nginx-vod-module

encrypted uri query

Open ruby-fu-ninja opened this issue 3 years ago • 0 comments

Hi, many thanks for your work on this library.

I am currently combining encrypted URIs, AES-128 for segments, and the secure link module for time expiry on my manifest and encryption key URIs, as follows. This works, but I am unable to get the encrypted URI part component as a variable and instead have to use $secure_token_original_uri, which results in URLs like /media/xyz/index.m3u8encryption.key. I fix this with a rewrite, but it'd be nice to tidy this up. I did try to use a capture group in an if statement, but this seemed to break the URI decryption process, where it was trying to look up the file using the encrypted part. If you have any insight on this, it would be appreciated.

I also noticed that the segment URIs are not encrypted; is this not supported?

When trying to use a capture group:

        ==> /var/log/nginx/error.log <==
        2021/03/12 10:03:47 [error] 27149#0: *2 ngx_file_reader_update_state_file_info: open() "/data/www/media/mjOMKtc01noP_23RyN1YGLDNU9RyXJjrm9VIbt1okrwy_DT6vjihmu4U3Bs940ne" failed (2: No such file or directory), client: 121.75.172.114, server: media-poc.staging.nzonscreen.com, request: "GET /media/mjOMKtc01noP_23RyN1YGLDNU9RyXJjrm9VIbt1okrwy_DT6vjihmu4U3Bs940ne/index.m3u8?md5=9aULOhn2ZrdlF9S3Vvl1mw&expires=1615497204 HTTP/1.1", host: "media-poc.staging.nzonscreen.com"

Full config:

        location ~ (.+)/index.m3u8encryption.key$ {
                rewrite (.+)/index.m3u8encryption.key $1/encryption.key last;
        }

        location ~ /media/(.+)/(index\.m3u8|encryption\.key)$ {

                secure_link $arg_md5,$arg_expires;
                secure_link_md5 "$secure_link_expires$1 secretkey";

                if ($secure_link = "") { return 403; }

                if ($secure_link = "0") { return 410; }

                secure_token_encrypt_uri on;
                secure_token_encrypt_uri_key 000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f;
                secure_token_encrypt_uri_iv 00000000000000000000000000000000;
                secure_token_encrypt_uri_part $1;

                root /data/www;
                add_header Access-Control-Allow-Origin *;

                vod_mode local;

                vod hls;
                vod_secret_key "secret$vod_filepath";

                vod_hls_encryption_method aes-128;
                vod_hls_encryption_key_format "urn:uuid:edef8ba9-79d6-4ace-a3c8-27dcd51d21ed";
                vod_hls_encryption_key_format_versions "1";

                #if ($secure_token_original_uri ~* "^(.+)index.m3u8$") {
                #       #set $encryption_key_path $1;
                #       break;
                #}

                vod_hls_encryption_key_uri "http://media-poc.staging.nzonscreen.com${secure_token_original_uri}encryption.key?$args";
        }

        location ~ /media/(.+)\.ts$ {
                root /data/www;
                add_header Access-Control-Allow-Origin *;

                vod hls;
                vod_secret_key "secret$vod_filepath";

                vod_hls_encryption_method aes-128;
                vod_hls_encryption_key_format "urn:uuid:edef8ba9-79d6-4ace-a3c8-27dcd51d21ed";
                vod_hls_encryption_key_format_versions "1";
        }

ruby-fu-ninja, Mar 11 '21 21:03
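An added example, not part of the original issue or of the nginx-vod-module project: a Python sketch of how the `md5` and `expires` query arguments checked by the `secure_link` directives in the config above can be generated and verified offline, for instance when debugging 403/410 responses on the manifest and key URIs. The function names and the sample URI part are assumptions; `secretkey` is the placeholder from the posted config, and `uri_part` stands for whatever `$1` captures in that location.

```python
import base64
import hashlib
import hmac
import time

SECRET = "secretkey"                 # placeholder secret from the posted config
SAMPLE_PART = "SAMPLE_ENCRYPTED_PART"  # constructed stand-in for the value of $1


def sign(expires: int, uri_part: str, secret: str = SECRET) -> str:
    """Token for: secure_link_md5 "$secure_link_expires$1 secretkey";"""
    expr = f"{expires}{uri_part} {secret}"          # note the literal space
    digest = hashlib.md5(expr.encode()).digest()    # binary MD5, not hex
    # secure_link expects base64url; tokens are normally sent without padding
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode()


def check(md5_arg, expires_arg, uri_part, secret=SECRET, now=None) -> int:
    """Mirror the config's outcome: 403 if $secure_link is "", 410 if "0"."""
    now = time.time() if now is None else now
    try:
        expires = int(expires_arg)
    except (TypeError, ValueError):
        return 403                                   # unparsable expiry
    if expires <= 0:
        return 403
    expected = sign(expires, uri_part, secret).encode()
    # Comparing the encoded form is equivalent for canonical unpadded tokens
    if not hmac.compare_digest(expected, (md5_arg or "").encode()):
        return 403                                   # hash mismatch
    return 410 if expires < now else 200             # expired vs. valid


if __name__ == "__main__":
    exp = int(time.time()) + 600
    token = sign(exp, SAMPLE_PART)
    print(f"/media/{SAMPLE_PART}/index.m3u8?md5={token}&expires={exp}")
    print(check(token, str(exp), SAMPLE_PART))
```

Because the posted config appends `?$args` to `vod_hls_encryption_key_uri`, the key request reuses the manifest's `md5` and `expires` values, so both URIs must match the same location capture for the check to pass.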