HMAC keys were integrated into XUI a while ago, but without an explanation of how they work and what they are for, not many people would be able to implement them successfully.
The idea behind using HMAC is to be able to use your own form of authentication on your website, yet stream from XUI and be able to manage connections accordingly. Instead of using a XUI username and password to authenticate a stream, you can generate a HMAC key with a unique identifier and restrictions that XUI will be able to verify and log.
Firstly, you need to access the XUI Admin panel and generate a HMAC Key.
Done! You now have your HMAC Key: 007B50D51E14F409104FCACB48849B2C
You would then need to keep it somewhere safe, as you won't be able to see it again; it's encrypted in the database.
Token Parameters:
- Stream ID
- Extension
- Max Connections
- Identifier
- Expiration - optional
- User IP - optional
From the above you can build a token as follows:
{StreamID}##{Extension}##{Expiry}##{IP}##{Identifier}##{MaxConnections}
For example, a user you have authenticated on your own system would like to view stream 44, and you want to restrict them to their IP address and only allow them to view the stream using this URL for 24 hours, with 1 max connection:
44##m3u8##1613771149##192.168.0.1##USER_JOHN_DOE##1
You can then generate a HMAC token using the above string, and the HMAC key you generated earlier. An example in PHP would be:
$rResult = hash_hmac("sha256", "44##m3u8##1613771149##192.168.0.1##USER_JOHN_DOE##1", "007B50D51E14F409104FCACB48849B2C");
Your HMAC token in this example would be:
ed8d97309bd6cd1add1ef427e0f5cc861204154a4ccf8ddcb119e3441199842a
Finally, build your URL to the stream using your HMAC token and token parameters as follows:
http://yourwebsite.com:8080/stream/auth?stream=44&expiry=1613771149&extension=m3u8&identifier=USER_JOHN_DOE&max=1&ip=192.168.0.1&hmac=ed8d97309bd6cd1add1ef427e0f5cc861204154a4ccf8ddcb119e3441199842a
That's it! You have a working URL that will expire in 24 hours and be restricted to IP 192.168.0.1, allowing only 1 connection at a time to stream 44 and generating a HLS m3u8 playlist.
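The steps above combined into one function, as an added example that is not part of the original post or XUI's own code. The function name `buildStreamUrl` and the environment variable `XUI_HMAC_KEY` are assumptions; the example requires both optional fields (expiry and IP) because the page does not show how omitted fields are represented in the signed string.

```php
<?php
declare(strict_types=1);

// Added example: buildStreamUrl and XUI_HMAC_KEY are hypothetical names.
function buildStreamUrl(
    string $baseUrl, string $key, int $streamId, string $extension,
    int $ttlSeconds, string $ip, string $identifier, int $maxConnections
): string {
    // Reject values that would make the ##-delimited signed string ambiguous.
    foreach ([$extension, $ip, $identifier] as $field) {
        if ($field === '' || strpos($field, '#') !== false) {
            throw new InvalidArgumentException('Empty field or "#" inside a field');
        }
    }
    if (filter_var($ip, FILTER_VALIDATE_IP) === false) {
        throw new InvalidArgumentException('Invalid IP address');
    }
    if ($streamId < 1 || $maxConnections < 1 || $ttlSeconds < 1) {
        throw new InvalidArgumentException('ID, limit and TTL must be positive');
    }

    $expiry = time() + $ttlSeconds;

    // Field order of the signed string, as given on this page:
    // {StreamID}##{Extension}##{Expiry}##{IP}##{Identifier}##{MaxConnections}
    $token = implode('##', [$streamId, $extension, $expiry, $ip, $identifier, $maxConnections]);
    $hmac  = hash_hmac('sha256', $token, $key);

    // Query parameter names taken from the example URL on this page.
    // Note that their order differs from the order of the signed string.
    $query = http_build_query([
        'stream' => $streamId, 'expiry' => $expiry, 'extension' => $extension,
        'identifier' => $identifier, 'max' => $maxConnections, 'ip' => $ip, 'hmac' => $hmac,
    ]);
    return rtrim($baseUrl, '/') . '/stream/auth?' . $query;
}

// The key is read from the environment so it never lands in source control.
$key = getenv('XUI_HMAC_KEY');
if ($key === false || $key === '') {
    throw new RuntimeException('XUI_HMAC_KEY is not set');
}
// Constructed sample values matching the page's scenario (24 hours, 1 connection).
echo buildStreamUrl('http://yourwebsite.com:8080', $key, 44, 'm3u8', 86400,
    '192.168.0.1', 'USER_JOHN_DOE', 1), PHP_EOL;
```

Generate the URL server-side only, after your own authentication has succeeded, and take the IP from the connection your server sees rather than from user input.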
Understandably, this may seem foreign to a lot of you; however, if you're a developer, this is a secure and easy method to allow external access to your streaming platform without having to set up a new XUI line for each of your external users.
Thanks for listening.