Tags: nginx, http-live-streaming, rtmp, nginx-config

how to use authentication in nginx hls


# Main context: process-wide settings for the nginx master and worker processes.
# NOTE(review): "user root" runs the worker processes as root, so a flaw in HTTP
# or RTMP request handling would be exposed with full privileges. A dedicated
# unprivileged account with write access to hls_path is the safer choice; check
# the ownership of /data/live before changing it.
user root;
# "auto" sizes the worker pool from the number of CPU cores.
worker_processes auto;
error_log /var/log/nginx/error.log;
pid /run/nginx.pid;

# Pulls in module configuration snippets; presumably this is where the RTMP
# module that provides the rtmp {} block is loaded (verify on the host).
include /usr/share/nginx/modules/*.conf;

# Connection-processing settings: upper bound on the number of simultaneous
# connections a single worker process may hold open.
events {
    worker_connections 1024;
}

# RTMP ingest and playback, with HLS packaging of the published stream.
rtmp {
    server {
        # RTMP listener on port 8099 (not the protocol's usual 1935).
        listen 8099;
        application live {
            live on;
            # Write an HLS playlist and fragments for each published stream into
            # hls_path; the http {} server in this file serves that directory.
            hls on;
            hls_path /data/live/hls;
            # 1-second fragments with a 4-second playlist window.
            hls_playlist_length 4s;
            hls_fragment 1s;
            # HTTP callbacks issued by the RTMP module. on_publish and on_play gate
            # the session: a 2xx reply allows it, a 3xx reply redirects it, and
            # anything else drops the connection. The *_done hooks are
            # notifications sent when the publisher or player goes away.
            # These fire only for RTMP clients; HLS viewers fetch files over HTTP
            # and never trigger on_play / on_play_done.
            # NOTE(review): the callbacks target 127.0.0.1 port 80, while the only
            # http server shown listens on 9000 — presumably a separate service
            # handles them; verify, and confirm the on_publish handler really
            # rejects publishers it does not recognise.
            on_publish http://127.0.0.1/rtmp/publish;
            on_play http://127.0.0.1/rtmp/join;
            on_publish_done http://127.0.0.1/rtmp/close;
            on_play_done http://127.0.0.1/rtmp/leave;
        }
    }
}

# HTTP delivery of the HLS output written by the rtmp {} application.
http {
    server {
        listen  9000;
        # NOTE(review): nothing in this location restricts access, so any client
        # that can reach port 9000 can fetch the playlists and fragments.
        # The prefix match also covers URIs that merely start with "/hls"
        # (for example "/hlsx"); "location /hls/" would be tighter.
        location /hls {
            # MIME types for HLS playlists and MPEG-TS fragments.
            types {
                application/vnd.apple.mpegurl m3u8;
                video/mp2t ts;
            }
            # With "root", /hls/<file> maps to /data/live/hls/<file>, i.e. hls_path.
            root /data/live;
            # Clients must revalidate before reusing a cached playlist or fragment.
            add_header Cache-Control no-cache;
            # Lets pages from any origin read the stream in a browser player.
            # Without the "always" flag, add_header is only applied to successful
            # and redirect responses, not to error responses.
            add_header 'Access-Control-Allow-Origin' '*';
        }
    }
}

When I watch the video over RTMP, nginx calls the on_play callback (http://127.0.0.1/rtmp/join), and when I leave, it calls on_play_done.

But how can I get the on_play and on_play_done callbacks when the video is watched over HLS?


Solution

  • You can't use on_play and on_play_done with HLS, because once the stream is converted to HLS it is delivered to viewers as plain HTTP requests rather than as an RTMP session. The solution is to use ngx_http_auth_request_module; with that in mind, your configuration should look something like this:

    # Main context: process-wide settings for the nginx master and workers.
    # NOTE(review): "user root" makes the worker processes run as root, so a
    # flaw in HTTP or RTMP request handling would be exposed with full
    # privileges. Prefer a dedicated unprivileged account that can write to
    # hls_path; check the ownership of /data/live before changing it.
    user root;
    # "auto" sizes the worker pool from the number of CPU cores.
    worker_processes auto;
    error_log /var/log/nginx/error.log;
    pid /run/nginx.pid;
    
    # Pulls in module configuration snippets; presumably the RTMP module and
    # the auth_request module (when built as dynamic modules) are loaded from
    # here — verify on the host.
    include /usr/share/nginx/modules/*.conf;
    
    # Connection-processing settings: upper bound on the number of
    # simultaneous connections a single worker process may hold open.
    events {
        worker_connections 1024;
    }
    
    # RTMP ingest and playback, with HLS packaging of the published stream.
    # This block is unchanged from the question; the access check for HLS
    # viewers is done in the http {} block, not here.
    rtmp {
        server {
            # RTMP listener on port 8099 (not the protocol's usual 1935).
            listen 8099;
            application live {
                live on;
                # Write an HLS playlist and fragments for each published stream
                # into hls_path, which the http {} server exposes under /hls.
                hls on;
                hls_path /data/live/hls;
                # 1-second fragments with a 4-second playlist window.
                hls_playlist_length 4s;
                hls_fragment 1s;
                # HTTP callbacks issued by the RTMP module. on_publish and
                # on_play gate the session: a 2xx reply allows it, a 3xx reply
                # redirects it, and anything else drops the connection. The
                # *_done hooks are notifications only.
                # They apply to RTMP clients only and are never triggered by
                # HLS requests.
                # NOTE(review): the callbacks target 127.0.0.1 port 80, while
                # the only http server shown listens on 9000 — presumably a
                # separate service handles them; verify.
                on_publish http://127.0.0.1/rtmp/publish;
                on_play http://127.0.0.1/rtmp/join;
                on_publish_done http://127.0.0.1/rtmp/close;
                on_play_done http://127.0.0.1/rtmp/leave;
             }
        }
    }
    
    # HTTP delivery of the HLS output, gated by an authorization subrequest.
    http {
        server {
            listen  9000;
            location /hls {
                # Every request under /hls (each playlist refresh and each
                # fragment) first triggers a subrequest to /auth. A 2xx reply
                # allows the request, 401/403 is returned to the client, and
                # any other status is treated as an error, so an unreachable
                # auth service fails closed.
                # NOTE(review): there is no per-session start/stop event here,
                # so this does not reproduce on_play_done; viewer tracking
                # would have to be derived by the auth service from the
                # requests it sees.
                auth_request /auth;
                # MIME types for HLS playlists and MPEG-TS fragments.
                types {
                    application/vnd.apple.mpegurl m3u8;
                    video/mp2t ts;
                }
                # With "root", /hls/<file> maps to /data/live/hls/<file>.
                root /data/live;
                # Clients must revalidate before reusing a cached file.
                add_header Cache-Control no-cache;
                # NOTE(review): without the "always" flag this header is not
                # added to 401/403 responses, and browsers do not accept a
                # wildcard origin on cross-origin requests that carry cookies.
                # Both matter if the player runs on another origin; confirm
                # how viewers present their credential.
                add_header 'Access-Control-Allow-Origin' '*';
            }
            location = /auth {
                # "internal" keeps clients from requesting /auth directly;
                # it is reachable only through the auth_request subrequest.
                internal;
                proxy_pass http://auth-server; # -- replace with your auth server uri
                # The auth service decides from request metadata only, so the
                # body is dropped and Content-Length is cleared to match.
                proxy_pass_request_body off;
                proxy_set_header        Content-Length "";
                # Original URI including the query string, so the auth service
                # can tell which stream is being requested. The client's
                # request headers (e.g. Cookie, Authorization) are forwarded
                # by default.
                # NOTE(review): the service must validate an actual credential,
                # not just the path; if that credential is a query-string
                # token, remember it will also appear in access logs.
                proxy_set_header        X-Original-URI $request_uri;
            }
        }
    }
    

    If the subrequest to the auth server returns a 2xx response code, access is allowed; if it returns 401 or 403, access is denied. This is basically the same as on_play, except that the check runs on every playlist and fragment request rather than once per session.