red5 security crossdomain.xml

I can’t seem to figure how to keep people from using our media server to stream.  It seems like anyone can just put in rmtp://server/oflaDemo and use your server to stream.  I created a crossdomain file but that doesn’t seem to stop anyone.

 

 

_______________________________________________
Red5 mailing list
Red5@...
http://osflash.org/mailman/listinfo/red5_osflash.org

I have the following in mine but I can still play videos from other sites like longtailvideo.com.

 

<?xml version="1.0"?>

<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">

<cross-domain-policy>

                <allow-access-from domain="*.mysite.com" />

                <allow-access-from domain="localhost" to-ports="20-65535"/>

                <allow-access-from domain="*.local" to-ports="20-65535"/>

</cross-domain-policy>

 

From: red5-bounces@... [mailto:red5-bounces@...] On Behalf Of Tyler Kocheran
Sent: Monday, March 23, 2009 7:16 PM
To: red5@...
Subject: Re: [Red5] red5 security crossdomain.xml

 

Does Red5 allow a developer to see which domain the SWF file is hosted at/requesting a connection from? I remember FMS 'coming out' with this feature a while back.

The crossdomain specification is an interesting one with lots of different caveats. Basically, only allow ports and domains you trust for the most security, ie:
<allow-access-from domain="mysecuresite.com"/>
Would only allow SWFs hosted on mysecuresite.com to access your server. You can go even further to only allow people to connect to Red5 if they're hosted on a certain domain and requesting access over a certain port.

With it, you should be able to secure down your server. Here's a link for some documentation on crossdomain policy files:
http://www.adobe.com/devnet/articles/crossdomain_policy_file_spec.html

2009/3/23 AMP Admin <admin@...>

I can’t seem to figure how to keep people from using our media server to stream.  It seems like anyone can just put in rmtp://server/oflaDemo and use your server to stream.  I created a crossdomain file but that doesn’t seem to stop anyone.

 

 

_______________________________________________
Red5 mailing list
Red5@...
http://osflash.org/mailman/listinfo/red5_osflash.org

--
And do this, knowing the time, that now it is high time to awake out of sleep;
for now our salvation is nearer than when we first believed.

_______________________________________________
Red5 mailing list
Red5@...
http://osflash.org/mailman/listinfo/red5_osflash.org

It’s like it’s not even reading the crossdomain.xml because I created a deny-all policy and all servers can still stream just fine.

 

<?xml version="1.0"?>

<cross-domain-policy>

 

</cross-domain-policy>

 

From: red5-bounces@... [mailto:red5-bounces@...] On Behalf Of Tyler Kocheran
Sent: Monday, March 23, 2009 7:50 PM

To: red5@...
Subject: Re: [Red5] red5 security crossdomain.xml

 

You'll be able to stream videos from them just fine, but they won't be able to stream from you. If you've got a couple domains handy, do something like this:
1 Put a SWF up on Domain A which simply connects to "rtmp://domain_b/myapp/" when it runs.
2 Edit your Red5 crossdomain policy file to only allow connections from Domain B.
3 Put the same SWF on Domain A on Domain B.
4 Run both of the SWF's, seeing which one succeeded. If they're both still connecting, mess with your crossdomain policy file until you've got it squared away!

2009/3/23 AMP Admin <admin@...>

I have the following in mine but I can still play videos from other sites like longtailvideo.com.

 

<?xml version="1.0"?>

<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">

<cross-domain-policy>

                <allow-access-from domain="*.mysite.com" />

                <allow-access-from domain="localhost" to-ports="20-65535"/>

                <allow-access-from domain="*.local" to-ports="20-65535"/>

</cross-domain-policy>

 

From: red5-bounces@... [mailto:red5-bounces@...] On Behalf Of Tyler Kocheran
Sent: Monday, March 23, 2009 7:16 PM
To: red5@...
Subject: Re: [Red5] red5 security crossdomain.xml

 

Does Red5 allow a developer to see which domain the SWF file is hosted at/requesting a connection from? I remember FMS 'coming out' with this feature a while back.

The crossdomain specification is an interesting one with lots of different caveats. Basically, only allow ports and domains you trust for the most security, ie:
<allow-access-from domain="mysecuresite.com"/>
Would only allow SWFs hosted on mysecuresite.com to access your server. You can go even further to only allow people to connect to Red5 if they're hosted on a certain domain and requesting access over a certain port.

With it, you should be able to secure down your server. Here's a link for some documentation on crossdomain policy files:
http://www.adobe.com/devnet/articles/crossdomain_policy_file_spec.html

2009/3/23 AMP Admin <admin@...>

I can’t seem to figure how to keep people from using our media server to stream.  It seems like anyone can just put in rmtp://server/oflaDemo and use your server to stream.  I created a crossdomain file but that doesn’t seem to stop anyone.

 

 

_______________________________________________
Red5 mailing list
Red5@...
http://osflash.org/mailman/listinfo/red5_osflash.org

--
And do this, knowing the time, that now it is high time to awake out of sleep;
for now our salvation is nearer than when we first believed.

_______________________________________________
Red5 mailing list
Red5@...
http://osflash.org/mailman/listinfo/red5_osflash.org

--
And do this, knowing the time, that now it is high time to awake out of sleep;
for now our salvation is nearer than when we first believed.

_______________________________________________
Red5 mailing list
Red5@...
http://osflash.org/mailman/listinfo/red5_osflash.org

Wait… is this the wrong location!?

/opt/red5/webapps/root/crossdomain.xml

 

From: red5-bounces@... [mailto:red5-bounces@...] On Behalf Of Tyler Kocheran
Sent: Tuesday, March 24, 2009 11:30 AM

To: red5@...
Subject: Re: [Red5] red5 security crossdomain.xml

 

You're editing the one in the conf directory, correct?
If it's not being read, then you'll have to talk to some of the other guys who do the work of serving it up for clients. Is it being served only by tomcat on 5080? Try this: put the crossdomain.xml file at the root of your domain name, outside of Red5.

2009/3/24 AMP Admin <admin@...>

It’s like it’s not even reading the crossdomain.xml because I created a deny-all policy and all servers can still stream just fine.

 

<?xml version="1.0"?>

<cross-domain-policy>

 

</cross-domain-policy>

 

From: red5-bounces@... [mailto:red5-bounces@...] On Behalf Of Tyler Kocheran
Sent: Monday, March 23, 2009 7:50 PM

To: red5@...
Subject: Re: [Red5] red5 security crossdomain.xml

 

You'll be able to stream videos from them just fine, but they won't be able to stream from you. If you've got a couple domains handy, do something like this:
1 Put a SWF up on Domain A which simply connects to "rtmp://domain_b/myapp/" when it runs.
2 Edit your Red5 crossdomain policy file to only allow connections from Domain B.
3 Put the same SWF on Domain A on Domain B.
4 Run both of the SWF's, seeing which one succeeded. If they're both still connecting, mess with your crossdomain policy file until you've got it squared away!

2009/3/23 AMP Admin <admin@...>

I have the following in mine but I can still play videos from other sites like longtailvideo.com.

 

<?xml version="1.0"?>

<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">

<cross-domain-policy>

                <allow-access-from domain="*.mysite.com" />

                <allow-access-from domain="localhost" to-ports="20-65535"/>

                <allow-access-from domain="*.local" to-ports="20-65535"/>

</cross-domain-policy>

 

From: red5-bounces@... [mailto:red5-bounces@...] On Behalf Of Tyler Kocheran
Sent: Monday, March 23, 2009 7:16 PM
To: red5@...
Subject: Re: [Red5] red5 security crossdomain.xml

 

Does Red5 allow a developer to see which domain the SWF file is hosted at/requesting a connection from? I remember FMS 'coming out' with this feature a while back.

The crossdomain specification is an interesting one with lots of different caveats. Basically, only allow ports and domains you trust for the most security, ie:
<allow-access-from domain="mysecuresite.com"/>
Would only allow SWFs hosted on mysecuresite.com to access your server. You can go even further to only allow people to connect to Red5 if they're hosted on a certain domain and requesting access over a certain port.

With it, you should be able to secure down your server. Here's a link for some documentation on crossdomain policy files:
http://www.adobe.com/devnet/articles/crossdomain_policy_file_spec.html

2009/3/23 AMP Admin <admin@...>

I can’t seem to figure how to keep people from using our media server to stream.  It seems like anyone can just put in rmtp://server/oflaDemo and use your server to stream.  I created a crossdomain file but that doesn’t seem to stop anyone.

 

 

_______________________________________________
Red5 mailing list
Red5@...
http://osflash.org/mailman/listinfo/red5_osflash.org

--
And do this, knowing the time, that now it is high time to awake out of sleep;
for now our salvation is nearer than when we first believed.

_______________________________________________
Red5 mailing list
Red5@...
http://osflash.org/mailman/listinfo/red5_osflash.org

--
And do this, knowing the time, that now it is high time to awake out of sleep;
for now our salvation is nearer than when we first believed.

_______________________________________________
Red5 mailing list
Red5@...
http://osflash.org/mailman/listinfo/red5_osflash.org

--
And do this, knowing the time, that now it is high time to awake out of sleep;
for now our salvation is nearer than when we first believed.

_______________________________________________
Red5 mailing list
Red5@...
http://osflash.org/mailman/listinfo/red5_osflash.org

pretty sure a crossdomain.xml has to go at
http://myserver.com/crossdomain.xml otherwise flash doesn't read it..

or you can specify the location of the crossdomain through Actionscript.

_______________________________________________
Red5 mailing list
Red5@...
http://osflash.org/mailman/listinfo/red5_osflash.org

It looks like conf/flashpolicy.xml did the trick!!!!!!

 

You people rock!!

 

Now if I can figure out why I keep seeing [ERROR] [pool-4-thread-4] org.red5.server.service.ServiceInvoker - Method checkBandwidth with parameters [] not found in the logs that would fantastic!

 

 

From: red5-bounces@... [mailto:red5-bounces@...] On Behalf Of Tyler Kocheran
Sent: Tuesday, March 24, 2009 12:15 PM

To: red5@...
Subject: Re: [Red5] red5 security crossdomain.xml

 

Yeah, as far as I know, the crossdomain file has to be available on port 80 at the root of your domain, eg http://asdfasdf.com/crossdomain.xml

Red5 features an embedded servlet container for serving HTTP requests. By default, it's configured to accept connections only on port 5080 and I think the crossdomain file needs to be at the root of port 80. Thus, serving the crossdomain policy file in your root webapp would work, if you bound Tomcat to port 80, but since it's bound to port 5080, it won't work. The solution is to just put the crossdomain file at the root of your domain in your httpdocs.

Last time I checked, Red5 set up and bound to a higher port that's used only for serving out the crossdomain policy file, is this still the case? If so, you might want to try modifying your "conf/flashpolicy.xml" file.

On Tue, Mar 24, 2009 at 9:58 AM, Kyle Jeske <kjeske@...> wrote:

pretty sure a crossdomain.xml has to go at
http://myserver.com/crossdomain.xml otherwise flash doesn't read it..

or you can specify the location of the crossdomain through Actionscript.

_______________________________________________
Red5 mailing list
Red5@...
http://osflash.org/mailman/listinfo/red5_osflash.org

--
And do this, knowing the time, that now it is high time to awake out of sleep;
for now our salvation is nearer than when we first believed.

_______________________________________________
Red5 mailing list
Red5@...
http://osflash.org/mailman/listinfo/red5_osflash.org

It looks like conf/flashpolicy.xml did the trick!!!!!!

 

You people rock!!

 

Now if I can figure out why I keep seeing [ERROR] [pool-4-thread-4] org.red5.server.service.ServiceInvoker - Method checkBandwidth with parameters [] not found in the logs that would fantastic!

 

 

From: red5-bounces@... [mailto:red5-bounces@...] On Behalf Of Tyler Kocheran
Sent: Tuesday, March 24, 2009 12:15 PM

To: red5@...
Subject: Re: [Red5] red5 security crossdomain.xml

 

Yeah, as far as I know, the crossdomain file has to be available on port 80 at the root of your domain, eg http://asdfasdf.com/crossdomain.xml

Red5 features an embedded servlet container for serving HTTP requests. By default, it's configured to accept connections only on port 5080 and I think the crossdomain file needs to be at the root of port 80. Thus, serving the crossdomain policy file in your root webapp would work, if you bound Tomcat to port 80, but since it's bound to port 5080, it won't work. The solution is to just put the crossdomain file at the root of your domain in your httpdocs.

Last time I checked, Red5 set up and bound to a higher port that's used only for serving out the crossdomain policy file, is this still the case? If so, you might want to try modifying your "conf/flashpolicy.xml" file.

On Tue, Mar 24, 2009 at 9:58 AM, Kyle Jeske <kjeske@...> wrote:

pretty sure a crossdomain.xml has to go at
http://myserver.com/crossdomain.xml otherwise flash doesn't read it..

or you can specify the location of the crossdomain through Actionscript.

_______________________________________________
Red5 mailing list
Red5@...
http://osflash.org/mailman/listinfo/red5_osflash.org

--
And do this, knowing the time, that now it is high time to awake out of sleep;
for now our salvation is nearer than when we first believed.

_______________________________________________
Red5 mailing list
Red5@...
http://osflash.org/mailman/listinfo/red5_osflash.org