Securing URLs with the Secure Link Module in NGINX

Andrew Andonopoulos andre8525 at hotmail.com
Mon Jun 17 15:17:46 UTC 2019 

Hi Francis,

Regarding the map, can you please explain which values the variables $one and $the_md5 will have?
My understanding of map directive is, request_uri will have the whole URI and will try to match it as per the regex. If there is a match then will pass the value to $one which will pass it to $the_md5?

Is this correct?

map $request_uri $the_md5 {
    default "";
    ~^/vod/(?P<one>[^/]+)/(?P<the_time>[0-9]+)(?P<the_directory>.*)/(?P<the_file>[^/]+) $one;
  }
where "$the_md5" becomes "all of the non-slashes after /vod/", $the_time
becomes "all of the numbers after that", $the_directory becomes
"everything else up to the last slash", and $the_file is "everything
after the last slash".

________________________________
From: nginx <nginx-bounces at nginx.org> on behalf of Francis Daly <francis at daoine.org>
Sent: Monday, June 17, 2019 3:05 PM
To: nginx at nginx.org
Subject: Re: Securing URLs with the Secure Link Module in NGINX

On Mon, Jun 17, 2019 at 01:34:33PM +0000, Andrew Andonopoulos wrote:

Hi there,

> The idea of moving MD5 and Time after the first directory is good.
> So with this option i will not have to worry modifying the manifests.

Correct.

Since the manifests refer to "other files in the same directory", the
same md5sum value will apply to them all, and the client should just
ask for the correct thing each time.

> If i use this URL:  /vod/MD5/TIME/hls/directory/files
>
> The locations will be like this?
>
> location ^~ /vod/"

More or less, yes. The first line there would probably be:

  location ^~ /vod/ {

but the rest looks right. You'll want to change the secure_link_md5 line
to match what you want, of course.

> Also i will need to capture the variables:
> Then I would use "map" to set variables $the_md5, $the_time,
> $the_directory, and $the_file from the incoming request.
>
> Do you have an example how to write the map with the appropriate regex?

One way to set all of the variables at once (assuming the request is
well-formed) would be something like:

  map $request_uri $the_md5 {
    default "";
    ~^/vod/(?P<one>[^/]+)/(?P<the_time>[0-9]+)(?P<the_directory>.*)/(?P<the_file>[^/]+) $one;
  }

where "$the_md5" becomes "all of the non-slashes after /vod/", $the_time
becomes "all of the numbers after that", $the_directory becomes
"everything else up to the last slash", and $the_file is "everything
after the last slash".

You will probably want to change things such that "/hls" is either
excluded from $the_directory, or excluded from the rewrite directive.

You can check the debug log, or temporarily do things like

  return 200 "md5 = $the_md5; file=$the_file;\n";

to see what values the variables have when you are testing.

You can use "curl" to make a test request and see whether the response
is what you expect.

Good luck with it,

        f
--
Francis Daly        francis at daoine.org
_______________________________________________
nginx mailing list
nginx at nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mailman.nginx.org/pipermail/nginx/attachments/20190617/f06d8857/attachment.html>

More information about the nginx mailing list