NGINX http-secure-link iphone issue !!

Francis Daly francis at daoine.org
Wed Aug 10 12:32:34 UTC 2016


On Wed, Aug 10, 2016 at 01:01:33PM +0500, shahzaib mushtaq wrote:

Hi there,

> > Why does the client have anything to do with md5 and generating things?

> User clicks on video -> move to watch video page -> a function creates
> md5+expiry on this page -> Secure URL appends into the player -> Video
> starts to play.

I think I'm still a bit unclear on why the "secure" link is used here
at all.

If the link is created by the client, then it doesn't really count as
"secure", does it?

Oh, I guess that if "the client" is your own custom code rather than
(say) a piece of javascript that is offered to any browser, that might
be a good reason for using that design.

>  Seems like you're right our approach is wrong for iphone application ,
> we're trying to generate hash in mobile application too which was not
> right. Now we're taking approach where URL will construct on server &
> distribute to all platforms.
> 
> Is that how it should be ?

Oh, it *can* be anything that you want. The design depends on what the
requirements are -- do you use the "secure link" just for a time-expiry
(instead of just removing the video from the server); or for some other
control like "must come from a particular IP address" or "must also
include a particular cookie".

It could well be that your current design is correct for your
requirements, and the problem is in whatever the iphone application
is doing.

The only nginx-related piece is to ensure that it correctly
reads-and-interprets the secure part of the url, and for that you need
to make sure that whatever creates the url uses the expected method to
create it.

Cheers,

	f
-- 
Francis Daly        francis at daoine.org



More information about the nginx mailing list