Knowledge Base
Use stream key authentication for Nginx RTMP
The quickest and easiest way to implement a very basic form of authentication, in my opinion, is to use the method from this GitHub repository: https://github.com/IRLToolkit/nginx-rtmp-auth.
It uses a single file that contains the allowed stream key names for any application you want to specify. It also includes a config file that you can use to set the port for the listener script, among other things, and a Python script that can run in the background.
Install Python 3 and pip:
sudo apt install python3 python3-pip
Clone the GitHub repository and install the requirements:
cd /opt
sudo git clone https://github.com/IRLToolkit/nginx-rtmp-auth
sudo chown -R www-data: /opt/nginx-rtmp-auth
cd nginx-rtmp-auth
pip3 install -r requirements.txt
Edit the config.ini file, make the changes you require, and remove all the commented lines. I've changed the port to something above 1000, so we won't need sudo to run this script. When you're done, it should look something like this:
[main]
bind_to_ip = 127.0.0.1
bind_to_port = 8808
authentication_file = authentication.json
log_to_file = auth.log
Save the file, then open the authentication.json file:
nano authentication.json
Change "encoder" to the name of the application you are using, in our case "live". Since we only use the "live" application for incoming streams, I will remove the streamerpush line and the comma at the end of the previous line. I will also change the stream keys to something else. Through this file you are defining which stream keys are allowed to start streaming to your server. Anything that doesn't match what we specify here will not be allowed to start streaming. After my changes the file looks like this:
{ "live":["stream", "my-stream", "something-else"] }
Save the file, and run the script like this:
python3 rtmpauth.py
This will run a listener on the port you specified, waiting for authentication requests. Now we need to make a small change to our nginx.conf file so it knows where to send such a request.
sudo nano /etc/nginx/nginx.conf
Add the following line somewhere inside the "live" application block in your nginx.conf:
on_publish http://127.0.0.1:8808/auth/;
Save the file, do a quick nginx -t if you feel like it, and restart Nginx:
sudo systemctl restart nginx
Assuming you still have the script running, now go ahead and try it out. Start streaming to the server using a working stream key, and also try a faulty stream key, and see what happens.
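How the on_publish callback reaches a decision, as an added sketch that is not rtmpauth.py's own code: nginx-rtmp POSTs form fields including call, app and name (the stream key), and only a 2xx reply lets the publish proceed. The AUTH map copies this page's sample keys; the request bodies and the 203.0.113.7 address are constructed.

```python
import hmac
import http.client
import json
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import parse_qs

# Same shape as authentication.json on this page (sample keys, not secrets).
AUTH = json.loads('{"live": ["stream", "my-stream", "something-else"]}')
FORM = {"Content-Type": "application/x-www-form-urlencoded"}

def decide(auth, body):
    """Map one on_publish form body to an HTTP status (2xx allows publish)."""
    fields = parse_qs(body, keep_blank_values=True)
    if fields.get("call", [""])[0] != "publish":
        return 400
    app = fields.get("app", [""])[0]   # RTMP application, e.g. "live"
    key = fields.get("name", [""])[0]  # stream name, used as the stream key
    ok = False
    for candidate in auth.get(app, []):
        # Constant-time compare, with no early exit on the first match.
        ok |= hmac.compare_digest(candidate.encode(), key.encode())
    return 200 if ok else 403

class AuthHandler(BaseHTTPRequestHandler):
    def do_POST(self):
        length = int(self.headers.get("Content-Length", 0))
        body = self.rfile.read(length).decode("utf-8", "replace")
        self.send_response(decide(AUTH, body))
        self.end_headers()

def run_exchange(samples):
    """POST each body to a loopback listener the way nginx would."""
    server = HTTPServer(("127.0.0.1", 0), AuthHandler)  # ephemeral port
    threading.Thread(target=server.serve_forever, daemon=True).start()
    codes = []
    for body in samples:
        conn = http.client.HTTPConnection("127.0.0.1", server.server_port)
        conn.request("POST", "/auth/", body.encode(), FORM)
        codes.append(conn.getresponse().status)
        conn.close()
    server.shutdown()
    server.server_close()
    return codes

# Constructed callback bodies for rtmp://<server>/<app>/<key>.
GOOD = "call=publish&app=live&name=my-stream&addr=203.0.113.7"
BAD_KEY = "call=publish&app=live&name=guess123&addr=203.0.113.7"
BAD_APP = "call=publish&app=encoder&name=my-stream&addr=203.0.113.7"

if __name__ == "__main__":
    print(run_exchange([GOOD, BAD_KEY, BAD_APP]))
```

Because the key is simply the stream name checked against a list, long random values hold up better than guessable words like the samples here.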
If you don't want to have to start this script each time manually, you could have it auto-start and run in the background. There's probably a better way to do this, but what I did was create a bash script containing this:
#!/bin/bash
# cron starts jobs in the home directory, so change to the script folder first
cd /opt/nginx-rtmp-auth || exit 1
python3 rtmpauth.py &
I saved it in the same folder as rtmpauth.py, named it "run-auth.sh", and then made sure the script is executable:
sudo chmod +x run-auth.sh
Finally, I added the script to crontab and made it run at boot.
crontab -e
@reboot sleep 60; nohup bash /opt/nginx-rtmp-auth/run-auth.sh &
That concludes this tutorial!