Securing URLs with the Secure Link Module in NGINX

Francis Daly francis at daoine.org
Sun Jun 9 08:15:13 UTC 2019


On Sat, Jun 08, 2019 at 02:44:22PM +0000, Andrew Andonopoulos wrote:

Hi there,

> Thanks for the clarification, so all requests will be like this:
> 
> http://<domain>/hls/<content folder name>/<content filename>
> 
> can i include in the map the domain http://example.com, the folder /hls/ and ignore all the rest?

You can. I'm not sure why you would.

The "map" is only a way to create a variable.

The important part is what you do with that variable - for example,
in one of the secure_link* directives.


You said that the task was "to use secure link to secure m3u8 and
ts files".

What do you understand by the phrase "to secure", there?

It is possible that the secure link module does not do what you want to
have done.

Presumably you want to allow some access and disallow some other
access. Possibly you only care about time-limited access?

I suspect that the details will matter.

>From a "secret url" point of view: telling someone to
access http://example.com/dir/file.m3u is exactly the same as
telling them to access http://example.com/dir/file.m3u?secret or
http://example.com/dir/secret/file.m3u -- you give them a url, and you
configure your nginx such that anyone who accesses that url gets the
file contents. The "secret" part might stop them guessing how to get
file.ts in the same directory; but only if it is not the same secret
for all file names.

(You *could* issue different secret urls for different users; but I
don't think that that is what you are doing here.)


>From a "time-limited" point of view, you could tell
someone to access http://example.com/dir/file.m3u?time
or http://example.com/dir/file.m3u?secret&time or
http://example.com/dir/secret/time/file.m3u, and configure your nginx
to send the file contents only until "time". The secret/secure_link part
is to stop someone adding a week to "time" and getting access for longer
than they should.

Or you could just "rm dir/file.m3u" when you no longer want it accessible.


There are good use-cases for the secure_link module.

But you should probably start with what you want to achieve; and then
see whether secure_link is the right answer. And then the mechanics of
configuring nginx to do what you want can be sorted out afterwards.

	f
-- 
Francis Daly        francis at daoine.org


More information about the nginx mailing list