Configure Red5 Pro to run with SSL
This configuration of Red5 Pro assumes that you want to handle HTTPS on the standard port of 443; by default the Red5 server is configured to use 5080 and 5443 for HTTP and HTTPS. The port configuration used in the examples is not the only available option and any open ports may be used, but using the standard port prevents the need to specify an alternative when making HTTPS connections.
Red5 Server Properties
The red5.properties file is located in the conf directory where you installed Red5 Pro.
Define the HTTP and HTTPS ports
- Open the file and change the https.port as shown below (note: you can modify the default HTTP port if you wish, but we recommend leaving it at the default 5080, as there is generally no reason to access Red5 Pro via HTTP):
Original:
http.port=5080
https.port=5443
Modified:
http.port=5080
https.port=443
Modify location and password for your keystore and truststore files
- Scroll down and locate the rtmps.keystorepass property. Modify the following four properties as shown to match your selected password and the paths to your keystore.jks and truststore.jks files:
Original:
rtmps.keystorepass=password
rtmps.keystorefile=conf/keystore.jks
rtmps.truststorepass=password
rtmps.truststorefile=conf/truststore.jks
Modified:
rtmps.keystorepass=changeit
rtmps.keystorefile=/etc/letsencrypt/live/ssl.example.com/keystore.jks
rtmps.truststorepass=changeit
rtmps.truststorefile=/etc/letsencrypt/live/ssl.example.com/truststore.jks
Windows SSL Configuration
NOTE: on Windows you must still use forward slashes (Linux-style path syntax), so the configuration should look like this:
rtmps.keystorepass=changeit
rtmps.keystorefile=C:/Users/letsencrypt/live/ssl.example.com/keystore.jks
rtmps.truststorepass=changeit
rtmps.truststorefile=C:/Users/letsencrypt/live/ssl.example.com/truststore.jks
Define secure WebSocket port (for builds before version 5.4.0)
If you are running a version of Red5 Pro earlier than 5.4.0, then you must define the secure WebSocket port. As of release 5.4.0, WebSockets automatically use the same ports as HTTP/HTTPS, so they do not need to be defined separately in the red5.properties file.
- The first step is to decide which port you'll be using for your wss connections. We suggest using 8083 if you're using 8081 for regular WebSocket connections (if you are using a build earlier than 5.4.0, then ports 8081/8083 are hard coded into the front end). This is only a suggestion, as there is no "standard" or IETF-specified port that must be used at this time. Scroll down to locate the WebSocket section:
# WebSocket
ws.host=0.0.0.0
ws.port=8081
Add the two lines for wss as shown and then save the file:
# WebSocket
ws.host=0.0.0.0
ws.port=8081
wss.host=0.0.0.0
wss.port=8083
- Save and close the red5.properties file.
JEE Container Configuration
The jee-container.xml file is also located in the conf directory along with the red5.properties file.
- Comment out the <!-- Non-secured transports for HTTP and WS --> section (Tomcat without SSL enabled).
- Uncomment the <!-- Secure transports for HTTPS and WSS --> section.
- Start or restart Red5 Pro.
Secure RTMP
RTMPS
NOTE: NOT necessary for WebRTC
To enable RTMPS, we need to first open the red5-core.xml file located in the red5pro/conf directory. Once you have it in your editor, scroll down to the section shown below and uncomment the rtmpsMinaIoHandler and rtmpsTransport beans:
<!-- RTMPS -->
<!-- Notes to self:
https://www.openssl.org/docs/apps/ciphers.html#TLS-v1.2-cipher-suites
https://www.sslshopper.com/article-how-to-disable-weak-ciphers-and-ssl-2-in-tomcat.html
<bean id="rtmpsMinaIoHandler" class="org.red5.server.net.rtmps.RTMPSMinaIoHandler">
    <property name="handler" ref="rtmpHandler" />
    <property name="keystorePassword" value="${rtmps.keystorepass}" />
    <property name="keystoreFile" value="${rtmps.keystorefile}" />
    <property name="truststorePassword" value="${rtmps.truststorepass}" />
    <property name="truststoreFile" value="${rtmps.truststorefile}" />
    <property name="cipherSuites">
        <array>
            <value>TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256</value>
            <value>TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA</value>
            <value>TLS_ECDHE_RSA_WITH_RC4_128_SHA</value>
            <value>TLS_RSA_WITH_AES_128_CBC_SHA256</value>
            <value>TLS_RSA_WITH_AES_128_CBC_SHA</value>
            <value>SSL_RSA_WITH_RC4_128_SHA</value>
        </array>
    </property>
    <property name="protocols">
        <array>
            <value>TLSv1</value>
            <value>TLSv1.1</value>
            <value>TLSv1.2</value>
        </array>
    </property>
</bean>
<bean id="rtmpsTransport" class="org.red5.server.net.rtmp.RTMPMinaTransport" init-method="start" destroy-method="stop">
    <property name="ioHandler" ref="rtmpsMinaIoHandler" />
    <property name="addresses">
        <list>
            <value>${rtmps.host}:${rtmps.port}</value>
        </list>
    </property>
    <property name="ioThreads" value="${rtmp.io_threads}" />
    <property name="tcpNoDelay" value="${rtmp.tcp_nodelay}" />
</bean>
-->
<!-- Enable when you need it. - - >
<bean id="rtmpProxyTransport" class="org.red5.server.net.rtmp.RTMPMinaTransport" init-method="start" destroy-method="stop">
    <property name="ioHandler" ref="debugProxyIoHandler" />
    <property name="address" value="${proxy.source_host}" />
    <property name="port" value="${proxy.source_port}" />
    <property name="ioThreads" value="${rtmp.io_threads}" />
    <property name="tcpNoDelay" value="${rtmp.tcp_nodelay}" />
</bean>
<bean id="debugProxyIoHandler" class="org.red5.server.net.proxy.DebugProxyHandler">
    <property name="codecFactory" ref="rtmpCodecFactory" />
    <property name="forward" value="${proxy.destination_host}:${proxy.destination_port}" />
    <property name="dumpTo" value="./webapps/dump/" />
</bean>
-->
Any properties that you may want to change are once again located in the red5.properties file, in the section labeled RTMPS. RTMPS will be available on port 8443 if you are using the defaults. To use RTMPS in your Flash client, just ensure that you supply the port in the URI, like so:
// Create the connection and use AMF3 object encoding
nc = new NetConnection();
nc.objectEncoding = ObjectEncoding.AMF3;
nc.client = this; // this object receives the server's callbacks
nc.proxyType = "best";
nc.addEventListener(NetStatusEvent.NET_STATUS, nc.client.onStatus);
// rtmps:// scheme plus the explicit RTMPS port (8443 by default)
var uri:String = "rtmps://ssl.example.com:8443/live";
nc.connect(uri, null);
Set up RTMPS in your red5/conf/red5-core.xml. You may notice that some of the RTMP variables are used here; that is only for ease of setup, and you could set them to whatever you prefer.
<bean id="rtmpsMinaIoHandler" class="org.red5.server.net.rtmps.RTMPSMinaIoHandler">
    <property name="handler" ref="rtmpHandler" />
    <property name="keystorePassword" value="${rtmps.keystorepass}" />
    <property name="keystoreFile" value="${rtmps.keystorefile}" />
    <property name="truststorePassword" value="${rtmps.truststorepass}" />
    <property name="truststoreFile" value="${rtmps.truststorefile}" />
    <property name="cipherSuites">
        <array>
            <value>TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256</value>
            <value>TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA</value>
            <value>TLS_ECDHE_RSA_WITH_RC4_128_SHA</value>
            <value>TLS_RSA_WITH_AES_128_CBC_SHA256</value>
            <value>TLS_RSA_WITH_AES_128_CBC_SHA</value>
            <value>SSL_RSA_WITH_RC4_128_SHA</value>
        </array>
    </property>
    <property name="protocols">
        <array>
            <value>TLSv1</value>
            <value>TLSv1.1</value>
            <value>TLSv1.2</value>
        </array>
    </property>
</bean>
<bean id="rtmpsTransport" class="org.red5.server.net.rtmp.RTMPMinaTransport" init-method="start" destroy-method="stop">
    <property name="ioHandler" ref="rtmpsMinaIoHandler" />
    <property name="addresses">
        <list>
            <value>${rtmps.host}:${rtmps.port}</value>
        </list>
    </property>
    <property name="ioThreads" value="${rtmp.io_threads}" />
    <property name="tcpNoDelay" value="${rtmp.tcp_nodelay}" />
</bean>
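As an added check for the cipherSuites and protocols arrays shown in both red5-core.xml listings above (example code written for this page, not part of Red5 Pro), the script below parses the rtmpsMinaIoHandler bean and reports which entries a current deployment should drop before exposing the RTMPS port. The sample XML is constructed from the bean above, and the classification rules (RC4, non-ephemeral key exchange, CBC mode, anything below TLSv1.2) are the script's own.

```python
"""Audit the RTMPS cipher suites and protocol versions in red5-core.xml."""
import xml.etree.ElementTree as ET

# Constructed sample: the rtmpsMinaIoHandler bean from the listing above,
# wrapped in a root element so that the fragment parses on its own.
SAMPLE_XML = """<beans>
<bean id="rtmpsMinaIoHandler" class="org.red5.server.net.rtmps.RTMPSMinaIoHandler">
  <property name="cipherSuites"><array>
    <value>TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256</value>
    <value>TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA</value>
    <value>TLS_ECDHE_RSA_WITH_RC4_128_SHA</value>
    <value>TLS_RSA_WITH_AES_128_CBC_SHA256</value>
    <value>TLS_RSA_WITH_AES_128_CBC_SHA</value>
    <value>SSL_RSA_WITH_RC4_128_SHA</value>
  </array></property>
  <property name="protocols"><array>
    <value>TLSv1</value><value>TLSv1.1</value><value>TLSv1.2</value></array></property>
</bean></beans>"""

ALLOWED_PROTOCOLS = {"TLSv1.2", "TLSv1.3"}

def weak_reasons(suite):
    """Reasons to drop a JSSE cipher-suite name; an empty list means keep it."""
    reasons = []
    if "RC4" in suite:
        reasons.append("RC4 stream cipher (prohibited by RFC 7465)")
    if not suite.startswith(("TLS_ECDHE_", "TLS_DHE_")):
        reasons.append("static RSA key exchange, no forward secrecy")
    if "_CBC_" in suite:
        reasons.append("CBC mode instead of an AEAD mode")
    return reasons

def audit(xml_text, bean_id="rtmpsMinaIoHandler"):
    """Return suites to drop (with reasons), suites to keep, and protocols outside ALLOWED_PROTOCOLS."""
    bean = ET.fromstring(xml_text).find(f"./bean[@id='{bean_id}']")
    if bean is None:
        raise ValueError(f"bean {bean_id!r} not found")
    def values(prop):
        path = f"./property[@name='{prop}']/array/value"
        return [v.text.strip() for v in bean.findall(path)]
    suites = values("cipherSuites")
    drop = {s: weak_reasons(s) for s in suites if weak_reasons(s)}
    keep = [s for s in suites if s not in drop]
    bad_protocols = [p for p in values("protocols") if p not in ALLOWED_PROTOCOLS]
    return {"drop": drop, "keep": keep, "weak_protocols": bad_protocols}

if __name__ == "__main__":
    r = audit(SAMPLE_XML)
    print("drop:", r["drop"], "\nkeep:", r["keep"], "\ndisable:", r["weak_protocols"])
```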
Enabling all these beans/configs should provide your users with SSL secured connections, making the web just a little bit safer for us all.
The final step is to start or restart your Red5 Pro server.
Here are some more details on RTMPS and Red5 (open source).
RTMPE
RTMPE does not require any server modification and runs on the default RTMP port 1935.