Securing URLs with the Secure Link Module in NGINX

Andrew Andonopoulos andre8525 at
Mon Jun 17 12:25:22 UTC 2019

Hi Hung,

I presume i need to re-compile nginx. I never installed a module before so i think i need to follow these steps:

1) get the module in the server, in the folder /tmp/
2) compile nginx with this command: ./configure --add-module=/tmp/nginx-secure-token-module (this will be the module folder? so i just point it to the folder in tmp?


From: nginx <nginx-bounces at> on behalf of Hung Nguyen <hungnv at>
Sent: Monday, June 17, 2019 12:01 PM
To: nginx at
Subject: Re: Securing URLs with the Secure Link Module in NGINX


Actually you can use a module developed by Kaltura call secure token module (1). This module can examine your response to see its content-type, if it matches configured parameter, it will automatically inject secure params into hls playlist. Use this module, please note you dont use anything relate to uri in secure link (ie: dont use $uri to calculate secure link)


On Jun 17, 2019, at 3:17 PM, Andrew Andonopoulos <andre8525 at<mailto:andre8525 at>> wrote:

Hi Francis and thank you for your quick response / support.

Now is more clear how locations and secure link works.

I would like to add the secure link in each m3u8 and ts file but can't modify the files on the fly with the free nginx version, i think nginx plus have this capability ? (receive fmp4 and deliver manifests on the fly)

What you would suggest in case i want to use secure link for all the files?


From: nginx <nginx-bounces at<mailto:nginx-bounces at>> on behalf of Francis Daly <francis at<mailto:francis at>>
Sent: Monday, June 17, 2019 7:40 AM
To: nginx at<mailto:nginx at>
Subject: Re: Securing URLs with the Secure Link Module in NGINX

On Sat, Jun 15, 2019 at 06:08:07PM +0000, Andrew Andonopoulos wrote:

Hi there,

> In my case the player will request the m3u8 URL:
> https://<domain>/hls/justin-timberlake-encrypted/playlist.m3u8?md5=u808mTXsFSpZt7b8wLvlIw&expires=1560706367
> The response from the server will be:
> Justin_Timberlake_416_234_200.m3u8
> Justin_Timberlake_480_270_300.m3u8

> Can I instruct Nginx to use secure link only for the playlist.m3u8 and not for the other m3u8 and ts files?


I am not sure why you would do that; or what benefit it will give you;
but that's ok. I do not need to understand that part.

In nginx, a request in handled in a location.

So you want one location that will handle playlist.m3u8 requests and
does the secure_link thing; and a separate location that will handle
all of the other /hls/ requests.

I think you want to proxy_pass all of the requests, so you need proxy_pass
in both locations.

I think you want lots of common config -- add_header, proxy_hide_header --
so it is probably simplest to use nested locations to allow inheritance
rather than duplication.

For example (untested):

  location /hls/ {

    # all of the common config goes here


    location ~ /playlist\.m3u8$ {
      secure_link $arg_md5,$arg_expires;
      secure_link_md5 "enigma$hls_uri$secure_link_expires";

      if ($secure_link = "") { return 403; }
      if ($secure_link = "0") { return 410; }


Adjust to fit the rest of your requirements.

Good luck with it,

Francis Daly        francis at<mailto:francis at>
nginx mailing list
nginx at<mailto:nginx at>
nginx mailing list
nginx at<mailto:nginx at>

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <>

More information about the nginx mailing list