Securing URLs with Secure Link + HLS

Francis Daly francis at
Wed Aug 31 22:18:47 UTC 2022

On Wed, Aug 31, 2022 at 05:42:27PM -0400, LewisMM wrote:

Hi there,

> I make a request with the .m3u8 file with the MD5 Hash and expiration. It
> receives a 200 code. Then the m3u8 playlist file tries to load the first
> segment in the playlist, however, I receive 403 "Not Authorised" error.
> Nginx isn't passing the MD5 hash and expiration to the segment file.

The client is not including the MD5 hash and expiration in its second
request, because nothing told the client to include it. And nginx is
configured not to allow requests without MD5 hash and expiration.

So the system is acting as it is configured to do. Just not as you would it to.

> I hope you understand my problem.

I think that you may have the same misunderstanding of how secure_link
and m3u8/ts files should work together, as was displayed initially in the
(long-ish) thread at,284473,284473

If you read through that entire thread, maybe the various design
possibilities will become clear.

(Don't worry about the S3 part; it is only the secure_link that is
relevant here.)

Basically, you have to decide why you are using secure_link, and whether
you want that to happen just for the m3u8 file, or also for the ts
files. And if you decide "yes" for the ts files, then you need to ensure
that the client knows to include the information in the request that
it sends to nginx -- either by you changing the m3u8 file so that each
link has the information needed; or by you changing your url layout so
that the simple m3u8 file "just works".


Francis Daly        francis at

More information about the nginx mailing list