How to only allow known IP addresses to connect to your HTTP Origin server

To protect your Wowza Streaming Engine server from invalid IP addresses when in HTTP Origin mode, we have come up with a simple HTTP validator. Although relatively simple to implement, it is not quite as obvious as you might think, and it uses a little trick to fool Wowza Streaming Engine.

To implement this we have broken it down into two classes. The first is a VHost listener called Protect:

package guru.thewowza.example.httporigin;

import com.wowza.wms.amf.AMFDataList;
import com.wowza.wms.client.IClient;
import com.wowza.wms.logging.WMSLoggerFactory;
import com.wowza.wms.request.RequestFunction;
import com.wowza.wms.server.Server;
import com.wowza.wms.vhost.IVHost;
import com.wowza.wms.vhost.IVHostNotify;

public class Protect implements IVHostNotify
{
	private String validIPAddresses = "";
	private static String originIPListAllowed = "theWowzaGuruOriginIPAllowList";

	public void onVHostClientConnect(IVHost vhost, IClient inClient,RequestFunction function, AMFDataList params) {}

	// Read the allow list from the server properties and install the validator on this VHost
	public void onVHostCreate(IVHost vhost)
	{
		this.validIPAddresses = Server.getInstance().getProperties().getPropertyStr(originIPListAllowed,this.validIPAddresses);
		WMSLoggerFactory.getLogger(null).info("guru.thewowza.example.httporigin.Protect: Adding Origin Protection on startup");
		vhost.setHTTPStreamerRequestValidator(new OriginValidate(WMSLoggerFactory.getLogger(null),this.validIPAddresses));
	}

	public void onVHostInit(IVHost vhost){}
	public void onVHostShutdownComplete(IVHost vhost) {}
	public void onVHostShutdownStart(IVHost vhost) {}
}


This VHost listener allows an HTTPStreamerRequestValidator to be added, and this is where the actual checks take place. We have also set up a property named theWowzaGuruOriginIPAllowList. This allows you to set which IP addresses, comma separated, are allowed to connect for content.

The second class is OriginValidate:

package guru.thewowza.example.httporigin;

import java.util.ArrayList;
import java.util.List;

import org.apache.mina.common.ByteBuffer;
import com.wowza.wms.logging.WMSLogger;
import com.wowza.wms.server.RtmpRequestMessage;
import com.wowza.wms.vhost.HostPort;
import com.wowza.wms.vhost.IVHostHTTPStreamerRequestValidator;

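public class OriginValidate implements IVHostHTTPStreamerRequestValidator
{
	private List<String> ipAddresses = new ArrayList<String>();
	private WMSLogger Log = null;

	public OriginValidate ( WMSLogger log, String ipaddresslist )
	{
		this.Log = log;

		if ( ipaddresslist.length() > 0 )
		{
			try
			{
				String[] thisList = ipaddresslist.split(",");
				if ( thisList.length > 0 )
				{
					for (int c=0; c < thisList.length; c++ )
					{
						// Store the entry so validateHTTPStreamerRequest can match against it
						this.ipAddresses.add(thisList[c]);
						this.Log.info("guru.thewowza.example.httporigin.OriginValidate: Add IP: "+thisList[c]);
					}
				}
			} catch (Exception badList)
			{
				this.Log.error("guru.thewowza.example.httporigin.OriginValidate: Bad IP List Parse : "+badList.toString());
			}
		}
	}

	public boolean validateHTTPStreamerRequest(RtmpRequestMessage arg0,HostPort arg1, String arg2)
	{
		boolean thisEntry = this.ipAddresses.contains(arg0.getSessionInfo().getIpAddress());
		if ( !thisEntry )
		{
			// The statements of this branch are missing from the page. Going by the page's
			// description, the request is replaced with the one built by returnHeader;
			// the setBody call is an assumption.
			arg0.setBody(ByteBuffer.wrap(returnHeader(arg0).getBytes()));
		}
		return true;
	}

	// Rebuild the request with a Range header that asks for bytes 0-1 only
	public String returnHeader ( RtmpRequestMessage arg0)
	{
		String thisBody = new String(arg0.getBody().array());
		thisBody = thisBody.trim();
		thisBody+="\r\nRange: bytes=0-1\r\n";
		return thisBody;
	}
}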

This class checks where the request came from and alters the request if the client is not one of the IP addresses entered in the property. The validator still returns true, so the request is not refused: what it actually does is change the request to a 2 character range request (Range: bytes=0-1) if the IP address is not valid.
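OriginValidate matches the client address against the list by exact string comparison, so a network range cannot be expressed in the property. As an added example (not code from the original post or from Wowza), the stand-alone class below goes beyond that and matches IPv4 addresses and CIDR ranges numerically; the class name OriginAllowList and the sample addresses are assumptions, and anything that is not a valid IPv4 address is denied.

```java
import java.util.ArrayList;
import java.util.List;
// Added example: hypothetical helper, not part of the original module. IPv4 only.
public class OriginAllowList {
	private final List<long[]> ranges = new ArrayList<long[]>(); // each entry: {network, mask}

	public OriginAllowList(String list) {
		for (String entry : list.split(",")) {
			entry = entry.trim();
			if (entry.isEmpty()) continue;
			String[] parts = entry.split("/", 2);
			int bits = parts.length == 2 ? Integer.parseInt(parts[1].trim()) : 32;
			if (bits < 0 || bits > 32)
				throw new IllegalArgumentException("Bad prefix length: " + entry);
			long mask = (0xFFFFFFFFL << (32 - bits)) & 0xFFFFFFFFL;
			ranges.add(new long[] { toLong(parts[0].trim()) & mask, mask });
		}
	}

	// Strict dotted-quad parser: exactly four decimal octets, each 0..255.
	static long toLong(String ip) {
		String[] octets = ip.split("\\.", -1);
		if (octets.length != 4)
			throw new IllegalArgumentException("Not an IPv4 address: " + ip);
		long value = 0;
		for (String octet : octets) {
			if (!octet.matches("\\d{1,3}") || Integer.parseInt(octet) > 255)
				throw new IllegalArgumentException("Not an IPv4 address: " + ip);
			value = (value << 8) | Integer.parseInt(octet);
		}
		return value;
	}

	// Fails closed: anything that does not parse as IPv4 (null, IPv6, junk) is not allowed.
	public boolean isAllowed(String clientIp) {
		try {
			long addr = toLong(clientIp.trim());
			for (long[] range : ranges)
				if ((addr & range[1]) == range[0]) return true;
		} catch (RuntimeException notIPv4) { /* denied below */ }
		return false;
	}
	public static void main(String[] args) {
		// Constructed sample list (documentation address ranges); note the space after the comma.
		OriginAllowList allow = new OriginAllowList("192.0.2.10, 198.51.100.0/24");
		for (String ip : new String[] { "192.0.2.10", "198.51.100.77", "203.0.113.5", "::1" })
			System.out.println(ip + " allowed=" + allow.isAllowed(ip));
	}
}
```

In the validator, `isAllowed(arg0.getSessionInfo().getIpAddress())` would take the place of the `contains` lookup.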

To configure this module add the following to your Server.xml in the VHostListeners section


To set the allowed addresses, also add the following property to the end of the Properties section of Server.xml; its value can be a comma separated list of IP addresses


To download the ZIP file containing the jar file and source files please click here
