OvenMediaEngine Enterprise

Proxy Protocol Integration | 0.16.6.2+

Starting with OvenMediaEngine Enterprise version 0.16.6.2-1, version 1 of HAProxy's PROXY protocol is supported.

With this feature, OvenMediaEngine can accept stream input delivered over the PROXY protocol. To enable it, turn on <HAProxyProtocol> in Server.xml as follows:

<Server>
...
  <Modules>
    <!-- Enable HAProxyProtocol feature for Cloudflare, default: false -->
    <HAProxyProtocol>
      <Enable>true</Enable>
    </HAProxyProtocol>
... 

Access Control and HAProxy Protocol

You can use the Client Address forwarded via the HAProxy Protocol for Access Control.

SignedPolicy

When the real_ip policy is set in SignedPolicy, you can verify the Client Address forwarded through the HAProxy Protocol against it. The allow_ip policy applies to the IP of the directly connected client, so you can enhance security by first checking that the connected IP is an allowed proxy server IP.

{
    "url_activate":1399711581,                                    
    "url_expire":1399721581,                                    
    "stream_expire":1399821581,                                    
    "allow_ip":"192.168.100.5/32",
    "real_ip":"111.111.111.111/32"
}

When HAProxyProtocol is enabled, SignedPolicy validates the Client Address forwarded via the PROXY protocol against real_ip.

Admission Webhooks

The Client Address forwarded through the HAProxy Protocol is passed to the Control Server in the real_ip field of AdmissionWebhooks.

Since the address field still contains the IP of the directly connected client, you can enhance security by first checking if this IP is an allowed proxy server IP.

POST /configured/target/url/ HTTP/1.1
Content-Length: 325
Content-Type: application/json
Accept: application/json
X-OME-Signature: f871jd991jj1929jsjd91pqa0amm1

{
  "client": 
  {
    "address": "211.233.58.86",
    "port": 29291,
    "real_ip": "192.0.2.43",
    "user_agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/110.0.0.0 Safari/537.36"
  },
  "request":
  {
    "direction": "incoming | outgoing",
    "protocol": "webrtc | rtmp | srt | llhls | thumbnail",
    "status": "opening | closing",
    "url": "scheme://host[:port]/app/stream/file?query=value&query2=value2",
    "new_url": "scheme://host[:port]/app/new_stream/file?query=value&query2=value2",
    "time": "2021-05-12T13:45:00.000Z"
  }
}

When HAProxyProtocol is enabled, AdmissionWebhooks gives the Client Address forwarded via the PROXY protocol the highest priority for the real_ip field, ahead of the existing X-REAL-IP or X-FORWARDED-FOR headers.
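
The two-step check described in the SignedPolicy and Admission Webhooks sections (directly connected peer first, forwarded address second), written for a Control Server as an added example; it is not OvenMediaEngine's own code. The names decide, TRUSTED_PROXIES and ALLOWED_CLIENTS and the CIDR values are assumptions built around the sample request above.

```python
import ipaddress

# Constructed sample policy (assumption): the proxy and client ranges are
# chosen to match the sample AdmissionWebhooks request on this page.
TRUSTED_PROXIES = ["211.233.58.86/32"]   # same role as allow_ip in SignedPolicy
ALLOWED_CLIENTS = ["192.0.2.0/24"]       # same role as real_ip in SignedPolicy

# Constructed sample: the "client" object from the request shown above.
SAMPLE_CLIENT = {"address": "211.233.58.86", "port": 29291, "real_ip": "192.0.2.43"}


def _in_any(addr, cidrs):
    """True if addr is a valid IP string inside one of the CIDR ranges."""
    if not isinstance(addr, str):
        return False                      # missing field: fail closed
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False                      # malformed address: fail closed
    # An IPv4 address is never "in" an IPv6 network and vice versa.
    return any(ip in ipaddress.ip_network(c, strict=False) for c in cidrs)


def decide(client, trusted_proxies=TRUSTED_PROXIES, allowed_clients=ALLOWED_CLIENTS):
    """Evaluate the "client" object of an AdmissionWebhooks request.

    Returns (allowed, reason). Mapping this onto the webhook response body
    is left to the Control Server and is not covered on this page.
    """
    peer = client.get("address")          # IP of the directly connected client
    forwarded = client.get("real_ip")     # address forwarded by the proxy

    # Step 1: the directly connected peer must be a known proxy. If it is
    # not, real_ip did not come from a proxy we trust and is not evaluated.
    if not _in_any(peer, trusted_proxies):
        return False, "peer is not a trusted proxy"

    # Step 2: only now is the forwarded client address meaningful.
    if not _in_any(forwarded, allowed_clients):
        return False, "forwarded client address not allowed"

    return True, "ok"


if __name__ == "__main__":
    print(decide(SAMPLE_CLIENT))
    # Same real_ip, but sent by a peer that is not the configured proxy.
    print(decide({"address": "203.0.113.9", "real_ip": "192.0.2.43"}))
```
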


Last updated 8 months ago

Detailed User Guide:

https://airensoft.gitbook.io/ovenmediaengine/v/dev/access-control/signedpolicy
https://airensoft.gitbook.io/ovenmediaengine/v/dev/access-control/admission-webhooks