Securing URLs with the Secure Link Module in NGINX

Andrew Andonopoulos andre8525 at
Fri Jun 7 18:47:54 UTC 2019

Hi Patrick,

This is the nginx config, do you think that i should use another method? like auth?

user www;
worker_processes auto;
pid /var/run/;
worker_rlimit_nofile 1048576;

events {
    worker_connections  1024;


http {

    include       mime.types;
    default_type  text/html;
    log_format  custom_cache_log '$remote_addr - $remote_user [$time_local] '
                    '"$request" $status $body_bytes_sent '
                    '"$http_referer" "$http_user_agent"';
    sendfile           on;
    keepalive_timeout  65;

    proxy_cache_path   /tmp/nginx/cache levels=1:2 keys_zone=s3_cache:10m max_size=4G inactive=60m use_temp_path=off;

    map $uri $hls_uri {
        ~^(?<base_uri>.*).m3u8$ $base_uri;
        ~^(?<base_uri>.*).ts$   $base_uri;
        default                 $uri;

    server {
        listen       80;

        access_log  /var/log/nginx/ custom_cache_log;
error_log /var/log/nginx/ warn;

        location / {
           proxy_cache            s3_cache;
           proxy_http_version     1.1;
           proxy_set_header       Connection "";
           proxy_set_header       Authorization '';
           proxy_set_header       Host '';
           proxy_hide_header      x-amz-id-2;
           proxy_hide_header      x-amz-request-id;
           proxy_hide_header      x-amz-meta-server-side-encryption;
           proxy_hide_header      x-amz-server-side-encryption;
           proxy_hide_header      Set-Cookie;
       proxy_hide_header   x-amz-storage-class;
       proxy_ignore_headers   Set-Cookie;
           proxy_cache_revalidate on;
           proxy_intercept_errors on;
           proxy_cache_use_stale  error timeout updating http_500 http_502 http_503 http_504;
           proxy_cache_lock       on;
       proxy_cache_background_update on;
           proxy_cache_valid      200 60m;
           add_header             Cache-Control max-age=31536000;
           add_header             X-Cache-Status $upstream_cache_status;
           proxy_pass   ;
       add_header             'Access-Control-Allow-Origin' '*';
           add_header             'Access-Control-Allow-Credentials' 'true';
           add_header             'Access-Control-Allow-Headers' 'DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Origin,X-Auth-Token,Authorization,Accept,Client-Security-Token';
           add_header             'Access-Control-Allow-Methods' 'OPTIONS, GET';

           secure_link $arg_md5,$arg_expires;
           secure_link_md5 "enigma$uri$secure_link_expires";

           if ($secure_link = "") { return 403; }
           if ($secure_link = "0") { return 410; }


        # redirect server error pages to the static page /50x.html
        error_page   500 502 503 504  /50x.html;
        location = /50x.html {
            root   /usr/local/www/nginx-dist;



From: nginx <nginx-bounces at> on behalf of Patrick <201904-nginx at>
Sent: Friday, June 7, 2019 12:29 AM
To: nginx at
Subject: Re: Securing URLs with the Secure Link Module in NGINX

On 2019-06-06 23:00, Andrew Andonopoulos wrote:
> However i changed it little bit and i used the following (without map) and i was able to get 200 for only the URI, so i presume that the secure link with NGINX is working:

Can you post a redacted version of the config file?

Secure Link should work -- however it's not great because unless the m3u8
playlist is generated on the fly, the media assets will not be protected
by the Secure Link setup.

nginx mailing list
nginx at
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <>

More information about the nginx mailing list