security Kaltura #923

Closed
developpervi opened this issue Nov 14, 2018 · 6 comments

Comments

@developpervi

Hello,

I am new to Kaltura and I would like to install the security module of the content.

But I do not really understand how it's going.

Can you share detailed documentation, please?

Like the location of files to modify, a command list to install the nginx module ...

Thank you so much

@erankor
Contributor

erankor commented Nov 14, 2018

This question is a bit vague, there are several things that can be considered as 'security features'.
Did you read https://github.com/kaltura/nginx-vod-module#security ?

@developpervi
Author

Hello

What I want to do is encrypt my Kaltura videos and prevent their download with Internet Download Manager, and even if we can recover them one way or another, I would like the videos to be encrypted and unusable.

I have browsed the NGINX VOD module but I have not quite understood its implementation and installation.

Would you have a step-by-step procedure for beginners?

Thank you very much for your answer

@erankor
Contributor

erankor commented Nov 14, 2018

Assuming you got the basic functionality working, enabling encryption for HLS is easy - you just need to add to nginx.conf:

vod_hls_encryption_method aes-128;
vod_secret_key "somesecret$vod_filepath";

I'm not sure whether that will prevent a video capturing tool from working, a simple one - maybe, a more sophisticated one will probably pull the key (as the player does...) and use it to decrypt the stream.

@developpervi
Author

Just what I need is to make streaming in a secure way; it's me who uploads my videos, I do not intend to live for the moment.

Just that I find the installation procedures very vague; it is very difficult to understand the different steps!

I really need to have a Kaltura server very quickly but I do not come with security

@citijk

citijk commented Jan 21, 2019

Working configuration example using the "secure_link" module:

    map $uri $hls_uri {
        ~^(?<base_uri>.*)/(.*).m3u8$ $base_uri;
        ~^(?<base_uri>.*)/(.*).ts$   $base_uri;
        ~^(?<base_uri>.*)/(.*).webm$ $base_uri;
        default                      $uri;
    }

    server {
        server_name hls.example.com;

        vod_segments_base_url https://$http_host;
        vod_base_url https://$http_host;
        root /home/filme/download/;

        location / {
            deny all;
        }

        location /src {
            secure_link $arg_md5,$arg_expires;
            secure_link_md5 "$secure_link_expires$hls_uri enigma";
            if ($secure_link = "0") { return 410; }
            if ($secure_link = "") { return 403; }
            alias /home/filme/download/;
        }

        location ~^/s2/(?<md5>[^/]+)/(?<exp>[^/]+)/(?<b>.*)/(?<f>.*).ts$ {
            secure_link $md5,$exp;
            secure_link_md5 "$secure_link_expires/$b enigma";
            if ($secure_link = "0") { return 410; }
            if ($secure_link = "") { return 403; }
            rewrite ^ /$b/$f.ts;
            alias /home/filme/download/;
            vod hls;
            include cors.vod;
        }

        location /hls/ {
            vod_segments_base_url https://$http_host/s2/$arg_md5/$arg_expires;
            secure_link $arg_md5,$arg_expires;
            secure_link_md5 "$secure_link_expires$hls_uri enigma";
            if ($secure_link = "0") { return 410; }
            if ($secure_link = "") { return 403; }
            alias /home/filme/download/;
            vod hls;
            include cors.vod;
        }
    }

To get links like:

//hls.example.com/hls/directory/src.mp4/index.m3u8?md5=PZRyYExZAGJvpHP9SNXaPg&expires=1548089721
or //hls.example.com/src/directory/src.webm?md5=REqPrC7Q0vdxMZ53etE0pA&expires=1548089721

Example in PHP:

<?php
    function buildSecureLink($path, $secret, $ttl, $string="")
    {
        $pa = dirname($path);
        $expires = time() + $ttl;
        $md5 = md5( "{$expires}{$pa}{$string} {$secret}", true);
        $md5 = base64_encode($md5);
        $md5 = strtr($md5, '+/', '-_');
        $md5 = str_replace('=', '', $md5);
        return $path . '?md5=' . $md5 . '&expires=' . $expires;
    }
    function to_player_sec($val){
        return "//hls.example.com" . buildSecureLink($val, "enigma", 60*60*4);
    }
    $player = explode(" or ", str_replace("//hls.example.com", "", "//hls.example.com/hls/directory/src.mp4/index.m3u8 or //hls.example.com/src/directory/src.webm"));
    $player = implode(" or ", array_map("to_player_sec", $player));
?>

Update: file structure note:

/home/filme/download =>
    directory =>
        src.mp4
        src.webm
    other_dir_videoname =>
        src.mp4
        src.webm
    ...
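
An added example, not part of citijk's comment or of the nginx-vod-module project: a Python model of the check the posted `secure_link` locations perform, showing which string each token signs and when a request gets 200, 403 or 410. The function names and the `now` parameter are assumptions made for the example; the patterns and the secret word are copied from the posted config.

```python
import base64
import hashlib
import hmac
import re

SECRET = "enigma"  # secret word used in the posted config

# Same patterns as the posted `map $uri $hls_uri` (dots left unescaped, as posted).
_MAP = re.compile(r"^(?P<base_uri>.*)/(.*).(m3u8|ts|webm)$")
# Same pattern as the posted /s2/ segment location.
_SEG = re.compile(r"^/s2/(?P<md5>[^/]+)/(?P<exp>[^/]+)/(?P<b>.*)/(?P<f>.*).ts$")


def hls_uri(uri):
    """Path that gets signed: parent path for playlists/segments/.webm, else the URI."""
    m = _MAP.match(uri)
    return m.group("base_uri") if m else uri


def token(expires, signed_path, secret=SECRET):
    """Unpadded base64url of md5("<expires><signed_path> <secret>")."""
    digest = hashlib.md5(f"{expires}{signed_path} {secret}".encode()).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode()


def _status(signed_path, md5, expires, now):
    if not md5 or not expires.isdigit() or int(expires) <= 0:
        return 403  # missing or malformed arguments: $secure_link is empty
    if not hmac.compare_digest(token(expires, signed_path).encode(), md5.encode()):
        return 403  # hash mismatch: $secure_link is empty
    return 410 if int(expires) < now else 200  # $secure_link = "0" means expired


def check(uri, md5, expires, now):
    """Model of the /hls/ and /src locations (token and expiry in the query string)."""
    return _status(hls_uri(uri), md5, str(expires), now)


def check_segment(uri, now):
    """Model of the /s2/ location (token and expiry as path components)."""
    m = _SEG.match(uri)
    if not m:
        return 403  # falls through to `location / { deny all; }`
    return _status("/" + m["b"], m["md5"], m["exp"], now)
```

Because the signed string is the parent path rather than the file name, one token covers the playlist and every segment under it until `expires`, which is what lets the `/s2/` location reuse the playlist's token.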

@ufukomer

@citijk I think this config is not working for multi url structure or maybe I'm missing something.
