Securing URLs with the Secure Link Module in NGINX

Francis Daly francis at daoine.org
Fri Jun 7 22:34:06 UTC 2019


On Fri, Jun 07, 2019 at 09:51:49PM +0000, Andrew Andonopoulos wrote:

Hi there,

thanks for the fuller details. I think it makes it clear what is
happening.

> and this command to generate the md5:
> 
>  echo -n 'enigma/hls/justin-timberlake/playlist1560033000' | openssl md5 -binary | openssl base64 | tr '+/' '-_' | tr -d '='
> DWHdyTKR5vTqw10wNtnlIg
> 
> 
> The request for the main manifest was ok:
> 
> Request URL: http://<domain>/hls/justin-timberlake/playlist.m3u8?md5=DWHdyTKR5vTqw10wNtnlIg&expires=1560033000
> Request Method: GET
> Status Code: 200 OK
> 
> 
> But the content of the manifest doesn't have the md5

The content of the manifest file must be, in this case, "the relative
urls for the individual pieces".

> #EXTM3U
> #EXT-X-VERSION:3
> #EXT-X-STREAM-INF:BANDWIDTH=200000,RESOLUTION=416x234
> Justin_Timberlake_416_234_200.m3u8
> #EXT-X-STREAM-INF:BANDWIDTH=300000,RESOLUTION=480x270
> Justin_Timberlake_480_270_300.m3u8

Justin_Timberlake_416_234_200.m3u8 is probably the filename; but you
have configured your nginx such that Justin_Timberlake_416_234_200.m3u8
is not a valid url for that file.

The url with your current nginx configuration is something more like

Justin_Timberlake_416_234_200.m3u8?md5=CvlIb8kRVaCrpjqyJERUtQ&expires=1560033000

(from: $ echo -n 'enigma/hls/justin-timberlake/Justin_Timberlake_416_234_2001560033000' | openssl md5 -binary | openssl base64 | tr '+/' '-_' | tr -d '='
CvlIb8kRVaCrpjqyJERUtQ
)

so *that* is the string that must appear in the playlist.m3u8 file.

And the file Justin_Timberlake_480_270_300.m3u8 will have a different
"md5" part of the url, because your nginx config ignores the .m3u8 but
uses everything before it when checking the md5sum.

Whatever creates the playlist.m3u8 file that ends up being served by your
nginx, will need to be modified to create the correct urls for the files,
if they are to be served by your nginx.


You could, if you chose, change your nginx config (the map) to ignore the
final digits-and-underscores as well as the .m3u8 part; if you did that,
then the query-string part of all of these entries in the manifest would
be the same (and you would only need to calculate it once).

> As well as the other m3u8 manifest, so only the playlist have the md5 and expire:

You must decide how you want your files to be accessed, and then configure
things appropriately.

If you want every .m3u8 and .ts file below /hls/ to only be accessed via
the secure_link, then you must make sure that you advertise the correct
secure_link urls for those files.

If you want only the playlist.m3u8 files to be accessed via the
secure_link, while the other .m38u and .ts files are not restricted and
expiring, then you must configure your nginx to do the secure_link check
on playlist.m3u8 and not on the others.

> Request URL: http://86.180.184.242/hls/justin-timberlake/Justin_Timberlake_640_360_600.m3u8
> Request Method: GET
> Status Code: 403 Forbidden

That is what you configured your nginx to do, so it looks like it is
worked as implemented -- but presumably not as desired.

Good luck with it,

	f
-- 
Francis Daly        francis at daoine.org


More information about the nginx mailing list