kaltura/platform-install-packages

Nginx Streaming config instructions potentially dangerous

Closed this issue · 4 comments

The config instructions for nginx are leading to a potentially dangerous situation - the streaming server is not secured in any way and may be abused by anybody. This may generate massive costs for incoming bandwidth, but it may also allow anybody to overwrite a live stream.

Please provide instructions for users how they can protect their streaming server.

And at least put a warning into this document - this is a bad trap!

Hello,

I am not sure what you are referring to. The kaltura-nginx package provided in the CE repos makes use of multiple FOSS modules (all noted in the documentation and the package spec, which is also FOSS). Furthermore, in the very doc you've referenced, there's a section that pertains to applying access restrictions:
https://github.com/kaltura/platform-install-packages/blob/Propus-16.3.0/doc/nginx-rtmp-live-streaming.md#additional-nginx-rtmp-configuration

If there are specific concerns you wish to share, go right ahead. Also, as this is a FOSS project (licensed under AGPLv3), you are welcome to submit a pull request with additional hardening instructions. I'll be glad to review it and merge, should you choose to do so.

Closing due to lack of feedback. You may reopen if you wish to provide additional information as per what I wrote in my last response.

Please have more patience and do not close tickets after a few days - other things are happening in this world, too.

You are linking in your docs only to very basic IP-based access restrictions that come with the nginx streaming module - that is not an acceptable solution for real-world usage. If you do not protect the incoming stream with a username / password, everybody can overwrite your stream - I am not sure I can see this protection happening anywhere in the Kaltura code; if it exists, it would be very kind if you could point me to it, thank you! Which authentication methods are supported?

If no username / password restrictions come with the default install - does this mean that all users of your software are probably offering public streaming endpoints that might be [ab]used by anybody?

As noted previously, we do not alter the Nginx RTMP module in any way that's related to security. You are expected to protect your Nginx server (as well as all other third party software utilised as part of Kaltura CE) using standard means (FW rules, access control, etc). The Nginx RTMP module's documentation can be found in the link referenced from the doc already mentioned and you'd be well advised to review it.

As I also said, if you wish to contribute documentation, you are free to do so and your contribution will be reviewed.
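As an added, defender-side illustration (not part of this thread, the kaltura-nginx package, or the Kaltura docs) of how the nginx-rtmp module's `on_publish` callback can require a per-stream publish key on top of IP-based allow/deny rules; the callback port, endpoint path and stream keys are assumed sample values:

```python
# nginx-rtmp's `on_publish` directive POSTs form-encoded fields (app, name, addr, ...)
# plus any query-string arguments from the publish URL to an HTTP endpoint; a 2xx
# response lets the publish proceed, anything else makes nginx drop the publisher.
# Stream keys below are constructed sample values, not real credentials.
import hmac
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import parse_qs

# Assumed key store: stream name -> secret publish key (a DB or secret store in practice).
STREAM_KEYS = {"event1": "k3y-for-event1", "event2": "k3y-for-event2"}


def authorize_publish(form: dict) -> bool:
    """Return True only if the publisher presented the correct key for this stream name.

    `form` maps field names to lists, as urllib.parse.parse_qs produces. A publisher
    pushes to rtmp://host/live/event1?key=... and nginx-rtmp forwards `key` here.
    """
    name = form.get("name", [""])[0]
    key = form.get("key", [""])[0]
    expected = STREAM_KEYS.get(name)
    if expected is None or not key:
        return False
    # Constant-time comparison so the check does not leak key bytes via timing.
    return hmac.compare_digest(expected.encode(), key.encode())


class PublishAuthHandler(BaseHTTPRequestHandler):
    def do_POST(self):
        length = int(self.headers.get("Content-Length", 0))
        form = parse_qs(self.rfile.read(length).decode("utf-8", "replace"))
        # 204 = allow the publish; 403 = nginx-rtmp rejects the publisher.
        self.send_response(204 if authorize_publish(form) else 403)
        self.end_headers()


def serve(port: int = 8081) -> None:
    # Matching nginx side, inside the rtmp `application` block (assumed path/port):
    #     on_publish http://127.0.0.1:8081/auth;
    # IP-based `allow publish` / `deny publish` rules can still be layered on top.
    HTTPServer(("127.0.0.1", port), PublishAuthHandler).serve_forever()


if __name__ == "__main__":
    serve()
```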