
Secure token module for Nginx

Generates CDN tokens, either as a cookie or as a query string parameter (m3u8, mpd, f4m only). Currently supports Akamai v2 tokens and Amazon CloudFront tokens. In addition, the module supports the encryption of URIs with a configured key.

Build

To link statically against nginx, cd to the nginx source directory and execute:

./configure --add-module=/path/to/nginx-secure-token-module

To compile as a dynamic module (nginx 1.9.11+), use:

./configure --add-dynamic-module=/path/to/nginx-secure-token-module

In this case, the load_module directive should be used in nginx.conf to load the module.

Requires OpenSSL.

Configuration

Generic token parameters

secure_token

  • syntax: secure_token value
  • default: none
  • context: http, server, location

Sets the value of the token that should be embedded in the manifest or returned as a cookie. The parameter value can contain variables, and often points to variables set by this module (using secure_token_akamai / secure_token_cloudfront blocks).

secure_token_avoid_cookies

  • syntax: secure_token_avoid_cookies on/off
  • default: on
  • context: http, server, location

When enabled, the module prefers to use a query string token instead of a cookie token. A query string token is currently supported only for the following mime types (other mime types return a cookie token):

  • application/vnd.apple.mpegurl
  • application/dash+xml
  • video/f4m

secure_token_types

  • syntax: secure_token_types mime_type ...
  • default: none
  • context: http, server, location

Defines a set of mime types that should return a token

secure_token_uri_filename_prefix

  • syntax: secure_token_uri_filename_prefix prefix
  • default: none
  • context: http, server, location

Defines a set of prefixes that will be matched against the URI file name. Only URIs whose file name starts with one of the defined prefixes will return a token.

secure_token_expires_time

  • syntax: secure_token_expires_time time
  • default: none
  • context: http, server, location

Sets the expiration time of responses that are not tokenized (determines the values of the Cache-Control and Expires HTTP headers)

secure_token_cookie_token_expires_time

  • syntax: secure_token_cookie_token_expires_time time
  • default: none
  • context: http, server, location

Sets the expiration time of responses that are tokenized with a cookie token (determines the values of the Cache-Control and Expires HTTP headers)

secure_token_query_token_expires_time

  • syntax: secure_token_query_token_expires_time time
  • default: none
  • context: http, server, location

Sets the expiration time of responses that are tokenized with a query string token (determines the values of the Cache-Control and Expires HTTP headers)

secure_token_cache_scope

  • syntax: secure_token_cache_scope scope
  • default: public
  • context: http, server, location

Sets the cache scope (public/private) of responses that are not tokenized

secure_token_token_cache_scope

  • syntax: secure_token_token_cache_scope scope
  • default: private
  • context: http, server, location

Sets the cache scope (public/private) of responses that are tokenized (query / cookie)

secure_token_last_modified

  • syntax: secure_token_last_modified time
  • default: Sun, 19 Nov 2000 08:52:00 GMT
  • context: http, server, location

Sets the value of the last-modified header of responses that are not tokenized. An empty string leaves the value of last-modified unaltered, while the string "now" sets the header to the server's current time.

secure_token_token_last_modified

  • syntax: secure_token_token_last_modified time
  • default: now
  • context: http, server, location

Sets the value of the last-modified header of responses that are tokenized (query / cookie). An empty string leaves the value of last-modified unaltered, while the string "now" sets the header to the server's current time.

secure_token_content_type_m3u8

  • syntax: secure_token_content_type_m3u8 type
  • default: application/vnd.apple.mpegurl
  • context: http, server, location

Sets the content type that should be parsed as m3u8 for token insertion

secure_token_content_type_mpd

  • syntax: secure_token_content_type_mpd type
  • default: application/dash+xml
  • context: http, server, location

Sets the content type that should be parsed as mpd for token insertion

secure_token_content_type_f4m

  • syntax: secure_token_content_type_f4m type
  • default: video/f4m
  • context: http, server, location

Sets the content type that should be parsed as f4m for token insertion

Akamai token parameters

secure_token_akamai

  • syntax: secure_token_akamai $variable { ... }
  • context: http

Creates a new variable whose value is an Akamai token, created according to the parameters specified within the block.

The block supports the following parameters:

key

  • syntax: key key_hex
  • default: N/A (mandatory)

Sets the secret key.

param_name

  • syntax: param_name name
  • default: __hdnea__

Sets the token parameter name (either the name of the cookie or the query string parameter)

acl

  • syntax: acl acl
  • default: $secure_token_baseuri_comma

Sets the signed part of the URL (ACL). The parameter value can contain variables.

start

  • syntax: start time
  • default: 0

Sets the start time of the token (see Time format below)

end

  • syntax: end time
  • default: 86400

Sets the end time of the token (see Time format below)

ip_address

  • syntax: ip_address address
  • default: none

Sets the IP address that should be embedded in the token. The parameter value can contain variables, e.g. $remote_addr.

CloudFront token parameters

secure_token_cloudfront

  • syntax: secure_token_cloudfront $variable { ... }
  • context: http

Creates a new variable whose value is a CloudFront token, created according to the parameters specified within the block.

The block supports the following parameters:

private_key_file

  • syntax: private_key_file filename
  • default: N/A (mandatory)

Sets the file name of the private key (PEM file)

key_pair_id

  • syntax: key_pair_id id
  • default: N/A (mandatory)

Sets the key pair id

acl

  • syntax: acl acl
  • default: $secure_token_baseuri_comma

Sets the signed part of the URL (ACL). The parameter value can contain variables.

end

  • syntax: end time
  • default: 86400

Sets the end time of the token (see Time format below)

ip_address

  • syntax: ip_address address
  • default: none

Sets the IP address that should be embedded in the token. The parameter value can contain variables, e.g. $remote_addr/32 can be used to limit the token to the specific IP of the client.

Broadpeak token parameters

secure_token_broadpeak

  • syntax: secure_token_broadpeak $variable { ... }
  • context: http

Creates a new variable whose value is a Broadpeak token, created according to the parameters specified within the block.

The block supports the following parameters:

key

  • syntax: key key
  • default: N/A (mandatory)

Sets the secret key. The parameter value can contain variables.

param_name

  • syntax: param_name name
  • default: token

Sets the token parameter name (either the name of the cookie or the query string parameter)

acl

  • syntax: acl acl
  • default: $secure_token_baseuri_comma

Sets the signed part of the URL (ACL). The parameter value can contain variables.

start

  • syntax: start time
  • default: 0

Sets the start time of the token (see Time format below)

end

  • syntax: end time
  • default: 86400

Sets the end time of the token (see Time format below)

session_start

  • syntax: session_start time
  • default: N/A

Sets the start time of the session, required for catchup. The parameter value can contain variables.

session_end

  • syntax: session_end time
  • default: N/A

Sets the end time of the session, required for catchup. The parameter value can contain variables.

additional_querylist

  • syntax: additional_querylist expr
  • default: N/A

Sets the primary token value. The value needs to be a list of name=value pairs without any separator, for example "ip=${arg_ip}account=${arg_account}device=${arg_device}". The parameter value can contain variables.

URI encryption parameters

secure_token_encrypt_uri

  • syntax: secure_token_encrypt_uri on/off
  • default: off
  • context: http, server, location

Enables/disables URI encryption.

secure_token_encrypt_uri_key

  • syntax: secure_token_encrypt_uri_key key_hex
  • default: none
  • context: http, server, location

Sets the encryption key. The key has to be 256 bits (64 hex characters).

secure_token_encrypt_uri_iv

  • syntax: secure_token_encrypt_uri_iv iv_hex
  • default: none
  • context: http, server, location

Sets the encryption IV. The IV has to be 128 bits (32 hex characters).

secure_token_encrypt_uri_part

  • syntax: secure_token_encrypt_uri_part expression
  • default: none
  • context: http, server, location

An expression that calculates the part of the URL that should be encrypted in regular expression locations. For non-regular expression locations, the encrypted part is everything following the path defined on the location block.

Example 1:

  location ~ /secret_param/([^/]+)/some_other_param/.* {
    secure_token_encrypt_uri_part $1;
    ...
  }

In this configuration, only the value of secret_param will be encrypted/decrypted.

Example 2:

  location /base/ {
    ...
  }

In this configuration, everything following /base/ will be encrypted/decrypted.

secure_token_encrypt_uri_hash_size

  • syntax: secure_token_encrypt_uri_hash_size size
  • default: 8
  • context: http, server, location

The size in bytes of the hash used to validate the URI after decryption. The value has to be between 0 and 16.

Time format

Some of the configuration parameters mentioned above support both absolute timestamps and timestamps relative to now. These parameters can be set in the configuration using one of the following formats:

  • epoch - unix timestamp 0 (01/01/1970)
  • max - unix timestamp 2147483647 (18/01/2038)
  • @1481230000 - unix timestamp 1481230000 (8/12/2016)
  • 10d / +10d - now + 10 days
  • -5m - now - 5 minutes
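
As an added illustration (not code from the module), the Python sketch below resolves the formats listed above to absolute Unix timestamps and checks a start/end pair before it goes into a token block. Treating a bare number as seconds relative to now, and the `s`, `h` and `w` suffixes, are assumptions based on nginx's usual time units; `resolve_time` and `token_window` are hypothetical names.

```python
import re

INT32_MAX = 2147483647  # the value the page gives for "max"

# Unit suffixes in seconds. "d" and "m" appear in the list above; "s", "h",
# "w" and the bare-number case (seconds) are assumptions.
_UNITS = {"": 1, "s": 1, "m": 60, "h": 3600, "d": 86400, "w": 604800}
_RELATIVE = re.compile(r"([+-]?)(\d+)([smhdw]?)")
_ABSOLUTE = re.compile(r"@(\d+)")


def resolve_time(spec, now):
    """Return the absolute Unix timestamp that `spec` denotes at time `now`."""
    spec = spec.strip()
    if spec == "epoch":
        return 0
    if spec == "max":
        return INT32_MAX
    m = _ABSOLUTE.fullmatch(spec)
    if m:
        return int(m.group(1))
    m = _RELATIVE.fullmatch(spec)
    if not m:
        raise ValueError(f"unrecognised time value: {spec!r}")
    sign, number, unit = m.groups()
    offset = int(number) * _UNITS[unit]
    return now - offset if sign == "-" else now + offset


def token_window(start, end, now):
    """Resolve a start/end pair; reject a window that is never valid."""
    st = resolve_time(start, now)
    exp = resolve_time(end, now)
    if exp <= st:
        raise ValueError(f"end ({exp}) is not after start ({st})")
    return st, exp, exp - st


if __name__ == "__main__":
    now = 1481230000  # constructed "current time", taken from the list above
    for start, end in [("0", "86400"), ("-5m", "1h"), ("epoch", "max")]:
        st, exp, lifetime = token_window(start, end, now)
        print(f"start={start!r} end={end!r} -> st={st} exp={exp} ({lifetime}s)")
```

A negative start such as `-5m` backdates the token so that it is already valid on an edge whose clock runs slightly behind the origin.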

Sample configurations

HLS packaging with Akamai tokens

	secure_token_akamai $token {
		key 1234;
		acl "$secure_token_baseuri_comma*";
	}

	server {
	
		location ~ ^/hls/p/\d+/(sp/\d+/)?serveFlavor/ {
			vod hls;

			g2o        on;

			secure_token $token;
			secure_token_types application/vnd.apple.mpegurl;
			
			secure_token_expires_time 100d;
			secure_token_query_token_expires_time 1h;

			more_set_headers 'Access-Control-Allow-Headers: *';
			more_set_headers 'Access-Control-Expose-Headers: Server,range,Content-Length,Content-Range';
			more_set_headers 'Access-Control-Allow-Methods: GET, HEAD, OPTIONS';
			more_set_headers 'Access-Control-Allow-Origin: *';
		}
		
	}

HDS packaging with CloudFront tokens

	secure_token_cloudfront $token {
		private_key_file /path/to/pem;
		key_pair_id ABCDEF;
		acl "$scheme://$http_host$secure_token_baseuri_comma*";
	}

	server {
	
		location ~ ^/hds/p/\d+/(sp/\d+/)?serveFlavor/ {
			vod hds;
			vod_segment_duration 6000;
			vod_align_segments_to_key_frames on;
			vod_segment_count_policy last_rounded;

			secure_token $token;
			secure_token_types video/f4m;
			
			secure_token_expires_time 100d;
			secure_token_query_token_expires_time 1h;

			more_set_headers 'Access-Control-Allow-Headers: *';
			more_set_headers 'Access-Control-Expose-Headers: Server,range,Content-Length,Content-Range';
			more_set_headers 'Access-Control-Allow-Methods: GET, HEAD, OPTIONS';
			more_set_headers 'Access-Control-Allow-Origin: *';
		}
		
	}

Encrypted HLS with token security on the encryption key

This configuration enables token security while keeping static URLs for the video segments, which lets proxies cache the segments transparently.

	secure_token_akamai $token {
		key 1234;
		acl "$secure_token_baseuri_comma*";
	}

	server {
	
		location ~ ^/s/hls/enc/p/\d+/(sp/\d+/)?serveFlavor/ {
			vod hls;
			vod_secret_key "password$vod_filepath";

			secure_token $token;
			secure_token_types application/vnd.apple.mpegurl;
			
			secure_token_expires_time 100d;
			secure_token_query_token_expires_time 1h;
			
			secure_token_uri_filename_prefix index;
			secure_token_tokenize_segments off;

			akamai_token_validate $arg___hdnea__;
			akamai_token_validate_key 1234;
			akamai_token_validate_uri_filename_prefix encryption;
			akamai_token_validate_uri_filename_prefix index;
		}
		
	}

Note: this configuration requires the module https://github.com/kaltura/nginx-akamai-token-validate-module in addition to nginx-secure-token-module

Adding token security on top of an existing HDS/HLS live stream

	secure_token_akamai $token {
		key 1234;
		acl "$secure_token_baseuri_comma*";
	}

	server {
	
		location /secure-live/ {
			proxy_pass http://original.live.domain;

			secure_token $token;
			secure_token_types text/xml application/vnd.apple.mpegurl;		
			secure_token_content_type_f4m text/xml;
			
			secure_token_expires_time 100d;
			secure_token_query_token_expires_time 1h;

			akamai_token_validate $arg___hdnea__;
			akamai_token_validate_key 1234;
			akamai_token_validate_strip_token __hdnea__;
		}
	
	}

Note: this configuration requires the module https://github.com/kaltura/nginx-akamai-token-validate-module in addition to nginx-secure-token-module

URI encryption

	location ~ ^/hls/p/\d+/(sp/\d+/)?serveFlavor/entryId/([^/]+)/(.*) {
		vod hls;
		vod_secret_key "password$2";

		secure_token_encrypt_uri on;
		secure_token_encrypt_uri_key 000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f;
		secure_token_encrypt_uri_iv 00000000000000000000000000000000;
		secure_token_encrypt_uri_part $3;
		secure_token_types application/vnd.apple.mpegurl;

		add_header Last-Modified "Sun, 19 Nov 2000 08:52:00 GMT";
		expires 100d;
	}
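
The sample above uses a placeholder key, and the key, IV and hash-size parameters each have a stated size limit. The following Python check is an added example (not part of the module) that scans a configuration for values violating those limits and for keys copied from this README's samples; `lint_config` is a hypothetical name and `SAMPLE_CONF` is a constructed input.

```python
import re

# Directives whose values are checked; all of them appear on this page.
DIRECTIVE = re.compile(
    r"^\s*(secure_token_encrypt_uri_(?:key|iv|hash_size)"
    r"|akamai_token_validate_key|key)\s+([^;\s]+)\s*;"
)
# Required lengths in hex characters (256-bit key, 128-bit IV).
HEX_LENGTHS = {"secure_token_encrypt_uri_key": 64, "secure_token_encrypt_uri_iv": 32}
KEY_DIRECTIVES = {"key", "akamai_token_validate_key", "secure_token_encrypt_uri_key"}
# Key values printed in the sample configurations of this README.
README_SAMPLE_KEYS = {
    "1234",
    "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f",
}


def lint_config(text):
    """Return (line number, directive, message) for each problem found."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = DIRECTIVE.match(line)
        if not m:
            continue
        name, value = m.groups()
        if name in HEX_LENGTHS:
            want = HEX_LENGTHS[name]
            if len(value) != want or not re.fullmatch(r"[0-9a-fA-F]+", value):
                findings.append((lineno, name, f"must be exactly {want} hex characters"))
        if name == "secure_token_encrypt_uri_hash_size":
            if not value.isdigit() or int(value) > 16:
                findings.append((lineno, name, "must be between 0 and 16"))
        if name in KEY_DIRECTIVES and value.lower() in README_SAMPLE_KEYS:
            findings.append((lineno, name, "key copied from the README sample"))
    return findings


# Constructed configuration with one problem per flagged line.
SAMPLE_CONF = """\
secure_token_akamai $token {
    key 1234;
    acl "$secure_token_baseuri_comma*";
}
server {
    location /base/ {
        secure_token_encrypt_uri on;
        secure_token_encrypt_uri_key 000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f;
        secure_token_encrypt_uri_iv 0000000000000000;
        secure_token_encrypt_uri_hash_size 32;
    }
}
"""

if __name__ == "__main__":
    for lineno, name, message in lint_config(SAMPLE_CONF):
        print(f"line {lineno}: {name}: {message}")
```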

Nginx variables

The module adds the following nginx variables:

  • $secure_token_baseuri - contains the value of the $uri built-in variable truncated up to the last slash (/). For example, if $uri is /a/b/c.htm then $secure_token_baseuri will be /a/b/.
  • $secure_token_baseuri_comma - same as $secure_token_baseuri, except that if this value contains a comma (,) the value is truncated up to the comma position. For example, if $uri is /a/b/c.htm then $secure_token_baseuri_comma will be /a/b/; if $uri is /a/b,c/d.htm then $secure_token_baseuri_comma will be /a/b.
  • $secure_token_original_uri - contains the original (encrypted) uri when using uri encryption. Note that the built in $uri variable contains the modified (decrypted) uri in this case.
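
To see what the default ACL (`"$secure_token_baseuri_comma*"` in the samples) ends up signing, the added Python example below (not the module's code) reproduces the two truncation rules and lists which request URIs fall under the resulting ACL. Treating a trailing `*` as a prefix wildcard is an assumption about how the CDN matches ACLs; the function names and URIs are hypothetical.

```python
def baseuri(uri):
    """$secure_token_baseuri: $uri truncated up to (and keeping) the last slash."""
    return uri[: uri.rfind("/") + 1]


def baseuri_comma(uri):
    """$secure_token_baseuri_comma: baseuri cut at its first comma, if any."""
    base = baseuri(uri)
    comma = base.find(",")
    return base if comma == -1 else base[:comma]


def default_acl(uri):
    """The ACL used in the sample blocks: "$secure_token_baseuri_comma*"."""
    return baseuri_comma(uri) + "*"


def acl_covers(acl, uri):
    """Assumed matching rule: a trailing * matches any suffix."""
    if acl.endswith("*"):
        return uri.startswith(acl[:-1])
    return uri == acl


def covered(manifest_uri, candidates):
    """Return the ACL derived from manifest_uri and the candidates it covers."""
    acl = default_acl(manifest_uri)
    return acl, [u for u in candidates if acl_covers(acl, u)]


if __name__ == "__main__":
    # Constructed URIs: a manifest whose directory name contains commas.
    manifest = "/hls/p/1/flavors,a,b/index.m3u8"
    requests = [
        "/hls/p/1/flavors,a,b/seg-1.ts",   # same directory
        "/hls/p/1/flavors,c/seg-1.ts",     # sibling that shares the pre-comma part
        "/hls/p/2/flavors,a,b/seg-1.ts",   # different path
    ]
    acl, hits = covered(manifest, requests)
    print(acl)
    for uri in hits:
        print("  covered:", uri)
```

A comma in the file name alone (for example /a/b/c,d.htm) does not shorten the ACL, because the comma rule is applied after the truncation at the last slash.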

Copyright & License

All code in this project is released under the AGPLv3 license unless a different license for a particular library is specified in the applicable library path.

Copyright © Kaltura Inc. All rights reserved.
