Token Authentication HLS Security

I am trying to protect as many HTTP Live Stream videos as possible on our CDN. I would like to protect against hotlinking and URL sharing, and to prevent access to streams that are not yet published.

Each video has several bitrates, so HLS files consist of a master m3u8 manifest, which points to several sub-manifest files, which in turn point to ts files (transport stream). These ts files are 9 second segments of mp4 video.

HLS files are stored on our CDN and can be accessed via HTTPS. We have token authentication on CDN (Edgecast).

Videos must be transferred due to a paid server and must be played in JWPlayer, which does not support AES encryption.

What are my best options? Right now, I am generating m3u8 manifest files on the fly and pasting tokens into the URLs for the .ts files. So ts files are only valid for 60 minutes? Is it smarter to protect sub-manifest files with tokens?

Is there a better way to protect content and still be playable in JWPlayer 6?

+5
2 answers

I had a similar problem. I wanted to protect (authentication and authorization) HLS streams (main playlist + segment files) stored in an S3 bucket. This is my solution:

  • I created a VPC endpoint for my bucket that stores private HLS streams
  • Then I implemented a reverse proxy and granted it access to this S3 VPC endpoint

Thus, each request made by the player (for the main file of the playlist or segments) goes through the proxy. Players need to set a couple of custom HTTP headers (authentication token, user information, etc.). The reverse proxy then authenticates and authorizes against my user API. Based on this result, the reverse proxy server transmits a request for the given S3 content or refuses it.

+1
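
The per-segment token approach from the question, paired with the kind of check a reverse proxy like the one in the answer could run, as an added example that is not code from either post. The HMAC token format, the `u`/`e`/`t` query parameters, the key and the sample playlist are assumptions made for illustration; this is not Edgecast's token scheme.

```python
import hashlib
import hmac
import time
from urllib.parse import parse_qs, urlencode, urlsplit

SECRET = b"constructed-demo-key"  # assumption: shared by manifest generator and proxy
TTL = 3600                        # the 60-minute validity mentioned in the question

def sign(path: str, user: str, expires: int) -> str:
    """HMAC over path, user and expiry, so a token cannot be moved between them."""
    msg = f"{path}\n{user}\n{expires}".encode()
    return hmac.new(SECRET, msg, hashlib.sha256).hexdigest()

def rewrite_manifest(manifest: str, base_path: str, user: str, now: int) -> str:
    """Append an expiring, per-user token to every segment URI in a media playlist."""
    expires = now + TTL
    out = []
    for line in manifest.splitlines():
        if line and not line.startswith("#"):  # lines that are not tags are URIs
            token = sign(base_path + line, user, expires)
            line += "?" + urlencode({"u": user, "e": expires, "t": token})
        out.append(line)
    return "\n".join(out) + "\n"

def authorize(url: str, now: int) -> bool:
    """Proxy-side check: token must match this exact path and user and be unexpired."""
    parts = urlsplit(url)
    query = parse_qs(parts.query)
    try:
        user, expires, token = query["u"][0], int(query["e"][0]), query["t"][0]
    except (KeyError, ValueError):
        return False  # missing or malformed parameters are refused
    if now > expires:
        return False
    expected = sign(parts.path, user, expires)
    return hmac.compare_digest(token.encode(), expected.encode())

# Constructed sample media playlist (9-second segments, as in the question)
SAMPLE = (
    "#EXTM3U\n#EXT-X-VERSION:3\n#EXT-X-TARGETDURATION:9\n"
    "#EXTINF:9.0,\nseg0.ts\n#EXTINF:9.0,\nseg1.ts\n#EXT-X-ENDLIST\n"
)

if __name__ == "__main__":
    print(rewrite_manifest(SAMPLE, "/vod/movie1/720p/", "user42", int(time.time())))
```

Binding the token to the path and expiry stops it being reused on other segments or after the TTL, but a copied URL still works for anyone until it expires. Closing that gap needs a per-request identity check such as the header-based authentication the answer's proxy performs.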

Source: https://habr.com/ru/post/1210462/

