Direct connections configuration
The following configuration items define how Liberator handles direct connections from StreamLink clients as opposed to StreamLink connections tunnelled over HTTP, HTTPS, and WebSocket protocols.
Direct connections are supported by all StreamLink libraries except for StreamLink JS. For more information on connection types, see StreamLink connection types.
To enable support for direct connections over SSL, see Configure how Liberator handles direct client connections.
- direct-interface
- direct-max-line-length
- direct-port
- direct-refuse-time
- direct-tcp-nodelay-off
- directssl-certificate
- directssl-cipher-list
- directssl-dhparams
- directssl-disable-renegotiation
- directssl-enable
- directssl-interface
- directssl-ssl-options
- directssl-passwordfile
- directssl-port
- directssl-privatekey
- ssl-random-seed
direct-interface
direct-interface specifies the network interfaces that Liberator listens on for direct connection requests.
This configuration item supports IPv6 addresses from version 7 of Liberator, and multiple address wildcards from version 7.0.2.
| Configuration | Liberator 6.2 | Liberator 7.0 |
|---|---|---|
|
Default. A single IPv4 server socket that listens on all IPv4 interface addresses. |
Default. A single IPv6 server socket that accepts IPv4-mapped addresses and that listens on all IPv6 and IPv4 interface addresses. |
|
A single IPv4 server socket that listens on all IPv4 interface addresses. |
A single IPv6 server socket that accepts IPv4-mapped addresses and that listens on all IPv6 and IPv4 interface addresses. |
|
A single IPv4 server socket that listens on all IPv4 interface addresses. |
A single IPv4 server socket that listens on all IPv4 interface addresses. |
|
Not supported |
A single IPv6 server socket that listens on all IPv6 interface addresses. |
|
Not supported |
A single IPv4 server socket that listens on all IPv4 interface addresses, and a single IPv6 server socket that listens on all IPv6 interface addresses. Supported from Liberator 7.0.2 |
|
Not supported |
A single IPv6 server socket that listens on all IPv6 interface addresses, and a single IPv4 server socket that listens on all IPv4 interface addresses. Supported from Liberator 7.0.2 |
|
In the Caplin Platform Deployment Framework, you use a configuration variable Variables cannot be assigned multiple values. To create more than one direct interface, assign one address to the macro and assign all additional addresses to new |
Syntax: direct-interface <interface address> …
Type: array of strings
Default value: [all available network interfaces]
direct-max-line-length
direct-max-line-length specifies the maximum number of bytes allowed in a single line of an RTTP message sent to Liberator through a direct connection.
Syntax: direct-max-line-length <max-length-in-bytes>
Type: integer
Default value: 65536
direct-port
direct-port specifies the network port that Liberator listens on for direct connection requests.
In the Caplin Platform Deployment Framework, you use a configuration macro LIBERATOR${THIS_LEG}_DIRECTPORT to specify Liberator’s direct-port. See How can I … Configure how Liberator handles direct client connections and Configuration macros and items.
|
Syntax: direct-port <network-port>
Type: integer
Default value: 15000
direct-refuse-time
direct-refuse-time specifies the time in seconds for Liberator to refuse new direct connections if no sockets are available.
Syntax: direct-refuse-time <time-in-seconds>
Type: float
Default value: 5.0 seconds
direct-tcp-nodelay-off
direct-tcp-nodelay-off specifies whether Liberator’s direct client connection sockets should have the TCP_NODELAY feature turned off. The default is FALSE, which means TCP_NODELAY is enabled. Setting this configuration item to TRUE disables TCP_NODELAY.
Syntax: direct-tcp-nodelay-off <boolean>
Type: boolean
Default value: FALSE (TCP_NODELAY is enabled)
directssl-certificate
directssl-certificate specifies the filename and directory path of the SSL (secure sockets layer) certificate used for direct connections. This file must be in PEM format. The directory path is optional and can be in relative or absolute format.
For more information on setting directssl-certificate, see Installing keys and certificates.
The default filename for the certificate is the same as the private key’s default filename (default for directssl-privatekey) because both the certificate and the private key can be contained in the same file.
Syntax: directssl-certificate <PEM-filename-and-path>
Type: string
Default value: cert.pem
directssl-cipher-list
directssl-cipher-list configures the SSL/TLS ciphers supported by Liberator’s direct SSL interface.
Configure this item in conjunction with directssl-ssl-options (SSL/TLS protocol versions) and directssl-dhparams (required for DHE ciphers).
| The default TLS configuration is not a security recommendation and is not updated regularly. Review the values for directssl-cipher-list, directssl-ssl-options, and directssl-dhparams for compliance with your security policy before deploying Liberator to production, and review regularly thereafter. |
For detailed information on how to set SSL/TLS protocols and ciphers for Liberator’s direct SSL interface, see Configuring support for SSL/TLS protocols and ciphers.
Syntax: directssl-cipher-list <openssl-cipher-list>
Type: string
Default:
-
Liberator 7.1.5:
ECDHE:DHE:!SSLv3:!SSLv2:@STRENGTHDHE ciphers require a Diffie-Hellman (DH) parameter file. See directssl-dhparams. -
Liberator 7.0:
DEFAULT:!RC4-SHA:!RC4-MD5:!DES-CBC3-SHA -
Liberator 6.0:
DEFAULT
Examples: See Example SSL/TLS protocol and cipher configuration.
directssl-dhparams
directssl-dhparams specifies the path to a Diffie-Hellman parameter file, which is required by ephemeral Diffie-Hellman ciphers (DHE).
Configure this item in conjunction with directssl-ssl-options (SSL/TLS protocol versions) and directssl-cipher-list (SSL/TLS ciphers).
| The default TLS configuration is not a security recommendation and is not updated regularly. Review the values for directssl-cipher-list, directssl-ssl-options, and directssl-dhparams for compliance with your security policy before deploying Liberator to production, and review regularly thereafter. |
For instructions on how to generate a Diffie-Helmman (DH) parameters file, see Generating a Diffie-Hellman parameters file for DHE ciphers.
Availability: Liberator 6.2.14+, Liberator 7.0.1+
Syntax: directssl-dhparams <filepath>
Type: string
Default value: <empty string>
Example:
directssl-dhparams ${SSLCERT_PATH}/rttpd-dhparam-2048.pem
directssl-disable-renegotiation
directssl-disable-renegotiation when set to TRUE, prevents clients from renegotiating their direct SSL connections. This protects against Denial of Service attacks involving repeated attempts to renegotiate.
Syntax: directssl-disable-renegotiation <boolean>
Type: boolean
Default value: FALSE (client renegotiation is allowed)
directssl-enable
directssl-enable switches on support for direct connections using SSL when set to TRUE.
Syntax: directssl-enable <boolean>
Type: boolean
Default value: FALSE (Direct connections via SSL not supported)
directssl-interface
directssl-interface specifies the network interfaces to listen on for direct connections using SSL.
For a Liberator deployed within a Caplin Deployment Framework, directssl-interface is normally set indirectly by specifying a value for the Deployment Framework configuration macro LIBERATOR${THIS_LEG}_DIRECTSSLINTERFACE. Only one HTTPS interface can be specified in the variable; to add extra interfaces, append new directssl-interface items to the configuration override file <Framework-root>/global_config/overrides/servers/Liberator/etc/rttpd.conf.
This configuration item supports IPv6 addresses from version 7 of Liberator, and multiple address wildcards from version 7.0.2.
Syntax: directssl-interface <ip-addresses> …
Type: array of strings
Default value: [all available network interfaces]
directssl-ssl-options
directssl-ssl-options configures the SSL/TLS protocols accepted by Liberator’s direct SSL interface.
Configure this item in conjunction with directssl-cipher-list (SSL/TLS ciphers) and directssl-dhparams (required for DHE ciphers).
| The default TLS configuration is not a security recommendation and is not updated regularly. Review the values for directssl-cipher-list, directssl-ssl-options, and directssl-dhparams for compliance with your security policy before deploying Liberator to production, and review regularly thereafter. |
Use directssl-ssl-options to disable support for older versions of SSL, and to enable workarounds for known bugs in client implementations of SSL.
This configuration item takes one parameter: a pipe-separated list of OpenSSL options from the table below.
| Option | Description |
|---|---|
|
Enable all of OpenSSL’s workarounds for known bugs in client implementations of SSL. For the full list of workarounds enabled by this option, see SSL_CTX_set_options on the OpenSSL website. |
|
Disable support for SSL 2 |
|
Disable support for SSL 3 |
|
Disable support for TLS 1 |
|
Disable support for TLS 1.1. Available from Liberator 7.1.3. |
|
Disable support for TLS 1.2. Available from Liberator 7.1.3. |
|
Disable support for TLS 1.3. Available from Liberator 7.1.5. |
For a detailed information on how to set SSL/TLS protocols and ciphers for Liberator’s direct SSL interface, see Configuring support for SSL/TLS protocols and ciphers.
Syntax: directssl-ssl-options <option>[|<option>]…
Type: string
Default value:
-
Liberator 7.1.5:
SSL_OP_NO_SSLv2|SSL_OP_NO_SSLv3This option string supports older browser versions by retaining support for TLS 1.0 and TLS 1.1, two protocols that in June 2008 the IETF recommended for deprecation. Review this configuration for compliance with your security policy before deploying to production. For an example of configuration restricted to modern direct clients only, see Example 1: modern direct clients. -
Liberator 7.0:
SSL_OP_NO_SSLv2|SSL_OP_NO_SSLv3|SSL_OP_NO_TLSv1 -
Liberator 6.0:
SSL_OP_NO_SSLv2
Examples: See Example SSL/TLS protocol and cipher configuration
directssl-passwordfile
directssl-passwordfile specifies the filename and directory path of the file containing the passphrase for the encrypted SSL/TLS key used for direct connections. The directory path is optional and can be in relative or absolute format.
If the TLS key is unencrypted, then the password file must be empty.
From Liberator 7.1.9: If the TLS key is unencrypted and you don’t want to deploy an empty password file, then set the configuration variable DIRECTSSL_PASSWORD_FILE_REQUIRED to NO in the Deployment Framework file global_config/environment.conf.
For information on setting directssl-passwordfile, see Installing keys and certificates.
Syntax: directssl-passwordfile <password-filename-and-path>
Type: string
Default value: rttpd.directssl.pass
directssl-port
directssl-port specifies the network port that Liberator listens on for direct connection requests using SSL.
In the Caplin Platform Deployment Framework, you use a configuration variable LIBERATOR${THIS_LEG}_DIRECTSSLPORT to specify Liberator’s directssl-port. See How can I … Configure how Liberator handles direct client connections and Configuration macros and items.
|
Syntax: directssl-port <network-port>
Type: integer
Default value: 15001
directssl-privatekey
directssl-privatekey specifies the filename and directory path of the SSL (secure sockets layer) private key used for direct connections. This file must be in PEM format. The directory path is optional and can be in relative or absolute format.
For information on setting the private key, see Installing keys and certificates.
The default filename for the private key is the same as the certificate’s default filename (default for directssl-certificate) because both the certificate and the private key can be contained in the same file.
Syntax: directssl-privatekey <private-key-filename-and-path>
Type: string
Default value: cert.pem
ssl-random-seed
See also:
-
How can I… Configure how Liberator handles direct client connections
-
Reference: HTTP configuration
-
Reference: HTTPS configuration