Anti-hotlinking for a single-machine HLS live server at 100,000 concurrent connections

This article describes the anti-hotlinking (URL protection) implementation for an HLS live server handling 100,000 concurrent connections. It covers:

  • Recording and segmenting server
  • HTTP server (nginx)
  • Lua library (LuaLib)

Recording and segmenting server

The recording and segmenting server splits the live stream into the TS segment files required by the HLS protocol.
Segment files can be named by a pattern such as live-Segment[%d%d%d%d].ts,
for example live-Segment0011.ts, live-Segment0003.ts, or by any other scheme you prefer, such as live-2018-08-21_14:00:00.ts.

TS segmenting rules:

- The file must begin with a PAT table, immediately followed by the PMT table.

- Inside the file, the PSI tables should be followed directly by a video key frame.

- The total PCR span inside one segment should be about 10 seconds.

- The file should preferably end on a complete video frame.

m3u8 file contents (EXT-X-MEDIA-SEQUENCE is incremented by one each time a new TS segment is generated):

#EXTM3U
#EXT-X-VERSION:2
#EXT-X-ALLOW-CACHE:YES
#EXT-X-MEDIA-SEQUENCE:128483
#EXT-X-TARGETDURATION:10
#EXTINF:10.1501,
http://videoa.southtv.cn/cctv1/live-2018-08-20_14-59-36.ts?sign=286200040a04918772efb52cbad6f21d&t=5b7a67ec
#EXTINF:11.0109,
http://videoa.southtv.cn/cctv1/live-2018-08-20_14-59-48.ts?sign=7825c09c52f7f8d1617a173b28f5ea37&t=5b7a67ec
#EXTINF:10.0912,
http://videoa.southtv.cn/cctv1/live-2018-08-20_15-00-00.ts?sign=984225f050a9bcf6d67bee3b08674f23&t=5b7a67ec

Installing OpenResty (Nginx)

OpenResty® is a high-performance web platform based on Nginx and Lua. It bundles a large number of well-crafted Lua libraries, third-party modules and most of their dependencies, and makes it easy to build dynamic web applications, web services and dynamic gateways that handle extremely high concurrency and scale very well. —— [ openresty ]

tar -xzvf openresty-VERSION.tar.gz
cd openresty-VERSION/
./configure
make
sudo make install

System configuration

First, raise the open-file limits:
vi /etc/security/limits.conf
# add the following lines
* soft nproc 11000
* hard nproc 11000
* soft nofile 4100
* hard nofile 4100
Notes: * applies to all users;
nproc is the maximum number of processes (the item must be spelled exactly nproc, otherwise pam_limits ignores the line);
nofile is the maximum number of open files.

Edit /etc/sysctl.conf:

net.ipv4.ip_forward = 0

# Controls source route verification
net.ipv4.conf.default.rp_filter = 0

# Do not accept source routing
net.ipv4.conf.default.accept_source_route = 0

# Controls the System Request debugging functionality of the kernel
kernel.sysrq = 0

# Controls whether core dumps will append the PID to the core filename.
# Useful for debugging multi-threaded applications.
kernel.core_uses_pid = 1

# Controls the use of TCP syncookies
net.ipv4.tcp_syncookies = 1

# Controls the default maximum size of a message queue
kernel.msgmnb = 65536

# Controls the maximum size of a message, in bytes
kernel.msgmax = 65536

# Controls the maximum shared segment size, in bytes
kernel.shmmax = 68719476736

# Controls the maximum number of shared memory segments, in pages
kernel.shmall = 4294967296

# Do not act as a router
net.ipv4.ip_forward = 0
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0

# Reverse-path filtering (disabled here)
net.ipv4.conf.all.rp_filter = 0
net.ipv4.conf.default.rp_filter = 0

net.ipv6.conf.all.disable_ipv6 = 1
net.ipv6.conf.default.disable_ipv6 = 1
#net.ipv4.neigh.default.gc_stale_time = 120
#net.ipv4.conf.default.arp_announce = 2
#net.ipv4.conf.all.arp_announce = 2
#net.ipv4.conf.lo.arp_announce = 2

### Memory usage settings
net.core.wmem_default = 8388608
net.core.rmem_default = 8388608
net.core.rmem_max = 16777216
net.core.wmem_max = 16777216
net.ipv4.tcp_rmem = 4096 65536 16777216
net.ipv4.tcp_wmem = 4096 65536 16777216
net.ipv4.tcp_mem = 8388608 8388608 8388608

## TCP connection establishment settings (SYN flood / DDoS mitigation)
net.ipv4.tcp_syncookies = 1
net.ipv4.tcp_synack_retries = 1
net.ipv4.tcp_syn_retries = 1
net.ipv4.tcp_max_syn_backlog = 262144

## TCP teardown settings to cope with a high TIME_WAIT count
net.ipv4.tcp_max_tw_buckets = 524288
# tcp_tw_recycle breaks clients behind NAT and was removed in Linux 4.12; rely on tcp_tw_reuse instead
net.ipv4.tcp_tw_recycle = 1
net.ipv4.tcp_tw_reuse = 1
# tcp_tw_reuse depends on TCP timestamps; disabling them makes tw_reuse ineffective
net.ipv4.tcp_timestamps = 0
net.ipv4.tcp_fin_timeout = 5
net.ipv4.ip_local_port_range = 10000 65000

### TCP keepalive settings
net.ipv4.tcp_keepalive_time = 1200
net.ipv4.tcp_keepalive_intvl = 15
net.ipv4.tcp_keepalive_probes = 5

### Other TCP tuning
net.core.somaxconn = 262144
net.core.netdev_max_backlog = 262144
net.ipv4.tcp_max_orphans = 3276800
net.ipv4.tcp_sack = 1
net.ipv4.tcp_window_scaling = 1

#net.nf_conntrack_max=655360

net.ipv4.neigh.default.gc_thresh1 = 102400
net.ipv4.neigh.default.gc_thresh2 = 204800
net.ipv4.neigh.default.gc_thresh3 = 409600

# TCP congestion control algorithm (BBR is the newest)
#net.ipv4.tcp_congestion_control = cubic
#net.ipv4.tcp_available_congestion_control = cubic reno
#net.ipv4.tcp_allowed_congestion_control = cubic reno

net.ipv4.conf.all.rp_filter=0
net.ipv4.conf.default.rp_filter=0
net.ipv4.conf.p6p1.rp_filter=0
net.ipv4.conf.p6p2.rp_filter=0
net.ipv4.conf.bond0.rp_filter=0

Run sysctl -p to apply the settings.

nginx configuration

worker_processes  55;   # set according to the number of CPU cores
worker_rlimit_nofile 10240;

events {
    worker_connections  10240;
    multi_accept on;
    use epoll;
}

With the preparatory work done, we now use the Lua module to implement the anti-hotlinking check.

Add the following to the nginx location configuration:

location ~ live\.m3u8$ {
    access_by_lua_file /southtv/lualib/access_token.lua;
    root   /data;  # TS segment file directory
}

access_token.lua is our anti-hotlinking implementation. The playback URL must meet four requirements:
1 The URL is valid only for a limited time: a live URL expires after 2 hours, so a copied URL soon stops working.
2 The URL carries a signature over itself, so it cannot be tampered with.
3 The URL is bound to an IP address: user A's playback URL cannot be copied and used by user B.
4 The URL cannot be reversed to recover the secret.

-- access_token.lua: run by access_by_lua_file for live.m3u8 requests
local uri   = ngx.var.request_uri
local sign  = ngx.var.arg_sign
local ip    = ngx.var.arg_ip
local t_hex = ngx.var.arg_t

if sign ~= nil and ip ~= nil and t_hex ~= nil then

    -- 1. time validity: t is the issue time in hex seconds, matching the
    --    t= values in the playlist above; reject unparsable or expired values
    local t = tonumber(t_hex, 16)
    if t == nil or os.time() - t > 7200 then
        ngx.exit(ngx.HTTP_FORBIDDEN)
    end

    -- 3. IP binding: the URL only works from the client it was issued to
    --    (behind a CDN or proxy, remote_addr is the proxy's address)
    if ngx.var.remote_addr ~= ip then
        ngx.exit(ngx.HTTP_FORBIDDEN)
    end

    -- 2. signature: md5 over everything before "sign=" plus the secret suffix.
    --    ip and t must therefore be placed before sign in the URL so they are
    --    covered by the signature.
    local pos = string.find(uri, "[?&]sign=")
    if pos == nil then
        ngx.exit(ngx.HTTP_FORBIDDEN)
    end
    local signed = string.sub(uri, 1, pos) .. "key=mykey"
    --ngx.say(signed)
    --ngx.say(ngx.md5(signed))
    if ngx.md5(signed) ~= sign then
        ngx.exit(ngx.HTTP_FORBIDDEN)
    end
    return   -- all checks passed, nginx serves the playlist
end

ngx.exit(ngx.HTTP_FORBIDDEN)
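As an added example that is not part of the original post, here is the issuing side of this scheme in Python together with a verifier that mirrors the Lua checks, so both ends can be tested offline; the key "mykey" is the suffix from the Lua script, while the client address 203.0.113.5 and the timestamps used in the test are constructed values.

```python
import hashlib
import hmac
import re
from urllib.parse import parse_qs, urlsplit

# Constructed values for this example: KEY is the "key=mykey" suffix the Lua
# script appends; VALID_FOR is its 2-hour window in seconds.
KEY = "mykey"
VALID_FOR = 7200


def sign_url(path, client_ip, issued_at, key=KEY):
    """Issue a playlist URL bound to one client.  ip and t are placed
    BEFORE sign because the server signs everything preceding 'sign='."""
    prefix = "%s?ip=%s&t=%x&" % (path, client_ip, issued_at)
    digest = hashlib.md5((prefix + "key=" + key).encode()).hexdigest()
    return prefix + "sign=" + digest


def check_url(request_uri, remote_addr, now, key=KEY):
    """Mirror of access_token.lua; returns True when nginx would serve."""
    query = parse_qs(urlsplit(request_uri).query)
    if not all(k in query for k in ("sign", "ip", "t")):
        return False
    try:
        issued_at = int(query["t"][0], 16)      # t is hex seconds, as in the m3u8
    except ValueError:
        return False
    if now - issued_at > VALID_FOR:             # 1. time validity
        return False
    if remote_addr != query["ip"][0]:           # 3. IP binding
        return False
    m = re.search(r"[?&]sign=", request_uri)    # 2. signature over the prefix
    if m is None:
        return False
    prefix = request_uri[:m.start() + 1]        # keeps the '?' or '&' separator
    expected = hashlib.md5((prefix + "key=" + key).encode()).hexdigest()
    return hmac.compare_digest(expected, query["sign"][0])
```

A URL whose t or ip is edited after issue fails the signature check, because both sit inside the signed prefix.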

All of the techniques above have been verified in production in the 南方无线 app,
at roughly 90,000 concurrent connections on a single machine. You are welcome to download and try it:
[ 南方无线APP ]

About us
http://www.southtv.cn
