How to secure streams from being embedded to unauthorized websites and domains with Ant Media Server?

[USAMAWIZARD]

I can easily watch and embed any stream running on Ant Media Server with help of embed URL but also it seems as other with the stream information can use the URL on their websites too.
I tried using CORS filter but it seems a little complicated and didn't work.
How can I easily prevent my streams from being embedded to unauthorized websites/domains?

[yashtandon113]

For workaround solutions in the Ant Media server (v2.4.3 or older versions) please check here.

In v2.5.0 and above, you can allow selected domains through a single property file to let them embed the iframe code.
To allow only specific domains to embed the iframe code, Go to the Advanced Application settings and add the below setting.

contentSecurityPolicyHeaderValue=frame-ancestors 'self' <https://allow-domain-name>;

If you would like to allow multiple domains, then it should be like this.

settings.contentSecurityPolicyHeaderValue=frame-ancestors 'self' <https://domain1> <https://domain2>;

Self is required to play the stream on the AMS dashboard panel itself. In this way, other than allowed domains, streams cannot be embedded using iframe code on other websites.

[klasadoroty]

Hi. I'm not proficient in this... but a question like this: does it matter which line we put the entry in?
Where exactly to put it?
Thank you in advance.

[yashtandon113]

@klasadoroty
You can put the property/settings in any line under /usr/local/antmedia/webapps/app-name/WEB-INF/red5-web.properties.

[klasadoroty]

Hi,
two servers under Ubuntu 18, Intel processor - works. /2.6.4
a server under Ubuntu 20, with an AMD EPYC processor - does not work, blocks completely. /2.6.4
Is it a hardware problem, the Ubuntu version?
If it should work - let us know, we will look for where the error is with us.

[klasadoroty]

Thank you for taking the time to respond.
Error found, everything works.
.. typo ...

[Mohit-3196]

This solution works fine to secure the iframe embed code but in the case of HLS still, anyone can directly get the .m3u8 URL from the console and play that.

Is there any way to allow the stream only for a specific domain if the iframe is not being used?

Thank you

[sanjay6681]

do you have full config for secure wss webrtc connection can you share it fully

[USAMAWIZARD]

@sanjay6681 can you please give some more details about which config are you looking for

[drcannoli]

@sanjay6681

If you're asking what I did specifically here's an example config provided earlier in this thread plus my changes. I also recommend following this https://www.youtube.com/watch?v=dmh34GjKSvw as it may already accomplish what you want.

This has been working fine in my testing but don't think anyone else has tested it thoroughly so use at your own risk.

user nginx;
worker_processes auto;
pid /var/run/nginx.pid;
worker_rlimit_nofile 1048576;

events {
    worker_connections 1048576;
    multi_accept on;
    use epoll;
}

http {
    sendfile on;
    tcp_nopush on;
    tcp_nodelay on;
    server_tokens off;
    keepalive_timeout 300s;
    types_hash_max_size 2048;
    include /etc/nginx/mime.types;
    default_type application/octet-stream;

    # ssl settings
    ssl_protocols TLSv1.2;
    ssl_prefer_server_ciphers on;
    ssl_ciphers         HIGH:!aNULL:!MD5;
    ssl_session_cache shared:SSL:50m;
    ssl_session_tickets off;

    # logs settings
    log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
                      '$status $body_bytes_sent "$http_referer" '
                      '"$http_user_agent" "$http_x_forwarded_for"'
                      '"$hostname" "upstream: $upstream_addr"';
    access_log /var/log/nginx/access.log;
    error_log /var/log/nginx/error.log;

    # gzip
    gzip on;
    gzip_disable "msie6";
    gzip_http_version 1.1;
    gzip_comp_level 6;
    gzip_types text/plain text/css application/json application/javascript text/javascript application/x-javascript text/xml application/xml application/xml+rss application/vnd.ms-fontobject application/x-font-ttf font/opentype font/x-woff image/svg+xml image/x-icon;

    # proxy settings
    proxy_redirect off;
    proxy_http_version 1.1;
    proxy_read_timeout 10s;
    proxy_send_timeout 10s;
    proxy_connect_timeout 10s;

    map $http_upgrade $is_websocket {
        default no;
        websocket yes;
    }

    map $http_referer $referer_valid {
        default no;
        "~*^https?://(.+\.)?yourdomain\.com" yes;
    }

    # Combine conditions
    map "$is_websocket:$referer_valid" $block_request {
        default yes;
        "yes:no" no;  # Do not block WebSocket requests regardless of referer
        "no:yes" no;  # Do not block if referer is valid
        "yes:yes" no;  # Do not block valid WebSocket requests (redundant but illustrative)
    }

    #redirect all http requests to https
    server {
        listen 80 default_server;
        server_name _;
        return 301 https://$host$request_uri;
    }

    #Origin Configuration
    #Change your.domain.com with your fully qualified domain name.
    server {
            listen 443 ssl;
            ssl_certificate /etc/letsencrypt/live/your.domain.com/fullchain.pem;
            ssl_certificate_key /etc/letsencrypt/live/your.domain.com/privkey.pem;
            server_name your.domain.com;

            location / {
                if ($block_request = yes) {
                        return 403;
                }


                proxy_pass http://127.0.0.1:5080;
                proxy_http_version 1.1;
                proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
                proxy_set_header Host $host;
                proxy_set_header Upgrade $http_upgrade;
                proxy_set_header Connection "Upgrade";
            }
        }

    #Dashboard Configuration (To allow access to your AMS dashboard on different port which should be allowed only for specific IPs)
    #Change your.domain.com with your fully qualified domain name.
    server {
            listen 5443 ssl;
            ssl_certificate /etc/letsencrypt/live/your.domain.com/fullchain.pem;
            ssl_certificate_key /etc/letsencrypt/live/your.domain.com/privkey.pem;
            server_name your.domain.com;

            location / {
                proxy_pass http://127.0.0.1:5080;
                proxy_http_version 1.1;
                proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
                proxy_set_header Host $host;
                proxy_set_header Upgrade $http_upgrade;
                proxy_set_header Connection "Upgrade";
            }
        }
    }

[xtrvj]

Hello who can help me how to fix nginx + cloudflare when i enable dns(cloudflare proxy) this fix is not working.

[yashtandon113]

@xtrvj
Please check out the out the below blog post to learn how to use AMS with Nginx and Cloudflare.
https://antmedia.io/mastering-stream-security-cloudflare/