Securing URLs with the Secure Link Module in NGINX

Mon Jun 17 12:01:32 UTC 2019

Hi,

Actually you can use a module developed by Kaltura call secure token module (1). This module can examine your response to see its content-type, if it matches configured parameter, it will automatically inject secure params into hls playlist. Use this module, please note you dont use anything relate to uri in secure link (ie: dont use $uri to calculate secure link)

(1): https://github.com/kaltura/nginx-secure-token-module <https://github.com/kaltura/nginx-secure-token-module>

> On Jun 17, 2019, at 3:17 PM, Andrew Andonopoulos <andre8525 at hotmail.com> wrote:
> 
> Hi Francis and thank you for your quick response / support.
> 
> Now is more clear how locations and secure link works. 
> 
> I would like to add the secure link in each m3u8 and ts file but can't modify the files on the fly with the free nginx version, i think nginx plus have this capability ? (receive fmp4 and deliver manifests on the fly)
> https://www.nginx.com/products/nginx/streaming-media/ <https://www.nginx.com/products/nginx/streaming-media/>
> 
> What you would suggest in case i want to use secure link for all the files?
> 
> 
> Thanks
> Andrew
> 
> 
> 
> 
> 
> From: nginx <nginx-bounces at nginx.org> on behalf of Francis Daly <francis at daoine.org>
> Sent: Monday, June 17, 2019 7:40 AM
> To: nginx at nginx.org
> Subject: Re: Securing URLs with the Secure Link Module in NGINX
>  
> On Sat, Jun 15, 2019 at 06:08:07PM +0000, Andrew Andonopoulos wrote:
> 
> Hi there,
> 
> > In my case the player will request the m3u8 URL:
> > 
> > https://<domain>/hls/justin-timberlake-encrypted/playlist.m3u8?md5=u808mTXsFSpZt7b8wLvlIw&expires=1560706367
> > 
> > The response from the server will be:
> > 
> > #EXTM3U
> > #EXT-X-VERSION:3
> > #EXT-X-STREAM-INF:BANDWIDTH=200000,RESOLUTION=416x234
> > Justin_Timberlake_416_234_200.m3u8
> > #EXT-X-STREAM-INF:BANDWIDTH=300000,RESOLUTION=480x270
> > Justin_Timberlake_480_270_300.m3u8
> 
> > Can I instruct Nginx to use secure link only for the playlist.m3u8 and not for the other m3u8 and ts files?
> 
> Yes.
> 
> I am not sure why you would do that; or what benefit it will give you;
> but that's ok. I do not need to understand that part.
> 
> 
> In nginx, a request in handled in a location.
> 
> So you want one location that will handle playlist.m3u8 requests and
> does the secure_link thing; and a separate location that will handle
> all of the other /hls/ requests.
> 
> I think you want to proxy_pass all of the requests, so you need proxy_pass
> in both locations.
> 
> I think you want lots of common config -- add_header, proxy_hide_header --
> so it is probably simplest to use nested locations to allow inheritance
> rather than duplication.
> 
> For example (untested):
> 
>   location /hls/ {
> 
>     # all of the common config goes here
> 
>     proxy_pass http://s3test.s3.amazonaws.com <http://s3test.s3.amazonaws.com/>;
> 
>     location ~ /playlist\.m3u8$ {
>       secure_link $arg_md5,$arg_expires;
>       secure_link_md5 "enigma$hls_uri$secure_link_expires";
> 
>       if ($secure_link = "") { return 403; }
>       if ($secure_link = "0") { return 410; }
>       proxy_pass http://s3test.s3.amazonaws.com <http://s3test.s3.amazonaws.com/>;
>     }
> 
>   }
> 
> Adjust to fit the rest of your requirements.
> 
> Good luck with it,
> 
>         f
> -- 
> Francis Daly        francis at daoine.org
> _______________________________________________
> nginx mailing list
> nginx at nginx.org
> http://mailman.nginx.org/mailman/listinfo/nginx <http://mailman.nginx.org/mailman/listinfo/nginx>
> _______________________________________________
> nginx mailing list
> nginx at nginx.org <mailto:nginx at nginx.org>
> http://mailman.nginx.org/mailman/listinfo/nginx <http://mailman.nginx.org/mailman/listinfo/nginx>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mailman.nginx.org/pipermail/nginx/attachments/20190617/1b3645bb/attachment.html>