CDN Stream Publishing Authentication
Overview of Stream Publishing Authentication
To prevent attackers from stealing your publishing stream URL address to use elsewhere, or forging your server to generate publishing stream URL addresses, resulting in traffic loss, you can configure Stream Publishing Authentication through the ZEGO Console. After enabling authentication, you need to splice relevant authentication parameters in the publishing stream URL address, otherwise you cannot publish streams.
- After you configure
Stream Publishing Authenticationfrom the ZEGO Console, please keep KEY properly and do not disclose it easily to prevent attackers from obtaining it and causing losses. - If you are RTC relaying to CDN or stream mixing relaying to CDN, ZEGO servers will automatically generate and splice URL address parameters for you, and you do not need to generate them yourself; if you are publishing streams through a third-party platform, you need to generate and splice relevant parameters yourself.
When using, please refer to the following documents for configuration based on your AppID's main business region.
- If the AppID's main business region is
Mainland China, please refer to Tencent Cloud Authentication Description or Huawei Cloud Authentication Description. - If the AppID's main business region is
Hong Kong, Macao, Taiwan, or Overseas, please refer to Wangsu Cloud Authentication Description.
Tencent Cloud Authentication Description
After enabling Stream Publishing Authentication, the complete publishing stream address is as follows:
Among them, "domain" and "access point" can be obtained at "Console > Project Details > Service Configuration > CDN Service > CDN Related Addresses".
1 Generate Authentication Key
Please go to the ZEGO Console, find Authentication Configuration in your "Project Configuration > Service Configuration", enable it, and configure or automatically generate the publishing stream authentication KEY in the pop-up dialog.
Among them, the primary KEY is required and the backup KEY is optional. We recommend that you configure both the primary KEY and the backup KEY. If the primary KEY is leaked, you can smoothly switch to the backup KEY without affecting your business use.
2 Generate txTime
txTime refers to the validity period of the publishing stream URL address.
For example, if the current time is 2018-12-29 11:13:45 and you expect the newly generated URL to expire after 3 hours, then:
- txTime can be set to 2018-12-29 14:13:45.
- Then convert the time to Unix timestamp format (i.e., 1546064025).
- Then convert to hexadecimal to further compress the character length, getting txTime = 5c271099 (hexadecimal).
3 Generate txSecret
The generation method of txSecret is txSecret = MD5(KEY + StreamName + txTime).
Where:
- KEY: refers to the encryption KEY you configured in Generate Authentication Key.
- StreamName: stream name, user-defined, used to identify the live stream.
- txTime: refers to the txTime you generated in Generate txTime.
- MD5: standard MD5 one-way irreversible hash algorithm.
4 Get URL Address
After completing the above steps, the final address is as follows (example address, this address is only for format reference, please do not use directly online):
rtmp://push-tencent1.zego.im/live/123?txSecret=235cec79bf9483439762ddfd491387e2&txTime=5c271099Wangsu Cloud Authentication Description
After enabling Stream Publishing Authentication, the complete publishing stream address is as follows:
Among them, "domain" and "access point" can be obtained at "Console > Project Details > Service Configuration > CDN Service > CDN Related Addresses".
1 Generate Authentication Key
Please go to the ZEGO Console, find Authentication Configuration in your "Project Configuration > Service Configuration", enable it, and configure or automatically generate the publishing stream authentication KEY in the pop-up dialog.
Among them, the primary KEY is required and the backup KEY is optional. We recommend that you configure both the primary KEY and the backup KEY. If the primary KEY is leaked, you can smoothly switch to the backup KEY without affecting your business use.
2 Generate wsABStime
wsABStime refers to the validity period of the publishing stream URL address.
For example, if the current time is 2018-12-29 11:13:45 and you expect the newly generated URL to expire after 3 hours, then:
- wsABStime can be set to 2018-12-29 14:13:45.
- Then convert the time to Unix timestamp format (i.e., 1546064025).
- Then convert to hexadecimal to further compress the character length, getting wsABStime = 5C271099 (hexadecimal).
3 Generate wsSecret
The generation method of wsSecret is wsSecret = MD5(wsABStime + StreamName + KEY).
Where:
- wsABStime: refers to the wsABStime you generated in Generate wsABStime, such as 5C271099.
- StreamName: path, format is "/access point/streamID", such as /live/streamid123.
- KEY: refers to the encryption KEY you configured in Generate Authentication Key, such as KEY123.
- MD5: standard MD5 one-way irreversible hash algorithm.
That is, wsSecret = MD5(5C271099/live/streamid123KEY123)
4 Get URL Address
After completing the above steps, the final address is as follows (example address, this address is only for format reference, please do not use directly online):
rtmp://push-ws1.zego.im/live/123?wsSecret=235cec79bf9483439762ddfd491387e2&wsABStime=5C271099Huawei Cloud Authentication Description
After enabling Stream Publishing Authentication, the complete publishing stream address is as follows:
Among them, "domain" and "access point" can be obtained at "Console > Project Details > Service Configuration > CDN Service > CDN Related Addresses".
1 Obtain Authentication Key
Please contact ZEGOCLOUD Technical Support to configure relevant permissions for Huawei Cloud CDN publishing stream authentication and obtain the authentication key.
2 Generate hwTime
hwTime refers to the validity period of the publishing stream URL address.
For example, if the current time is 2018-12-29 11:13:45 and you expect the newly generated URL to expire after 3 hours, then:
- hwTime can be set to 2018-12-29 14:13:45.
- Then convert the time to Unix timestamp format (i.e., 1546064025).
- Then convert to hexadecimal to further compress the character length, getting hwTime = 5c271099 (hexadecimal).
3 Generate hwSecret
The generation method of hwSecret is hwSecret = hmac_sha256(KEY, StreamName + hwTime).
Where:
- KEY: refers to the authentication key you obtained in Obtain Authentication Key.
- StreamName: stream name, user-defined, used to identify the live stream.
- hwTime: refers to the hwTime you generated in Generate hwTime.
- hmac_sha256: HMAC-SHA256 encryption algorithm.
4 Get URL Address
After completing the above steps, the final address is as follows (example address, this address is only for format reference, please do not use directly online):
rtmp://push-huawei1.zego.im/live/123?hwSecret=ce201856a0957413319e883c8ccae13602f01d3d91e21daf5161964cf708a6a8&hwTime=5c271099Sample Code for Generating Authentication Parameters
The following is the unified authentication parameter generation sample code supporting three providers (Tencent Cloud, Wangsu Cloud, Huawei Cloud):
package main
import (
"crypto/hmac"
"crypto/md5"
"crypto/sha256"
"fmt"
"time"
)
// AuthResult Authentication result
type AuthResult struct {
Secret string // Authentication key
Time string // Time parameter
URL string // Complete publishing stream URL
}
// GenerateCDNAuth Generate CDN authentication parameters
func GenerateCDNAuth(provider, key, streamName string, expireHours int) (*AuthResult, error) {
// 1. Generate expiration timestamp (hexadecimal)
expireTime := time.Now().Add(time.Duration(expireHours) * time.Hour).Unix()
timeHex := fmt.Sprintf("%x", expireTime)
var secret, timeParam, url string
switch provider {
case "tencent":
// Tencent Cloud: txSecret = MD5(KEY + StreamName + txTime)
data := key + streamName + timeHex
hash := md5.Sum([]byte(data))
secret = fmt.Sprintf("%x", hash)
timeParam = timeHex
url = fmt.Sprintf("rtmp://push-tencent1.zego.im/live/%s?txSecret=%s&txTime=%s",
streamName, secret, timeParam)
case "wangsu":
// Wangsu Cloud stream name needs to include access point /live/ prefix
// Wangsu Cloud: wsSecret = MD5(wsABStime + StreamName + KEY)
timeParam = strings.ToUpper(timeHex)
data := timeParam + "/live/" + streamName + key
hash := md5.Sum([]byte(data))
secret = fmt.Sprintf("%x", hash)
url = fmt.Sprintf("rtmp://push-ws1.zego.im/live/%s?wsSecret=%s&wsABStime=%s",
streamName, secret, timeParam)
case "huawei":
// Huawei Cloud: hwSecret = hmac_sha256(KEY, StreamName + hwTime)
data := streamName + timeHex
h := hmac.New(sha256.New, []byte(key))
h.Write([]byte(data))
secret = fmt.Sprintf("%x", h.Sum(nil))
timeParam = timeHex
url = fmt.Sprintf("rtmp://push-huawei1.zego.im/live/%s?hwSecret=%s&hwTime=%s",
streamName, secret, timeParam)
default:
return nil, fmt.Errorf("Unsupported provider: %s", provider)
}
return &AuthResult{
Secret: secret,
Time: timeParam,
URL: url,
}, nil
}
func main() {
// Example parameters
key := "your_auth_key" // Authentication key
streamName := "123" // Stream name
expireHours := 3 // Expire after 3 hours
// Generate Tencent Cloud authentication
if result, err := GenerateCDNAuth("tencent", key, streamName, expireHours); err == nil {
fmt.Printf("Tencent Cloud - Secret: %s, Time: %s\n", result.Secret, result.Time)
fmt.Printf("Tencent Cloud - URL: %s\n\n", result.URL)
}
// Generate Wangsu Cloud authentication
if result, err := GenerateCDNAuth("wangsu", key, streamName, expireHours); err == nil {
fmt.Printf("Wangsu Cloud - Secret: %s, Time: %s\n", result.Secret, result.Time)
fmt.Printf("Wangsu Cloud - URL: %s\n\n", result.URL)
}
// Generate Huawei Cloud authentication
if result, err := GenerateCDNAuth("huawei", key, streamName, expireHours); err == nil {
fmt.Printf("Huawei Cloud - Secret: %s, Time: %s\n", result.Secret, result.Time)
fmt.Printf("Huawei Cloud - URL: %s\n", result.URL)
}
}