deny

The `deny` directive in the NGINX RTMP module restricts access to stream publishing based on client IP addresses.

Syntax: deny address; | deny all;
Default: none
Context:
Arguments: 1-2

Description

The `deny` directive is used in the RTMP module to control access to the server's streaming capabilities. It takes one or two arguments that specify which clients are not allowed to publish streams. When the directive is present, the server checks the IP address of each client that tries to connect and publish to a stream. If the client's IP matches a deny rule, the server rejects the request. This helps secure your streams by preventing unauthorized users from publishing potentially harmful or unwanted streams.

The directive matches against the connecting client's IP address, so you can either block specific addresses or, by combining `allow` with `deny`, allow only certain addresses and deny the rest. The sequence of `allow` and `deny` directives is significant: the server processes them in order until a match is found. If no earlier rule matches and there is a `deny all` rule, the connection is denied. The order of these directives therefore determines whether the resulting access policy is more restrictive or more liberal.

The `deny` directive also supports CIDR notation for specifying ranges of IP addresses, which allows efficient bulk restrictions. This is useful for large organizations or in situations where you need to manage access across multiple client servers or networks.

Config Example

application live {
    live on;
    allow publish 192.168.0.0/24;
    deny publish all;
}

Place `allow` directives before `deny` where necessary so that access rules are evaluated in the intended order.

Be mindful of the IP format; incorrect CIDR notation can lead to unexpected behavior.

Remember that denying IPs does not stop them from accessing other services unless specified elsewhere in your configuration.
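
The ordering and CIDR notes above can be checked offline before a rule list is deployed. The Python model below is an added example, not part of the original page or of the NGINX RTMP module; the function names, the sample client addresses, and the choice to allow when no rule matches are assumptions of this model.

```python
import ipaddress

# Rule lists in the page's syntax (the reversed list is constructed for comparison).
PAGE_ORDER = ["allow publish 192.168.0.0/24;", "deny publish all;"]
REVERSED = ["deny publish all;", "allow publish 192.168.0.0/24;"]


def parse_rules(lines):
    """Parse 'allow|deny [play|publish] <address|CIDR|all>;' lines into tuples."""
    rules = []
    for line in lines:
        parts = line.strip().rstrip(";").split()
        action, args = parts[0], parts[1:]
        if action not in ("allow", "deny") or len(args) not in (1, 2):
            raise ValueError(f"not an access rule: {line!r}")
        # One argument: address only. Two arguments: scope, then address.
        scope = args[0] if len(args) == 2 else None
        target = args[-1]
        # strict=True raises ValueError when host bits are set in a CIDR
        # (e.g. 192.168.0.5/24), which is usually a typo worth catching.
        net = None if target == "all" else ipaddress.ip_network(target, strict=True)
        rules.append((action, scope, net))
    return rules


def decide(rules, client_ip, op="publish"):
    """Walk the rules in order; the first rule that matches decides."""
    ip = ipaddress.ip_address(client_ip)
    for action, scope, net in rules:
        if scope not in (None, op):
            continue  # rule is scoped to a different operation
        if net is None or ip in net:
            return action
    # Assumption of this model: a client matched by no rule is not restricted.
    return "allow"


if __name__ == "__main__":
    for name, cfg in (("page order", PAGE_ORDER), ("reversed", REVERSED)):
        rules = parse_rules(cfg)
        for client in ("192.168.0.17", "203.0.113.9"):  # constructed clients
            print(f"{name:10} {client:14} -> {decide(rules, client)}")
```

With the reversed list, the LAN publisher is rejected because `deny publish all` matches first and the `allow` line is never reached.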
