Restrict VOD requests by domain


dev kang

Sep 3, 2023, 9:25:26 PM
to Mistserver.org
hello!
I am a former user of wowzaServer at my company.
I couldn't contain my excitement when I heard that mistServer has been open sourced.

I'm starting a new business of my own and this was great news.
I can't think of a better streaming tool.

My question is this.
https://example.com -> my webservice
https://mist.com -> mist VOD Server

Is it possible to restrict requests to the domain of my webservice only?
I want to restrict access from outside.

If I make a direct request from a web browser like below, the video playback will be restricted.
https://mist.com/example/example.m3u8

However, if the above request is made from the https://example.com domain, it will be played.

Is it possible to implement this feature?
I want to protect my content

Balder Vietor

Sep 4, 2023, 6:15:52 AM
to mists...@googlegroups.com
Hey there, 

That is possible, you'll want to look at access control. You can use any logic to protect the content. Using a token is the most secure. How you create this token is of course up to you. 

That said we are planning to add a referrer field to the USER_NEW trigger next release (3.3) as well. So you could use that later on, but keep in mind that this field wouldn't always be filled in. So you would probably still need something to use if it's empty. 


I'd recommend reading this and contact us if you have any questions.

With kind regards,

Balder Viëtor
Head of Testing

MistServer


--
You received this message because you are subscribed to the Google Groups "Mistserver.org" group.
To unsubscribe from this group and stop receiving emails from it, send an email to mistserver+...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/mistserver/77a9b08f-1adc-40f5-998d-9a4638f1cd49n%40googlegroups.com.
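
The token approach recommended in the reply above, as an added example that is not part of the original thread and is not MistServer's own code: the web service signs a short-lived playback URL, and the access-control check verifies it before allowing a viewer. The secret, the `exp` and `token` query parameters and the function names are assumptions; how the check receives the stream name, request URL and referrer from MistServer is not shown.

```python
import hashlib
import hmac
import time
from urllib.parse import parse_qs, urlsplit

# Assumptions (not from the thread): the shared secret and the "exp"/"token" names.
SECRET = b"constructed-demo-secret"
ALLOWED_REFERRER_HOST = "example.com"  # the web service in the question


def _sign(stream, expires):
    """HMAC over stream name and expiry, so a token cannot be reused elsewhere."""
    msg = f"{stream}\n{expires}".encode()
    return hmac.new(SECRET, msg, hashlib.sha256).hexdigest()


def issue_url(stream, ttl=300, now=None):
    """Web service side: build a short-lived playback URL for a page view."""
    expires = int(time.time() if now is None else now) + ttl
    return (f"https://mist.com/{stream}/{stream}.m3u8"
            f"?exp={expires}&token={_sign(stream, expires)}")


def allow_request(stream, request_url, referrer="", now=None):
    """Access-control side: True to allow the new viewer, False to reject."""
    now = time.time() if now is None else now
    query = parse_qs(urlsplit(request_url).query)
    exp = query.get("exp", [""])[0]
    token = query.get("token", [""])[0]
    if not (exp.isascii() and exp.isdigit() and len(exp) <= 12) or int(exp) < now:
        return False  # missing, malformed or expired
    if not hmac.compare_digest(token.encode(), _sign(stream, int(exp)).encode()):
        return False  # forged token, or token issued for another stream/expiry
    # The referrer may be empty, so it is only an extra check: an empty value
    # falls back to the token alone, a foreign site is rejected.
    if referrer and urlsplit(referrer).hostname != ALLOWED_REFERRER_HOST:
        return False
    return True


if __name__ == "__main__":
    url = issue_url("example")
    print(url)
    print(allow_request("example", url, referrer="https://example.com/watch"))
    print(allow_request("example", "https://mist.com/example/example.m3u8"))
```

A direct request without a token is rejected, and so is a token copied onto a different stream or used after its expiry.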

jammin radio

Feb 27, 2024, 11:24:47 AM
to mists...@googlegroups.com
Hi Balder, how are you doing? Great application, hoping that you can help me with a custom install code?
I need to use nginx; the current system is using AzuraCast. I'm hoping you can help. Kind regards

jammin radio

Feb 27, 2024, 11:26:37 AM
to mists...@googlegroups.com
Azura uses nginx as its web server and also Let's Encrypt. All the best

jammin radio

May 19, 2024, 10:46:25 PM
to mists...@googlegroups.com
Hi mate, got an issue using Nginx Proxy Manager.
I'm getting 502 Bad Gateway.
location
Add a path for sub-folder forwarding. Example: 203.0.113.25/path/

    location /mistserver/ {
      proxy_pass http://localhost:8080/;
      proxy_set_header X-Real-IP $remote_addr;
      proxy_buffering off;                      
      proxy_http_version 1.1;
      proxy_set_header Upgrade $http_upgrade;
      proxy_set_header Connection "Upgrade";
      proxy_read_timeout 600s;
      proxy_set_header Host $host;
      proxy_set_header X-Mst-Path "$scheme://$host/mistserver";
    }

Preview of "teknivalradio"

Failed to load https://tv.teknivalradio.com/mistserver/player.js.

Please check if you've activated the HTTP protocol, if your http port is blocked, or if you're trying to load HTTPS on an HTTP page



PLEASE HELP 😁



Michel Hageman

May 20, 2024, 3:53:50 AM
to mists...@googlegroups.com
Hi Jammin, 

I have the same in one server, the other one is fine though. It's a bit strange, but I guess that Nginx Proxy Manager (NPM) and the setup of this container might be a culprit in this too. 

First of all I read somewhere that the location-bit ( location /mistserver/ {}) goes under Advanced instead of Custom Locations in NPM. 

Furthermore I set up a 'host-stream' under 'streams' where I send 8080 to port 8080 from Mistserver. 

I also have to set up everything right in /etc/hosts as for subdomain and domain and the right ip-addresses, including the external ip-address. 

As I said, in one instance this leads to being able to watch the previews, whereby the .js-player functions without any problem, the other one: no dice! Same error-message as you receive. 

I hope you get your setup running as intended, maybe these notes of mine will help a bit with that, or someone from Mistserver's awesome team will surely chime in at a later point!

Also, search this group, there are more tips and tricks about this specific problem. For instance the firewall settings might be causing trouble too. 

Greets,

Michel

Michel Hageman

May 20, 2024, 4:02:12 AM
to mists...@googlegroups.com
Aaannnd.... make sure your certificates are up to date and correctly configured for NPM. This might easily cause a 502 Bad Gateway as well, as I see that your domain itself is unreachable giving this error. 

Make NPM connect to port 4242 with http and activate SSL on this. Don't use httpS to port 4242. Localhost should work if installed with the binary of Mistserver, but also the external address might work as an address to route traffic to in NPM. When installed in Docker, you can use the container-name when NPM and Mistserver are on the same bridge, or share host-bridge in Docker. If all else fails, try localhost or the ip-address of the container in Docker.   


Balder Vietor

May 20, 2024, 5:34:40 AM
to mists...@googlegroups.com
Hey there,

502 generally means you haven't set it up to the correct address "somewhere". Though it is hard to say what the exact problem is with the information available. The first thought I would have is that the address you're using to forward is also being blocked by a firewall, is incorrect or is blocked by some other reason. 

Could also be that the x-Mst-Path header is being filtered as it's a custom header and I'm not 100% sure whether NPM allows it (as far as I know it does), but you could change the public IP address to match the location so MistServer "knows" where it's running. That's what the x-mst-path header does by the way, fill in the Public address automatically.

I'll have to admit that I never use NPM myself as I just do the proxy forwards directly into the nginx config. So Michel is most likely correct in that you should be using http as a scheme and not https. I usually set up both so that it works under both http and https, but I wouldn't know how that is set up through NPM. 

image.png

Now by default MistServer does try 0.0.0.0 to bind, so it "should" have all interfaces if allowed, but it depends very much on your set up what is and isn't allowed. 

I can also confirm I'm getting a 502 on your entire https website ( https://tv.teknivalradio.com ) while I can access your direct address over HTTP ( http://146.59.226.85 ). I can also reach https://www.teknivalradio.com , however it gets forwarded to https://www.teknivalradio.co.uk/ . That doesn't have to be a problem, but I would assume it means there might be some extra settings/steps that you need to look at. It's also a good idea to double-check if your current certificate for teknivalradio.com allows sub-domains. 

With kind regards,

Balder Viëtor
Head of Testing

MistServer


jammin radio

May 20, 2024, 10:12:05 AM
to mists...@googlegroups.com
Hi guys thanks for the input. 
I think it’s an IP issue which I'll get to the bottom of with all your help 😁

jammin radio

May 20, 2024, 2:09:41 PM
to mists...@googlegroups.com

Ok guys, it's fully working
/Interface
/Mistserver
& stream preview in HTTPS via Nginx Proxy Manager 😁

Meta information

Tracks:
AudioTrack 1
Codec:AAC
Duration:00:00:53.754
00:00:06.362 to 00:01:00.116
Avg bitrate:41KiB/s
Peak bitrate:41.9KiB/s
Channels:2
Samplerate:44 100Hz
Language:unknown
Track index:1
VideoTrack 0
Codec:H264
Duration:00:00:51.633
00:00:08.478 to 00:00:60.111
Avg bitrate:37KiB/s
Peak bitrate:61.9KiB/s
Size:1280x720px
Framerate:30fps
Language:unknown
Track index:1
Has B-Frames:yes



Embed "teknivalradio"

Urls

Embed code

jammin radio

May 20, 2024, 2:23:00 PM
to mists...@googlegroups.com
Screenshot (3).png WORKING AS SHOULD!

Screenshot (4).png SETTINGS = MINE FOR REFERENCE
SET YOUR IP / ADDRESS



Screenshot (5).png TRUSTED PROXIES = Reference YOU NEED TO SET YOUR ADDRESSES

Screenshot (6).png ONLY ERROR = BUT FULLY FUNCTIONAL 


OK  1st STEP 
YOU must SET STREAMS in the NGINX PANEL 
YOU MUST be logged in as HTTPS for it to work / Preview

Screenshot (7).png

PROXY HOST SETTINGS 

Screenshot (8).png

NOW in the advanced TAB paste this 

BUT Change your IP 


    location /mistserver/ {
      # MistServer HTTP output (player, streams)
      proxy_pass http://localhost:8080/;
      proxy_set_header X-Real-IP $remote_addr;
      proxy_buffering off;
      proxy_http_version 1.1;
      # WebSocket upgrade support
      proxy_set_header Upgrade $http_upgrade;
      proxy_set_header Connection "Upgrade";
      proxy_read_timeout 600s;
      proxy_set_header Host YOUR_IP;  # replace YOUR_IP with your own address
      proxy_set_header X-Mst-Path "$scheme://$host/mistserver";
    }
    location /mistinterface/ {
      # MistServer management interface
      proxy_pass http://localhost:4242/;
      proxy_set_header X-Real-IP $remote_addr;
      proxy_buffering off;
      proxy_http_version 1.1;
      proxy_set_header Upgrade $http_upgrade;
      proxy_set_header Connection "Upgrade";
      proxy_read_timeout 600s;
      proxy_set_header Host YOUR_IP;  # replace YOUR_IP with your own address
    }

Enjoy


jammin radio

May 20, 2024, 5:49:58 PM
to mists...@googlegroups.com
Mon 20 May 2024, 22:48:45 WARN Host 172.21.0.2 is attempting to act as a proxy, but not trusted
Mon 20 May 2024, 22:48:45 WARN Host 172.21.0.2 is attempting to act as a proxy, but not trusted
Mon 20 May 2024, 22:48:45 WARN Host 172.21.0.2 is attempting to act as a proxy, but not trusted
Mon 20 May 2024, 22:48:45 WARN Host 172.21.0.2 is attempting to act as a proxy, but not trusted
Mon 20 May 2024, 22:48:42 WARN Host 172.21.0.2 is attempting to act as a proxy, but not trusted

jammin radio

May 20, 2024, 6:15:02 PM
to mists...@googlegroups.com
So you may remember I used to use Windows - flipped everything to Debian - this is the easiest way to SSL MistServer I've found ---
once you follow the steps I've said above --- very simple to do now I know how --- anyway just checked the push on new version, very simple -- bar some rtmps I need to add ? at the end...

Just a question: if I wanted to give my viewers the option of a lower quality too, is there a way to do this in Mist??

all the best rob

jammin radio

May 20, 2024, 6:16:01 PM
to mists...@googlegroups.com
same as HLS automated bandwidth adjustment??

Balder Vietor

May 24, 2024, 5:17:38 AM
to mists...@googlegroups.com
Hey there,

Gratz on getting it to work!
I'll have to check the proxy not trusted messages, looking at your settings it should've been trusted as the address is in the list. As you say it's working it must be an incorrect log message, but something to change nonetheless.

RTMP(S) + ?
Yes, this is because for MistServer the last "?" in a stream is used for track selector parameters. While RTMP does support multiple streams, most implementations of RTMP can only handle a single quality, thus selecting which track to send could be quite important. By default MistServer sends 1 audio and 1 video track, with a preference for the last added track. This could be something you need to be aware of when you have a source with multiple video/audio qualities.

Multiple video qualities  
Yes this can be done, but it requires an encoder to be installed, most common options (software-wise) are FFmpeg and Gstreamer. I would say that Gstreamer is better for live streams and FFmpeg tends to be better for VoD streams, however both are completely capable and valid choices. You can set these up through stream processes when you edit a stream. MKV-Exec allows you to use either version, MistServer will send Matroska video to the standard input of the command you're using and expects to receive Matroska back. A quick and dirty method for using FFmpeg would be:

    ffmpeg -loglevel quiet -hide_banner -fflags nobuffer -i - -c:v h264 -s 1280x720 -cluster_time_limit 0 -bf 0 -f matroska -

image.png

Then there's source selectors where you can determine what to pick, for example adding audio=none would make sure that there's no audio in the Matroska sent towards your encoder. Otherwise by default it would be sent.
Of course you could also simply pass an "-an" to your ffmpeg command to strip the audio on the ffmpeg side of things.

The only thing I would recommend is setting the source track mask to at least block processing tasks, otherwise multiple encodes could use each other for encoding and you generally only want to encode from the Source as it should get you better quality.

There's also the ffmpeg from the interface:
image.png
It's easier to use, but more restrictive in its usage, so you can do less things with it.

HLS adaptive bitrate 
Automatic adaptive bitrate in HLS is supported if the player and protocol support it. There's usually a few requirements like the keyframe interval should match between qualities and a specific version of HLS.
Other protocols like WebRTC can do this easier, but are more restrictive in codec choices. So it's always a bit win/lose.

I believe both HLS.js and videojs which are included in the meta-player are capable of automatic adaptive bitrate, the only requirement being a matching keyframe interval. For ffmpeg I know this can be enforced by adding a flag:

    -force_key_frames source

So using the example above you'd end up with something like:

    ffmpeg -loglevel quiet -hide_banner -fflags nobuffer -i - -c:v h264 -s 1280x720 -force_key_frames source -bf 0 -cluster_time_limit 0 -f matroska -

that should add a 1280x720 quality to which it can switch automatically. Though it would be somewhat behind on the live point as ffmpeg generally takes ~3 seconds to start generating the quality.

With kind regards,

Balder Viëtor
Head of Testing

MistServer
