Securing URLs with the Secure Link Module in NGINX

Hung Nguyen hungnv at opensource.com.vn
Mon Jun 17 16:14:33 UTC 2019


How to compile this module into nginx is described in the readme, also on GitHub.
You can also compile it as a dynamic module and load it into nginx if you are using a recent version of nginx; how to do that is also included in the readme, I guess.

Regarding Akamai, this module was made to work with various CDN providers, but it also works without them.
All you need is:

secure_token $args;

Then the arguments in the m3u8 URL will be inserted into the ts segment URLs in the playlist content.

--
Hưng
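
Added example (not part of the original e-mail, and not code from nginx or the Kaltura module): a Python model of the secure_link check quoted further down in this thread, showing why the signed expression has to leave out the URI once the playlist's arguments are copied onto the child URLs. The function names, the constructed clock value and the `uri` argument standing in for `$hls_uri` are assumptions; a token signed without the URI is accepted for every path the location covers until it expires.

```python
import base64
import hashlib
import hmac

SECRET = "enigma"  # secret word from the secure_link_md5 line in this thread
BASE = "/hls/justin-timberlake-encrypted/"  # path from the thread
EXPIRES, NOW = 1560706367, 1560700000  # NOW is a constructed clock value
# Constructed sample: first variant of the master playlist quoted in the thread
PLAYLIST = ("#EXTM3U\n#EXT-X-VERSION:3\n"
            "#EXT-X-STREAM-INF:BANDWIDTH=200000,RESOLUTION=416x234\n"
            "Justin_Timberlake_416_234_200.m3u8")

def token(expression):
    """MD5 of the expression, base64url-encoded without '=' padding."""
    digest = hashlib.md5(expression.encode()).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode()

def sign(expires, uri=""):
    """Query string for a link; uri="" gives a token not bound to one path."""
    return f"md5={token(f'{SECRET}{uri}{expires}')}&expires={expires}"

def check(uri, args, now, bind_uri):
    """Status the location would return: 403 bad token, 410 expired, else 200."""
    q = dict(p.split("=", 1) for p in args.split("&") if "=" in p)
    exp = q.get("expires", "")
    if not (exp.isascii() and exp.isdigit()) or int(exp) <= 0:
        return 403
    expected = token(f"{SECRET}{uri if bind_uri else ''}{exp}")
    if not hmac.compare_digest(q.get("md5", "").encode(), expected.encode()):
        return 403
    return 410 if int(exp) < now else 200

def inject(playlist, args):
    """Simplified model of the rewrite: append args to every URI line."""
    out = []
    for line in playlist.splitlines():
        if line and not line.startswith("#"):
            line += ("&" if "?" in line else "?") + args
        out.append(line)
    return "\n".join(out)

def demo(bind_uri):
    """Statuses for (master playlist, rewritten child URL) under one policy."""
    args = sign(EXPIRES, BASE + "playlist.m3u8" if bind_uri else "")
    child, _, child_args = inject(PLAYLIST, args).splitlines()[-1].partition("?")
    return (check(BASE + "playlist.m3u8", args, NOW, bind_uri),
            check(BASE + child, child_args, NOW, bind_uri))

if __name__ == "__main__":
    print("URI in expression:", demo(True), "| URI left out:", demo(False))
```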

> On Jun 17, 2019, at 19:58, Andrew Andonopoulos <andre8525 at hotmail.com> wrote:
> 
> Also, I don't have an Akamai CDN behind nginx. Can I use this module without using another CDN?
> 
> Thanks
> Andrew
> 
> From: Andrew Andonopoulos <andre8525 at hotmail.com>
> Sent: Monday, June 17, 2019 12:25 PM
> To: nginx at nginx.org
> Subject: Re: Securing URLs with the Secure Link Module in NGINX
>  
> Hi Hung,
> 
> I presume I need to re-compile nginx. I have never installed a module before, so I think I need to follow these steps:
> 
> 1) get the module onto the server, in the folder /tmp/
> 2) compile nginx with this command: ./configure --add-module=/tmp/nginx-secure-token-module (this will be the module folder? so I just point it to the folder in tmp?)
> 
> Thanks
> Andrew
> 
> From: nginx <nginx-bounces at nginx.org> on behalf of Hung Nguyen <hungnv at opensource.com.vn>
> Sent: Monday, June 17, 2019 12:01 PM
> To: nginx at nginx.org
> Subject: Re: Securing URLs with the Secure Link Module in NGINX
>  
> Hi,
> 
> Actually you can use a module developed by Kaltura called secure token module (1). This module can examine your response to see its content-type; if it matches the configured parameter, it will automatically inject secure params into the hls playlist. If you use this module, please note that you don't use anything related to the uri in the secure link (i.e. don't use $uri to calculate the secure link).
> 
> (1): https://github.com/kaltura/nginx-secure-token-module
> 
> 
> 
> 
>> On Jun 17, 2019, at 3:17 PM, Andrew Andonopoulos <andre8525 at hotmail.com> wrote:
>> 
>> Hi Francis and thank you for your quick response / support.
>> 
>> Now it is more clear how locations and secure link work.
>> 
>> I would like to add the secure link in each m3u8 and ts file but can't modify the files on the fly with the free nginx version; I think nginx plus has this capability? (receive fmp4 and deliver manifests on the fly)
>> https://www.nginx.com/products/nginx/streaming-media/
>> 
>> What would you suggest in case I want to use secure link for all the files?
>> 
>> 
>> Thanks
>> Andrew
>> 
>> 
>> 
>> 
>> 
>> From: nginx <nginx-bounces at nginx.org> on behalf of Francis Daly <francis at daoine.org>
>> Sent: Monday, June 17, 2019 7:40 AM
>> To: nginx at nginx.org
>> Subject: Re: Securing URLs with the Secure Link Module in NGINX
>>  
>> On Sat, Jun 15, 2019 at 06:08:07PM +0000, Andrew Andonopoulos wrote:
>> 
>> Hi there,
>> 
>> > In my case the player will request the m3u8 URL:
>> > 
>> > https://<domain>/hls/justin-timberlake-encrypted/playlist.m3u8?md5=u808mTXsFSpZt7b8wLvlIw&expires=1560706367
>> > 
>> > The response from the server will be:
>> > 
>> > #EXTM3U
>> > #EXT-X-VERSION:3
>> > #EXT-X-STREAM-INF:BANDWIDTH=200000,RESOLUTION=416x234
>> > Justin_Timberlake_416_234_200.m3u8
>> > #EXT-X-STREAM-INF:BANDWIDTH=300000,RESOLUTION=480x270
>> > Justin_Timberlake_480_270_300.m3u8
>> 
>> > Can I instruct Nginx to use secure link only for the playlist.m3u8 and not for the other m3u8 and ts files?
>> 
>> Yes.
>> 
>> I am not sure why you would do that; or what benefit it will give you;
>> but that's ok. I do not need to understand that part.
>> 
>> 
>> In nginx, a request is handled in a location.
>> 
>> So you want one location that will handle playlist.m3u8 requests and
>> does the secure_link thing; and a separate location that will handle
>> all of the other /hls/ requests.
>> 
>> I think you want to proxy_pass all of the requests, so you need proxy_pass
>> in both locations.
>> 
>> I think you want lots of common config -- add_header, proxy_hide_header --
>> so it is probably simplest to use nested locations to allow inheritance
>> rather than duplication.
>> 
>> For example (untested):
>> 
>>   location /hls/ {
>> 
>>     # all of the common config goes here
>> 
>>     proxy_pass http://s3test.s3.amazonaws.com;
>> 
>>     location ~ /playlist\.m3u8$ {
>>       secure_link $arg_md5,$arg_expires;
>>       secure_link_md5 "enigma$hls_uri$secure_link_expires";
>> 
>>       if ($secure_link = "") { return 403; }
>>       if ($secure_link = "0") { return 410; }
>>       proxy_pass http://s3test.s3.amazonaws.com;
>>     }
>> 
>>   }
>> 
>> Adjust to fit the rest of your requirements.
>> 
>> Good luck with it,
>> 
>>         f
>> -- 
>> Francis Daly        francis at daoine.org
>> _______________________________________________
>> nginx mailing list
>> nginx at nginx.org
>> http://mailman.nginx.org/mailman/listinfo/nginx