kaltura / nginx-secure-token-module

GNU Affero General Public License v3.0

Token insert twice when 2 servers using secure token module #69

Open whatvn opened 5 years ago

whatvn commented 5 years ago

Hi @erankor,

I am using the secure token module in a simple case, to embed the secure token into all URLs of an m3u8 playlist. The configuration is simple, like this:

secure_token $args;

In a usual setup like this it's OK:

NGINX_GATEWAY(with secure token module) -> VOD_PACKAGER

But when the setup gets complicated

NGINX_GATEWAY-2(with secure token module) -> NGINX_GATEWAY-1 (with secure token module) -> VOD_PACKAGER

the secure token is inserted twice, because it's already inserted by NGINX_GATEWAY-1.

I currently fixed it by searching through the whole response body, looking for "?" in the m3u8 response body; if it's found I return immediately and do nothing. Although it works, I know you will be able to find a better way.

The code is simply like this:

/* cl walks the response body chain, p scans the bytes of each buffer */
for (cl = in; cl; cl = cl->next) {
    for (p = cl->buf->pos; p < cl->buf->last; p++) {
        if (*p == '?') {
            /* the body already contains a query string: pass it through untouched */
            ngx_log_error(NGX_LOG_ERR, r->connection->log, 0,
                          "[NGX_SECURE_TOKEN_MODULE] query string exist, ignore");
            return ngx_http_next_body_filter(r, in);
        }
    }
}

Other than that, if a query string already exists in the ts URL, secure token fails to insert the right query string. For example, if the ts has the URI:

a/ts?abc=1&def=2

and the token is token=34nbekkdf, in my test the secure token module changes the URI to

a/ts?abc=1&def=2?token=34nbekkdf

which makes the URI bad.

Do you have any idea?

erankor commented 5 years ago

I may be missing something, but this setup looks a bit weird to me -

  1. Can't you embed the token in the vod server?
  2. What about disabling the token on gateway-1?

If you have to use this setup, my suggestion is to use some header to tell gateway-1 not to tokenize the manifest. gateway-2 can do proxy_set_header x-tokenize no, and gateway-1 would do if ($http_x_tokenize != "no") { nginx_secure_token ... }

Regarding what you wrote about multiple ? in the URL, the code is expected to handle it - https://github.com/kaltura/nginx-secure-token-module/blob/master/ngx_http_secure_token_processor_base.c#L195 are you using the latest version?

whatvn commented 5 years ago
  1. I have many vod servers, if setting up embed on vod server I have to end up setting up on all of them.
  2. I am not aware that secure_token can be used in if directive, can you confirm?

I use the latest version and that check does not seem to have any effect.

-- Hưng


whatvn commented 5 years ago

One more thing: if I set the header when proxying, my setup will not be consistent between gateways.

erankor commented 5 years ago

"I am not aware that secure_token can be used in if directive, can you confirm?" Hmm... right, but you can do this -

map $http_x_tokenize $token { 
    "no" ""; 
    default ...; 
}

...
secure_token $token;

When the variable evaluates to an empty string, nginx-secure-token-module won't do anything. I will check regarding URLs with ?...

erankor commented 5 years ago

Tested it now - configured some upstream server to return an m3u8 with query params, and configured nginx with proxy_pass & secure_token to add a token on top of it. It worked for me as expected - the new token param was added with '&'. So I would need more info on how to reproduce this issue, please try to find a minimal configuration that shows the problem.
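Added example, not part of the thread and not the module's own code: a standalone C function that appends a token to a playlist URI only once, using '&' when the URI already has a query string, so a second gateway in the chain leaves an already tokenized URI alone. The names `has_query_param` and `append_token_once`, and the rule of matching on the token's parameter name (which assumes the token has the form name=value), are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Returns 1 if the query string of uri already has a parameter whose name is
 * the first name_len bytes of name. Whole parameter names only, so "mytoken"
 * does not count as "token". */
static int has_query_param(const char *uri, const char *name, size_t name_len)
{
    const char *p = strchr(uri, '?');

    while (p != NULL) {
        p++;                                   /* step over '?' or '&' */
        if (strncmp(p, name, name_len) == 0 &&
            (p[name_len] == '=' || p[name_len] == '&' || p[name_len] == '\0')) {
            return 1;
        }
        p = strchr(p, '&');                    /* next parameter, if any */
    }
    return 0;
}

/* Appends token ("name=value") to uri and writes the result to out.
 * Returns 1 if appended, 0 if a parameter with that name was already present
 * (uri is copied unchanged), -1 if out is too small. */
int append_token_once(const char *uri, const char *token, char *out, size_t out_sz)
{
    const char *eq = strchr(token, '=');
    size_t name_len = eq ? (size_t)(eq - token) : strlen(token);
    int n;

    if (has_query_param(uri, token, name_len)) {
        n = snprintf(out, out_sz, "%s", uri);
        return (n < 0 || (size_t)n >= out_sz) ? -1 : 0;
    }
    /* '?' starts a query string, '&' extends an existing one */
    n = snprintf(out, out_sz, "%s%c%s", uri, strchr(uri, '?') ? '&' : '?', token);
    return (n < 0 || (size_t)n >= out_sz) ? -1 : 1;
}

int main(void)
{
    /* Constructed sample URIs, modelled on the ones quoted in this thread. */
    const char *samples[] = { "a/ts", "a/ts?abc=1&def=2",
                              "a/ts?abc=1&token=34nbekkdf", "a/ts?mytoken=1" };
    char out[256];
    for (size_t i = 0; i < sizeof(samples) / sizeof(samples[0]); i++) {
        int rc = append_token_once(samples[i], "token=34nbekkdf", out, sizeof(out));
        printf("%d %s\n", rc, out);
    }
    return 0;
}
```

Unlike skipping the whole body when any '?' is found, this decides per URI, so segment URIs that carry other query parameters still receive the token.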

whatvn commented 5 years ago

Hello, the configuration is simple, like this. On gw-1 (gw-1 has the same configuration):

secure_token $args;

In gw-2:

upstream gw-1 {
   server gw1-address;
}

location / {
    proxy_pass http://gw-1;
}

Then request http://gw-2/some/index.m3u8?token=2kw45