Serving embedded video files with X-Accel-Redirect to IE 6 browser

thomas · April 15, 2008, 11:43pm

Hi list,

I am able to serve embedded quicktime movie files to Safari 3.1 and
Firefox2 browsers, but I fail serving to Internet Explorer 6. The
quicktime logo gets displayed, but the movie never starts.

Are there some magical headers I need to add to the response?

Note that embedding the same movie with the same html code but
bypassing Nginx works perfectly (for instance serving the file through
mongrel), so there is an issue between nginx with X-Accel-Redirect and
Internet Explorer I guess.

Best regards,

thomas · April 16, 2008, 12:14am

Can you do a curl -I and post the results, it may be a case that
the wrong mime type is being served. I’m guessing that the Safari 3.1
and FF tests are done on a Mac and the IE6 tests on a PC (or vmware
image). Apple have a vested interest in going the extra mile to play
quicktime video where as on a PC Quicktime is relegated to plugin
status and so the wrong mime type or content disposition may be
causing that plugin to not be triggered.

Cheers

Dave

thomas · April 16, 2008, 9:00am

mind sharing the results for the rest of us?

thanks!

thomas · April 16, 2008, 8:57am

Hi Dave,

Correcting the mimetype made it work on IE.

Thank you very much,

thomas · April 16, 2008, 9:23am

I suspected that was the case

Would you mind sharing your final config with the rest of the list.

Cheers

Dave

thomas · April 16, 2008, 6:04pm

Actually there is nothing fancy in Nginx conf files, simply declare
the folder that holds the protected content as “internal” so users
can’t directly access it:

location /files {
root /var/www/myapp/files;
internal;
}

The real magic happens in your app:

<?php $path = $_GET["path"]; header("Content-Type: video/quicktime"); header("X-Accel-Redirect: /files/" . $path); ?>

Of course you need to add your own protection scheme (like
anti-leeching or paid membership), now you can access the video
content by using the url:
http://mysite.com/downloads.php?path=video.mov

thomas · April 17, 2008, 12:31am

or basename() it and then force a specific parent path.

or just use an integer ID if it’s in the db to check if the file is
valid, etc.

thomas · April 17, 2008, 12:22am

On Wed, 2008-04-16 at 17:55 +0200, Thomas wrote:

The real magic happens in your app:
<?php $path = $_GET["path"]; header("Content-Type: video/quicktime"); header("X-Accel-Redirect: /files/" . $path); ?>

It probably doesn’t matter much for this particular example (since the
request will be punted to Nginx which will presumably forbid access
outside “root”), but in general you should sanitize anything to be used
as part of a filesystem path:

$path = realpath($_GET[“path”]);

This is to prevent requests like:

“http://mysite.com/downloads.php?path=../../../../etc/passwd”.

Regards,
Cliff