OvenMediaEngine Enterprise

Access Control


Last updated 6 months ago

In the Access Control Settings, you can check whether access restrictions for the Ingress and Egress streams provided by OvenMediaEngine are enabled and view their settings.

Also, OvenMediaEngine Enterprise 16.6.2 (updated on July 17, 2024) adds support for Proxy Protocol in SignedPolicy and AdmissionWebhooks, further enhancing security by comparing and verifying the Client Address passed through the PROXY protocol version 1 by HAProxy with real_ip.

Signed Policy Settings | 0.12.0.0+

SignedPolicy is a module that limits what a user is allowed to do and for how long. For example, if you make a specific RTMP URL accessible for only 60 seconds, the provided URL automatically becomes invalid after 60 seconds. Likewise, if you issue an RTMP URL that may transmit for only 1 hour, the RTMP transmission automatically stops after 1 hour.

As shown below, a SignedPolicy URL includes the Policy and Signature as a query string in the stream URL, so viewers who receive a SignedPolicy URL cannot access any resources other than the provided URL.

scheme://domain.com:port/app/stream?policy=<>&signature=<>

You can check whether the Signed Policy is enabled and its settings for each VirtualHost in the Signed Policy section of Access Control Settings.

  • Policy Query Key: The query string key name in the URL pointing to the Policy value.

  • Signature Query Key: The query string key name in the URL pointing to the Signature value.

  • Secret Key: The secret key used when encoding with HMAC-SHA1.

  • Enables: List of Providers and Publishers to enable SignedPolicy.

Currently, SignedPolicy supports RTMP among Providers, and WebRTC, LLHLS, and Thumbnail among Publishers.
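
How such a URL can be issued and checked, as an added example that is not OvenMediaEngine's own code. It assumes the format described in the linked SignedPolicy guide: a Base64URL-encoded JSON policy whose `url_expire` field is an epoch time in milliseconds, and a Base64URL HMAC-SHA1 signature computed over the whole URL up to the signature parameter. The host, secret and function names are constructed for illustration.

```python
import base64, hashlib, hmac, json
from urllib.parse import parse_qs, urlsplit

SECRET = "constructed-secret"                    # constructed sample value
BASE_URL = "rtmp://domain.com:1935/app/stream"   # constructed sample value

def b64url(data: bytes) -> str:
    """Base64URL without padding."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _mac(text: str, secret: str) -> str:
    """HMAC-SHA1 of the text under the Secret Key, Base64URL-encoded."""
    return b64url(hmac.new(secret.encode(), text.encode(), hashlib.sha1).digest())

def sign_url(base_url, secret, expire_ms, policy_key="policy", signature_key="signature"):
    """Append the policy, then a signature computed over everything before it."""
    # Assumed policy field name: url_expire (epoch milliseconds).
    policy = json.dumps({"url_expire": expire_ms}, separators=(",", ":"))
    unsigned = f"{base_url}?{policy_key}={b64url(policy.encode())}"
    return f"{unsigned}&{signature_key}={_mac(unsigned, secret)}"

def verify_url(url, secret, now_ms, policy_key="policy", signature_key="signature"):
    """Return (ok, reason). The signature is checked before the policy is parsed."""
    unsigned, sep, signature = url.rpartition(f"&{signature_key}=")
    if not sep:
        return False, "missing signature"
    # Constant-time comparison avoids leaking how many characters matched.
    if not hmac.compare_digest(_mac(unsigned, secret).encode(), signature.encode()):
        return False, "bad signature"
    try:
        raw = parse_qs(urlsplit(unsigned).query)[policy_key][0]
        policy = json.loads(base64.urlsafe_b64decode(raw + "=" * (-len(raw) % 4)))
        expire_ms = int(policy["url_expire"])
    except (KeyError, ValueError, TypeError):
        return False, "bad policy"
    return (True, "ok") if now_ms < expire_ms else (False, "expired")
```

Because the app and stream path are covered by the signature, changing either one invalidates the URL, which is why a recipient cannot reuse it for another resource.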

Admission Webhooks Settings | 0.12.2.0+

AdmissionWebhooks are HTTP Callbacks that query the Control Server to control Publishing and Playback acceptance requests. You can leverage AdmissionWebhooks for a variety of purposes, including Customer Authentication, Tracking Published Streams, Hiding App/Stream Names, Logging, and more.

You can view whether Admission Webhooks are enabled and the settings for each VirtualHost in the Admission Webhooks section in Access Control Settings.

  • Control Server Url: The HTTP Server that receives queries. HTTP and HTTPS are available.

  • Secret Key: The secret key used when encoding with HMAC-SHA1.

  • Timeout: The time (in milliseconds) to wait for a response after a request.

  • Enables: List of Providers and Publishers to enable AdmissionWebhooks.

Currently, AdmissionWebhooks supports RTMP, WebRTC, and SRT among Providers, and WebRTC, LLHLS, and Thumbnail among Publishers.
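
The Control Server side of this callback, as an added example that is not OvenMediaEngine's own code: it authenticates the raw request body with the Secret Key before parsing it and denies on any failure. It assumes, following the linked AdmissionWebhooks guide, that the signature header carries Base64URL(HMAC-SHA1(secret, body)), that the body is JSON with a `request.url` field, and that the reply is JSON with `allowed` and `reason`; the secret, allow-list and function names are constructed for illustration.

```python
import base64, hashlib, hmac, json
from urllib.parse import urlsplit

SECRET = b"constructed-webhook-secret"   # constructed sample value
ALLOWED_PATHS = {"/app/stream"}          # hypothetical allow-list of app/stream paths

def sign_body(body: bytes, secret: bytes) -> str:
    """Base64URL(HMAC-SHA1(secret, raw body)), padding stripped."""
    digest = hmac.new(secret, body, hashlib.sha1).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode()

def decide(body: bytes, signature_header, secret: bytes) -> dict:
    """Authenticate the raw body first, then parse it; deny on any failure."""
    received = (signature_header or "").rstrip("=").encode()
    # Compare over the exact bytes received, in constant time.
    if not hmac.compare_digest(sign_body(body, secret).encode(), received):
        return {"allowed": False, "reason": "invalid signature"}
    try:
        path = urlsplit(json.loads(body)["request"]["url"]).path
    except (ValueError, KeyError, TypeError, AttributeError):
        return {"allowed": False, "reason": "malformed request"}
    if path not in ALLOWED_PATHS:
        return {"allowed": False, "reason": "stream not permitted"}
    return {"allowed": True}

# Constructed sample callback body (field layout is an assumption, see lead-in).
SAMPLE_BODY = json.dumps({
    "client": {"address": "203.0.113.10", "port": 50000},
    "request": {"direction": "incoming", "protocol": "rtmp",
                "url": "rtmp://domain.com:1935/app/stream"},
}).encode()
```

The decision has to be returned within the configured Timeout, so any slow lookup behind `decide` needs its own shorter deadline.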

Detailed Guide (Signed Policy): https://airensoft.gitbook.io/ovenmediaengine/access-control/signedpolicy

Detailed Guide (Admission Webhooks): https://airensoft.gitbook.io/ovenmediaengine/access-control/admission-webhooks