How to secure downloading mp3 or flv files in nginx

Hi all,

Can nginx achieve this goal?

On my php page,I give the url to my mp3 file in this format
http://mp3.example.com/a.mp3?key=time()
then this request will go to nginx,can nginx do something like compare
the uri /a.mp3?key=time() with the current time() and if it is 180
seconds ago,403 error will return or it will rewrite to the normal file
/a.mp3

Thanks in advance.

Please refer to secure_link module

2009/6/15 XUFENG [email protected]

2009/6/15 XUFENG [email protected]:

   On my php page,I give the url to my mp3 file in this format http://mp3.example.com/a.mp3?key=time()

then this request will go to nginx,can nginx do something like compare the uri /a.mp3?key=time() with the current time() and if it is 180 seconds ago,403 error will return or it will rewrite to the normal file /a.mp3

So if you can do it on your php page, there is no problem that someone
who wants to leech file do same on his page. This solution is useless.

My 2 cents. :stuck_out_tongue:

On Mon, Jun 15, 2009 at 05:05:31PM +0800, Delta Y. wrote:

Please refer to secure_link module

No, ngx_http_secure_link has no timestamp information, it’s just for
URL validating.

On Mon, 15 Jun 2009 13:11:09 +0400, Igor S. wrote:

On Mon, Jun 15, 2009 at 05:05:31PM +0800, Delta Y. wrote:

Please refer to secure_link module

No, ngx_http_secure_link has no timestamp information, it’s just for URL
validating.

I’ve found nginx-accesskey module
(NGINX 3rd Party Modules | NGINX)
quite useful for this.

something like:

    location ~ \.flv$ {
        accesskey   on;
        accesskey_hashmethod        md5;
        accesskey_arg       "key";

        accesskey_signature "secret_$remote_addr";
    }

in the config and then the link would be

http://host/download.php?key=

mind you, the link will be available indefinitely (ie will not expire)
and won’t work if the users REMOTE_ADDR changes between requests (eg is
behind a round-robin cluster of proxies).
But perhaps another variable can control both these factors…

XUFENG at 2009-6-15 16:54 wrote:

Hi all,

Can nginx achieve this goal?

On my php page,I give the url to my mp3 file in this format http://mp3.example.com/a.mp3?key=time()
then this request will go to nginx,can nginx do something like compare the uri /a.mp3?key=time() with the current time() and if it is 180 seconds ago,403 error will return or it will rewrite to the normal file /a.mp3

I think you should write a simple custom handler module.

To Thanos Chatziathanassiou,
Yes,if our url does not expire,then you can put my video on your website
(actually you link to my video),and that is what we donot want to
see,module_access_key cannot relove this.

XUFENG
2009-06-15


发件人:Thanos Chatziathanassiou
发送日期:2009-06-15 17:33:28
收件人:nginx
抄送:
主题:Re: how to secure downloading mp3 or flv files in nginx

On Mon, 15 Jun 2009 13:11:09 +0400, Igor S. wrote:

On Mon, Jun 15, 2009 at 05:05:31PM +0800, Delta Y. wrote:

Please refer to secure_link module

No, ngx_http_secure_link has no timestamp information, it’s just for URL
validating.

I’ve found nginx-accesskey module
(NGINX 3rd Party Modules | NGINX)
quite useful for this.

something like:

    location ~ \.flv$ {
        accesskey   on;
        accesskey_hashmethod        md5;
        accesskey_arg       "key";

        accesskey_signature "secret_$remote_addr";
    }

in the config and then the link would be

http://host/download.php?key=

mind you, the link will be available indefinitely (ie will not expire)
and won’t work if the users REMOTE_ADDR changes between requests (eg is
behind a round-robin cluster of proxies).
But perhaps another variable can control both these factors…

We can add one parameter as the ‘salt’ to encryt what will appear in the
key=?? part,not in plain text.

XUFENG
2009-06-15


发件人:Szymon K.
发送日期:2009-06-15 17:18:37
收件人:nginx
抄送:
主题:Re: how to secure downloading mp3 or flv files in nginx

2009/6/15 XUFENG [email protected]:

???燨n my php page,I give the url to my mp3 file in this format http://mp3.example.com/a.mp3?key=time()
then this request will go to nginx,can nginx do something like compare the uri /a.mp3?key=time() with the current time() and if it is 180 seconds ago,403 error will return or it will rewrite to the normal file /a.mp3

So if you can do it on your php page, there is no problem that someone
who wants to leech file do same on his page. This solution is useless.

My 2 cents. :stuck_out_tongue:

A PHP script with x-accel-redirect is the best way to implement this -
one internal script to generate content keys, and another to decode
and serve content (handling key verification, time-based expiration,
download counting and download-count based expiration, etc.) via
x-accel-redirect. Download counters are best handled using memcached.

Cheers
Kon