TeslaGov / ngx-http-auth-jwt-module

Secure your NGINX locations with JWT
MIT License

How to use this module with Django REST framework? #65

Closed ghost closed 2 years ago

ghost commented 2 years ago

I'm working on a VOD platform in terms of a white-label product. Most stuff is already done, but for the moment I'm not able to solve one problem: how to deliver content in HLS format to the client securely? And by secure, I mean authorization.

All HLS content is stored on an S3 storage (non-AWS), and all m3u8 playlists and all segments must be available to the client as soon as the player (VideoJS) requests an individual segment referenced by an m3u8 playlist. In other words, this means that the bucket itself must run as public from a bucket policy perspective, otherwise VideoJS will fail to load segments.

My idea now is to place NGINX or OpenResty in front of the S3 storage to handle authorization of a client request. I have never done something like this, so I would like to get some useful references before I start implementing.

The VOD service itself is basically a combination of a backend, a Django API using DRF, and a frontend app (AngularJS). The backend uses JWT to authenticate clients. So it would be awesome if I could simply create some kind of token I can pass to the client, maybe another JWT or the same JWT the client gets after logging in at the frontend.

I'm not sure what exactly I need here, but it seems that I need to make NGINX/OpenResty open a subrequest as soon as a client wants data from the S3 storage if I understood the docs right.

At my Django backend, I have the following 3 endpoints:

```python
re_path(r'^api/v1/token/obtain$', obtain_jwt_token),       # Returns a new Token
re_path(r'^api/v1/token/refresh$', refresh_jwt_token),     # Returns a new Token in exchange for an old one
re_path(r'^api/v1/token/verify$', verify_jwt_token),       # Returns the Token if Valid else Bad Request
```

What do I need to do in order to marry DRF and NGINX? What kind of key does NGINX expect to validate the JWT?

Please also see:

https://jpadilla.github.io/django-rest-framework-jwt/

Thanks in advance, and sorry for the long reading.