Three example nginx locations and the PHP required for mp4 secure_links.
before: https://mydomain.com/data/videos/file.mp4
after : https://mydomain.com/data/videos/file.mp4?md5=Vtzs2WCnCqRsE47EH6U6pQ&expires=1617601227
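Make sure the secret you use is identical in both lines below; the single space in front of it is part of the hashed string and has to match as well. Replace 'secretword' with a long random value of your own.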
$remote_addr secretword << in nginx config section
$secret = 'secretword'; << in PHP file
# works
location ~ \.mp4$ {
    # Token and expiry are read from the ?md5=...&expires=... query arguments.
    secure_link     $arg_md5,$arg_expires;

    # Hash input, in this exact order: expiry, request path, client address,
    # one space, shared secret. The link generator must hash the same string.
    secure_link_md5 "$secure_link_expires$uri$remote_addr secretword";

    # Empty value: token missing or not matching -> deny direct links.
    if ($secure_link = "") {
        return 403;
    }

    # "0": token matches but the expiry time has passed -> deny expired links.
    # Separate status codes tell the client which check failed; use a single
    # code for both cases if that should not be disclosed.
    if ($secure_link = "0") {
        return 410;
    }
}
# works
# NOTE(review): the pattern has no trailing "$", so it matches ".mp3" or
# ".mp4" anywhere in the URI, not only as the final extension. The match is
# also case-sensitive ("~"), so "FILE.MP4" is not covered by this location.
location ~ \.(mp3|mp4) {
    root /srv/www/webroot;

    # Token and expiry come from the md5 and expires query arguments.
    secure_link     $arg_md5,$arg_expires;

    # Expiry + path + client address + space + shared secret.
    secure_link_md5 "$secure_link_expires$uri$remote_addr secretword";

    # Missing or wrong token.
    if ($secure_link = "") {
        return 403;
    }

    # Correct token, but already expired.
    if ($secure_link = "0") {
        return 410;
    }
}
# works
# Prefix match: every URI starting with /data/videos is checked, whatever the
# file extension. "^~" stops nginx from trying regex locations for these
# requests. There is no trailing slash, so sibling paths that merely begin
# with "/data/videos" are matched by this location as well.
location ^~ /data/videos {
    alias /srv/www/webroot/data/videos;

    # Token and expiry come from the md5 and expires query arguments.
    secure_link     $arg_md5,$arg_expires;

    # Expiry + path + client address + space + shared secret.
    secure_link_md5 "$secure_link_expires$uri$remote_addr secretword";

    # Missing or wrong token.
    if ($secure_link = "") {
        return 403;
    }

    # Correct token, but already expired.
    if ($secure_link = "0") {
        return 410;
    }
}
location ~ \.mp4$ {
    # Token and expiry come from the md5 and expires query arguments.
    secure_link     $arg_md5,$arg_expires;

    # Expiry + path + client address + space + shared secret.
    secure_link_md5 "$secure_link_expires$uri$remote_addr secretword";

    # Production variant: anything other than a valid, unexpired token gets
    # the same 404, so the response does not show whether the token was
    # wrong, missing or expired.
    if ($secure_link != "1") {
        return 404;
    }
}
<?php
/**
 * Build a time-limited, IP-bound URL for nginx's secure_link module.
 *
 * The hashed string is "<expires><path><userIp> <secret>", which mirrors
 * secure_link_md5 "$secure_link_expires$uri$remote_addr secretword" in the
 * nginx config. Any difference (field order, the single space, the path as
 * nginx sees it in $uri, the address nginx sees in $remote_addr) makes nginx
 * reject the link.
 *
 * @param string $baseUrl Scheme and host, without a trailing slash.
 * @param string $path    Absolute URI path of the protected file.
 * @param string $secret  Shared secret, identical to the one in nginx.
 * @param int    $ttl     Lifetime of the link in seconds.
 * @param string $userIp  Client address the link is bound to.
 *
 * @return string Full URL with md5 and expires query arguments.
 */
function buildSecureLink($baseUrl, $path, $secret, $ttl, $userIp)
{
    $expiresAt = time() + $ttl;

    // Raw (binary) MD5 of the same string nginx rebuilds on its side.
    $digest = md5($expiresAt . $path . $userIp . ' ' . $secret, true);

    // URL-safe base64: '+' -> '-', '/' -> '_', padding removed.
    $token = str_replace('=', '', strtr(base64_encode($digest), '+/', '-_'));

    return "{$baseUrl}{$path}?md5={$token}&expires={$expiresAt}";
}
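// Shared secret: must be identical to the word in nginx's secure_link_md5
// line. 'secretword' is a placeholder; use a long random value.
$secret = 'secretword'; // matches with nginx config
$baseUrl = 'https://mydomain.com'; // no trailing slash
$path = '/data/videos/file.mp4'; // path to your mp4 file
$ttl = 15; // IMPORTANT: ttl 15 seconds for testing the expires!!!
// 3600 seconds equals 1 hour, change as you require it

// The address hashed here has to be the one nginx sees as $remote_addr when
// the video is requested, otherwise every link is rejected.
// if behind cloudflare nginx & CF https://tinyurl.com/58h3s3et
// CF-Connecting-IP is an ordinary request header: rely on it only when the
// origin accepts traffic from Cloudflare alone, because any other client can
// set it to an arbitrary value. When the header is absent, use the
// connection address instead of hashing an empty value.
$userIp = isset($_SERVER['HTTP_CF_CONNECTING_IP'])
    ? $_SERVER['HTTP_CF_CONNECTING_IP']
    : $_SERVER['REMOTE_ADDR'];

echo $vidurl = buildSecureLink($baseUrl, $path, $secret, $ttl, $userIp); // link built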
# Plain HTTP: both host names are redirected permanently to the HTTPS site,
# keeping the requested path and query string.
server {
    listen      80;
    server_name www.mydomain.com mydomain.com;

    return 301 https://mydomain.com$request_uri;
}
# HTTPS on the www. name: redirected permanently to the bare domain.
server {
    listen      443 ssl;
    server_name www.mydomain.com;

    # TLS certificate settings (managed by Certbot).
    include snippets/ssl.conf;

    return 301 https://mydomain.com$request_uri;
}
# the two server blocks above redirect plain-HTTP and www. requests to https://mydomain.com
# Main HTTPS site: static files, PHP via FastCGI, and secure links for videos.
server {
    listen [::]:443 ssl;   # managed by Certbot
    listen 443 ssl;        # managed by Certbot
    server_name mydomain.com;

    error_log  /var/log/nginx/mydomain.log warn;
    # NOTE(review): with the access log off, requests rejected by the
    # secure-link checks below (403/410) leave no record; enable logging for
    # the video location if those attempts should be visible.
    access_log off;

    # TLS certificate settings (managed by Certbot).
    include snippets/ssl.conf;

    root  /srv/www/webroot;
    index index.php index.html;

    location / {
        try_files $uri $uri/ /index.php?$args;
    }

    # Secure links for videos.
    # NOTE(review): $remote_addr is the address of whatever connects to
    # nginx. Behind a proxy or CDN that is the proxy, unless the real client
    # address is restored elsewhere in the configuration (not visible in this
    # block); the link generator must hash the same address nginx sees here.
    location ^~ /data/videos {
        alias /srv/www/webroot/data/videos;

        # Token and expiry come from the md5 and expires query arguments.
        secure_link     $arg_md5,$arg_expires;

        # Expiry + path + client address + space + shared secret.
        secure_link_md5 "$secure_link_expires$uri$remote_addr secretword";

        # Missing or wrong token.
        if ($secure_link = "") {
            return 403;
        }

        # Correct token, but already expired.
        if ($secure_link = "0") {
            return 410;
        }
    }

    # PHP requests: URIs containing ".php" followed by "/" or the end.
    location ~ [^/]\.php(/|$) {
        # Split the URI into the script name and the trailing path info.
        fastcgi_split_path_info ^(.+?\.php)(/.*)$;

        # Only hand the request to PHP when the script file really exists.
        if (!-f $document_root$fastcgi_script_name) {
            return 404;
        }

        # Mitigate https://httpoxy.org/ vulnerabilities: never forward a
        # client-supplied Proxy header to the application.
        fastcgi_param HTTP_PROXY "";

        fastcgi_pass  127.0.0.1:9000;
        fastcgi_index index.php;

        # Standard FastCGI parameters.
        include fastcgi_params;

        # SCRIPT_FILENAME tells PHP-FPM which script to run. It is set here
        # for the case where fastcgi_params (e.g. /etc/nginx/fastcgi_params)
        # or a parent context does not already define it.
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
    }
}
I don't know who are you, but I consider you a god