Direct connections configuration
The following configuration items define how Liberator handles direct connections from StreamLink clients as opposed to StreamLink connections tunnelled over HTTP, HTTPS, and WebSocket protocols.
Direct connections are supported by all StreamLink libraries except for StreamLink JS. For more information on connection types, see StreamLink connection types.
To enable support for direct connections over SSL, see Configure how Liberator handles direct client connections.
- direct-interface
- direct-max-line-length
- direct-port
- direct-refuse-time
- direct-tcp-nodelay-off
- directssl-certificate
- directssl-cipher-list
- directssl-dhparams
- directssl-disable-renegotiation
- directssl-enable
- directssl-interface
- directssl-log-hello-ciphers
- directssl-ssl-options
- directssl-passwordfile
- directssl-port
- directssl-privatekey
- ssl-random-seed
direct-interface
direct-interface specifies the network interfaces that Liberator listens on for direct connection requests.
This configuration item supports IPv6 addresses from version 7 of Liberator, and multiple address wildcards from version 7.0.2.
| Configuration | Liberator 6.2 | Liberator 7.0 |
|---|---|---|
| | Default. A single IPv4 server socket that listens on all IPv4 interface addresses. | Default. A single IPv6 server socket that accepts IPv4-mapped addresses and that listens on all IPv6 and IPv4 interface addresses. |
| | A single IPv4 server socket that listens on all IPv4 interface addresses. | A single IPv6 server socket that accepts IPv4-mapped addresses and that listens on all IPv6 and IPv4 interface addresses. |
| | A single IPv4 server socket that listens on all IPv4 interface addresses. | A single IPv4 server socket that listens on all IPv4 interface addresses. |
| | Not supported | A single IPv6 server socket that listens on all IPv6 interface addresses. |
| | Not supported | A single IPv4 server socket that listens on all IPv4 interface addresses, and a single IPv6 server socket that listens on all IPv6 interface addresses. Supported from Liberator 7.0.2. |
| | Not supported | A single IPv6 server socket that listens on all IPv6 interface addresses, and a single IPv4 server socket that listens on all IPv4 interface addresses. Supported from Liberator 7.0.2. |
In the Caplin Platform Deployment Framework, you set this item through a configuration variable. Variables cannot be assigned multiple values. To create more than one direct interface, assign one address to the macro and assign all additional addresses to new direct-interface items.
Syntax: direct-interface <interface address> …
Type: array of strings
Default value: [all available network interfaces]
direct-max-line-length
direct-max-line-length specifies the maximum number of bytes allowed in a single line of an RTTP message sent to Liberator through a direct connection.
Syntax: direct-max-line-length <max-length-in-bytes>
Type: integer
Default value: 65536
direct-port
direct-port specifies the network port that Liberator listens on for direct connection requests.
In the Caplin Platform Deployment Framework, you use the configuration macro LIBERATOR${THIS_LEG}_DIRECTPORT to specify Liberator’s direct-port. See How can I … Configure how Liberator handles direct client connections and Configuration macros and items.
Syntax: direct-port <network-port>
Type: integer
Default value: 15000
direct-refuse-time
direct-refuse-time specifies the time in seconds for which Liberator refuses new direct connections if no sockets are available.
Syntax: direct-refuse-time <time-in-seconds>
Type: float
Default value: 5.0 seconds
direct-tcp-nodelay-off
direct-tcp-nodelay-off specifies whether Liberator’s direct client connection sockets should have the TCP_NODELAY feature turned off. The default is FALSE, which means TCP_NODELAY is enabled. Setting this configuration item to TRUE disables TCP_NODELAY.
Syntax: direct-tcp-nodelay-off <boolean>
Type: boolean
Default value: FALSE (TCP_NODELAY is enabled)
directssl-certificate
directssl-certificate specifies the filename and directory path of the SSL (secure sockets layer) certificate used for direct connections. This file must be in PEM format. The directory path is optional and can be in relative or absolute format.
For more information on setting directssl-certificate, see Installing keys and certificates.
The default filename for the certificate is the same as the private key’s default filename (default for directssl-privatekey) because both the certificate and the private key can be contained in the same file.
Syntax: directssl-certificate <PEM-filename-and-path>
Type: string
Default value: cert.pem
directssl-cipher-list
directssl-cipher-list specifies the TLS ciphers supported by Liberator’s Direct SSL interface, formatted as an OpenSSL cipher list.
The order of ciphers in directssl-cipher-list does not influence Liberator’s choice of cipher for a TLS connection. In accordance with the TLS specification, given a choice of mutually-supported ciphers for a TLS connection, Liberator chooses the client’s most preferred cipher. To log the cipher lists of connecting clients, see directssl-log-hello-ciphers.
Configure this item in conjunction with directssl-ssl-options (SSL/TLS protocol versions) and directssl-dhparams (required for DHE ciphers).
The default TLS configuration is not a security recommendation and is not updated regularly. Review the values for directssl-cipher-list, directssl-ssl-options, and directssl-dhparams for compliance with your security policy before deploying Liberator to production, and review regularly thereafter.
For detailed information on how to set SSL/TLS protocols and ciphers for Liberator’s direct SSL interface, see Configuring support for SSL/TLS protocols and ciphers.
Syntax: directssl-cipher-list <openssl_cipher_list>
Type: string
Default value:
- Liberator 7.1.5: ECDHE:DHE:!SSLv3:!SSLv2:@STRENGTH
  DHE ciphers require a Diffie-Hellman (DH) parameter file. See directssl-dhparams.
- Liberator 7.0: DEFAULT:!RC4-SHA:!RC4-MD5:!DES-CBC3-SHA
- Liberator 6.0: DEFAULT
Examples: See Example TLS protocol and cipher configuration.
directssl-dhparams
directssl-dhparams specifies the path to a Diffie-Hellman parameter file, which is required by ephemeral Diffie-Hellman (DHE) ciphers.
Configure this item in conjunction with directssl-ssl-options (SSL/TLS protocol versions) and directssl-cipher-list (SSL/TLS ciphers).
The default TLS configuration is not a security recommendation and is not updated regularly. Review the values for directssl-cipher-list, directssl-ssl-options, and directssl-dhparams for compliance with your security policy before deploying Liberator to production, and review regularly thereafter.
For instructions on how to generate a Diffie-Hellman (DH) parameters file, see Generating a Diffie-Hellman parameters file for DHE ciphers.
Availability: Liberator 6.2.14+, Liberator 7.0.1+
Syntax: directssl-dhparams <filepath>
Type: string
Default value: <empty string>
Example:
directssl-dhparams ${SSLCERT_PATH}/rttpd-dhparam-2048.pem
directssl-disable-renegotiation
directssl-disable-renegotiation, when set to TRUE, prevents clients from renegotiating their direct SSL connections. This protects against Denial of Service attacks involving repeated attempts to renegotiate.
Syntax: directssl-disable-renegotiation <boolean>
Type: boolean
Default value: FALSE (client renegotiation is allowed)
directssl-enable
directssl-enable switches on support for direct connections using SSL when set to TRUE.
Syntax: directssl-enable <boolean>
Type: boolean
Default value: FALSE (direct connections via SSL not supported)
directssl-interface
directssl-interface specifies the network interfaces to listen on for direct connections using SSL.
For a Liberator deployed within a Caplin Deployment Framework, directssl-interface is normally set indirectly by specifying a value for the Deployment Framework configuration macro LIBERATOR${THIS_LEG}_DIRECTSSLINTERFACE. Only one interface can be specified in the variable; to add extra interfaces, append new directssl-interface items to the configuration override file <Framework-root>/global_config/overrides/servers/Liberator/etc/rttpd.conf.
This configuration item supports IPv6 addresses from version 7 of Liberator, and multiple address wildcards from version 7.0.2.
Syntax: directssl-interface <ip-addresses> …
Type: array of strings
Default value: [all available network interfaces]
directssl-log-hello-ciphers
directssl-log-hello-ciphers enables logging of the cipher list presented by TLS clients in the TLS handshake with Liberator.
Client cipher lists for successful connections are logged at DEBUG level. Client cipher lists for unsuccessful connections are logged at INFO level.
This is an option for debugging purposes only. We don’t recommend that it is permanently enabled in production environments, and it should be disabled as soon as the investigation is complete.
Since: Liberator 7.1.23
Syntax: directssl-log-hello-ciphers <boolean>
Type: boolean
Default value: FALSE
directssl-ssl-options
directssl-ssl-options configures the SSL/TLS protocols accepted by Liberator’s direct SSL interface.
Configure this item in conjunction with directssl-cipher-list (SSL/TLS ciphers) and directssl-dhparams (required for DHE ciphers).
The default TLS configuration is not a security recommendation and is not updated regularly. Review the values for directssl-cipher-list, directssl-ssl-options, and directssl-dhparams for compliance with your security policy before deploying Liberator to production, and review regularly thereafter.
Use directssl-ssl-options to disable support for older versions of SSL/TLS, and to enable workarounds for known bugs in client implementations of SSL.
This configuration item takes one parameter: a pipe-separated list of OpenSSL options from the table below.
| Option | Description |
|---|---|
| SSL_OP_ALL | Enable all of OpenSSL’s workarounds for known bugs in client implementations of SSL. For the full list of workarounds enabled by this option, see SSL_CTX_set_options on the OpenSSL website. |
| SSL_OP_NO_SSLv2 | Disable support for SSL 2 |
| SSL_OP_NO_SSLv3 | Disable support for SSL 3 |
| SSL_OP_NO_TLSv1 | Disable support for TLS 1 |
| SSL_OP_NO_TLSv1_1 | Disable support for TLS 1.1. Available from Liberator 7.1.3. |
| SSL_OP_NO_TLSv1_2 | Disable support for TLS 1.2. Available from Liberator 7.1.3. |
| SSL_OP_NO_TLSv1_3 | Disable support for TLS 1.3. Available from Liberator 7.1.5. |
For detailed information on how to set SSL/TLS protocols and ciphers for Liberator’s direct SSL interface, see Configuring support for SSL/TLS protocols and ciphers.
Syntax: directssl-ssl-options <option>[|<option>]…
Type: string
Default value:
- Liberator 7.1.5: SSL_OP_NO_SSLv2|SSL_OP_NO_SSLv3
  This option string supports older browser versions by retaining support for TLS 1.0 and TLS 1.1, two protocols that in June 2008 the IETF recommended for deprecation. Review this configuration for compliance with your security policy before deploying to production. For an example of configuration restricted to modern direct clients only, see Example TLS protocol and cipher configuration.
- Liberator 7.0: SSL_OP_NO_SSLv2|SSL_OP_NO_SSLv3|SSL_OP_NO_TLSv1
- Liberator 6.0: SSL_OP_NO_SSLv2
Examples: See Example TLS protocol and cipher configuration.
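The items directssl-ssl-options, directssl-cipher-list and directssl-dhparams only make sense together, and the review advice above is easy to skip when an override file is copied between environments. The script below is an added example, not Caplin’s code and not part of Liberator: it parses an rttpd.conf fragment, works out which protocol versions a directssl-ssl-options string leaves enabled, checks whether the cipher list pulls in DHE suites without a directssl-dhparams file, and flags the renegotiation and hello-cipher logging settings. The option names, the documented 7.1.5 defaults and the dhparams path come from this page; the two configuration fragments are constructed for the example, the finding codes are the script’s own, and the cipher-list analysis is a token-level approximation of OpenSSL’s cipher-string rules rather than a full evaluation.

```python
"""Policy check for Liberator direct-SSL settings (added example, not Caplin code).

Cipher-list handling is a token-level approximation of OpenSSL semantics.
"""
import re

# Protocol versions, oldest first, and the OpenSSL option that disables each one.
PROTOCOLS = ["SSLv2", "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"]
NO_PROTOCOL_OPTIONS = {
    "SSL_OP_NO_SSLv2": "SSLv2", "SSL_OP_NO_SSLv3": "SSLv3",
    "SSL_OP_NO_TLSv1": "TLSv1", "SSL_OP_NO_TLSv1_1": "TLSv1.1",
    "SSL_OP_NO_TLSv1_2": "TLSv1.2", "SSL_OP_NO_TLSv1_3": "TLSv1.3",
}
OTHER_OPTIONS = {"SSL_OP_ALL"}  # bug workarounds only; no effect on protocol versions
LEGACY_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}

# Aliases that add ephemeral-DH suites (these need directssl-dhparams), broad aliases
# that include them, and aliases that name weak or unauthenticated suites.
DHE_ALIASES = re.compile(r"(^|-)(DHE|EDH|KDHE|KEDH)(-|$)")
DHE_ONLY_ALIASES = {"DHE", "EDH", "KDHE", "KEDH"}
BROAD_ALIASES = {"ALL", "DEFAULT", "COMPLEMENTOFDEFAULT"}
WEAK_ALIASES = re.compile(r"(^|-)(RC4|DES|3DES|MD5|NULL|ENULL|ANULL|EXP|EXPORT)(-|$)")

# Liberator 7.1.5 defaults as documented on this page, used when an item is not set.
DEFAULTS_7_1_5 = {
    "directssl-ssl-options": "SSL_OP_NO_SSLv2|SSL_OP_NO_SSLv3",
    "directssl-cipher-list": "ECDHE:DHE:!SSLv3:!SSLv2:@STRENGTH",
    "directssl-dhparams": "", "directssl-disable-renegotiation": "FALSE",
    "directssl-log-hello-ciphers": "FALSE",
}


def parse_config(text):
    """Parse 'item value' lines of an rttpd.conf fragment; a later line overrides an earlier one."""
    items = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            name, _, value = line.partition(" ")
            items[name] = value.strip()
    return items


def enabled_protocols(options):
    """Protocol versions left enabled by a pipe-separated directssl-ssl-options string."""
    disabled = set()
    for opt in (o.strip() for o in options.split("|") if o.strip()):
        if opt in NO_PROTOCOL_OPTIONS:
            disabled.add(NO_PROTOCOL_OPTIONS[opt])
        elif opt not in OTHER_OPTIONS:
            raise ValueError("unknown option %r" % opt)  # a typo here would silently widen exposure
    return [p for p in PROTOCOLS if p not in disabled]


def cipher_tokens(cipher_list):
    """Split an OpenSSL cipher list into (modifier, ALIAS) pairs; @STRENGTH-style directives are dropped."""
    tokens = []
    for tok in re.split(r"[:, ]+", cipher_list.strip()):
        if tok and not tok.startswith("@"):
            modifier = tok[0] if tok[0] in "!-+" else ""
            tokens.append((modifier, tok.lstrip("!-+").upper()))
    return tokens


def needs_dhparams(cipher_list):
    """True if the list adds DHE suites and no '!' token permanently removes them."""
    tokens = cipher_tokens(cipher_list)
    added = any(m == "" and (DHE_ALIASES.search(a) or a in BROAD_ALIASES) for m, a in tokens)
    removed = any(m == "!" and a in DHE_ONLY_ALIASES for m, a in tokens)
    return added and not removed


def names_weak_suites(cipher_list):
    """Aliases the list adds (not negated) that name RC4, DES, MD5, NULL or export suites."""
    return [a for m, a in cipher_tokens(cipher_list) if m == "" and WEAK_ALIASES.search(a)]


def check(cfg, defaults=DEFAULTS_7_1_5):
    """Return (code, message) findings for the effective direct-SSL configuration."""
    eff = dict(defaults)
    eff.update(cfg)
    if eff.get("directssl-enable", "FALSE").upper() != "TRUE":
        return [("SSL_DISABLED", "direct SSL listener is off; remaining checks not applied")]
    findings = []
    legacy = [p for p in enabled_protocols(eff["directssl-ssl-options"]) if p in LEGACY_PROTOCOLS]
    if legacy:
        findings.append(("LEGACY_PROTOCOL", "still accepting " + ", ".join(legacy)))
    ciphers = eff["directssl-cipher-list"]
    if needs_dhparams(ciphers) and not eff["directssl-dhparams"]:
        findings.append(("DHE_WITHOUT_DHPARAMS", "DHE suites enabled but directssl-dhparams is empty"))
    weak = names_weak_suites(ciphers)
    if weak:
        findings.append(("WEAK_CIPHER", "weak suites named: " + ", ".join(weak)))
    if eff["directssl-disable-renegotiation"].upper() != "TRUE":
        findings.append(("RENEGOTIATION_ALLOWED", "set directssl-disable-renegotiation TRUE"))
    if eff["directssl-log-hello-ciphers"].upper() == "TRUE":
        findings.append(("DEBUG_LOGGING_ON", "directssl-log-hello-ciphers is for short investigations only"))
    return findings


# Constructed fragments: the documented 7.1.5 defaults written out, and a tightened variant.
DEFAULT_CONF = """\
directssl-enable TRUE
directssl-ssl-options SSL_OP_NO_SSLv2|SSL_OP_NO_SSLv3
directssl-cipher-list ECDHE:DHE:!SSLv3:!SSLv2:@STRENGTH
"""
HARDENED_CONF = """\
directssl-enable TRUE
directssl-ssl-options SSL_OP_NO_SSLv2|SSL_OP_NO_SSLv3|SSL_OP_NO_TLSv1|SSL_OP_NO_TLSv1_1
directssl-cipher-list ECDHE:DHE:!SSLv3:!SSLv2:@STRENGTH
directssl-dhparams ${SSLCERT_PATH}/rttpd-dhparam-2048.pem
directssl-disable-renegotiation TRUE
"""
```

Run check(parse_config(...)) over the Liberator override file before deployment. The documented 7.1.5 defaults produce three findings (TLS 1.0 and 1.1 still accepted, DHE suites without a parameter file, client renegotiation allowed); the tightened fragment produces none. An unknown option name raises rather than being ignored, because a misspelled SSL_OP_NO_* entry would otherwise leave a protocol version enabled without any warning.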
directssl-passwordfile
directssl-passwordfile specifies the filename and directory path of the file containing the passphrase for the encrypted SSL/TLS key used for direct connections. The directory path is optional and can be in relative or absolute format.
If the TLS key is unencrypted, then the password file must be empty.
From Liberator 7.1.9: If the TLS key is unencrypted and you don’t want to deploy an empty password file, then set the configuration variable DIRECTSSL_PASSWORD_FILE_REQUIRED to NO in the Deployment Framework file global_config/environment.conf.
For information on setting directssl-passwordfile, see Installing keys and certificates.
Syntax: directssl-passwordfile <password-filename-and-path>
Type: string
Default value: rttpd.directssl.pass
directssl-port
directssl-port specifies the network port that Liberator listens on for direct connection requests using SSL.
In the Caplin Platform Deployment Framework, you use the configuration variable LIBERATOR${THIS_LEG}_DIRECTSSLPORT to specify Liberator’s directssl-port. See How can I … Configure how Liberator handles direct client connections and Configuration macros and items.
Syntax: directssl-port <network-port>
Type: integer
Default value: 15001
directssl-privatekey
directssl-privatekey specifies the filename and directory path of the SSL (secure sockets layer) private key used for direct connections. This file must be in PEM format. The directory path is optional and can be in relative or absolute format.
For information on setting the private key, see Installing keys and certificates.
The default filename for the private key is the same as the certificate’s default filename (default for directssl-certificate) because both the certificate and the private key can be contained in the same file.
Syntax: directssl-privatekey <private-key-filename-and-path>
Type: string
Default value: cert.pem
ssl-random-seed
See also:
- How can I… Configure how Liberator handles direct client connections
- Reference: HTTP configuration
- Reference: HTTPS configuration