Securing URLs with the Secure Link Module in NGINX

Andrew Andonopoulos andre8525 at
Sat Jun 15 18:08:07 UTC 2019

Hello Francis and thank you for the response.

In my case the player will request the m3u8 URL:


The response from the server will be:


After that the player will request the bitrate m3u8 files (as per the main manifest) which includes the ts files.
for example:

Can I instruct Nginx to use secure link only for the playlist.m3u8 and not for the other m3u8 and ts files?

The map config that i am using now is:
#map $uri $hls_uri {
        ~^(?<base_uri>.*).m3u8$ "base_uri";
        ~^(?<base_uri>.*).ts$   "base_uri";
       default                 $uri;


From: nginx <nginx-bounces at> on behalf of Francis Daly <francis at>
Sent: Sunday, June 9, 2019 8:15 AM
To: nginx at
Subject: Re: Securing URLs with the Secure Link Module in NGINX

On Sat, Jun 08, 2019 at 02:44:22PM +0000, Andrew Andonopoulos wrote:

Hi there,

> Thanks for the clarification, so all requests will be like this:
> http://<domain>/hls/<content folder name>/<content filename>
> can i include in the map the domain, the folder /hls/ and ignore all the rest?

You can. I'm not sure why you would.

The "map" is only a way to create a variable.

The important part is what you do with that variable - for example,
in one of the secure_link* directives.

You said that the task was "to use secure link to secure m3u8 and
ts files".

What do you understand by the phrase "to secure", there?

It is possible that the secure link module does not do what you want to
have done.

Presumably you want to allow some access and disallow some other
access. Possibly you only care about time-limited access?

I suspect that the details will matter.

>From a "secret url" point of view: telling someone to
access is exactly the same as
telling them to access or -- you give them a url, and you
configure your nginx such that anyone who accesses that url gets the
file contents. The "secret" part might stop them guessing how to get
file.ts in the same directory; but only if it is not the same secret
for all file names.

(You *could* issue different secret urls for different users; but I
don't think that that is what you are doing here.)

>From a "time-limited" point of view, you could tell
someone to access
or or, and configure your nginx
to send the file contents only until "time". The secret/secure_link part
is to stop someone adding a week to "time" and getting access for longer
than they should.

Or you could just "rm dir/file.m3u" when you no longer want it accessible.

There are good use-cases for the secure_link module.

But you should probably start with what you want to achieve; and then
see whether secure_link is the right answer. And then the mechanics of
configuring nginx to do what you want can be sorted out afterwards.

Francis Daly        francis at
nginx mailing list
nginx at
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <>

More information about the nginx mailing list