'username' => $username ) ); 44 | $nameresult = $sth->fetch(); 45 | 46 | $sth = $dbh->prepare("SELECT email FROM ".$usertablename." WHERE email = :email"); 47 | $sth->execute( array( 'email' => $email ) ); 48 | $emailresult = $sth->fetch(); 49 | } catch(PDOException $e) 50 | { 51 | trigger_error($e->getMessage()); 52 | die("Database error"); 53 | } 54 | if ( !empty($nameresult['username']) ) 55 | { 56 | echo "Duplicate username"; 57 | echo "
Go back"; 58 | die(); 59 | } 60 | 61 | if ( !empty($emailresult['email']) ) 62 | { 63 | echo "Duplicate email"; 64 | echo "
Go back"; 65 | die(); 66 | } 67 | 68 | $idhash = genkey(); 69 | 70 | try 71 | { 72 | $sth = $dbh->prepare("INSERT INTO ".$usertablename." (username, email, password, idhash) VALUES (:username, :email, :password, :idhash)"); 73 | $sth->execute(array( 74 | 'username' => $username, 75 | 'email' => $email, 76 | 'password' => $password, 77 | 'idhash' => $idhash 78 | )); 79 | } catch(PDOException $e) 80 | { 81 | trigger_error($e->getMessage()); 82 | die("Database error"); 83 | } 84 | 85 | 86 | 87 | 88 | 89 | echo "Server URL: " . $streamurl . $idhash . "
"; 90 | echo "Play Path/Stream Key: " . $username; 91 | echo "
Main page"; 92 | echo "
User profile"; 93 | die(); 94 | -------------------------------------------------------------------------------- /php/register.html: -------------------------------------------------------------------------------- 1 | 2 | 3 | Frogstream User Registration 4 | 5 | 6 |
7 | Username:
8 | Email:
9 | Password:
10 | 11 |
12 | 13 | 14 | -------------------------------------------------------------------------------- /php/resethash.php: -------------------------------------------------------------------------------- 1 | getMessage()); 12 | die("Database error!"); 13 | } 14 | 15 | if (empty($_SESSION["username"])) { 16 | header("location: login.html"); 17 | } 18 | 19 | $uname = $_SESSION["username"]; 20 | 21 | $newhash = genkey(); 22 | try 23 | { 24 | $sth = $dbh->prepare("UPDATE $usertablename SET idhash=:idhash WHERE username=:username"); 25 | $sth->execute(array('username' => $uname, 'idhash' => $newhash)); 26 | } catch(PDOException $e) 27 | { 28 | http_response_code(401); 29 | trigger_error($e->getMessage()); 30 | die("Database error!"); 31 | } 32 | 33 | 34 | echo "Server URL: " . $streamurl . $newhash . "
"; 35 | echo "
Go back"; 36 | ?> 37 | -------------------------------------------------------------------------------- /php/showhash.php: -------------------------------------------------------------------------------- 1 | getMessage()); 12 | die("Database error!"); 13 | } 14 | 15 | if (empty($_SESSION["username"])) { 16 | header("location: login.html"); 17 | } 18 | $uname = $_SESSION["username"]; 19 | 20 | 21 | try 22 | { 23 | $sth = $dbh->prepare("SELECT idhash FROM ".$usertablename." WHERE username = :username"); 24 | $sth->execute(array("username" => $uname)); 25 | $row = $sth->fetch(); 26 | } catch(PDOException $e) 27 | { 28 | http_response_code(401); 29 | trigger_error($e->getMessage()); 30 | die("Database error!"); 31 | } 32 | 33 | echo "Server URL: " . $streamurl . $row["idhash"] . "
"; 34 | echo "
Go back"; 35 | ?> 36 | -------------------------------------------------------------------------------- /python/auth.py: -------------------------------------------------------------------------------- 1 | from flask import Flask, request 2 | from flask.ext.api import status 3 | import psycopg2 4 | import config 5 | 6 | app = Flask(__name__) 7 | 8 | @app.route('/auth') 9 | def auth(): 10 | if request.args.get('name') is None or request.args.get('swfurl') is None: 11 | return 'Malformed request', status.HTTP_400_BAD_REQUEST 12 | 13 | username = request.args.get('name') 14 | idhash = request.args.get('swfurl').split("?")[-1] 15 | 16 | conn = psycopg2.connect(database=config.database, user=config.user, password=config.password, host=config.host) 17 | cur = conn.cursor() 18 | cur.execute("SELECT FROM %s WHERE username=%s AND idhash=%s", (config.usertablename, username, idhash)) 19 | 20 | if len(cur.fetchall()) == 0: 21 | return 'Incorrect credentials', status.HTTP_401_UNAUTHORIZED 22 | 23 | return 'OK', status.HTTP_200_OK 24 | 25 | if __name__== '__main__': 26 | app.run() 27 | -------------------------------------------------------------------------------- /python/config.py: -------------------------------------------------------------------------------- 1 | database = "" 2 | user = "" 3 | password = "" 4 | host = "" 5 | usertablename = "" 6 | -------------------------------------------------------------------------------- /python/nginx.conf: -------------------------------------------------------------------------------- 1 | user www; 2 | 3 | # worker_processes must be 1 for RTMP purposes. 4 | # This is due to an issue in the implementation that will not allow 5 | # viewers to access a stream in progress if there is more than one 6 | # worker process. 7 | worker_processes 1; 8 | 9 | events { 10 | worker_connections 1024; 11 | } 12 | 13 | http { 14 | server { 15 | listen 80; 16 | root /usr/local/www/nginx/; 17 | index index.html; 18 | } 19 | } 20 | 21 | rtmp { 22 | server { 23 | listen 1935; 24 | chunk_size 4096; 25 | 26 | application stream { 27 | live on; 28 | record off; 29 | on_publish http://localhost:5000/auth; 30 | notify_method get; 31 | } 32 | } 33 | } 34 | 35 | --------------------------------------------------------------------------------