Securing URLs with the Secure Link Module in NGINX

[Francis Daly]

On Mon, Jun 17, 2019 at 08:17:51AM +0000, Andrew Andonopoulos wrote:

Hi there,

> I would like to add the secure link in each m3u8 and ts file but can't modify the files on the fly with the free nginx version, i think nginx plus have this capability ? (receive fmp4 and deliver manifests on the fly)
> https://www.nginx.com/products/nginx/streaming-media/

If nginx plus resolves all of your issues quickly and easily, then
"use nginx plus" would seem to be the straightforward option.

I think that only you can assess whether nginx plus does do what you
want, because you have not actually said what exactly you want, as far
as I can see, in any of these mails.

> What you would suggest in case i want to use secure link for all the files?

I would probably redesign the urls that I was going to advertise, so
that people request things like

  /play/MD5/TIME/directory/file

(From your example - "directory" is "justin-timberlake", and "file" is
"playlist.m3u8" or "Justin_Timberlake_640_360_600.m3u8" or, presumably,
"something.ts". "/play" is a mostly-arbitrary prefix so that I can do
other things on the same server -- it can probably be empty if this
server is dedicated to these streams.)

Then I would use "map" to set variables $the_md5, $the_time,
$the_directory, and $the_file from the incoming request.

I would want the MD5 calculation to include the directory name, but not
the file name, so that a single MD5 value will "cover" all files in the
directory, but will not cover other directories.

Then if everything is ok, rewrite to an internal location that does the
proxy_pass to get the real content.


So - in "location ^~ /play/" (which handles all /play/* requests), I would
use something like

  secure_link $the_md5,$the_time;
  secure_link_md5 "some-secret $the_directory $secure_link_expires";
  if ($secure_link = "") { return 403; }
  if ($secure_link = "0") { return 410; }
  rewrite ^ /hls/$the_directory/$the_file;

And in "location ^~ /hls/" (which handles all /hls/* requests), I would use

  internal;
  proxy_pass http://s3test.s3.amazonaws.com;


Then you decide what TIME you want, and calculate the suitable MD5
for each directory that you care about. (You can include user-specific
things in the calculation too -- just make sure that your secure_link_md5
directive and your external link-creating utility use the same patterns.)

Then try to use those links, and see what works and what fails.


For every new directory, or new expiry time, you calculate the new link
to the playlist.m3u8 and advertise that.

Note that I have not tested any of this; so if you do get a
confirmed-working config, I'm sure the list will be happy to see it for
future reference.

Good luck with it,

	f
-- 
Francis Daly        francis at daoine.org