OvenMediaEngine Enterprise
Proxy Protocol Integration | 0.16.6.2+

Starting with OvenMediaEngine Enterprise 0.16.6.2-1, version 1 of HAProxy's PROXY protocol is supported.

With this feature, OvenMediaEngine can accept stream input that arrives through a load balancer or reverse proxy which prepends a PROXY protocol v1 header to each TCP connection, so the original client address is not lost behind the proxy. To enable it, activate <HAProxyProtocol> in Server.xml as follows:

<Server>
...
  <Modules>
    <!-- Enable HAProxyProtocol feature for Cloudflare, default: false -->
    <HAProxyProtocol>
      <Enable>true</Enable>
    </HAProxyProtocol>
... 

Access Control and HAProxy Protocol

You can use the client address forwarded via the PROXY protocol for access control. Keep in mind that the forwarded address is only as trustworthy as the peer that sent the header: once HAProxyProtocol is enabled, any client that can reach the listener directly could prepend a forged PROXY line claiming an arbitrary source address. Expose the listener only to your proxies and, in addition, verify the directly connected peer address as described below before relying on the forwarded one.

SignedPolicy

When the real_ip policy is set in SignedPolicy, the client address forwarded through the PROXY protocol is verified against it. allow_ip, by contrast, is matched against the address of the directly connected peer, which behind a proxy is the proxy itself. Set allow_ip to the address range of your proxy servers so that a connection from anywhere else is rejected before its PROXY header is ever trusted, and set real_ip to the range of clients you actually want to admit.

{
    "url_activate":1399711581,
    "url_expire":1399721581,
    "stream_expire":1399821581,
    "allow_ip":"192.168.100.5/32",
    "real_ip":"111.111.111.111/32"
}

With HAProxyProtocol enabled, SignedPolicy matches the client address carried in the PROXY header against real_ip, while allow_ip is still matched against the address of the directly connected peer. In the policy above, only a connection from 192.168.100.5 whose PROXY header names 111.111.111.111 as the source is accepted.
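The following is an added example written for this page, not code from OvenMediaEngine: it shows what the HAProxyProtocol option and the SignedPolicy check above amount to on one accepted TCP connection. It parses the PROXY v1 header per the HAProxy specification, then applies a policy in the order a defender wants, allow_ip against the directly connected peer first and real_ip against the forwarded address second. The function names, the sample policy timestamps and the sample connections are constructed; the time unit compared with url_activate and url_expire is whatever you pass as now, so use the unit your OME version expects, and stream_expire is not modelled.

```python
import ipaddress

# Longest legal PROXY v1 line, CRLF included (HAProxy PROXY protocol spec).
PROXY_V1_MAX = 107


def parse_proxy_v1(data):
    """Split a PROXY protocol v1 header off the start of a TCP stream.

    Returns (forwarded_source_ip, remaining_bytes). forwarded_source_ip is None
    when the stream carries no header or the proxy declared the source UNKNOWN.
    A malformed header raises ValueError instead of being silently ignored.
    """
    if not data.startswith(b"PROXY "):
        return None, data
    end = data.find(b"\r\n", 0, PROXY_V1_MAX)
    if end == -1:
        raise ValueError("PROXY v1 header not terminated by CRLF within 107 bytes")
    fields = data[:end].decode("ascii").split(" ")
    rest = data[end + 2:]
    if len(fields) >= 2 and fields[1] == "UNKNOWN":
        return None, rest
    if len(fields) != 6 or fields[1] not in ("TCP4", "TCP6"):
        raise ValueError("malformed PROXY v1 header: %r" % data[:end])
    src = ipaddress.ip_address(fields[2])
    dst = ipaddress.ip_address(fields[3])
    want = 4 if fields[1] == "TCP4" else 6
    if src.version != want or dst.version != want:
        raise ValueError("address family does not match %s" % fields[1])
    for port in fields[4:]:
        if not port.isdigit() or not 0 <= int(port) <= 65535:
            raise ValueError("bad port in PROXY v1 header")
    return str(src), rest


def evaluate_signed_policy(policy, peer_ip, forwarded_ip, now):
    """Apply the SignedPolicy fields from this page to one connection.

    Order: time window, then allow_ip against the directly connected peer,
    then real_ip against the address the PROXY header forwarded.
    """
    if "url_activate" in policy and now < policy["url_activate"]:
        return False, "url not yet active"
    if "url_expire" in policy and now > policy["url_expire"]:
        return False, "url expired"
    if "allow_ip" in policy:
        allowed_peers = ipaddress.ip_network(policy["allow_ip"], strict=False)
        if ipaddress.ip_address(peer_ip) not in allowed_peers:
            # Stage 1 failed: the peer is not one of our proxies, so any PROXY
            # header it sent is untrusted and real_ip is never consulted.
            return False, "peer %s not in allow_ip" % peer_ip
    if "real_ip" in policy:
        if forwarded_ip is None:
            return False, "real_ip policy set but no PROXY header was received"
        allowed_clients = ipaddress.ip_network(policy["real_ip"], strict=False)
        if ipaddress.ip_address(forwarded_ip) not in allowed_clients:
            return False, "forwarded client %s not in real_ip" % forwarded_ip
    return True, "allowed"


def check_connection(policy, peer_ip, first_bytes, now):
    """Combine header parsing and policy evaluation for one connection."""
    try:
        forwarded_ip, _payload = parse_proxy_v1(first_bytes)
    except ValueError as exc:
        return False, "rejected: %s" % exc
    return evaluate_signed_policy(policy, peer_ip, forwarded_ip, now)


# Constructed sample data: the policy shown on this page plus four connections.
POLICY = {
    "url_activate": 1399711581,
    "url_expire": 1399721581,
    "stream_expire": 1399821581,
    "allow_ip": "192.168.100.5/32",
    "real_ip": "111.111.111.111/32",
}
NOW = 1399715000
RTMP_C0 = b"\x03" + b"\x00" * 8  # constructed stand-in for the first RTMP bytes
HEADER = b"PROXY TCP4 111.111.111.111 10.0.0.2 49152 1935\r\n"


def demo():
    return {
        # the real proxy forwards the allowed client
        "via_proxy": check_connection(POLICY, "192.168.100.5", HEADER + RTMP_C0, NOW),
        # an attacker bypasses the proxy and forges the very same header
        "forged_direct": check_connection(POLICY, "203.0.113.9", HEADER + RTMP_C0, NOW),
        # the proxy forwards a client that real_ip does not allow
        "wrong_client": check_connection(
            POLICY, "192.168.100.5",
            b"PROXY TCP4 198.51.100.7 10.0.0.2 49153 1935\r\n" + RTMP_C0, NOW),
        # the proxy is misconfigured and sends no header at all
        "no_header": check_connection(POLICY, "192.168.100.5", RTMP_C0, NOW),
    }


if __name__ == "__main__":
    for name, (ok, why) in demo().items():
        print("%-14s %s  (%s)" % (name, "ALLOW" if ok else "DENY", why))
```

The forged_direct case is the one the allow_ip check exists for: the attacker's header is syntactically perfect and names an address that real_ip would accept, and only the peer check stops it.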

Admission Webhooks

The client address forwarded through the PROXY protocol is passed to the control server in the real_ip field of the AdmissionWebhooks request.

The address field still contains the address of the directly connected peer, so the control server should first check that this address belongs to an allowed proxy server and only then make its decision on real_ip.

POST /configured/target/url/ HTTP/1.1
Content-Length: 325
Content-Type: application/json
Accept: application/json
X-OME-Signature: f871jd991jj1929jsjd91pqa0amm1
{
  "client": 
  {
    "address": "211.233.58.86",
    "port": 29291,
    "real_ip": "192.0.2.43",
    "user_agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/110.0.0.0 Safari/537.36"
  },
  "request":
  {
    "direction": "incoming | outgoing",
    "protocol": "webrtc | rtmp | srt | llhls | thumbnail",
    "status": "opening | closing",
    "url": "scheme://host[:port]/app/stream/file?query=value&query2=value2",
    "new_url": "scheme://host[:port]/app/new_stream/file?query=value&query2=value2",
    "time": "2021-05-12T13:45:00.000Z"
  }
}

When HAProxyProtocol is enabled, AdmissionWebhooks gives the client address from the PROXY header the highest priority for the real_ip field, above the X-Real-IP and X-Forwarded-For HTTP headers it would otherwise use.
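As an added example for the control-server side, not code from OvenMediaEngine, the following minimal admission control server applies the check described above to the webhook body: client.address must belong to a trusted proxy before client.real_ip is believed, and real_ip is then matched against the clients you want to admit. The signature check assumes X-OME-Signature is an HMAC-SHA1 over the raw request body with the SecretKey from Server.xml, base64url-encoded; this page does not specify the algorithm, so confirm it against the AdmissionWebhooks guide linked below. The secret, the address ranges, the reason field in the response and the use of a 401 status for a bad signature are all assumptions of this example.

```python
import base64
import hashlib
import hmac
import ipaddress
import json
from http.server import BaseHTTPRequestHandler, HTTPServer

# Constructed values for the example; take the real ones from Server.xml.
SECRET_KEY = b"constructed-secret-key"
TRUSTED_PROXIES = [ipaddress.ip_network("192.168.100.0/24")]
ALLOWED_CLIENTS = [ipaddress.ip_network("192.0.2.0/24")]


def sign_body(body, key=SECRET_KEY):
    """Assumed X-OME-Signature scheme: HMAC-SHA1 of the raw body, base64url,
    no padding. Verify this against the AdmissionWebhooks guide for your version."""
    digest = hmac.new(key, body, hashlib.sha1).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def signature_ok(body, header, key=SECRET_KEY):
    if not header:
        return False
    return hmac.compare_digest(sign_body(body, key), header.rstrip("="))


def in_any(ip, networks):
    return any(ip in net for net in networks)


def decide(body):
    """Policy decision on the parsed webhook body.

    address is the directly connected peer and must be one of our proxies;
    only then is real_ip (the address from the PROXY header) trusted.
    """
    client = body.get("client") or {}
    try:
        peer = ipaddress.ip_address(client.get("address"))
    except ValueError:
        return {"allowed": False, "reason": "missing or invalid client.address"}
    if not in_any(peer, TRUSTED_PROXIES):
        return {"allowed": False, "reason": "peer %s is not a trusted proxy" % peer}
    try:
        real = ipaddress.ip_address(client.get("real_ip"))
    except ValueError:
        return {"allowed": False, "reason": "no forwarded client address"}
    if not in_any(real, ALLOWED_CLIENTS):
        return {"allowed": False, "reason": "client %s is not allowed" % real}
    return {"allowed": True}


def handle_request(raw_body, signature_header):
    """Handle one webhook POST; returns (http_status, response_dict)."""
    if not signature_ok(raw_body, signature_header):
        return 401, {"allowed": False, "reason": "bad X-OME-Signature"}
    try:
        body = json.loads(raw_body)
    except ValueError:
        return 400, {"allowed": False, "reason": "body is not JSON"}
    if not isinstance(body, dict):
        return 400, {"allowed": False, "reason": "body is not a JSON object"}
    return 200, decide(body)


def sample_request(address, real_ip, key=SECRET_KEY):
    """Constructed webhook request (body bytes and a valid signature) for tests."""
    body = {
        "client": {"address": address, "port": 29291, "real_ip": real_ip},
        "request": {"direction": "incoming", "protocol": "rtmp",
                    "status": "opening", "url": "rtmp://host/app/stream"},
    }
    raw = json.dumps(body).encode("utf-8")
    return raw, sign_body(raw, key)


class AdmissionHandler(BaseHTTPRequestHandler):
    def do_POST(self):
        raw = self.rfile.read(int(self.headers.get("Content-Length", 0)))
        status, response = handle_request(raw, self.headers.get("X-OME-Signature"))
        out = json.dumps(response).encode("utf-8")
        self.send_response(status)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(out)))
        self.end_headers()
        self.wfile.write(out)


if __name__ == "__main__":
    # Point the AdmissionWebhooks control server URL at http://127.0.0.1:8080/
    HTTPServer(("127.0.0.1", 8080), AdmissionHandler).serve_forever()
```

Fed the request body shown on this page, the server denies it: 211.233.58.86 is not one of the configured proxies, so the real_ip of 192.0.2.43 is never considered even though it lies in the allowed client range.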


Detailed User Guide:

https://airensoft.gitbook.io/ovenmediaengine/v/dev/access-control/signedpolicy
https://airensoft.gitbook.io/ovenmediaengine/v/dev/access-control/admission-webhooks