
Server Authentication and MP4 record #71

Closed
songoku141 opened this issue Aug 21, 2019 · 36 comments

Comments

@songoku141

Hi,

How do I set up authentication for Media Server?
(Now I can access the stream rtsp://127.0.0.1/live/0 or rtmp://127.0.0.1/live/0 without a user name and password)

How do I set up Media Server to record all streams as mp4?

About API:

  • Using "getMediaList" I can list all streams on the server, but how can I get statistics of a stream such as connect/disconnect, bitrate, frame rate, ...?
  • API to manually start/stop recording
@xia-chu
Member

xia-chu commented Aug 22, 2019

1. RTSP supports 2 types of authentication: user name and password authentication, and URL param authentication. RTMP supports only URL param authentication.

2. The authentication mechanism is implemented by an http hook api; ZLMediaKit will send the authentication request to a 3rd server by http post.

3. You can change the http hook api url by modifying the configuration file named config.ini, in the options named hook.

4. You can read this wiki 配置文件详解; I am sorry, it is only in Chinese, so you may need Google translation.

5. I am sorry, the getMediaList api only supports displaying some useful information; you can modify the source code.

6. mp4 recording is available, but I haven't implemented controlling it by http api yet.

@songoku141
Author

How do I set up auto mp4 recording in MediaServer?

@xia-chu
Member

xia-chu commented Aug 22, 2019

I will implement this soon.

@songoku141
Author

By setting "enable=1" in the hook config, Media Server will require a user name and password when playing a stream, but what are the user name and password?

rtsp authentication

@xia-chu
Member

xia-chu commented Aug 29, 2019

You need to change the default hook url to your url.
The default hook url of ZLMediaKit requires the same username and password.
You can input test and test.

But the suggestion is to implement the hook url yourself.

@songoku141
Author

Can you write sample code to set the user name and password for MediaServer?

I am trying to input "test" and "test" when accessing the rtsp stream "rtsp://192.168.10.68:8554/live/1" from VLC, but without success.

Sorry, because I am not fluent in the C++ language, it is difficult to understand your excellent and very big project.

@xia-chu
Member

xia-chu commented Sep 3, 2019

Please change hook.on_rtsp_realm to empty:
image

like this:

image

and then restart MediaServer and try to play rtsp again.

This is the way to close rtsp authentication; it is recommended to authenticate by URL param.

For example, play rtsp this way: rtsp://127.0.0.1/live/0?user=aaa&passwd=123456

I am sorry to reply to you so late.

@xia-chu
Member

xia-chu commented Sep 3, 2019

This is my config file:

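[api]
# Whether to debug the http api; when enabled, the content and reply of every http request are printed
apiDebug=1
# Some sensitive http apis require the secret when accessed; otherwise the call is not authorized
# If accessed via 127.0.0.1, the secret may be omitted
secret=035c73f7-bb6b-4889-a715-d9eb2d1925cc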

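[ffmpeg]
# Path to the FFmpeg executable
bin=/usr/local/bin/ffmpeg
# Command template for FFmpeg to pull a stream and push it again; some re-encoding parameters can be set through this template
cmd=%s -i %s -c:a aac -strict -2 -ar 44100 -ab 48k -c:v libx264 -f flv %s
# Path of the FFmpeg log; if empty, no FFmpeg log is generated
log=/Users/xzl/git/ZLMediaKit/release/mac/Release/ffmpeg/ffmpeg.log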

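[general]
# Whether to enable virtual hosts
enableVhost=1
# After a player or pusher disconnects, the hook.on_flow_report event (traffic-usage event) is triggered;
# flowThreshold controls the threshold for triggering hook.on_flow_report: the event fires only when the traffic used exceeds this threshold, unit KB
flowThreshold=1024
# Maximum wait time for playback, in milliseconds
# When a player plays a stream that does not exist,
# ZLMediaKit makes the player wait at most maxStreamWaitMS milliseconds
# If the stream is registered within this time, playback success is returned to the player immediately
# Otherwise the player is told the stream was not found; the purpose of this mechanism is to allow playing first and pushing afterwards
maxStreamWaitMS=5000
# Maximum wait time before triggering the hook.on_stream_none_reader event when a stream has no viewers, in milliseconds
# Together with the hook.on_stream_none_reader event, this makes it possible to automatically stop pulling or stop receiving a push when nobody is watching
streamNoneReaderDelayMS=5000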

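[hls]
# Buffer size for writing hls files; tuning this can improve file io performance
fileBufSize=65536
# Path where hls files are saved
filePath=/Users/xzl/git/ZLMediaKit/release/mac/Release/httpRoot
# Maximum hls segment duration
segDur=3
# Number of hls segments kept in the m3u8 index (the number actually kept is 2~3 more)
segNum=3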

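[hook]
# When pushing, if the url parameters match admin_params, the push succeeds directly without hook authentication; the same applies to playback
# This option is intended for the developer's own debugging and testing; if this parameter is exposed there is a security risk of privacy leakage
admin_params=secret=035c73f7-bb6b-4889-a715-d9eb2d1925cc
# Whether to enable hook events; when enabled, both pushing and pulling streams are authenticated
enable=1
# Traffic-usage event for players or pushers; empty disables it
on_flow_report=https://127.0.0.1/index/hook/on_flow_report
# Authentication event for http file access; empty disables authentication
on_http_access=https://127.0.0.1/index/hook/on_http_access
# Playback authentication event; empty disables authentication
on_play=https://127.0.0.1/index/hook/on_play
# Push (publish) authentication event; empty disables authentication
on_publish=https://127.0.0.1/index/hook/on_publish
# Event fired when an mp4 recording slice is completed
on_record_mp4=https://127.0.0.1/index/hook/on_record_mp4
# rtsp playback authentication event; the rtsp user name and password are compared in this event
on_rtsp_auth=https://127.0.0.1/index/hook/on_rtsp_auth
# Event deciding whether rtsp playback requires authentication; empty disables rtsp authentication. rtsp playback authentication also supports url-based authentication
# Developers are advised to use url-parameter authentication uniformly; rtsp user name/password authentication is mostly used on devices
on_rtsp_realm=https://127.0.0.1/index/hook/on_rtsp_realm
# Authentication event for remote telnet debugging
on_shell_login=https://127.0.0.1/index/hook/on_shell_login
# Event for live stream registration or deregistration
on_stream_changed=https://127.0.0.1/index/hook/on_stream_changed
# Event for a stream with no viewers; through this event you can choose whether to close the unwatched stream. Used together with the general.streamNoneReaderDelayMS option
on_stream_none_reader=
# Stream-not-found event during playback; together with the hook.on_stream_none_reader event it enables pulling streams on demand
on_stream_not_found=https://127.0.0.1/index/hook/on_stream_not_found
# Maximum time to wait for a hook api reply, in seconds
timeoutSec=10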

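[http]
# Character encoding of the http server; defaults to gb2312 on windows
charSet=utf-8
# http connection timeout
keepAliveSecond=10
# Maximum number of times a keep-alive connection is reused
maxReqCount=100
# Maximum size of an http request body in bytes; if the post body is too large, it is not suitable to cache the body in memory
maxReqSize=4096
# Content of the 404 page; users can customize the 404 page
notFound=<html><head><title>404 Not Found</title></head><body bgcolor="white"><center><h1>您访问的资源不存在!</h1></center><hr><center>ZLMediaKit-4.0</center></body></html>
# http server listening port
port=80
# Root directory of the http file server
rootPath=/Users/xzl/git/ZLMediaKit/release/mac/Release/httpRoot
# Read buffer size of the http file server, in bytes; tuning this parameter can optimize file io performance
sendBufSize=65536
# https server listening port
sslport=443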

[multicast]
# Last multicast ip address for rtp multicast
addrMax=239.255.255.255
# First multicast ip address for rtp multicast
addrMin=239.0.0.0
# Multicast udp ttl
udpTTL=64

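[record]
# Application name for mp4 recording or mp4 on-demand playback; restricting the application name prevents arbitrary on-demand playback
appName=record
# Write buffer for mp4 recording, in bytes; tuning this can improve file io performance
fileBufSize=65536
# Path where mp4 recordings are saved
filePath=/Users/xzl/git/ZLMediaKit/release/mac/Release/httpRoot
# mp4 recording slice duration, in seconds
fileSecond=3600
# Amount of data streamed per step for mp4 on-demand playback, in milliseconds;
# decreasing this value makes on-demand data sending smoother, increasing it saves more cpu
sampleMS=100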

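[rtmp]
# rtmp must complete the handshake within this time, otherwise the server closes the connection; in seconds
handshakeSecond=15
# rtmp timeout; if no data is received from the client within this time,
# or the tcp send buffer is held longer than this time, the connection is closed; in seconds
keepAliveSecond=15
# Whether to regenerate timestamps when receiving an rtmp push (the timestamps of many pushers are really bad)
modifyStamp=1
# rtmp server listening port
port=1935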

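[rtp]
# Audio mtu size; this parameter limits the maximum rtp size in bytes, recommended not to exceed 1400
# Increasing this value noticeably increases live latency
audioMtuSize=600
# If rtp sequence numbers are in order clearCount times in a row, rtp is no longer sorted (to reduce the latency caused by rtp sorting)
clearCount=10
# rtp timestamp wrap-around time, in milliseconds
cycleMS=46800000
# Size of the rtp sorting map cache; increasing this value may increase latency, but reduces rtp out-of-order problems
maxRtpCount=50
# Video mtu size; this parameter limits the maximum rtp size in bytes, recommended not to exceed 1400
videoMtuSize=1400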

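[rtsp]
# Whether rtsp-specific authentication uses base64 or md5
authBasic=0
# Whether the rtsp pull proxy uses direct proxy mode
# Direct proxy supports any codec, but the GOP cache cannot locate I-frames, which may cause a corrupted picture at the start of playback
# Also, when pulling over tcp, rtp packets larger than the mtu make it impossible to proxy over udp
# If your pull source is not 264, 265 or AAC, you can use direct proxy to support rtsp proxying
# rtsp direct proxy is enabled by default; rtmp does not have these problems, so direct proxy is always enabled for it
directProxy=1
# rtsp must complete the handshake within this time, otherwise the server closes the connection; in seconds
handshakeSecond=15
# rtsp timeout; if no data is received from the client within this time,
# or the tcp send buffer is held longer than this time, the connection is closed; in seconds
keepAliveSecond=15
# rtsp server listening address
port=554
# rtsps server listening address
sslport=322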

[shell]
# Maximum buffer size accepted by the debug telnet server
maxReqSize=1024
# Debug telnet server listening port
port=9000

@xia-chu
Member

xia-chu commented Sep 3, 2019

You can play rtsp with the same username and password:
image

You can review the code:
image

@xia-chu
Member

xia-chu commented Sep 3, 2019

I played it successfully:
image

@songoku141
Author

Hi,

I am following your instructions but still without success. The attached file is the executable and config file built on Windows.
MediaServer.zip

@xia-chu
Member

xia-chu commented Sep 3, 2019

You can test it by using the bin files in https://github.com/zlmediakit/ZLMediaKit/tree/master/release

@songoku141
Author

Same problem.

My steps:
start MediaServer => Add stream proxy => using VLC to play stream

With "enable=0" under "hook", VLC can play the stream well.
With "enable=1", VLC requires a user name and password to play, but when I input user = "1111" and password = "1111" it is still not successful.
This is the log file:
2019-09-03.log

@xia-chu
Member

xia-chu commented Sep 3, 2019

When you modify the https default port, why don't you change the hook urls?
You must change the hook urls to https://127.0.0.1:8443/xxxx
image
image
image

image

@xia-chu
Member

xia-chu commented Sep 4, 2019

Did you resolve this problem?

@songoku141
Author

Hi,

When I changed the hook urls to https://127.0.0.1:8443/xxxx,
VLC cannot access MediaServer by "rtsp://192.168.10.73:8554/proxy/cam111"
while "rtsp://127.0.0.1:8554/proxy/cam111" is still OK.

This is the log file:

2019-09-04.zip

@xia-chu
Member

xia-chu commented Sep 4, 2019

Please change to this:
image

Perhaps the certificate ssl.p12 is expired and not available, so the https server does not work.

@songoku141
Author

Hi,

If changed to http://127.0.0.1:11800/xxx,
the MediaServer automatically removes the stream after a few seconds.

New log:
2019-09-04.zip

@xia-chu
Member

xia-chu commented Sep 4, 2019

image

@songoku141
Author

Thanks, it works fine.
Can I manually set the user name and password of the rtsp server in the config file?

@xia-chu
Member

xia-chu commented Sep 4, 2019

No, you must implement your hook urls for rtsp (on_rtsp_realm and on_rtsp_auth).
on_rtsp_realm controls whether authentication is required for a rtsp stream.
on_rtsp_auth returns the username and password for this rtsp stream.

You can modify the code if you do not want to use web hook for rtsp authentication.

@xia-chu
Member

xia-chu commented Sep 4, 2019

You can also modify this code:
image

@songoku141
Author

thanks

@xia-chu
Member

xia-chu commented Sep 10, 2019

Now ZLMediaKit supports controlling whether MP4 recording is enabled by web hook.

image

image

When ZLMediaKit sends an http post request to your hook url with the on_publish event, you can return json like this:

{
     "code" : 0,
     "enableRtxp": true,
     "enableHls": true,
     "enableMP4": true
}

And then ZLMediaKit will record the stream as mp4.

@songoku141
Author

Thanks,

I will try it.
But how do I set the length of each MP4 file?

@xia-chu
Member

xia-chu commented Sep 10, 2019

ZLMediaKit will save the live stream as mp4 slices, and the mp4 slice length will be limited by record.fileSecond:
image

You can add your hook url for when an mp4 slice is generated:
image

And the on_record_mp4 hook event params are here:

image

@xia-chu changed the title from "Server Authentication and API" to "Server Authentication and MP4 record" Sep 10, 2019
@xia-chu
Member

xia-chu commented Sep 10, 2019

You need to update to the latest code and compile it yourself.

@xia-chu
Member

xia-chu commented Dec 5, 2019

Hi,

How do I set up authentication for Media Server?
(Now I can access the stream rtsp://127.0.0.1/live/0 or rtmp://127.0.0.1/live/0 without a user name and password)

How do I set up Media Server to record all streams as mp4?

About API:

  • Using "getMediaList" I can list all streams on the server, but how can I get statistics of a stream such as connect/disconnect, bitrate, frame rate, ...?
  • API to manually start/stop recording

@thaibienbac Hello, zlmediakit now supports an http api to control hls/mp4 recording; please read the wiki.

@songoku141
Author

No, you must implement your hook urls for rtsp (on_rtsp_realm and on_rtsp_auth).
on_rtsp_realm controls whether authentication is required for a rtsp stream.
on_rtsp_auth returns the username and password for this rtsp stream.

You can modify the code if you do not want to use web hook for rtsp authentication.

I want to use the web hook for rtsp authentication, but "on_rtsp_auth" only sends user_name to the web server; how do I send both user name and password?
POST /index/hook/on_rtsp_auth HTTP/1.1
Accept: */*
Accept-Language: zh-CN,zh;q=0.8
Connection: keep-alive
Content-Length: 274
Content-Type: application/json
Host: 127.0.0.1
Tools: ZLMediaKit
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/57.0.2987.133 Safari/537.36

{
"app" : "live",
"id" : "140553560034336",
"ip" : "10.0.17.132",
"must_no_encrypt" : false,
"params" : "",
"port" : 65473,
"realm" : "zlmediakit_reaml",
"schema" : "rtsp",
"stream" : "obs",
"user_name" : "test",
"vhost" : "defaultVhost"
}

@xia-chu
Member

xia-chu commented Jan 16, 2020

image

@songoku141
Author

songoku141 commented Jan 16, 2020

Hi,

Yes, I know that. But my procedure is:

  • user requests the rtsp stream by url: rtsp://username:password@192.168.10.12/proxy/cam111
  • web server checks the user name and password in the database
  • if the user exists, return the password of the user (as you commented)

But "on_rtsp_auth" only sends user_name to the web server; I don't know how to get the password.

@xia-chu
Member

xia-chu commented Jan 16, 2020

A client using the RTSP exclusive authentication mode will not pass the user password to the server, only an MD5 digest. Therefore, the server needs to regenerate the MD5 digest and check whether it matches; if it does, the authentication is successful.

In order to hide the details of the digest generation algorithm and the difference between base64 encryption and MD5 encryption, you must provide the plaintext password to zlmediakit, or you must provide the md5 digest of the password to zlmediakit.

@xia-chu
Member

xia-chu commented Jan 16, 2020

You can return your passwd like this:

{
   "code" : 0,
   "encrypted" : false,
   "passwd" : "the plaintext password"
}

or like this:

{
   "code" : 0,
   "encrypted" : true,
   "passwd" : "md5(username:realm:password)"
}
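
An added example, not part of the thread and not ZLMediaKit's own code: a minimal on_rtsp_auth hook endpoint in Python that answers with the "encrypted": true form, so the web server's user store holds only md5(username:realm:password) and never the plaintext. The user alice, her password, the rejecting code of -1, the reading of must_no_encrypt and the RFC 2617 (no qop) digest formula are assumptions; the request fields, hook path and port 11800 are taken from the posts above.

```python
import hashlib
import json
from http.server import BaseHTTPRequestHandler, HTTPServer

REALM = "zlmediakit_reaml"  # realm string exactly as it appears in the hook request above

def md5_hex(text):
    return hashlib.md5(text.encode()).hexdigest()

def ha1(user, realm, password):
    # The value the thread writes as md5(username:realm:password)
    return md5_hex(f"{user}:{realm}:{password}")

# Constructed user store: only the digest is kept, never the plaintext password.
USERS = {"alice": ha1("alice", REALM, "constructed-password")}

def on_rtsp_auth(req):
    """Build the reply for the JSON body ZLMediaKit posts to on_rtsp_auth."""
    stored = USERS.get(req.get("user_name", ""))
    if stored is None or req.get("realm") != REALM:
        return {"code": -1}  # assumption: any non-zero code rejects the player
    if req.get("must_no_encrypt"):
        # Assumption: true means the server needs the plaintext (base64 mode),
        # which a digest-only store cannot supply, so refuse.
        return {"code": -1}
    return {"code": 0, "encrypted": True, "passwd": stored}

def digest_response(ha1_hex, nonce, method, uri):
    # RFC 2617 digest without qop (assumed here): the value a server can
    # regenerate from the stored digest alone and compare with the client's.
    ha2 = md5_hex(f"{method}:{uri}")
    return md5_hex(f"{ha1_hex}:{nonce}:{ha2}")

class Hook(BaseHTTPRequestHandler):
    def do_POST(self):
        length = int(self.headers.get("Content-Length", 0))
        try:
            req = json.loads(self.rfile.read(length) or b"{}")
        except ValueError:
            req = {}
        ok_path = self.path == "/index/hook/on_rtsp_auth"
        reply = on_rtsp_auth(req) if ok_path and isinstance(req, dict) else {"code": -1}
        data = json.dumps(reply).encode()
        self.send_response(200)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(data)))
        self.end_headers()
        self.wfile.write(data)

if __name__ == "__main__":
    HTTPServer(("127.0.0.1", 11800), Hook).serve_forever()  # port from the thread
```

With this running, hook.on_rtsp_auth in config.ini would point at http://127.0.0.1:11800/index/hook/on_rtsp_auth.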

@songoku141
Author

Can I add a password field to this:

{
"app" : "live",
"id" : "140553560034336",
"ip" : "10.0.17.132",
"must_no_encrypt" : false,
"params" : "",
"port" : 65473,
"realm" : "zlmediakit_reaml",
"schema" : "rtsp",
"stream" : "obs",
"user_name" : "test",
"password" : "test",
"vhost" : "defaultVhost"
}

@xia-chu
Member

xia-chu commented Jan 16, 2020

To reiterate the one point: the RTSP client will not send the plaintext password to the server, and zlmediakit will never know the password.

@xia-chu
Member

xia-chu commented Jan 16, 2020

Why not use URL parameter authentication (the on_play hook)?
