Direct connections configuration

The following configuration items define how Liberator handles direct connections from StreamLink clients as opposed to StreamLink connections tunnelled over HTTP, HTTPS, and WebSocket protocols.

Direct connections are supported by all StreamLink libraries except for StreamLink JS. For more information on connection types, see StreamLink connection types.

To enable support for direct connections over SSL, see Configure how Liberator handles direct client connections.

Contents:

direct-interface
direct-max-line-length
direct-port
direct-refuse-time
direct-tcp-nodelay-off
directssl-certificate
directssl-cipher-list
directssl-dhparams
directssl-disable-renegotiation
directssl-enable
directssl-interface
directssl-ssl-options
directssl-passwordfile
directssl-port
directssl-privatekey
ssl-random-seed

direct-interface

direct-interface specifies the network interfaces that Liberator listens on for direct connection requests.

This configuration item supports IPv6 addresses from version 7 of Liberator, and multiple address wildcards from version 7.0.2.

Wildcard support
Configuration	Liberator 6.2	Liberator 7.0
`direct-interface`	Default. A single IPv4 server socket that listens on all IPv4 interface addresses.	Default. A single IPv6 server socket that accepts IPv4-mapped addresses and that listens on all IPv6 and IPv4 interface addresses.
`direct-interface *`	A single IPv4 server socket that listens on all IPv4 interface addresses.	A single IPv6 server socket that accepts IPv4-mapped addresses and that listens on all IPv6 and IPv4 interface addresses.
`direct-interface 0.0.0.0`	A single IPv4 server socket that listens on all IPv4 interface addresses.	A single IPv4 server socket that listens on all IPv4 interface addresses.
`direct-interface ::`	Not supported	A single IPv6 server socket that listens on all IPv6 interface addresses.
`direct-interface 0.0.0.0 ::`	Not supported	A single IPv4 server socket that listens on all IPv4 interface addresses, and a single IPv6 server socket that listens on all IPv6 interface addresses. Supported from Liberator 7.0.2
`direct-interface :: 0.0.0.0`	Not supported	A single IPv6 server socket that listens on all IPv6 interface addresses, and a single IPv4 server socket that listens on all IPv4 interface addresses. Supported from Liberator 7.0.2

In the Caplin Platform Deployment Framework, you use a configuration variable LIBERATOR${THIS_LEG}_DIRECTINTERFACE to specify Liberator’s direct-interface. See How can I … Configure how Liberator handles direct client connections and Configuration macros and items.

Variables cannot be assigned multiple values. To create more than one direct interface, assign one address to the macro and assign all additional addresses to new direct-interface configuration items in the configuration override file <Framework-root>/global_config/overrides/servers/Liberator/etc/rttpd.conf.

Syntax: direct-interface <interface address> …

Type: array of strings

Default value: [all available network interfaces]

direct-max-line-length

direct-max-line-length specifies the maximum number of bytes allowed in a single line of an RTTP message sent to Liberator through a direct connection.

Syntax: direct-max-line-length <max-length-in-bytes>

Type: integer

Default value: 65536

direct-port

direct-port specifies the network port that Liberator listens on for direct connection requests.

In the Caplin Platform Deployment Framework, you use a configuration macro LIBERATOR${THIS_LEG}_DIRECTPORT to specify Liberator’s direct-port. See How can I … Configure how Liberator handles direct client connections and Configuration macros and items.

Syntax: direct-port <network-port>

Type: integer

Default value: 15000

direct-refuse-time

direct-refuse-time specifies the time in seconds for Liberator to refuse new direct connections if no sockets are available.

Syntax: direct-refuse-time <time-in-seconds>

Type: float

Default value: 5.0 seconds

direct-tcp-nodelay-off

direct-tcp-nodelay-off specifies whether Liberator’s direct client connection sockets should have the TCP_NODELAY feature turned off. The default is FALSE, which means TCP_NODELAY is enabled. Setting this configuration item to TRUE disables TCP_NODELAY.

Syntax: direct-tcp-nodelay-off <boolean>

Type: boolean

Default value: FALSE (TCP_NODELAY is enabled)

directssl-certificate

directssl-certificate specifies the filename and directory path of the SSL (secure sockets layer) certificate used for direct connections. This file must be in PEM format. The directory path is optional and can be in relative or absolute format.

For more information on setting directssl-certificate, see Installing keys and certificates.

The default filename for the certificate is the same as the private key’s default filename (default for directssl-privatekey) because both the certificate and the private key can be contained in the same file.

Syntax: directssl-certificate <PEM-filename-and-path>

Type: string

Default value: cert.pem

directssl-cipher-list

directssl-cipher-list configures the SSL/TLS ciphers supported by Liberator’s direct SSL interface. You should configure this item in conjunction with directssl-ssl-options, and review both regularly as part of your security policy.

The default value of directssl-cipher-list is not secure enough for use in production.

This item takes one parameter: an OpenSSL cipher list. For a description of the cipher list format, see Cipher List Format on the OpenSSL website.

For detailed information on how to set SSL/TLS protocols and ciphers for Liberator’s direct SSL interface, see Configuring support for SSL/TLS protocols and ciphers.

In Liberator 7, the protocols SSLv2, SSLv3, and TLSv1 are disabled by default. This configuration is not compatible with client libraries that don’t support TLSv1.1 and TLSv1.2, for example the .NET Framework v4.0.

Syntax: directssl-cipher-list <openssl-cipher-list>

Type: string

Default:

Liberator 6: DEFAULT
Liberator 7: DEFAULT:!RC4-SHA:!RC4-MD5:!DES-CBC3-SHA

Examples: See Example SSL/TLS protocol and cipher configuration.

directssl-dhparams

directssl-dhparams specifies the path to a Diffie-Hellman parameter file, specifies the path to a Diffie-Hellman (DH) parameters file, which is required by ephemeral Diffie-Hellman ciphers (DHE).

For instructions on how to generate a DH parameters file, see Additional requirements for ciphers that support forward secrecy.

Availability: Liberator 6.2.14+, Liberator 7.0.1+

Syntax: directssl-dhparams <filepath>

Type: string

Default value: <empty string>

Example:

directssl-dhparams ${SSLCERT_PATH}/rttpd-dhparam-2048.pem

directssl-disable-renegotiation

directssl-disable-renegotiation when set to TRUE, prevents clients from renegotiating their direct SSL connections. This protects against Denial of Service attacks involving repeated attempts to renegotiate.

Syntax: directssl-disable-renegotiation <boolean>

Type: boolean

Default value: FALSE (client renegotiation is allowed)

directssl-enable

directssl-enable switches on support for direct connections using SSL when set to TRUE.

Syntax: directssl-enable <boolean>

Type: boolean

Default value: FALSE (Direct connections via SSL not supported)

directssl-interface

directssl-interface specifies the network interfaces to listen on for direct connections using SSL.

For a Liberator deployed within a Caplin Deployment Framework, directssl-interface is normally set indirectly by specifying a value for the Deployment Framework configuration macro LIBERATOR${THIS_LEG}_DIRECTSSLINTERFACE. Only one HTTPS interface can be specified in the variable; to add extra interfaces, append new directssl-interface items to the configuration override file <Framework-root>/global_config/overrides/servers/Liberator/etc/rttpd.conf.

This configuration item supports IPv6 addresses from version 7 of Liberator, and multiple address wildcards from version 7.0.2.

Syntax: directssl-interface <ip-addresses> …

Type: array of strings

Default value: [all available network interfaces]

directssl-ssl-options

directssl-ssl-options configures the SSL/TLS protocols accepted by Liberator’s direct SSL interface. You should configure this item in conjunction with directssl-cipher-list, and review both regularly as part of your security policy.

Use directssl-ssl-options to disable support for older versions of SSL, and to enable workarounds for known bugs in client implementations of SSL.

This configuration item takes one parameter: a pipe-separated list of OpenSSL options from the table below.

Supported OpenSSL options
Option	Description
`SSL_OP_ALL`	Enable all of OpenSSL’s workarounds for known bugs in client implementations of SSL. For the full list of workarounds enabled by this option, see SSL_CTX_set_options on the OpenSSL website.
`SSL_OP_NO_SSLv2`	Disable support for SSL 2.
`SSL_OP_NO_SSLv3`	Disable support for SSL 3.
`SSL_OP_NO_TLSv1`	Disable support for TLS 1.

For a detailed information on how to set SSL/TLS protocols and ciphers for Liberator’s direct SSL interface, see Configuring support for SSL/TLS protocols and ciphers.

In Liberator 7, the protocols SSLv2, SSLv3, and TLSv1 are disabled by default. This configuration is not compatible with older client libraries that don’t support TLSv1.1 and TLSv1.2, for example the .NET Framework v4.0.

Syntax: directssl-ssl-options <option>[|<option>]…

Type: string

Default value:

Liberator 6: SSL_OP_NO_SSLv2
Liberator 7: SSL_OP_NO_SSLv2|SSL_OP_NO_SSLv3|SSL_OP_NO_TLSv1

Examples: See Example SSL/TLS protocol and cipher configuration

directssl-passwordfile

directssl-passwordfile specifies the filename and directory path of the file containing the passphrase for the encrypted SSL/TLS key used for direct connections. The directory path is optional and can be in relative or absolute format.

For information on setting directssl-passwordfile, see Installing keys and certificates.

Syntax: directssl-passwordfile <password-filename-and-path>

Type: string

Default value: rttpd.directssl.pass

directssl-port

directssl-port specifies the network port that Liberator listens on for direct connection requests using SSL.

In the Caplin Platform Deployment Framework, you use a configuration variable LIBERATOR${THIS_LEG}_DIRECTSSLPORT to specify Liberator’s directssl-port. See How can I … Configure how Liberator handles direct client connections and Configuration macros and items.

Syntax: directssl-port <network-port>

Type: integer

Default value: 15001

directssl-privatekey

directssl-privatekey specifies the filename and directory path of the SSL (secure sockets layer) private key used for direct connections. This file must be in PEM format. The directory path is optional and can be in relative or absolute format.

For information on setting the private key, see Installing keys and certificates.

The default filename for the private key is the same as the certificate’s default filename (default for directssl-certificate) because both the certificate and the private key can be contained in the same file.

Syntax: directssl-privatekey <private-key-filename-and-path>

Type: string

Default value: cert.pem

ssl-random-seed

See ssl-random-seed in DataSource Secure Sockets Layer (SSL) configuration.

See also:

How can I… Configure how Liberator handles direct client connections
Reference: HTTP configuration
Reference: HTTPS configuration