Direct connections configuration
The following configuration items define how Liberator handles direct connections with clients.
Liberator can accept direct persistent RTTP connections from StreamLink clients via TCP/IP, rather than via HTTP or HTTPS. The client connects to Liberator via a TCP/IP socket, and the Liberator streams data directly to the client across this connection. Direct connections can also use the Secure Sockets Layer (SSL) to provide greater security.
Liberator’s supplied with a built-in Config blade called DirectConnection that’s automatically activated when you install the Liberator (see Built-in blades). However, it only provides basic (non-secure) connectivity for direct connections. In the Caplin Platform Deployment Framework release 6.2 and later, Liberator has a built-in Config blade called DirectSSLConnection that implements secure direct connections using the OpenSSL implementation of SSL. To set up secure direct connections in a production environment, you’ll need to provide the appropriate certificate and key files, and set up or modify some of the direct SSL configuration items that are described on this page. For details of how to set up and modify both basic and secure direct connections using the DirectConnection and DirectSSLConnection blades, see How can I… Configure how Liberator handles direct client connections.
You may also need to set ssl-random-seed, which configures the seeding of the OpenSSL random number generator that the Liberator uses for direct secure and HTTPS connections.
- direct-interface
- direct-max-line-length
- direct-port
- direct-refuse-time
- direct-tcp-nodelay-off
- directssl-certificate
- directssl-cipher-list
- directssl-disable-renegotiation
- directssl-enable
- directssl-interface
- directssl-ssl-options
- directssl-passwordfile
- directssl-port
- directssl-privatekey
- ssl-random-seed
direct-interface
direct-interface specifies the network interfaces that Liberator listens on for direct connection requests.
In the Caplin Platform Deployment Framework, you use a configuration macro LIBERATOR${THIS_LEG}_DIRECTINTERFACE to specify Liberator’s direct-interface. See How can I… Configure how Liberator handles direct client connections and Configuration macros and items.
Syntax: direct-interface <space-separated-list-of-interface-ip-addresses>
Type: array of strings
Default value: [all available network interfaces]
direct-max-line-length
direct-max-line-length specifies the maximum number of bytes allowed in a single line of an RTTP message sent to Liberator through a direct connection.
Syntax: direct-max-line-length <max-length-in-bytes>
Type: integer
Default value: 65536
direct-port
direct-port specifies the network port that Liberator listens on for direct connection requests.
In the Caplin Platform Deployment Framework, you use a configuration macro LIBERATOR${THIS_LEG}_DIRECTPORT to specify Liberator’s direct-port. See How can I… Configure how Liberator handles direct client connections and Configuration macros and items.
Syntax: direct-port <network-port>
Type: integer
Default value: 15000
direct-refuse-time
direct-refuse-time specifies the time in seconds for Liberator to refuse new direct connections if no sockets are available.
Syntax: direct-refuse-time <time-in-seconds>
Type: float
Default value: 5.0 seconds
direct-tcp-nodelay-off
direct-tcp-nodelay-off specifies whether Liberator’s direct client connection sockets should have the TCP_NODELAY feature turned off. The default is FALSE, which means TCP_NODELAY is enabled. Setting this configuration item to TRUE disables TCP_NODELAY.
Syntax: direct-tcp-nodelay-off <boolean>
Type: boolean
Default value: FALSE (TCP_NODELAY is enabled)
directssl-certificate
directssl-certificate specifies the filename and directory path of the SSL (secure sockets layer) certificate used for direct connections. This file must be in PEM format. The directory path is optional and can be in relative or absolute format.
In the Caplin Platform Deployment Framework, a configuration macro The certificate filename and path set up by default in the Liberator supplied with the Framework is <Framework-root>/global_config/ssl/rttpd_https.pem. This certificate file is shared between HTTPS and Direct SSL connections. Liberator is supplied with an rttpd_https.pem file that’s automatically copied to <Framework-root>/global_config/ssl/ when you deploy the Liberator to the Framework, unless you’ve previously put your own version of this file in the directory.
Syntax: directssl-certificate <PEM-filename-and-path>
Type: string
Default value: cert.pem
The default filename for the certificate is the same as the private key’s default filename (default for directssl-privatekey) because both the certificate and the private key can be contained in the same file.
directssl-cipher-list
directssl-cipher-list specifies a colon-separated list of cipher strings. These cipher strings select, in preferred order, the various SSL ciphers (cryptographic algorithms) that Liberator can use for its direct SSL connections with clients. The ciphers are selected from the set available in the version of OpenSSL built into Liberator. The format of the cipher list is as defined for the cipherlist argument of the OpenSSL ciphers tool; for details see the OpenSSL 1.0.2 ciphers(1) manual page, which includes a list of the available cipher suite names. At run time, Liberator passes the cipher list as a control string to the OpenSSL 1.0.2 function SSL_CTX_set_cipher_list(); this function uses the control string to set up the list of available SSL ciphers.
Syntax: directssl-cipher-list <openSSL-ciphers(1)-cipherlist>
Type: string
Default value: DEFAULT (The default list of OpenSSL ciphers. This may vary according to the version of OpenSSL built into Liberator.)
Example:
directssl-cipher-list HIGH:MEDIUM
directssl-disable-renegotiation
directssl-disable-renegotiation, when set to TRUE, prevents clients from renegotiating their direct SSL connections. This protects against Denial of Service attacks involving repeated attempts to renegotiate.
Syntax: directssl-disable-renegotiation <boolean>
Type: boolean
Default value: FALSE (client renegotiation is allowed)
directssl-enable
directssl-enable switches on support for direct connections using SSL when set to TRUE.
Syntax: directssl-enable <boolean>
Type: boolean
Default value: FALSE (Direct connections via SSL not supported)
directssl-interface
directssl-interface specifies the network interfaces to listen on for direct connections using SSL.
In the Caplin Platform Deployment Framework, you use a configuration macro LIBERATOR${THIS_LEG}_DIRECTSSLINTERFACE to specify Liberator’s directssl-interface. See How can I… Configure how Liberator handles direct client connections and Configuration macros and items.
Syntax: directssl-interface <space-separated-list-of-interface-ip-addresses>
Type: array of strings
Default value: [all available network interfaces]
directssl-ssl-options
directssl-ssl-options specifies the levels of the SSL protocol that are supported for direct connections using SSL.
Syntax: directssl-ssl-options <supported-SSL-levels>
Type: string
Default value: SSL_OP_NO_SSLv2
Values accepted:
| Value | Meaning |
|---|---|
| | All SSL protocol levels are supported. |
| | The SSLv3 protocol is not supported. |
| | The SSLv2 protocol is not supported. |
| | The SSLv1 protocol is not supported. |
You can specify multiple values using the | operator, as in this example:
directssl-ssl-options SSL_OP_NO_TLSV1|SSL_OP_NO_SSLV2
SSL_OP_NO_TLSV1|SSL_OP_NO_SSLV2 means that all protocol levels are supported except SSLv1 and SSLv2.
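The following is an added example, not part of the original page and not Caplin code: a small audit of the direct SSL items described above (directssl-enable, directssl-disable-renegotiation, directssl-cipher-list and directssl-ssl-options), applied on top of the defaults this page documents. Assumptions: `#` starts a comment in the configuration file, an explicit directssl-ssl-options value replaces the default, and the value that refuses SSLv3 follows OpenSSL's SSL_OP_NO_SSLv3 name; the finding codes and the sample fragments are constructed for illustration.

```python
# Added example, not Caplin code. DEFAULTS are the defaults documented on this page.
DEFAULTS = {
    "directssl-enable": "FALSE",
    "directssl-disable-renegotiation": "FALSE",
    "directssl-cipher-list": "DEFAULT",
    "directssl-ssl-options": "SSL_OP_NO_SSLv2",
}

def effective_settings(config_text):
    """Overlay 'item value' lines on the documented defaults."""
    settings = dict(DEFAULTS)
    for raw in config_text.splitlines():
        # Assumption: '#' starts a comment and a later line overrides an earlier one.
        parts = raw.split("#", 1)[0].split(None, 1)
        if len(parts) == 2 and parts[0] in settings:
            settings[parts[0]] = parts[1].strip()
    return settings

def audit(config_text):
    """Return sorted finding codes (hypothetical names) for a config fragment."""
    s = effective_settings(config_text)
    if s["directssl-enable"].upper() != "TRUE":
        return ["direct-ssl-not-enabled"]  # direct connections are not using SSL
    findings = []
    if s["directssl-disable-renegotiation"].upper() != "TRUE":
        findings.append("client-renegotiation-allowed")
    if s["directssl-cipher-list"].upper() == "DEFAULT":
        findings.append("cipher-list-follows-openssl-build")
    # Assumption: an explicit value replaces the default. Names are compared
    # case-insensitively; the page writes both SSL_OP_NO_SSLv2 and SSL_OP_NO_SSLV2.
    options = {o.strip().upper() for o in s["directssl-ssl-options"].split("|")}
    if "SSL_OP_NO_SSLV2" not in options:
        findings.append("sslv2-accepted")
    if "SSL_OP_NO_SSLV3" not in options:  # assumed value name, taken from OpenSSL
        findings.append("sslv3-accepted")
    return sorted(findings)

# Constructed sample fragments; PAGE_EXAMPLE reuses the example values from this page.
PAGE_EXAMPLE = """directssl-enable TRUE
directssl-cipher-list HIGH:MEDIUM
directssl-ssl-options SSL_OP_NO_TLSV1|SSL_OP_NO_SSLV2"""
HARDENED = """directssl-enable TRUE
directssl-disable-renegotiation TRUE
directssl-cipher-list HIGH:!aNULL:!MD5   # explicit list instead of DEFAULT
directssl-ssl-options SSL_OP_NO_SSLv2|SSL_OP_NO_SSLv3"""

if __name__ == "__main__":
    for name, text in (("defaults", ""), ("page example", PAGE_EXAMPLE), ("hardened", HARDENED)):
        print(f"{name}: {audit(text) or 'no findings'}")
```

Run against the page's own example values, the audit reports that client renegotiation is still allowed and that SSLv3 is still accepted, because that example refuses TLSv1 and SSLv2 only.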
directssl-passwordfile
directssl-passwordfile specifies the filename and directory path of the file containing the SSL certificate passphrase used for direct connections. The directory path is optional and can be in relative or absolute format.
In the Caplin Platform Deployment Framework, a configuration macro SSLCERT_PATH is used to specify the directory path in the Liberator’s directssl-passwordfile setting. See Configuration macros and items. The password filename and path set up by default in the Liberator supplied with the Framework is <Framework-root>/global_config/ssl/rttpd_https.pwd. This password file is shared between HTTPS and Direct SSL connections. Liberator is supplied with an rttpd_https.pwd file that’s automatically copied to <Framework-root>/global_config/ssl/ when you deploy the Liberator to the Framework, unless you’ve previously put your own version of this file in the directory.
Syntax: directssl-passwordfile <password-filename-and-path>
Type: string
Default value: rttpd.directssl.pass
directssl-port
directssl-port specifies the network port that Liberator listens on for direct connection requests using SSL.
In the Caplin Platform Deployment Framework, you use a configuration macro LIBERATOR${THIS_LEG}_DIRECTSSLPORT to specify Liberator’s directssl-port. See How can I… Configure how Liberator handles direct client connections and Configuration macros and items.
Syntax: directssl-port <network-port>
Type: integer
Default value: 15001
directssl-privatekey
directssl-privatekey specifies the filename and directory path of the SSL (secure sockets layer) private key used for direct connections. This file must be in PEM format. The directory path is optional and can be in relative or absolute format.
In the Caplin Platform Deployment Framework, a configuration macro The key filename and path set up by default in the Liberator supplied with the Framework is <Framework-root>/global_config/ssl/rttpd_https.key. This private key file is shared between HTTPS and Direct SSL connections. Liberator is supplied with an rttpd_https.key file that’s automatically copied to <Framework-root>/global_config/ssl/ when you deploy the Liberator to the Framework, unless you’ve previously put your own version of this file in the directory.
Syntax: directssl-privatekey <private-key-filename-and-path>
Type: string
Default value: cert.pem
The default filename for the private key is the same as the certificate’s default filename (default for directssl-certificate) because both the certificate and the private key can be contained in the same file.
ssl-random-seed
See also:
- How can I… Configure how Liberator handles direct client connections
- Reference: HTTP configuration
- Reference: HTTPS configuration