NGINX http-secure-link iphone issue !!

Francis Daly francis at
Wed Aug 10 12:32:34 UTC 2016

On Wed, Aug 10, 2016 at 01:01:33PM +0500, shahzaib mushtaq wrote:

Hi there,

> > Why does the client have anything to do with md5 and generating things?

> User clicks on video -> move to watch video page -> a function creates
> md5+expiry on this page -> Secure URL appends into the player -> Video
> starts to play.

I think I'm still a bit unclear on why the "secure" link is used here
at all.

If the link is created by the client, then it doesn't really count as
"secure", does it?

Oh, I guess that if "the client" is your own custom code rather than
(say) a piece of javascript that is offered to any browser, that might
be a good reason for using that design.

> Seems like you're right, our approach is wrong for the iPhone application;
> we're trying to generate the hash in the mobile application too, which was not
> right. Now we're taking an approach where the URL will be constructed on the
> server & distributed to all platforms.
> Is that how it should be?

Oh, it *can* be anything that you want. The design depends on what the
requirements are -- do you use the "secure link" just for a time-expiry
(instead of just removing the video from the server); or for some other
control like "must come from a particular IP address" or "must also
include a particular cookie".

It could well be that your current design is correct for your
requirements, and the problem is in whatever the iphone application
is doing.

The only nginx-related piece is to ensure that it correctly
reads-and-interprets the secure part of the url, and for that you need
to make sure that whatever creates the url uses the expected method to
create it.


Francis Daly        francis at
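
Added example, not part of the original message: a server-side generator for the secure URL and a mirror of the check nginx performs, so every platform receives a ready-made link and the secret never ships in a client. It assumes the nginx side is `secure_link $arg_md5,$arg_expires;` with `secure_link_md5 "$secure_link_expires$uri$remote_addr SECRET";`; the thread does not show the real configuration, and the secret, function names and sample values are constructed.

```python
import base64
import hashlib
import hmac
import time
from urllib.parse import parse_qs, urlencode, urlsplit

# Constructed placeholder; the real value lives only on the server and in nginx.
SECRET = "constructed-example-secret"


def token(expires, uri, client_ip, secret=SECRET):
    """Hash in the form nginx compares: base64url(md5(expression)), no '=' padding."""
    # Must match the secure_link_md5 expression byte for byte (order, spaces).
    raw = f"{expires}{uri}{client_ip} {secret}".encode()
    digest = hashlib.md5(raw).digest()  # binary digest, not the hex string
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode()


def make_link(uri, client_ip, ttl=3600, now=None):
    """Build the URL on the server and hand it to web, Android and iPhone alike."""
    expires = int(time.time() if now is None else now) + ttl
    query = urlencode({"md5": token(expires, uri, client_ip), "expires": expires})
    return f"{uri}?{query}"


def check_url(url, client_ip, now=None):
    """Mirror of $secure_link: '' = hash mismatch, '0' = expired, '1' = valid."""
    parts = urlsplit(url)
    args = parse_qs(parts.query)
    try:
        given = args["md5"][0]
        expires = int(args["expires"][0])
    except (KeyError, ValueError):
        return ""
    # parts.path stands in for nginx's normalized $uri (fine for plain paths).
    expected = token(expires, parts.path, client_ip)
    if not hmac.compare_digest(given.encode(), expected.encode()):
        return ""
    now = time.time() if now is None else now
    return "0" if now > expires else "1"


if __name__ == "__main__":
    link = make_link("/videos/clip.mp4", "203.0.113.7", ttl=600)
    print(link, "->", repr(check_url(link, "203.0.113.7")))
```

A client that builds its own hash has to reproduce every one of these details, including the unpadded base64url encoding and the exact expression order. With `$remote_addr` in the expression, a link is also rejected when the player fetches it from a different address than the one the page was issued to.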
