This article describes an anti-leech (hotlink protection) implementation for an HLS live-streaming server handling 100,000 concurrent connections.
The recording/slicing server cuts the live stream into the TS segment files required by the HLS live protocol.
A segment naming scheme can be: live-Segment[%d%d%d%d].ts
for example: live-Segment0011.ts, live-Segment0003.ts, etc. Any scheme works, for example live-2018-08-21_14:00:00.ts.
TS slicing policy:
- the file must begin with the PAT table, immediately followed by the PMT table
- inside the file, immediately after the PSI tables, the first video data should be a keyframe
- the total PCR span covered by one segment is recommended to be 10 seconds
- the file should end on a complete video frame
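The following checker is an added example written for this article, not code from the page or from the slicing server it describes. It validates the first three rules above on a TS file: the first packet must be the PAT (PID 0), the second the PMT it announces, and the first packet on a video PID must start a PES and carry the random_access_indicator flag, which is how a muxer marks a keyframe in the adaptation field. The PAT/PMT/PES packets at the bottom are constructed inline as sample input (CRC32 fields are left zero and are not verified); `check_segment(open(path, "rb").read())` runs the same checks on a real segment.

```python
TS_PACKET = 188
VIDEO_STREAM_TYPES = {0x01, 0x02, 0x1B, 0x24}  # MPEG-1/2 video, H.264, HEVC


def parse_packet(pkt):
    """Return (pusi, pid, random_access_indicator, payload) for one 188-byte packet."""
    if len(pkt) != TS_PACKET or pkt[0] != 0x47:
        raise ValueError("lost sync byte")
    pusi = bool(pkt[1] & 0x40)                 # payload_unit_start_indicator
    pid = ((pkt[1] & 0x1F) << 8) | pkt[2]
    afc = (pkt[3] >> 4) & 0x3                  # adaptation_field_control
    offset, rai = 4, False
    if afc & 0x2:                              # adaptation field present
        af_len = pkt[4]
        if af_len:
            rai = bool(pkt[5] & 0x40)          # random_access_indicator flag
        offset = 5 + af_len
    payload = pkt[offset:] if afc & 0x1 else b""
    return pusi, pid, rai, payload


def psi_section(payload):
    """Skip the pointer_field that precedes a PSI section in a PUSI packet."""
    return payload[1 + payload[0]:]


def parse_pat(sec):
    """Map program_number -> PMT PID; program 0 is the NIT and is skipped."""
    if sec[0] != 0x00:
        raise ValueError("not a PAT")
    length = ((sec[1] & 0x0F) << 8) | sec[2]
    entries = sec[8:3 + length - 4]            # after tsid/version/section numbers, before CRC
    programs = {}
    for i in range(0, len(entries) - 3, 4):
        prog = (entries[i] << 8) | entries[i + 1]
        pid = ((entries[i + 2] & 0x1F) << 8) | entries[i + 3]
        if prog:
            programs[prog] = pid
    return programs


def parse_pmt(sec):
    """Return the elementary PIDs of the video streams listed in a PMT."""
    if sec[0] != 0x02:
        raise ValueError("not a PMT")
    length = ((sec[1] & 0x0F) << 8) | sec[2]
    body = sec[3:3 + length - 4]
    info_len = ((body[7] & 0x0F) << 8) | body[8]   # program_info_length
    streams, video, i = body[9 + info_len:], [], 0
    while i + 5 <= len(streams):
        stype = streams[i]
        pid = ((streams[i + 1] & 0x1F) << 8) | streams[i + 2]
        es_len = ((streams[i + 3] & 0x0F) << 8) | streams[i + 4]
        if stype in VIDEO_STREAM_TYPES:
            video.append(pid)
        i += 5 + es_len
    return video


def check_segment(data):
    """Return the list of rule violations; an empty list means the segment passes."""
    problems = []
    if len(data) % TS_PACKET:
        problems.append("size is not a multiple of 188 bytes")
    usable = len(data) - len(data) % TS_PACKET
    pkts = [data[i:i + TS_PACKET] for i in range(0, usable, TS_PACKET)]
    if len(pkts) < 3:
        return problems + ["fewer than three packets"]
    try:
        pusi, pid, _, payload = parse_packet(pkts[0])
        if pid != 0 or not pusi:
            return problems + ["first packet is not a PAT"]
        pmt_pids = set(parse_pat(psi_section(payload)).values())
        pusi, pid, _, payload = parse_packet(pkts[1])
        if pid not in pmt_pids or not pusi:
            return problems + ["second packet is not the PMT"]
        video_pids = set(parse_pmt(psi_section(payload)))
        for pkt in pkts[2:]:                   # first video packet after the PSI tables
            pusi, pid, rai, _ = parse_packet(pkt)
            if pid in video_pids:
                if not (pusi and rai):
                    problems.append("first video packet after the PSI tables is not a keyframe")
                break
        else:
            problems.append("no video packet found")
    except ValueError as exc:
        problems.append(str(exc))
    return problems


def ts_packet(pid, payload, pusi=True, rai=None):
    """Build one constructed packet; rai=None means no adaptation field (PSI, 0xFF stuffing)."""
    room = TS_PACKET - 4
    if rai is None:
        afc, body = 0x1, payload + b"\xff" * (room - len(payload))
    else:
        afc, stuffing = 0x3, room - 2 - len(payload)
        body = bytes([1 + stuffing, 0x40 if rai else 0x00]) + b"\xff" * stuffing + payload
    return bytes([0x47, (0x40 if pusi else 0) | (pid >> 8), pid & 0xFF, afc << 4]) + body


# Constructed sample PSI: one program whose PMT is on PID 0x1000, with one H.264 stream on PID 0x100.
PAT = ts_packet(0x0000, b"\x00" + b"\x00\xb0\x0d\x00\x01\xc1\x00\x00" + b"\x00\x01\xf0\x00" + b"\x00" * 4)
PMT = ts_packet(0x1000, b"\x00" + b"\x02\xb0\x12\x00\x01\xc1\x00\x00\xe1\x00\xf0\x00" + b"\x1b\xe1\x00\xf0\x00" + b"\x00" * 4)
PES_START = b"\x00\x00\x01\xe0\x00\x00\x80\x80\x05\x21\x00\x01\x00\x01"   # constructed PES header with PTS
KEYFRAME = ts_packet(0x0100, PES_START, rai=True)
NON_KEYFRAME = ts_packet(0x0100, PES_START, rai=False)
GOOD_SEGMENT = PAT + PMT + KEYFRAME
WRONG_ORDER = PMT + PAT + KEYFRAME
NO_KEYFRAME = PAT + PMT + NON_KEYFRAME

if __name__ == "__main__":
    for name, seg in (("good", GOOD_SEGMENT), ("wrong order", WRONG_ORDER), ("no keyframe", NO_KEYFRAME)):
        print(name, check_segment(seg) or "ok")
```

The PCR-interval and end-on-a-complete-frame rules are not checked here; they need PES timing and codec-level parsing that a segment-header check does not.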
m3u8 file content:
#EXTM3U
#EXT-X-VERSION:3
#EXT-X-ALLOW-CACHE:YES
#EXT-X-MEDIA-SEQUENCE:128483
#EXT-X-TARGETDURATION:11
#EXTINF:10.1501,
http://videoa.southtv.cn/cctv1/live-2018-08-20_14-59-36.ts?sign=286200040a04918772efb52cbad6f21d&t=5b7a67ec
#EXTINF:11.0109,
http://videoa.southtv.cn/cctv1/live-2018-08-20_14-59-48.ts?sign=7825c09c52f7f8d1617a173b28f5ea37&t=5b7a67ec
#EXTINF:10.0912,
http://videoa.southtv.cn/cctv1/live-2018-08-20_15-00-00.ts?sign=984225f050a9bcf6d67bee3b08674f23&t=5b7a67ec
EXT-X-MEDIA-SEQUENCE is incremented by one each time a new TS segment is produced. Fractional EXTINF durations require EXT-X-VERSION:3 or higher, and EXT-X-TARGETDURATION must be at least the longest EXTINF rounded to the nearest integer (11 here, because of the 11.0109-second segment). The t parameter is the issue time as a hexadecimal Unix timestamp (0x5b7a67ec falls on 2018-08-20); note that the access check later in this article also requires an ip parameter, which these sample URLs do not carry.
OpenResty® is a high-performance web platform based on Nginx and Lua. It bundles a large number of well-crafted Lua libraries, third-party modules and most of their dependencies, and is used to conveniently build dynamic web applications, web services and dynamic gateways that handle very high concurrency and scale extremely well. —— [ openresty ]
tar -xzvf openresty-VERSION.tar.gz
cd openresty-VERSION/
./configure
make
sudo make install
First raise the open-file limits:
vi /etc/security/limits.conf
# add the following lines
* soft nproc 11000
* hard nproc 11000
* soft nofile 4100
* hard nofile 4100
Notes: * applies to all users;
nproc is the maximum number of processes (the item is spelled nproc; pam_limits does not recognise noproc, so a line with that spelling has no effect);
nofile is the maximum number of open files.
nginx raises its own workers' descriptor limit through worker_rlimit_nofile (see the nginx configuration below), so these values bound every other process; 4100 is far below what any process that must hold tens of thousands of concurrent connections needs.
Edit /etc/sysctl.conf:
# Do not act as a router
net.ipv4.ip_forward = 0
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0
# Do not accept source routing
net.ipv4.conf.default.accept_source_route = 0
# Reverse path filtering: 0 turns the anti-spoofing check off; leave it at 1
# unless asymmetric routing on the bonded interfaces requires otherwise
net.ipv4.conf.all.rp_filter = 0
net.ipv4.conf.default.rp_filter = 0
# Controls the System Request debugging functionality of the kernel
kernel.sysrq = 0
# Append the PID to the core filename; useful for debugging multi-threaded applications
kernel.core_uses_pid = 1
# Controls the use of TCP syncookies
net.ipv4.tcp_syncookies = 1
# Default maximum size of a message queue
kernel.msgmnb = 65536
# Maximum size of a message, in bytes
kernel.msgmax = 65536
# Maximum shared memory segment size, in bytes
kernel.shmmax = 68719476736
# Maximum total shared memory, in pages
kernel.shmall = 4294967296
net.ipv6.conf.all.disable_ipv6 = 1
net.ipv6.conf.default.disable_ipv6 = 1
#net.ipv4.neigh.default.gc_stale_time = 120
#net.ipv4.conf.default.arp_announce = 2
#net.ipv4.conf.all.arp_announce = 2
#net.ipv4.conf.lo.arp_announce = 2
### Memory usage
net.core.wmem_default = 8388608
net.core.rmem_default = 8388608
net.core.rmem_max = 16777216
net.core.wmem_max = 16777216
net.ipv4.tcp_rmem = 4096 65536 16777216
net.ipv4.tcp_wmem = 4096 65536 16777216
net.ipv4.tcp_mem = 8388608 8388608 8388608
## SYN-flood (DDoS) resistance: TCP connection establishment
net.ipv4.tcp_synack_retries = 1
net.ipv4.tcp_syn_retries = 1
net.ipv4.tcp_max_syn_backlog = 262144
## High TIME_WAIT counts: TCP connection teardown
net.ipv4.tcp_max_tw_buckets = 524288
# tcp_tw_recycle rejects connections from clients behind NAT (most mobile users)
# and was removed in Linux 4.12; do not enable it
#net.ipv4.tcp_tw_recycle = 1
net.ipv4.tcp_tw_reuse = 1
# tcp_tw_reuse only works with TCP timestamps enabled (they also provide PAWS)
net.ipv4.tcp_timestamps = 1
net.ipv4.tcp_fin_timeout = 5
net.ipv4.ip_local_port_range = 10000 65000
### TCP keepalive
net.ipv4.tcp_keepalive_time = 1200
net.ipv4.tcp_keepalive_intvl = 15
net.ipv4.tcp_keepalive_probes = 5
### Other TCP tuning
net.core.somaxconn = 262144
net.core.netdev_max_backlog = 262144
net.ipv4.tcp_max_orphans = 3276800
net.ipv4.tcp_sack = 1
net.ipv4.tcp_window_scaling = 1
#net.nf_conntrack_max=655360
net.ipv4.neigh.default.gc_thresh1 = 102400
net.ipv4.neigh.default.gc_thresh2 = 204800
net.ipv4.neigh.default.gc_thresh3 = 409600
# TCP congestion control (BBR is the newest algorithm);
# tcp_available_congestion_control is read-only and cannot be set here
#net.ipv4.tcp_congestion_control = cubic
#net.ipv4.tcp_available_congestion_control = cubic reno
#net.ipv4.tcp_allowed_congestion_control = cubic reno
# Per-interface reverse path filtering (p6p1, p6p2 and bond0 are this host's interface names)
net.ipv4.conf.p6p1.rp_filter=0
net.ipv4.conf.p6p2.rp_filter=0
net.ipv4.conf.bond0.rp_filter=0
Run sysctl -p to apply.
nginx configuration
worker_processes 55;  # set to the number of CPU cores (or auto)
worker_rlimit_nofile 10240;

events {
    worker_connections 10240;
    multi_accept on;
    use epoll;
}

With that, the preparatory work is done; now the Lua module handles the anti-leech check.
Add the following to the nginx location configuration:
location ~ live\.m3u8$ {
    access_by_lua_file /southtv/lualib/access_token.lua;
    root /data; # TS segment file directory
}
Note that this location only matches the playlist request. The TS segments, whose URLs in the playlist above carry sign and t, are served from /data by whatever location matches them, so that location needs the same access_by_lua_file; otherwise anyone who has seen a playlist can fetch the segments without a token.
access_token.lua is our anti-leech implementation. The URL must:
1 be time-limited: a live URL is valid for 2 hours, so a copied URL soon stops working
2 carry a signature over itself, so it cannot be tampered with
3 be bound to a client IP address: user A's playback URL cannot be copied and used by user B
4 not be reversible: the secret cannot be recovered from a URL
-- access_token.lua: reject any request whose URL is unsigned, expired,
-- or was issued to a different client address.
if ngx.var.arg_sign ~= nil and ngx.var.arg_ip ~= nil and ngx.var.arg_t ~= nil then
    -- t is the issue time as a hex Unix timestamp (see the playlist example above);
    -- tonumber() without a base returns nil for hex and the arithmetic below would error
    local issued = tonumber(ngx.var.arg_t, 16)
    if issued == nil then
        ngx.exit(ngx.HTTP_FORBIDDEN)
    end
    -- the URL is valid for 2 hours
    local diff = ngx.time() - issued
    if diff > 7200 then
        ngx.exit(ngx.HTTP_FORBIDDEN)
    end
    -- bind the URL to the client it was issued to; behind a CDN or reverse proxy
    -- remote_addr is the proxy's address and this comparison needs the real client IP
    if ngx.var.remote_addr ~= ngx.var.arg_ip then
        ngx.exit(ngx.HTTP_FORBIDDEN)
    end
    -- everything before "sign=" is the signed part, so sign must be the last parameter;
    -- plain find, so a URL path that merely contains the word "sign" does not break it
    local pos = string.find(ngx.var.request_uri, "sign=", 1, true)
    if pos == nil then
        ngx.exit(ngx.HTTP_FORBIDDEN)
    end
    local signed_part = string.sub(ngx.var.request_uri, 1, pos - 1)
    local expected = ngx.md5(signed_part .. "key=mykey")
    --ngx.say(signed_part)
    --ngx.say(expected)
    if expected ~= ngx.var.arg_sign then
        ngx.exit(ngx.HTTP_FORBIDDEN)
    end
    return
end
ngx.exit(ngx.HTTP_FORBIDDEN)
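The page shows the verifier but not the issuer. The following is an added example written for this article, not code from the page or from the southtv.cn service: the issuing side that signs playlist and segment URLs in exactly the form access_token.lua checks (MD5 over everything before "sign=" plus "key=mykey", t as a hex Unix timestamp, ip bound to the client), a Python twin of the Lua check so both halves can be tested offline, and a playlist builder in the layout of the m3u8 sample above with every segment URL signed. The secret "mykey", the host and the channel path are taken from the page; the client addresses, segment names and the 2-hour lifetime are assumptions for the demonstration.

```python
import hashlib
import hmac
from urllib.parse import urlsplit, parse_qsl

# Assumed values: the secret is the page's "key=mykey", the host comes from the
# sample playlist, and the lifetime is the page's 2 hours.
KEY = "mykey"
HOST = "http://videoa.southtv.cn"
TTL = 7200


def sign_path(path, client_ip, issued_at, key=KEY):
    """Sign one playlist or segment path for a client.

    The string under the MD5 is everything up to "sign=" plus "key=<secret>",
    which is exactly what access_token.lua recomputes; t is the issue time as
    a hex Unix timestamp, as in the sample playlist. sign must stay the last
    parameter, otherwise the verifier hashes a different prefix.
    """
    signed_part = "%s?ip=%s&t=%x&" % (path, client_ip, issued_at)
    digest = hashlib.md5((signed_part + "key=" + key).encode()).hexdigest()
    return signed_part + "sign=" + digest


def verify_request(request_uri, remote_addr, now, key=KEY, ttl=TTL):
    """Python twin of the Lua check: True when the request may be served."""
    args = dict(parse_qsl(urlsplit(request_uri).query, keep_blank_values=True))
    if not all(name in args for name in ("sign", "ip", "t")):
        return False
    try:
        issued_at = int(args["t"], 16)          # hex timestamp, as in the playlist
    except ValueError:
        return False
    if now - issued_at > ttl:                   # expired (2-hour validity)
        return False
    if remote_addr != args["ip"]:               # issued to another client
        return False
    pos = request_uri.find("sign=")
    if pos < 0:
        return False
    expected = hashlib.md5((request_uri[:pos] + "key=" + key).encode()).hexdigest()
    # constant-time comparison, so response timing leaks nothing about the digest
    return hmac.compare_digest(expected, args["sign"])


def build_playlist(segments, client_ip, issued_at, media_sequence, key=KEY):
    """Emit a live playlist in the page's layout with every segment URL signed.

    segments is a list of (duration_seconds, path); the target duration is the
    longest duration rounded to the nearest integer, as HLS requires.
    """
    target = max(int(d + 0.5) for d, _ in segments)
    lines = ["#EXTM3U", "#EXT-X-VERSION:3", "#EXT-X-ALLOW-CACHE:YES",
             "#EXT-X-MEDIA-SEQUENCE:%d" % media_sequence,
             "#EXT-X-TARGETDURATION:%d" % target]
    for duration, path in segments:
        lines.append("#EXTINF:%.4f," % duration)
        lines.append(HOST + sign_path(path, client_ip, issued_at, key))
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    import time
    now = int(time.time())
    # constructed sample: two segments issued to one assumed client address
    print(build_playlist([(10.1501, "/cctv1/live-2018-08-20_14-59-36.ts"),
                          (11.0109, "/cctv1/live-2018-08-20_14-59-48.ts")],
                         "203.0.113.7", now, 128483))
```

Because the secret is appended after the signed string, a leaked URL does not let an attacker extend the message, but the scheme is still a bare hash of a secret rather than a MAC; if the key is ever rotated or shared with a CDN, replacing ngx.md5 with a keyed HMAC (OpenResty ships ngx.hmac_sha1, and lua-resty libraries provide HMAC-SHA256) is the smaller change than it looks, since only sign_path and the Lua digest line move.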
All of the techniques above have been validated in production in the 南方无线 APP,
with roughly 90,000 concurrent connections on a single machine; you are welcome to download it and try it.
[ 南方无线APP ]
About us
http://www.southtv.cn