kaltura / nginx-vod-module

NGINX-based MP4 Repackager
GNU Affero General Public License v3.0

securing vod URLs #1055

Open Sulieman9 opened 4 years ago

Sulieman9 commented 4 years ago

Hello there, I have PHP code that generates a secured URL (found in the discussions here), and I have attached the nginx conf file. I need to know what to change in the nginx conf file to get it to work, and to deny playback of URLs without the hash.

php:

```php
<?php
function buildSecureLink($baseUrl, $path, $secret, $ttl, $userIp)
{
    $expires = time() + $ttl;
    // Raw (binary) MD5 over expiry, path, client IP, a space, and the secret
    $md5 = md5("$expires$path$userIp $secret", true);
    // base64url without padding
    $md5 = base64_encode($md5);
    $md5 = strtr($md5, '+/', '-_');
    $md5 = str_replace('=', '', $md5);
    return $baseUrl . $path . '?md5=' . $md5 . '&expires=' . $expires;
}

// example usage
$secret = 'sulieman';
$baseUrl = 'https://cdn.alarab.com';
// leading slash added so that $baseUrl . $path forms a valid URL
$path = '/vod,6,15,00/128223.mp4.urlset/playlist.m3u8';
$ttl = 5000; // number of seconds this link is active
$userIp = $_SERVER['REMOTE_ADDR']; // normally you would read this from something like $_SERVER['REMOTE_ADDR'];
echo buildSecureLink($baseUrl, $path, $secret, $ttl, $userIp);
```

conf:

```nginx
user nobody;

worker_processes auto;

error_log logs/error.log;
error_log logs/error.log notice;
error_log logs/error.log info;

pid logs/nginx.pid;

events {
    worker_connections 1024;
}

http {
    upstream fallback {
        server 127.0.0.1:80;
    }

    server {
        listen 80;
        listen [::]:80;
        listen 443 ssl;
        listen [::]:443 ssl;

        ssl on;
        ssl_certificate /usr/local/nginx/ssl/cdn.alarab.com.chained.crt;
        ssl_certificate_key /usr/local/nginx/ssl/server.key;

        server_name cdn.alarab.com;
        access_log /dev/null;
        error_log /dev/null;

        # vod settings
        vod_mode local;
        vod_fallback_upstream_location /fallback;
        vod_last_modified 'Sun, 19 Nov 2000 08:52:00 GMT';
        vod_last_modified_types *;
        vod_hls_master_file_name_prefix playlist;

        # vod caches
        vod_metadata_cache metadata_cache 2048m;
        vod_response_cache response_cache 2048m;

        # gzip manifests
        gzip on;
        gzip_types application/vnd.apple.mpegurl;

        # file handle caching / aio
        open_file_cache max=100000 inactive=1m;
        open_file_cache_valid 5m;
        open_file_cache_min_uses 1;
        open_file_cache_errors on;

        aio on;

        location ^~ /fallback/ {
            internal;
            proxy_pass http://fallback/;
            proxy_set_header Host $http_host;
        }

        location / {
            root /storage/;
            vod hls;
            add_header Access-Control-Allow-Headers '*';
            add_header Access-Control-Expose-Headers 'Server,range,Content-Length,Content-Range';
            add_header Access-Control-Allow-Methods 'GET, HEAD, OPTIONS';
            add_header Access-Control-Allow-Origin '*';
            expires 100d;
        }
    }
}
```

mlevkov commented 4 years ago

In the location, you need to add

```nginx
if ($http_x_cloudfront_secret != "$g_secret") {
    return 403;
}
```

Then, if you want to sign your URLs, you need to have a "secure" module installed along with the SSL library. Then, add this in the location: `secure_token_types application/vnd.apple.mpegurl;` if your location is servicing HLS, and/or `secure_token_types application/dash+xml video/mpd;` if your location is servicing DASH.

@erankor might add additional details if I missed something or did not fully understand your question.

Sulieman9 commented 4 years ago

Hello there, I am not using CloudFront for this. I am only seeking to configure the Nginx server to start using secured URLs using a secret hash, but I didn't find out how to do that. Also, I have the secure module installed and working with SSL. Thanks in advance.
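
The server-side check that corresponds to the `buildSecureLink()` function in the opening post, as an added example that is not part of the thread or the project's code. It assumes nginx was built with the stock `ngx_http_secure_link_module` (`--with-http_secure_link_module`), does not use the `secure_token_types` directive from the reply, and uses `CHANGE_ME_SECRET` as a placeholder for the shared secret.

```nginx
# Added example: a replacement for the "location /" block of the posted config.
# Assumption: ngx_http_secure_link_module is compiled in.
# CHANGE_ME_SECRET is a placeholder; use the same secret as the PHP signer.
location / {
    root /storage/;
    vod hls;

    # Token and expiry are read from the query string that buildSecureLink()
    # produces:  ?md5=<base64url(md5), no padding>&expires=<unix time>
    secure_link $arg_md5,$arg_expires;

    # Must match the PHP input byte for byte: "$expires$path$userIp $secret".
    # $uri begins with "/", so the signed $path has to begin with "/" too.
    secure_link_md5 "$secure_link_expires$uri$remote_addr CHANGE_ME_SECRET";

    # Empty string: the md5 argument is missing or the hash does not match.
    if ($secure_link = "") {
        return 403;
    }

    # "0": the hash matches but the expires timestamp is in the past.
    if ($secure_link = "0") {
        return 410;
    }

    # Unchanged from the posted config.
    add_header Access-Control-Allow-Headers '*';
    add_header Access-Control-Expose-Headers 'Server,range,Content-Length,Content-Range';
    add_header Access-Control-Allow-Methods 'GET, HEAD, OPTIONS';
    add_header Access-Control-Allow-Origin '*';
    expires 100d;
}
```

Every request this location serves then needs valid `md5` and `expires` arguments, including the playlist and segment URLs a player requests after the first manifest. `$remote_addr` is the address nginx sees, so behind a proxy or CDN the signer has to use that address rather than the viewer's.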