System Design

Architecture

Control plane and data plane separation. Token-based security. Intelligent orchestration. Built for operators who cannot afford downtime.

Control Plane vs Data Plane

Most IPTV panels run everything in one process. When it crashes, you lose the UI, the API, and the streams simultaneously. We separate these concerns so a failure in one does not cascade to the other.

CP

Control Plane

User management, reseller hierarchies, stream configuration, load balancer assignment, and health orchestration. Stateless. Horizontally scalable.

DP

Data Plane

Stream ingestion, transcoding, segment generation, and client delivery. Optimized for I/O throughput. Runs independently on edge nodes.

Control Plane
User API Reseller Mgmt LB Assignment Health Orchestrator
Data Plane
FFmpeg Ingest Transcoding HLS Segments Token Validation

Stream Orchestration Flow

1

Ingest

Source stream received via RTMP/HLS. FFmpeg process spawned with resource limits and cgroup constraints.

2

Assign

Load balancer selected based on health score, current capacity, and geographic proximity to the client.

3

Validate

HMAC token validated in memory. No database round-trip. Sub-millisecond authorization.

4

Deliver

Segments served to client with adaptive bitrate. If the node degrades, failover happens automatically.

token_validator.go 
func ValidateStreamToken(token string, secret []byte) bool {
    parts := strings.Split(token, ":")
    if len(parts) != 3 {
        return false
    }

    payload := parts[0] + ":" + parts[1]
    mac := hmac.New(sha256.New, secret)
    mac.Write([]byte(payload))

    expected := hex.EncodeToString(mac.Sum(nil))
    return hmac.Equal(
        []byte(parts[2]),
        []byte(expected),
    )
}

Token-Based Streaming

Every stream request carries a cryptographically signed token. Validation happens entirely in memory using HMAC-SHA256. No database connection, no cache lookup, no external dependency.

  • Sub-millisecond validation — pure computation, zero I/O
  • Time-bounded tokens — automatic expiration without revocation tables
  • Per-reseller secrets — compromise isolation at the tenant boundary

Failover & Recovery

When a stream node degrades, the system reacts in seconds. Not minutes. Not after a support ticket.

Detect

Probes detect latency spikes, segment gaps, or FFmpeg crashes within seconds.

Reroute

Control plane marks node degraded and redirects new client requests to healthy nodes.

Recover

Automatic restart and re-ingestion. Node rejoins pool once health probes pass.

Discuss Your Architecture