Unable to playback m3u8 streams

[Jake4-CX]

Hello, I have spent the last hour deploying your m3u8 playlist proxy solution (via docker - latest version) but I'm unable to proxy the provided m3u8 streams, and I also found a potential vulnerability within your proxy.

Vulnerability: If I provide an m3u8 playlist with no headers (I.e. let's say your moj-m3u8 bit.ly link), the generated link will not proxy each stream (direct URL to moveonjoy's servers) - Exposing the requesters IP, potentially resulting in troubles with your ISP (If the user is intentionally deploying the proxy remotely to avoid this).

The other problem is that when individual streams are proxied, if I try and access them, I always run into HTTP errors (i.e. 403) preventing proxied playback.

Example requests (For DaddyLive - Channel: ABC.(WABC).New.York,.NY.us):

200: http://0.0.0.0:4123/playlist?url=https%3A%2F%2Fbit.ly%2Fddy-m3u1&data=VXNlci1BZ2VudD1Nb3ppbGxhLzUuMCAoV2luZG93cyBOVCAxMC4wOyBXaW42NDsgeDY0KSBBcHBsZVdlYktpdC81MzcuMzYgKEtIVE1MLCBsaWtlIEdlY2tvKSBDaHJvbWUvMTMwLjAuMC4wIFNhZmFyaS81MzcuMzZ8UmVmZXJlcj1odHRwczovL2lsb3ZldG9wbGF5Lnh5ei98T3JpZ2luPWh0dHBzOi8vaWxvdmV0b3BsYXkueHl6&epgMerging=true
200: http://0.0.0.0:4123?url=https%3A%2F%2Fxyzdddd.mizhls.ru%2Flb%2Fpremium51%2Findex.m3u8&data=VXNlci1BZ2VudD1Nb3ppbGxhLzUuMCAoV2luZG93cyBOVCAxMC4wOyBXaW42NDsgeDY0KSBBcHBsZVdlYktpdC81MzcuMzYgKEtIVE1MLCBsaWtlIEdlY2tvKSBDaHJvbWUvMTMwLjAuMC4wIFNhZmFyaS81MzcuMzZ8UmVmZXJlcj1odHRwczovL2lsb3ZldG9wbGF5Lnh5ei98T3JpZ2luPWh0dHBzOi8vaWxvdmV0b3BsYXkueHl6
403: http://0.0.0.0:4123?url=https%3A%2F%2Fddy1.iosplayer.ru%2Ftshttp%2Fddy1%2Fpremium51%2Fmono.m3u8%3Ftoken%3Dnone&data=VXNlci1BZ2VudD1Nb3ppbGxhLzUuMCAoV2luZG93cyBOVCAxMC4wOyBXaW42NDsgeDY0KSBBcHBsZVdlYktpdC81MzcuMzYgKEtIVE1MLCBsaWtlIEdlY2tvKSBDaHJvbWUvMTMwLjAuMC4wIFNhZmFyaS81MzcuMzZ8UmVmZXJlcj1odHRwczovL2lsb3ZldG9wbGF5Lnh5ei98T3JpZ2luPWh0dHBzOi8vaWxvdmV0b3BsYXkueHl6&type=/index.m3u8

Here is also a screenshot of my created link along with the URL created

http://0.0.0.0:4123/playlist?url=https%3A%2F%2Fbit.ly%2Fddy-m3u1&data=VXNlci1BZ2VudD1Nb3ppbGxhLzUuMCAoV2luZG93cyBOVCAxMC4wOyBXaW42NDsgeDY0KSBBcHBsZVdlYktpdC81MzcuMzYgKEtIVE1MLCBsaWtlIEdlY2tvKSBDaHJvbWUvMTMwLjAuMC4wIFNhZmFyaS81MzcuMzZ8UmVmZXJlcj1odHRwczovL2lsb3ZldG9wbGF5Lnh5ei98T3JpZ2luPWh0dHBzOi8vaWxvdmV0b3BsYXkueHl6&epgMerging=true

Docker console screenshot (of requests)

[dtankdempse]

It's not a vulnerability; the behavior of not proxying URLs when no headers are passed is intentional. Click the "More Info" link to learn more about how it works. This script isn’t designed to hide streams from your ISP, so it’s not a proxy in the typical sense. Instead, it acts as a bridge to access streams from a client that doesn’t support setting the required headers.

Streams without assigned headers aren’t proxied to save bandwidth when using free-tier services like Vercel. However, if you want to proxy these streams from another location, you can simply set a User-Agent or similar header to force the proxy.

Additionally, I’ve tested the same setup you’re using for DaddyLive and haven’t encountered a 403 error. Just to check, can you access the DaddyLive streams directly from their website in your browser from the same location where you’re running the script?

Edit: Check if you can access the key directly, or if you’re receiving a 403 error when trying. I know Daddylive recently began blocking Cloudflare Workers, so it’s possible they've restricted other servers from accessing the key request as well.

http://0.0.0.0:4123/?url=https%3A%2F%2Fkey2.keylocking.ru%2Fwmsxx.php%3Ftest%3Dtrue%26name%3Dpremium303%26number%3D1&data=VXNlci1BZ2VudD1Nb3ppbGxhLzUuMCAoV2luZG93cyBOVCAxMC4wOyBXaW42NDsgeDY0KSBBcHBsZVdlYktpdC81MzcuMzYgKEtIVE1MLCBsaWtlIEdlY2tvKSBDaHJvbWUvMTMwLjAuMC4wIFNhZmFyaS81MzcuMzZ8UmVmZXJlcj1odHRwczovL2lsb3ZldG9wbGF5Lnh5ei98T3JpZ2luPWh0dHBzOi8vaWxvdmV0b3BsYXkueHl6&key=true