Part7 - HLS Streaming over HTTPS

If you need to stream HLS on your website over https, first we need to make sure nginx works with https. I have a pfx certificate and 2 intermediate certificates from GlobalSign for my domain. I need to generate a crt certificate and a private key from that pfx file, so I will use OpenSSL to export and convert my certificate. Let's do this step by step.

Download OpenSSL from https://indy.fulgan.com/SSL/

Extract the OpenSSL folder to C:\ and name the folder openssl.

Run OpenSSL from a Command Prompt opened as Administrator.

1. Take the file you exported (e.g. certname.pfx) and copy it to a system where you have OpenSSL installed. Note: the *.pfx file is in PKCS#12 format and includes both the certificate and the private key.

 

2. Run the following command to export the private key. (This will generate key.pem. With -nodes the key is written unencrypted, so keep the file private.)

openssl pkcs12 -in certname.pfx -nocerts -out key.pem -nodes

 

3. Run the following command to remove the passphrase from the private key: (This will generate server.key)

openssl rsa -in key.pem -out server.key

 

4. Run the following command to convert the certificate from pfx to crt. (This will generate certificate.crt)

openssl pkcs12 -in certname.pfx -clcerts -nokeys -out certificate.crt

Rename the server.key file as stream.yourdomain.key,

the certificate.crt file as stream.yourdomain.crt,

intermediatecert_R3.crt as stream.yourdomain_R3.crt and

intermediatecert_R1.crt as stream.yourdomain_R1.crt.

 

 

Open a terminal and switch to the root user.

Create a new folder for the new certificate:

cd /etc/ssl

mkdir stream.yourdomain.com

Copy all those crt and key files to the folder /etc/ssl/stream.yourdomain.com.

Those 4 files are now in the /etc/ssl/stream.yourdomain.com folder.

We need to concatenate stream.yourdomain.crt, stream.yourdomain_R1.crt and stream.yourdomain_R3.crt into a bundle (name it streambundle.crt). The server certificate has to come first in the file, followed by the intermediates. Run the commands below:

cd /etc/ssl/stream.yourdomain.com/

cat stream.yourdomain.crt stream.yourdomain_R1.crt stream.yourdomain_R3.crt > streambundle.crt

Copy the bundle cert and the private key to their respective folders:

cp stream.yourdomain.key /etc/ssl/private

cp streambundle.crt /etc/ssl/certs

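The key exported in step 3 has no passphrase. If the key you copied is still passphrase-protected, run the following command to remove the passphrase so that you do not have to enter it every time you restart nginx. Because the key is then stored unencrypted, keep it readable by root only.

openssl rsa -in /etc/ssl/private/stream.yourdomain.key -out /etc/ssl/private/stream.yourdomain.key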
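Before nginx is pointed at these files, it helps to confirm that the key belongs to the first certificate in the bundle and that the bundle lists each certificate before its issuer; the script below is an added example, not part of the original post, and the ordering check goes slightly beyond the steps above. The function names and the throwaway demo chain it builds (Demo Root, Demo int, Demo leaf) are assumptions made for illustration.

```bash
# Added example (not from the original post). Function bodies are subshells,
# so "exit" only leaves the function and variables stay local.

# True when KEY matches the FIRST certificate in BUNDLE, the pairing nginx
# expects. A passphrase-protected key fails here instead of prompting.
key_matches_cert() (  # usage: key_matches_cert KEY BUNDLE
    k=$(openssl pkey -in "$1" -passin pass: -pubout 2>/dev/null) || exit 2
    c=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || exit 2
    [ "$k" = "$c" ]
)

# True when every certificate after the first has the subject that the one
# before it names as issuer (name chaining only, no signature check).
bundle_in_order() (  # usage: bundle_in_order BUNDLE
    n=0 pem="" prev=""
    while IFS= read -r line || [ -n "$line" ]; do
        pem="$pem$line
"
        case $line in *"END CERTIFICATE"*)
            subj=$(printf '%s' "$pem" | openssl x509 -noout -subject -nameopt RFC2253) || exit 2
            iss=$(printf '%s' "$pem" | openssl x509 -noout -issuer -nameopt RFC2253) || exit 2
            [ "$n" -eq 0 ] || [ "${subj#subject=}" = "$prev" ] || exit 1
            prev=${iss#issuer=} n=$((n + 1)) pem="" ;;
        esac
    done < "$1"
    [ "$n" -gt 0 ]
)

# Builds a constructed, throwaway root -> intermediate -> leaf chain in DIR.
make_demo() (  # usage: make_demo DIR
    cd "$1" || exit 2
    echo 'basicConstraints=critical,CA:TRUE' > ca.ext
    openssl req -x509 -newkey rsa:2048 -nodes -keyout root.key -out root.crt \
        -subj '/CN=Demo Root' -days 2 2>/dev/null || exit 2
    for who in int leaf; do
        openssl req -newkey rsa:2048 -nodes -keyout $who.key -out $who.csr \
            -subj "/CN=Demo $who" 2>/dev/null || exit 2
    done
    openssl x509 -req -in int.csr -CA root.crt -CAkey root.key -CAcreateserial \
        -extfile ca.ext -out int.crt -days 2 2>/dev/null || exit 2
    openssl x509 -req -in leaf.csr -CA int.crt -CAkey int.key -CAcreateserial \
        -out leaf.crt -days 2 2>/dev/null
)

d=$(mktemp -d) && make_demo "$d"
cat "$d/leaf.crt" "$d/int.crt" > "$d/streambundle.crt"   # leaf first, then intermediate
key_matches_cert "$d/leaf.key" "$d/streambundle.crt" && echo "key matches first certificate"
bundle_in_order "$d/streambundle.crt" && echo "bundle order ok"
rm -rf "$d"
```

On the server, call the two functions with /etc/ssl/private/stream.yourdomain.key and /etc/ssl/certs/streambundle.crt instead of the demo files.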

  

Then modify nginx.conf and change the https part:

# HTTPS server
server {
    listen       443 ssl;   # "ssl" on the listen line enables TLS; the deprecated "ssl on;" line is not needed
    server_name  servername.yourdomain.com;
    ssl_certificate      /etc/ssl/certs/streambundle.crt;
    ssl_certificate_key  /etc/ssl/private/stream.yourdomain.key;
    ssl_session_cache    shared:SSL:1m;
    ssl_session_timeout  5m;
    ssl_ciphers  HIGH:!aNULL:!MD5;
    ssl_prefer_server_ciphers  on;

    location / {
        root   html;
        index  index.html index.htm;
    }
}

 

Save it.

sudo service nginx restart
sudo ufw allow 443

 

 

 

Then use your browser to check that you can reach the web site at https://servername.yourdomain.com

Now https works with Nginx, but we need to add the hls part to the https portion of nginx.conf.

http and https can work at the same time, so just modify the https portion as below.

server {
    listen       443 ssl;   # "ssl" on the listen line enables TLS; the deprecated "ssl on;" line is not needed
    server_name  servername.yourdomain.com;
    # same bundle and key as created in the steps above
    ssl_certificate      /etc/ssl/certs/streambundle.crt;
    ssl_certificate_key  /etc/ssl/private/stream.yourdomain.key;

    ssl_session_cache    shared:SSL:1m;
    ssl_session_timeout  5m;

    ssl_ciphers  HIGH:!aNULL:!MD5;
    ssl_prefer_server_ciphers  on;

    location /hls {
        # Serve HLS fragments
        types {
            application/vnd.apple.mpegurl m3u8;
            video/mp2t ts;
        }
        root /tmp/;    # playlists and segments are read from /tmp/hls
        add_header Cache-Control no-cache;
        # "*" lets any site load the stream; put your player's origin here to restrict it
        add_header 'Access-Control-Allow-Origin' '*';
    }

    location / {
        root   html;
        index  index.html index.htm;
    }
}

 

 

You can now change the source address on your videojs player and watch your hls stream over https by using the url below.

https://yourdomain/hls/streamkey.m3u8

Enjoy it :)