
Restrictions in the secure_link "real" world

Hello.

What prompted me to write this note was the article "Undocumented secure_link features".

By and large it offered theory but few practical examples.

That's why I decided to correct the situation a little and share my small ideas.



So the original data.




Additional restrictions: ucoz.ru allows only HTML + JavaScript. No PHP, Perl, Python, etc.

Currently, the uppod player on ucoz contains direct links to the video on a dedicated server. Accordingly, any reasonably savvy user can easily download any movie they like.



The task:


  1. Secure the material on a dedicated server, giving the opportunity only to watch online.


First of all, after rummaging through the Internet, I discovered the secure_link module, which was deployed on a trial basis and worked perfectly. But after the customer wanted to be able to seek (rewind) within the video files, I ran into a small problem: the HTTP GET method with a parameter is used for seeking, and secure_link, by default, computes the hash over the entire string that follows the specified location.

In this way:



- have different hashes.

After a few minutes of googling, it was decided to abandon secure_link and compute the hash ourselves (i.e. with other nginx modules).



For this, ngx_devel_kit [1] and ngx_http_set_hash [2] were downloaded and compiled.

Then the location was configured in a certain way:

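    # URL format: /secure/<hash>/<directory>/<file>?<args>
    location ~ /secure/(.*)/(X-FACTOR-EYYRBBFHR64534)/(.*) {
        flv;
        set $secret_value "JOP3zneXLjM";
        set $hash_value $1;                    # hash supplied in the URL
        set_md5 $secret_hash $2$secret_value;  # md5(directory + secret)
        set $value $3;                         # file name inside the directory
        # Wrong hash: serve the error page
        if ($hash_value != $secret_hash) { rewrite ^ /error.html break; }
        # Correct hash: map to the real path; the query args pass through unchanged
        rewrite ^ /X-FACTOR-EYYRBBFHR64534/$value?$args break;
    }

    # The real directory cannot be requested directly by clients
    location /X-FACTOR-EYYRBBFHR64534 { flv; internal; }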



After these manipulations the URL format changed slightly: now it is not the file that is hashed but the directory, and the file arguments are passed through normally, so seeking works. Yes, in theory this is a weakness: knowing the hash of a directory, you can download all the files in it. But in 2 years of operation there were no such incidents, and after a little thought we added a cron job that dynamically changes $secret_value every N minutes. That, in principle, already satisfied the customer.
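A Python model of the check described above, added here as an example and not part of the original post: it compares a whole-string hash (the behaviour the post attributes to secure_link) with the directory-only hash, and shows the trade-off the post admits. The directory and file names and the secrets are constructed, the regex is generalised to any directory, and `start` is the offset argument read by the nginx flv module.

```python
import hashlib
import hmac
import re
from urllib.parse import urlsplit

# Generalises the post's regex to any directory: /secure/<hash>/<dir>/<file>
LOCATION = re.compile(r"^/secure/([^/]*)/([^/]+)/(.*)$")

def md5_hex(text):
    return hashlib.md5(text.encode()).hexdigest()

def same(a, b):
    # Constant-time comparison; bytes so non-ASCII input cannot raise
    return hmac.compare_digest(a.encode(), b.encode())

def dir_link(directory, filename, secret):
    """Post's scheme: the hash covers directory + secret only."""
    return f"/secure/{md5_hex(directory + secret)}/{directory}/{filename}"

def whole_link(directory, filename, secret):
    """Whole-string scheme: the hash covers everything after the hash."""
    rest = f"{directory}/{filename}"
    return f"/secure/{md5_hex(rest + secret)}/{rest}"

def check_dir_hash(url, secret):
    """Like the location block: $1 must equal md5($2 + secret); args ignored."""
    m = LOCATION.match(urlsplit(url).path)
    return bool(m) and same(m.group(1), md5_hex(m.group(2) + secret))

def check_whole_string(url, secret):
    """Hash must cover the rest of the request, query string included."""
    parts = urlsplit(url)
    m = LOCATION.match(parts.path)
    if not m:
        return False
    rest = f"{m.group(2)}/{m.group(3)}"
    if parts.query:
        rest += "?" + parts.query
    return same(m.group(1), md5_hex(rest + secret))

if __name__ == "__main__":
    secret = "constructed-secret-1"   # constructed sample values
    seek = "?start=1048576"           # seek request appended by the player
    link = dir_link("show-dir", "ep1.flv", secret)
    print(check_whole_string(whole_link("show-dir", "ep1.flv", secret) + seek, secret))
    print(check_dir_hash(link + seek, secret))                         # seeking works
    print(check_dir_hash(link.replace("ep1.flv", "ep2.flv"), secret))  # sibling file passes too
    print(check_dir_hash(link, "constructed-secret-2"))                # rotated secret rejects
```

The third result is the weakness the post names: one directory hash is valid for every file in that directory until the secret is rotated.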


Playlist Formation


Since the playlist is passed as parameters to uppod, it was necessary to take care of its dynamic formation in accordance with the hashes. I remind you that we have the opportunity on the site to use only html + javascript. After a brief consultation with the customer, the following solution was developed:

A PHP script on the dedicated server builds the ready-made player object, which is displayed in an iframe. The site includes JavaScript with the following content:

function loadPlayer(p) {var D = new Date(); var T = D.getTime();document.write("");}



It is called simply as loadPlayer("X-FACTOR-EYYRBBFHR64534");

Main.php looks like this (not optimal, but working):



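    <?php
    header("Pragma: no-cache");
    header("Cache-Control: no-cache,must-revalidate");

    require "secret.php"; // expected to define $secret

    // Avoid undefined-index notices when the parameter or header is absent
    $playlist = isset($_GET["playlist"]) ? $_GET["playlist"] : "";
    $referer  = isset($_SERVER["HTTP_REFERER"]) ? $_SERVER["HTTP_REFERER"] : "";

    $value = "st=http://SITE/uppod/video7-1005.txt&pl=";
    $value = $value . "http://HOST/secure/playlists/";

    // The hash is added only when the request is referred from the site
    if (preg_match("/SITE/i", $referer))
    { $value = $value . md5($playlist . ".txt" . $secret); }
    $value = $value . "/" . $playlist . ".txt&poster=";

    // $value contains the user-supplied playlist name, so it is HTML-escaped on output
    ?>
    <object id="videoplayer113031" type="application/x-shockwave-flash" data="http://SITE/uppod/uppod.swf" width="500" height="650">
    <param name="allowFullScreen" value="true" />
    <param name="allowScriptAccess" value="always" />
    <param name="wmode" value="transparent" />
    <param name="movie" value="http://SITE/uppod/uppod.swf" />
    <param name="flashvars" value="<?php echo htmlspecialchars($value, ENT_QUOTES); ?>" />
    </object>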





As a result, we have a working server that allows you to view video content via secure links with the ability to rewind, which has been working without interruption for more than a year.



PS

1. ngx_devel_kit: github.com/simpl/ngx_devel_kit

2. ngx_http_set_hash: github.com/simpl/ngx_http_set_hash

Source: https://habr.com/ru/post/125934/
