Securing URLs with the Secure Link Module in NGINX

Francis Daly francis at
Mon Jun 17 15:05:11 UTC 2019

On Mon, Jun 17, 2019 at 01:34:33PM +0000, Andrew Andonopoulos wrote:

Hi there,

> The idea of moving MD5 and Time after the first directory is good.
> So with this option i will not have to worry modifying the manifests.


Since the manifests refer to "other files in the same directory", the
same md5sum value will apply to them all, and the client should just
ask for the correct thing each time.

> If i use this URL:  /vod/MD5/TIME/hls/directory/files
> The locations will be like this?
> location ^~ /vod/"

More or less, yes. The first line there would probably be:

  location ^~ /vod/ {

but the rest looks right. You'll want to change the secure_link_md5 line
to match what you want, of course.

> Also i will need to capture the variables:
> Then I would use "map" to set variables $the_md5, $the_time,
> $the_directory, and $the_file from the incoming request.
> Do you have an example how to write the map with the appropriate regex?

One way to set all of the variables at once (assuming the request is
well-formed) would be something like:

  map $request_uri $the_md5 {
    default "";
    ~^/vod/(?P<one>[^/]+)/(?P<the_time>[0-9]+)(?P<the_directory>.*)/(?P<the_file>[^/]+) $one;

where "$the_md5" becomes "all of the non-slashes after /vod/", $the_time
becomes "all of the numbers after that", $the_directory becomes
"everything else up to the last slash", and $the_file is "everything
after the last slash".

You will probably want to change things such that "/hls" is either
excluded from $the_directory, or excluded from the rewrite directive.

You can check the debug log, or temporarily do things like

  return 200 "md5 = $the_md5; file=$the_file;\n";

to see what values the variables have when you are testing.

You can use "curl" to make a test request and see whether the response
is what you expect.

Good luck with it,

Francis Daly        francis at

More information about the nginx mailing list