Securing URLs with the Secure Link Module in NGINX

Andrew Andonopoulos andre8525 at
Fri Jun 7 21:51:49 UTC 2019


I was trying a couple of things and forgot to switch it back. I tried again and this is the current map and secure link config:

map $uri $hls_uri {
        ~^(?<base_uri>.*).m3u8$ $base_uri;
        ~^(?<base_uri>.*).ts$   $base_uri;
        default                 $uri;

secure_link $arg_md5,$arg_expires;
secure_link_md5 "enigma$hls_uri$secure_link_expires";

if ($secure_link = "") { return 403; }
if ($secure_link = "0") { return 410; }

Then i used this command to generate the expire date/time:

date -d "2019-06-08 23:30" +%s

and this command to generate the md5:

 echo -n 'enigma/hls/justin-timberlake/playlist1560033000' | openssl md5 -binary | openssl base64 | tr '+/' '-_' | tr -d '='

The request for the main manifest was ok:

Request URL: http://<domain>/hls/justin-timberlake/playlist.m3u8?md5=DWHdyTKR5vTqw10wNtnlIg&expires=1560033000<>
Request Method: GET
Status Code: 200 OK

But the content of the manifest doesn't have the md5

As well as the other m3u8 manifest, so only the playlist have the md5 and expire:

Request URL:
Request Method: GET
Status Code: 403 Forbidden


From: nginx <nginx-bounces at> on behalf of Francis Daly <francis at>
Sent: Friday, June 7, 2019 8:59 PM
To: nginx at
Subject: Re: Securing URLs with the Secure Link Module in NGINX

On Fri, Jun 07, 2019 at 06:47:54PM +0000, Andrew Andonopoulos wrote:

Hi there,

> This is the nginx config, do you think that i should use another method? like auth?

It looks to me like you could try using exactly the method in the document
you mentioned previously.

>     map $uri $hls_uri {
>         ~^(?<base_uri>.*).m3u8$ $base_uri;
>         ~^(?<base_uri>.*).ts$   $base_uri;
>         default                 $uri;
>     }

You create a variable $hls_uri which is "the uri without the .ts or
.m3u8", like that document does.

>            secure_link $arg_md5,$arg_expires;
>            secure_link_md5 "enigma$uri$secure_link_expires";

But your secure_link_md5 directive does not use that variable. Unlike
what that document does.

If there is still a problem after you fix that, can you show one request
that you make that does not give the response that you want?

Perhaps there is something unexpected in the way that the md5sum in the
link is generated or calculated.

Francis Daly        francis at
nginx mailing list
nginx at
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <>

More information about the nginx mailing list