kaltura / nginx-secure-token-module

GNU Affero General Public License v3.0

index manifest returned by nginx is rejected by CloudFront #117

Open comiconomenclaturist opened 1 week ago

comiconomenclaturist commented 1 week ago

I've compiled nginx with nginx-vod-module, nginx-aws-auth and nginx-secure-token-module and have generated a signed URL using the instructions here.

The master playlist loads, but the index doesn't. Nginx replies with a different set of query arguments which is rejected by CloudFront (403 / Access denied). I know the private_key works because the master playlist works.

The other difference is that nginx replies with a manifest containing http links instead of https. All URLs should be https.

The nginx server is currently running in a Docker container upstream from the main nginx server, which terminates the SSL connection.

What could be the problem here?

curl 'https://example.com/hls/api/playlist.json/master.m3u8?Expires=1728691200&Signature=fdEfJ-bNzoPryfZvJtP53u3Wpx8PZVGg8eCeHFalTmnlOiHVpEH6v7iOcEpqV9ZL4jtrfHgaPEl8KoBUdudzeNGMD4MsI6we7jxjWYkgewd6MMw0fIceze1AE9TtcIn6TX8uiGMoPj30DGNl3ItuMpsD9sXSxgxtx-5BFcBSkVp~TKBnMiAPnpZf9plVYQElLttEJQMUDqSuJ5zK5q-F7CLzapHZCU3JMRBHfLtzwBGTycgNkoKC1sSdWJkw00yHbWkQ1p1ErHSdQo8NFt~DkYTw-q4AeG4Hrihrbcdf9H9OM5bLXSwqostCA9nivnJtV1ba8jcoEbDuN51F~8QtGw__&Key-Pair-Id=KKKKKKKKKKKKKK'

#EXTM3U
#EXT-X-STREAM-INF:PROGRAM-ID=1,BANDWIDTH=161274,CODECS="mp4a.40.2"
http://example.com/hls/api/playlist.json/index-a1.m3u8?Policy=eyJTdGF0ZW1lbnQiOlt7IlJlc291cmNlIjoiaHR0cDovL3N0cmVhbTMuY2FmZW90by5jby51ay9obHMvb3RvbW8teW9zaGloaWRlLXNhY2hpa28tbS1xdWludGV0LXNleHRldC1kdW9zLUNELmpzb24vKiIsIkNvbmRpdGlvbiI6eyJEYXRlTGVzc1RoYW4iOnsiQVdTOkVwb2NoVGltZSI6MTcxOTQ5NTM1N319fV19&Signature=niyR-CZPLY4K06dhEE4~644hsPr8DHZXpsJT6YTnuM9OdHS4S5jb8dvugbPMkUvRpdTViOLOqKvsaHyPkPVbgwHNDUEeu4RAYidplplYPML6~4Q6DWubPC2mm8NffQ3B4nId6uK7P-0rY9kSywWX4OzjrF~Pk71klnN0XJ1CdoFOpLZnubcLLBkjPS9KAKdMrp~VYxmuxbI6dTi2c5N7YsL9G3KU-J7D~-xB4pRHb-z0hKzbd~kY9vdqe6AVak-89~HQLcNfKX2yUKHdz70ExG8cT4M3E9vZlQJt6Ae~dnGos3sbOT59bBN0k~MqERpHqVRD8jBBB2zEmzha4dCD4g__&Key-Pair-Id=KKKKKKKKKKKKKK

curl 'http://example.com/hls/api/playlist.json/index-a1.m3u8?Policy=eyJTdGF0ZW1lbnQiOlt7IlJlc291cmNlIjoiaHR0cDovL3N0cmVhbTMuY2FmZW90by5jby51ay9obHMvb3RvbW8teW9zaGloaWRlLXNhY2hpa28tbS1xdWludGV0LXNleHRldC1kdW9zLUNELmpzb24vKiIsIkNvbmRpdGlvbiI6eyJEYXRlTGVzc1RoYW4iOnsiQVdTOkVwb2NoVGltZSI6MTcxOTQ5NTM1N319fV19&Signature=niyR-CZPLY4K06dhEE4~644hsPr8DHZXpsJT6YTnuM9OdHS4S5jb8dvugbPMkUvRpdTViOLOqKvsaHyPkPVbgwHNDUEeu4RAYidplplYPML6~4Q6DWubPC2mm8NffQ3B4nId6uK7P-0rY9kSywWX4OzjrF~Pk71klnN0XJ1CdoFOpLZnubcLLBkjPS9KAKdMrp~VYxmuxbI6dTi2c5N7YsL9G3KU-J7D~-xB4pRHb-z0hKzbd~kY9vdqe6AVak-89~HQLcNfKX2yUKHdz70ExG8cT4M3E9vZlQJt6Ae~dnGos3sbOT59bBN0k~MqERpHqVRD8jBBB2zEmzha4dCD4g__&Key-Pair-Id=KKKKKKKKKKKKKK'

<?xml version="1.0" encoding="UTF-8"?><Error><Code>AccessDenied</Code><Message>Access denied</Message></Error>%

erankor commented 4 days ago

nginx-vod-module by default uses the scheme seen by nginx ($scheme); you can override it by setting vod_base_url.
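
An added example, not part of the thread or of either module's code: it decodes the `Policy` argument of a manifest link shaped like the ones above and reports when the policy's Resource or the link itself uses a different scheme than the one players request, or when the policy's `AWS:EpochTime` has passed. The sample URL, its `example.com` path, the placeholder signature and all function names are constructed for illustration; the character substitutions are CloudFront's URL-safe base64 alphabet.

```python
import base64
import json
from urllib.parse import urlsplit, parse_qs

# CloudFront's URL-safe base64 alphabet: '+' -> '-', '=' -> '_', '/' -> '~'
_CF_TO_STD = str.maketrans("-_~", "+=/")
_STD_TO_CF = str.maketrans("+=/", "-_~")


def decode_policy(url):
    """Return the custom policy JSON carried in a signed URL's Policy argument."""
    query = parse_qs(urlsplit(url).query)
    if "Policy" not in query:
        raise ValueError("no Policy argument (a canned-policy URL carries Expires instead)")
    raw = base64.b64decode(query["Policy"][0].translate(_CF_TO_STD))
    return json.loads(raw)


def check_signed_url(url, client_scheme, now):
    """List mismatches between the policy and the request a player will make."""
    problems = []
    for stmt in decode_policy(url)["Statement"]:
        res_scheme = stmt["Resource"].split("://", 1)[0]
        if res_scheme not in ("*", client_scheme):
            problems.append(f"Resource scheme {res_scheme!r} != client scheme {client_scheme!r}")
        expires = stmt["Condition"]["DateLessThan"]["AWS:EpochTime"]
        if expires <= now:
            problems.append(f"policy expired at {expires}")
    if urlsplit(url).scheme != client_scheme:
        problems.append(f"manifest link itself is not {client_scheme}")
    return problems


def make_sample_url(scheme, expires):
    """Constructed sample: an unsigned policy in the same shape as the thread's URLs."""
    policy = {"Statement": [{"Resource": f"{scheme}://example.com/hls/sample.json/*",
                             "Condition": {"DateLessThan": {"AWS:EpochTime": expires}}}]}
    blob = base64.b64encode(json.dumps(policy).encode()).decode().translate(_STD_TO_CF)
    return (f"{scheme}://example.com/hls/sample.json/index-a1.m3u8"
            f"?Policy={blob}&Signature=PLACEHOLDER&Key-Pair-Id=PLACEHOLDER")


if __name__ == "__main__":
    # Backend saw plain http behind the TLS terminator; players fetch over https.
    for line in check_signed_url(make_sample_url("http", 1700000000), "https", 1600000000):
        print(line)
```

Running the same check on a manifest fetched after a `vod_base_url` change shows whether both the link and the policy Resource now carry the scheme that clients use.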