The open source service lalserver supports multiple authentication and anti-leech methods

lalserver is a streaming media server developed in pure Golang. Currently RTMP, RTSP (RTP/RTCP), HLS, HTTP[S]/WebSocket[S]-FLV/TS protocols are supported.

Currently, multiple authentication and anti-leech methods are supported.

lal github address : https://github.com/q191201771/lal

▌ Method 1. Authentication parameter with fixed value

First, modify the configuration file as follows:

"conf_version": "v0.2.6",
...
"simple_auth": {
    "key": "q191201771",              // 私有key，计算鉴权参数时使用
    "dangerous_lal_secret": "pengrl", // 后门鉴权参数，所有的流可通过该参数值鉴权
    "pub_rtmp_enable": true,          // rtmp推流是否开启鉴权，true为开启鉴权，false为不开启鉴权
    "sub_rtmp_enable": true,          // rtmp拉流是否开启鉴权
    "sub_httpflv_enable": true,       // httpflv拉流是否开启鉴权
    "sub_httpts_enable": true,        // httpts拉流是否开启鉴权
    "pub_rtsp_enable": true,          // rtsp推流是否开启鉴权
    "sub_rtsp_enable": true,          // rtsp拉流是否开启鉴权
    "hls_m3u8_enable": true           // m3u8拉流是否开启鉴权
}
...

The configurations of mode 1 and mode 2 are managed under configuration item simple_auth :

• The fields at the beginning of pub and sub determine whether each protocol enables authentication
• dangerous_lal_secret is the value of the authentication parameter
• key is used in the following method 2. I don't care about for the time being

For example, when the authentication function is not enabled, the url for pushing the rtmp stream is rtmp://127.0.0.1:8080/live/test110

After opening, the business side push url is changed to

rtmp://127.0.0.1:8080/live/test110?lal_secret=pengrl

Among them, lal_secret is the authentication signature parameter, the name is fixed, and the value is also fixed, corresponding to the value of dangerous_lal_secret in the configuration file.

In this authentication method, all flows use the same authentication parameter value.

▌ Method 2. Authentication parameters of MD5 signature

First of all, still modify the configuration file (see the description in Method 1 above):

• Fields beginning with pub and sub determine whether each protocol enables authentication
• key for MD5 signature

For example, when the authentication function is not enabled, the url of the push rtmp stream is rtmp://127.0.0.1:8080/live/test110

After opening, the business side push url is changed to

rtmp://127.0.0.1:8080/live/test110?lal_secret=700997e1595a06c9ffa60ebef79105b0

where lal_secret is the authentication signature parameter, the name is fixed, and the calculation formula of the value is

md5 (simple_auth::key in config file + stream name)

The calculation method corresponding to the above example is

md5("q191201771test110")

Go, C++ code and command line, web tools how to calculate MD5 see: Use tools or code to generate MD5 - Renliang Notes

In this authentication mode, different stream names correspond to different authentication parameters.

Note that method 1 and method 2 can be used at the same time. If the value of lal_secret satisfies any calculation method, the authentication can be passed.

▌ Method 3. Interact with the business side service and customize the authentication method freely

The general logic is that when lalserver receives a push or pull request, it uses http callback to notify the service of the business side.

The service of the business party determines whether the push or pull request is legal according to its own logic.

If it is illegal, use the http api interface provided by lalserver to kick the request.


Related documents:

• lalserver HTTP Notify event callback
• lalserver HTTP API interface

Third Party Documentation

• https://help.aliyun.com/document_detail/199349.html
• https://cloud.tencent.com/document/product/267/32735
• https://www.wangsu.com/document/99/171?rsr=ws