Securing Your Streams

LiveGo provides several mechanisms to control access and secure your streaming server.

Stream Keys

The primary method for controlling who can publish a stream is the channelkey system. Instead of publishing to a predictable URL like rtmp://.../live/my_stream, the publisher must use a secret key.

  • Obtaining a Key: A key is generated or retrieved via the /control/get?room=<stream_name> API endpoint.
  • Publishing: The publisher uses this key as the stream name in the RTMP URL.
  • Playback: Viewers use the public stream_name to watch the stream.

Because the public stream name alone is not enough to publish, an unauthorized user who guesses it cannot hijack your broadcast.

JWT Authentication for the API

The control API can be secured using JSON Web Tokens (JWT). When enabled, all API requests must include a valid JWT.

This feature was added in a recent version, as noted in the CHANGELOG.md.

Configuration (livego.yaml):

To enable JWT, add a jwt block to your configuration file:

jwt:
  secret: "your-very-secret-key"
  algorithm: "HS256"

server:
  - appname: live
    live: true
    hls: true
    api: true

  • secret: A secret string used to sign and validate tokens.
  • algorithm: The signing algorithm (e.g., HS256, HS384, HS512). HS256 is a common choice.

Making Authenticated Requests:

Once enabled, you must include the token in your API calls. The server checks for the token in two places:

  1. The Authorization header (Bearer <token>)
  2. A URL query parameter named jwt

Example using curl with a query parameter:

# Assume $TOKEN contains your valid JWT
curl "http://localhost:8090/control/get?room=my_stream&jwt=$TOKEN"
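
The Authorization header option listed above, as an added Go example that is not LiveGo's own code or part of the original page: it signs an HS256 token with the configured secret and sends it as a Bearer header, which keeps the token out of the request URL and so out of access logs. The function names and the single exp claim are assumptions; the page does not list which claims LiveGo requires.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
	"fmt"
	"net/http"
	"net/url"
	"strings"
	"time"
)

var b64 = base64.RawURLEncoding

// mac returns the base64url HMAC-SHA256 of the JWT signing input.
func mac(secret []byte, input string) string {
	h := hmac.New(sha256.New, secret)
	h.Write([]byte(input))
	return b64.EncodeToString(h.Sum(nil))
}

// SignHS256 builds a compact JWT (header.payload.signature) with only "exp".
func SignHS256(secret []byte, exp time.Time) string {
	payload := fmt.Sprintf(`{"exp":%d}`, exp.Unix())
	input := b64.EncodeToString([]byte(`{"alg":"HS256","typ":"JWT"}`)) + "." + b64.EncodeToString([]byte(payload))
	return input + "." + mac(secret, input)
}

// VerifyHS256 checks only the signature, comparing in constant time.
func VerifyHS256(secret []byte, token string) bool {
	i := strings.LastIndex(token, ".")
	return strings.Count(token, ".") == 2 && hmac.Equal([]byte(mac(secret, token[:i])), []byte(token[i+1:]))
}

// ControlRequest targets /control/get and puts the token in a Bearer header.
func ControlRequest(base, room, token string) (*http.Request, error) {
	req, err := http.NewRequest(http.MethodGet, base+"/control/get?room="+url.QueryEscape(room), nil)
	if err == nil {
		req.Header.Set("Authorization", "Bearer "+token)
	}
	return req, err
}

func main() {
	secret := []byte("your-very-secret-key") // placeholder value from the config above
	tok := SignHS256(secret, time.Now().Add(5*time.Minute)) // assumed claim: short-lived "exp"
	req, _ := ControlRequest("http://localhost:8090", "my_stream", tok)
	fmt.Println(req.Method, req.URL, VerifyHS256(secret, tok))
}
```

Pass the returned request to http.DefaultClient.Do to call a running server; a short exp limits how long a leaked token stays usable.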

Centralized Key Management with Redis

By default, LiveGo stores stream keys in memory using go-cache. For a more robust, multi-server setup, you can configure LiveGo to use Redis as a central store for stream keys.

Configuration (livego.yaml):

redis_addr: "localhost:6379"
redis_pwd: "your-redis-password" # Optional

server:
  - appname: live
    live: true
    hls: true

When redis_addr is set, LiveGo will connect to the specified Redis instance to store and retrieve all stream keys, ensuring consistency across multiple LiveGo instances.

Secure RTMP (RTMPS)

LiveGo supports RTMPS for encrypted stream ingest over TLS.

Configuration (livego.yaml):

To enable RTMPS, you need to provide a TLS certificate and key file and set enable_rtmps to true.

# RTMP Options
rtmp_addr: ":1935"

# RTMPS Options
enable_rtmps: true
rtmps_cert: server.crt
rtmps_key: server.key

  • enable_rtmps: Set to true to enable the RTMPS listener.
  • rtmps_cert: Path to your TLS certificate file.
  • rtmps_key: Path to your TLS private key file.

The RTMPS server will listen on the same port as rtmp_addr. Your encoder should be configured to connect using the rtmps:// protocol scheme.