Here are the steps to configure SSL in existing Red5 application. This article is keeping in the mind you have basic knowledge of Red5 or you are aware of how Red5 applications are built.
Software required on machine where Red5 server is installed:-
1: Open SSL //Open source SSL libraries required for compiling Stunnel
2: Stunnel //Open source SSL wrapper software uses open SSL works both on
Windows and Linux.
3: gcc // The GNU C compiler (although it always bundled with Linux
Machine, but I did not find it. Necessary if you are compiling the
Open SSL and Stunnel from source. Not required if using RPM
Configuration needed on server machine:-
1:- Install the Open SSL (if windows use exe RPM or source for Linux machine can be downloaded from openssl website).
2:- Install Stunnel (if windows, use exe otherwise RPM or compilation from source is preferred, can be downloaded from stunnel website). Make sure that you already have compiled Open SSL in your machine before proceeding with the installation of Stunnel; otherwise it will fail to compile.
Under Linux the standard command to compile Stunnel from source are described below. For any update please always follow the installation instructions given their website.
machine# gzip -dc stunnel-VERSION.tar.gz tar -xvzf -
machine# cd stunnel-VERSION
machine# ./configure
machine# make
machine# make install
There are several configurations that differ based on your computer and environment. That can be read from the website itself.
3:- Running Stunnel (There are several ways/mode you can run the stunnel. Follow the FAQ available in their website to choose the best which matches your requirements).
To run stunnel, you always require a configuration file. The process of making sample configuration file (stunnel.conf) is described below.
The sample configuration file used was like this:
sample.conf
; Sample stunnel configuration file by Sunil Gupta 2007
; Some options used here may not be adequate for your particular configuration
; Certificate/key is needed in server mode and optional in client mode
; The default certificate is provided only for testing and should not
; be used in a production environment
cert = /etc/stunnel/stunnel.pem
;chroot = /var/run/stunnel/
pid = /stunnel.pid
key = /etc/stunnel/stunnel.pem
; Some performance tunings
socket = l:TCP_NODELAY=1
socket = r:TCP_NODELAY=1
; Workaround for Eudora bug
;options = DONT_INSERT_EMPTY_FRAGMENTS
; Authentication stuff
;verify = 2
; Don’t forget to c_rehash CApath
;CApath = certs
; It’s often easier to use CAfile
;CAfile = certs.pem
; Don’t forget to c_rehash CRLpath
;CRLpath = crls
; Alternatively you can use CRLfile
;CRLfile = crls.pem
; Some debugging stuff useful for troubleshooting
debug = 7
Output = /var/log/stunnel.log
foreground=yes
; Use it for client mode
; client = yes
; Service-level configuration
;[pop3s]
;accept = 995
;connect = 110
;[imaps]
;accept = 993
;connect = 143
;[ssmtp]
;accept = 465
;connect = 25
[rtmps - https]
TIMEOUTconnect=20
accept = 443
connect = 80
TIMEOUTclose = 20
; vim:ft=dosin
Finish
Note: – When you install Stunnel, you get a default sample file, which is not enough in most of the cases to run the flash application. The additions to configuration file I made are as follows.
Also the line having ; in the start denotes the commented portion in file.
cert = /etc/stunnel/stunnel.pem
key = /etc/stunnel/stunnel.pem
pem stands for ‘privacy enhanced mail’ used as a key format. The above two lines tells the location of pem files need to be generated. This will be configured by user. The above is the best location for Stunnel although you can change it to any desired location.
;Some performance tunings
socket = l:TCP_NODELAY=1
socket = r:TCP_NODELAY=1
The above two lines are for better performance of Stunnel in our case.
; Workaround for Eudora bug
;options = DONT_INSERT_EMPTY_FRAGMENTS
The above line is a bug in a specific platform, since we are running it in Linux; we commented this line, although it could be needed in some case.
; Some debugging stuff useful for troubleshooting
debug = 7
Output = /var/log/stunnel.log
foreground=yes
The above lines are very important, Because Stunnel by default run in background mode. You will never be able to see if it is running. So better to put it in foreground, so that you can make sure that stunnel is running properly. Also the debug = 7 is very important since by default stunnel does not generate any log. You can direct him to generate log, so that you can debug your application by seeing all those log messages. The above mentioned log directory is default Linux directory where all system logs are generated.
; Use it for client mode
; client = yes
In the sample configuration file, you will always find this option un-commented leading to a different architecture, since we are running Stunnel in server mode not client mode, so we will comment this line.
[rtmps - https]
TIMEOUTconnect=20
accept = 443
connect = 80
TIMEOUTclose = 20
And the very last lines are mentioned above. In the sample configuration file, you will never find rtmps and it is not even mentioned anywhere in Stunnel. The default file contains only https, add rtmps like it is added here. Also accept port is 443, which is the default port used for secure communication and it is open like port 80 in all corporate firewalls in general. This port is to accept the connection from flash and to get the encrypted data. The connect port is 80; this is the port where stunnel will forward the decrypted data to red5 server.
The TIMEOUTconnect and TIMEOUTclose can be useful in some cases when the server where the data is being forwarded by Stunnel is delaying the connection. This is to make sure that connection is closed only when server is not responding at all. The value is in seconds (i.e. 20 sec.)
Now in order to run your application under secure connection, you require a certificate to be created on the machine where the Stunnel is installed. The procedure for creating a certificate and the possible directory to put this certificate is described below.
Use of certificate:-
When an SSL client connects to an SSL server, the server presents a certificate, essentially an electronic piece of proof that machine is who it claims to be. This certificate is signed by a ‘Certificate Authority’ (hereafter a CA) — usually a trusted third party like Verisign. A client will accept this certificate only if
The certificate presented matches the private key being used by the remote end.
The certificate has been signed correctly by the CA. The client recognizes the CA as trusted.
Every stunnel server has a private key. This is contained in the pem file which stunnel uses to initialize its identity. If we notice above, we have given the reference of this pem file in the start of our configuration file under cert.
This private key is put in /usr/local/ssl/certs/stunnel.pem.
Note:-Under client mode we need not to have certificate in most of the cases, but if we are running it in server mode, we require a certificate. Since we are using server mode, I have generated a self certificate.
To make certificate:-
1: Go to /etc/stunnel directory and
2: Run the following command:-’
openssl req -new -x509 -days 365 -nodes -config stunnel.cnf -out stunnel.pem -keyout stunnel.pem
This creates a private key and self-signed certificate. More information on the options of this can be read from FAQ section of Stunnel website.
While executing the command, it will ask for some questions like Country, City, Company etc., Give the answer of those and it will generate the key and self certificate.
4:- Put your sample.conf file in /etc/stunnel directory where the .pem file was created earlier.
5:- Start Stunnel by issuing the command -
machine# stunnel stunnel.conf
If you are /etc/stunnel directory otherwise complete path of configuration file-
machine# stunnel /etc/stunnel/stunnel.conf
The above command will start the stunnel and you can verify the log from /var/logs/stunnel.log file.
Red5 server side changes:-
6:- Now stunnel is up and running, we need to change the Red5 configuration to accept the connection from Stunnel.
Go to red5 installation directory and search for conf folder where all red5 configuration files exist.
Open red5.properties file and under rtmps.host_port property put 443. The sample file can be like below.
rtmp.host_port = 0.0.0.0:1935
rtmp.threadcount = 4
debug_proxy.host_port = 0.0.0.0:1936
proxy_forward.host_port = 127.0.0.1:1935
rtmps.host_port = 127.0.0.1:443
http.host=0.0.0.0
http.port=5080
rtmpt.host=0.0.0.0
rtmpt.port=80
Flash client side changes:-
7:-Now we are done with server side, In order to run application under SSL, we need to change the client side protocol from rtmp to rtmps like below. And compile the flash client and run it on browser, a certificate will pop up, accept it and the application will run under SSL.
nc.connect (”rtmps://yourip/applicationname”); //used rtmps in place of rtmp
To get all Red5 media server related stuffs, visit the website below-
Technology Makes Life Easier (http://sunil-gupta.blogspot.com)
Article Source: http://EzineArticles.com/?expert=Sunil_Gupta
分享到:
相关推荐
Chapter 5: Accessing and Running Applications. Chapter 6: Publishing with CentOS. Chapter 7: Music, Video, and Images in Linux. Chapter 8: Using the Internet and the Web. Part III Adminstration. ...
由于 Oracle 10g 不直接支持 RHEL 5.5,我们需要将系统的版本号从 "Red Hat Enterprise Linux Server release 5 (Tikanga)" 修改为 "Red Hat Enterprise Linux Server release 4 (Tikanga)"。这可以通过编辑 `/etc/...
### Red Hat Linux 6.0 下安装 Oracle 11g 的详细步骤 #### 一、前期准备 在开始安装之前,需要确保环境已准备好。这包括但不限于以下几点: 1. **切换到 root 用户**: - 使用 `su root` 命令切换至 root 用户...
### Red Hat Enterprise Linux 5 (RHEL5) 安装 Oracle 10g、JDK 和 Tomcat #### 概述 本篇文章详细介绍如何在 Red Hat Enterprise Linux 5(RHEL5)上安装 Java Development Kit (JDK)、Apache Tomcat 以及 Oracle ...
sudo mkdir -p /media/backup/oracle11g/server sudo mkdir -p /media/backup/oracle11g/oradata sudo mkdir -p /media/backup/oracle11g/database sudo chown -R linkon251:linkon251 /media/backup/oracle11g sudo...
baseurl=file:///media/redhat6.2/Server enabled=1 gpgcheck=0 [HighAvailability] name=HighAvailability baseurl=file:///media/redhat6.2/HighAvailability enabled=1 gpgcheck=0 [LoadBalancer] ...
cd /media/cdrom/Server # 第一步 - 从Red Hat Enterprise Linux AS 5光盘1中安装 rpm -ivh setarch-2* rpm -ivh make-3* rpm -ivh glibc-2* rpm -ivh libaio-0* # 第二步 - 从Red Hat Enterprise Linux AS 5光盘2...
cd /media/cdrom/Server # 查询并安装所需软件包 rpm -ivh setarch-2* rpm -ivh make-3* rpm -ivh glibc-2* rpm -ivh libaio-0* rpm -ivh make-3.81-3.el5.i386.rpm rpm -ivh binutils-2.17.50.0.6-6.el5.i386.rpm ...
Description: Red Hat Enterprise Linux Server release 7.6 (Maipo) ``` **3. 设置YUM源** - **步骤**: 1. **检查镜像是否已挂载**: `df -h` 2. **新建挂载目录**: `mkdir -p /media/cdrom` 3. **将镜像挂载...
### Red Hat 6 开启 Telnet 服务详细步骤与知识点解析 #### 一、环境准备与软件安装 在 Red Hat 6 中开启 Telnet 服务首先需要确保系统中已安装了必要的软件包,并且配置了适当的环境。以下为具体步骤: 1. **...
本手册详细介绍了如何在Red Hat Advanced Server 4.0操作系统上安装和配置Oracle 10g Release 2 (10.2.0.1)。 在开始安装之前,首先需要确保你的机器配置满足Oracle的要求。作为基础步骤,应以root用户登录并检查/...
- 使用命令 `cd "/media/RHEL_5.3i386DVD/Server"` 或 `cd /mnt/cdrom/Server/` 进入到存储 RHEL 5.3 DVD 的 Server 文件夹。 2. **安装基础依赖库**: - 使用 `rpm -Uvh` 命令安装以下基础软件包:`setarch`, `...
sudo mount server_ip:/media/ranbe /mnt ``` 5. **检查挂载状态**: ```bash df -h ``` #### 三、Minicom配置和使用 Minicom是一款用于串行通信的命令行工具,常用于与串行设备交互。 1. **安装Minicom**...
在Red Hat Enterprise Linux 6(RHEL6)环境下安装Oracle 11g是一个涉及多个步骤的复杂过程,本文将详细解析这一过程中的关键知识点,帮助读者理解并顺利完成Oracle数据库的安装。 ### 一、使用DVD作为YUM源 在...
例如,在Red Hat Enterprise Linux (RHEL)及其衍生版本如CentOS中,通常会有一个名为“Packages”的文件夹存放这些安装包。 **命令示例**: ```bash cd /media/[你的用户名]/RHEL_6_Server-x86_64-DVD-6.5.iso/...
5. 创建一个新的repo文件,如`iso.repo`,并编辑它,定义DVD中的各个组件仓库,如`Server`, `HighAvailability`, `LoadBalancer`,并设置`baseurl`指向DVD挂载点,禁用GPG检查。 6. 清除YUM的缓存信息,以确保使用新...