MOQ Installation
Prerequisites
- Red5 Pro Server with MOQ plugin support (see release notes for the minimum version)
- Java 21 or later
- UDP port
4433open in your firewall (default QUIC port for MOQ and WebTransport) - A valid TLS certificate for production deployments (see TLS Certificates below)
Standard Installation
The moq-plugin ships with Red5 Pro Server distributions that include MOQ support.
The plugin is enabled by default (enable=true in conf/moq-plugin.properties). To disable it without uninstalling, set enable=false and restart.
TLS Certificates
MOQ and WebTransport require TLS. The plugin auto-generates a self-signed certificate at startup if no certificate paths are configured. For production, provide your own certificate:
# conf/moq-plugin.properties
server.cert.file=/etc/letsencrypt/live/your-domain.com/fullchain.pem
server.key.file=/etc/letsencrypt/live/your-domain.com/privkey.pem
Accepted private key formats: PKCS#8, traditional RSA/EC, or encrypted PKCS#8 (PEM-encoded).
Local Development Certificate
For local testing, a helper script generates a self-signed certificate and prints the certificate hash needed for browser client pinning:
cd moq-plugin
chmod +x create-local-tls.sh
./create-local-tls.sh
The certificate hash is also printed to the server console at startup in multiple formats (Uint8Array, hex, compact hex). Use it in the certHash field of the test client page.
Verifying the Installation
After startup, these log lines confirm the relay is running and accepting connections:
INFO o.r.s.n.p.PicoquicMoqBridge - Picoquic session established: sessionId=1, type=webtransport, path=/moq
INFO o.r.s.n.p.PicoquicMoqBridge - Picoquic-MoQ bridge created: picoquicSessionId=1, moqSessionId=picoquic-1, type=webtransport
INFO o.r.s.n.p.PicoquicMoqBridge - WebTransport connection: stream 4 will be control stream
If the plugin fails to start, see Troubleshooting.