Securing URLs with the Secure Link Module in NGINX

Andrew Andonopoulos andre8525 at hotmail.com
Sat Jun 15 18:08:07 UTC 2019


Hello Francis and thank you for the response.

In my case the player will request the m3u8 URL:

https://<domain>/hls/justin-timberlake-encrypted/playlist.m3u8?md5=u808mTXsFSpZt7b8wLvlIw&expires=1560706367

The response from the server will be:

#EXTM3U
#EXT-X-VERSION:3
#EXT-X-STREAM-INF:BANDWIDTH=200000,RESOLUTION=416x234
Justin_Timberlake_416_234_200.m3u8
#EXT-X-STREAM-INF:BANDWIDTH=300000,RESOLUTION=480x270
Justin_Timberlake_480_270_300.m3u8
#EXT-X-STREAM-INF:BANDWIDTH=600000,RESOLUTION=640x360
Justin_Timberlake_640_360_600.m3u8
#EXT-X-STREAM-INF:BANDWIDTH=900000,RESOLUTION=960x540
Justin_Timberlake_960_540_900.m3u8
#EXT-X-STREAM-INF:BANDWIDTH=1300000,RESOLUTION=1280x720
Justin_Timberlake_1280_720_1300.m3u8


After that the player will request the bitrate m3u8 files (as per the main manifest), which include the ts files.
For example:
https://<domain>/hls/justin-timberlake-encrypted/Justin_Timberlake_416_234_200.m3u8


Can I instruct Nginx to use secure link only for the playlist.m3u8 and not for the other m3u8 and ts files?

The map config that I am using now is:
#map $uri $hls_uri {
        ~^(?<base_uri>.*).m3u8$ "base_uri";
        ~^(?<base_uri>.*).ts$   "base_uri";
       default                 $uri;
    }



Thanks
Andrew



________________________________
From: nginx <nginx-bounces at nginx.org> on behalf of Francis Daly <francis at daoine.org>
Sent: Sunday, June 9, 2019 8:15 AM
To: nginx at nginx.org
Subject: Re: Securing URLs with the Secure Link Module in NGINX

On Sat, Jun 08, 2019 at 02:44:22PM +0000, Andrew Andonopoulos wrote:

Hi there,

> Thanks for the clarification, so all requests will be like this:
>
> http://<domain>/hls/<content folder name>/<content filename>
>
> Can I include in the map the domain http://example.com, the folder /hls/ and ignore all the rest?

You can. I'm not sure why you would.

The "map" is only a way to create a variable.

The important part is what you do with that variable - for example,
in one of the secure_link* directives.


You said that the task was "to use secure link to secure m3u8 and
ts files".

What do you understand by the phrase "to secure", there?

It is possible that the secure link module does not do what you want to
have done.

Presumably you want to allow some access and disallow some other
access. Possibly you only care about time-limited access?

I suspect that the details will matter.

From a "secret url" point of view: telling someone to
access http://example.com/dir/file.m3u is exactly the same as
telling them to access http://example.com/dir/file.m3u?secret or
http://example.com/dir/secret/file.m3u -- you give them a url, and you
configure your nginx such that anyone who accesses that url gets the
file contents. The "secret" part might stop them guessing how to get
file.ts in the same directory; but only if it is not the same secret
for all file names.

(You *could* issue different secret urls for different users; but I
don't think that that is what you are doing here.)


From a "time-limited" point of view, you could tell
someone to access http://example.com/dir/file.m3u?time
or http://example.com/dir/file.m3u?secret&time or
http://example.com/dir/secret/time/file.m3u, and configure your nginx
to send the file contents only until "time". The secret/secure_link part
is to stop someone adding a week to "time" and getting access for longer
than they should.

Or you could just "rm dir/file.m3u" when you no longer want it accessible.


There are good use-cases for the secure_link module.

But you should probably start with what you want to achieve; and then
see whether secure_link is the right answer. And then the mechanics of
configuring nginx to do what you want can be sorted out afterwards.

        f
--
Francis Daly        francis at daoine.org
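
Added example, not part of the original thread: a Python model of the time-limited check discussed above, assuming `secure_link $arg_md5,$arg_expires;` with `secure_link_md5 "$secure_link_expires$uri <secret>";` and a constructed secret. It shows that adding a week to `expires`, or reusing the playlist's token for another file, fails the hash check.

```python
import base64
import hashlib
import hmac

SECRET = "constructed-secret"  # placeholder; the thread does not show the real one
WEEK = 7 * 24 * 3600


def make_token(expires: int, uri: str, secret: str = SECRET) -> str:
    """base64url(MD5("<expires><uri> <secret>")) with '=' padding stripped."""
    # Assumed directive: secure_link_md5 "$secure_link_expires$uri <secret>";
    digest = hashlib.md5(f"{expires}{uri} {secret}".encode()).digest()
    return base64.urlsafe_b64encode(digest).decode().rstrip("=")


def check_link(uri: str, md5: str, expires: int, now: int,
               secret: str = SECRET) -> str:
    """Mirror $secure_link: "" = hash mismatch, "0" = expired, "1" = valid."""
    expected = make_token(expires, uri, secret)
    if not hmac.compare_digest(expected.encode(), md5.encode()):
        return ""
    return "1" if now <= expires else "0"


def demo() -> dict:
    base = "/hls/justin-timberlake-encrypted/"
    playlist = base + "playlist.m3u8"
    variant = base + "Justin_Timberlake_416_234_200.m3u8"
    expires = 1560706367  # expires value from the URL in the message
    token = make_token(expires, playlist)
    return {
        "valid": check_link(playlist, token, expires, expires - 60),
        "expired": check_link(playlist, token, expires, expires + 60),
        "expires_plus_week": check_link(playlist, token, expires + WEEK,
                                        expires + 60),
        "token_reused_on_variant": check_link(variant, token, expires,
                                              expires - 60),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case}: {result!r}")
```

The last case shows why a token issued for playlist.m3u8 does not carry over to the other m3u8 and ts files when the hash covers `$uri`.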