Nginx video protection setting

[Desarrollo Web]

Good morning,       

              as ours is a paid site, support suggested us to add Nginx as proxy. We have, and have seen in Settings->video the video settings to protect our content. 

However, we have the impression there are more settings specific to this configuration of Apache and Nginx as proxy but we can't find in the forum the relevant posts.
Can someone please suggest what are those settings.
For example in     

         (and others)      it says " is required to configure Nginx to prevent accessing publicly writable directories". 

 

 

[Tech Support]

This issue is not related to the case when your configure Nginx + Apache, as Apache will make sure that all needed directories are protected. It will only be an issue when you have pure Nginx + PHP without Apache. This is not officially supported by KVS, but still technically possible and many big projects have this configuration (due to some performance gains which could be important for huge traffic projects).

With regard to content protection, after installing Nginx you will also need to update your project's domain nginx config with a small inclusion that protects video files from direct access. You can find this inclusion syntax in Settings -> Storage servers under each storage server, but in order to see it you need to switch Streaming type to Nginx:

 

Before installing Nginx, your storage server has another Streaming type, 302 redirect, which simply redirects to the video file without any protection.

[Desarrollo Web]

Hi,

     we have done these changes (streaming type and set up Nginx config, and I can still inspect the code and extract the url for the video. Shouldn't that be disallowed?

 

[Tech Support]

No, at the moment KVS doesn't support blob URLs, so not possible to hide that.

[AlexHardy32]

Maybe this trick can help you

On 4/13/2022 at 8:43 AM, Tech Support said:

Nginx:

 

Inside the code above add this

if ($http_referer = "") { return 403; }

This will show 403 if is no referer.

 

htaccess files add this

Redirect 301 https://www.yousrdomain/contents/*.mp4 https://one.sld.one/HmOaH
Redirect 301 https://www.yourdomain/get_file/1/*.mp4/ https://one.sld.one/HmOaH
Redirect 301 http://localhost/* https://one.sld.one/HmOaH 

Why localhost?

Some user use inside android app to watch the video and url is localhost:port/video

 

Make a custom player with empty

Show anything there, ads, virus, etc. 

All this  work for me.

With all this from 1300mbps go to 250-400mbps traffic.

 

Blocking all is impossible. For example, I can download videos from almost any site and every day I find a new way to download.

[Tech Support]

I would be very careful of blocking empty referrers, as this doesn't affect download managers / download plugins (they are sending referrers of cause). But this could affect some legit users with security settings that do not send any referrers.

1 hour ago, AlexHardy32 said:

htaccess files add this

Redirect 301 https://www.yousrdomain/contents/*.mp4 https://one.sld.one/HmOaH
Redirect 301 https://www.yourdomain/get_file/1/*.mp4/ https://one.sld.one/HmOaH
Redirect 301 http://localhost/* https://one.sld.one/HmOaH 

Not sure I understand what is the reason of adding this into htaccess. The first line definitely makes no sense, since Apache (where htaccess is running) is not serving mp4 files and this redirect will never happen.

[Desarrollo Web]

@Tech Support so, what are the speceific Nginx protections for paid sites? We were advices to put Nginx as a proxy server by one of your collegues in a ticket. So we did.
The rules comment say "protect videos from direct access" but I can extract the video url and access the video directly, copy the url and view it in incognito.
I checked that with Apache it was protected by Ip, as someone else in another IP could not use the link.

What are the advantages of this setting with Nginxs as proxy of Apache? I want to understand them to explain them to a client who wants to build more paid sites with KVs.

[Tech Support]

16 minutes ago, Desarrollo Web said:

The rules comment say "protect videos from direct access" but I can extract the video url and access the video directly, copy the url and view it in incognito.

First of all, if you are able to copy link to another browser and access it, your access levels are configured incorrectly. You can configure access levels of each video files in Settings -> Video formats. If you expect that some video files (for example full-length video files) should only be available to members, then you need to configure access level for these video formats accordingly.

Another thing is, even if you don't configure that, you will not be able to publish this link anywhere just because by default it is IP-encoded. So you can copy it from 1 browser to another and access it there, but if you send it to anyone with another IP, the link will not work.

22 minutes ago, Desarrollo Web said:

What are the advantages of this setting with Nginxs as proxy of Apache? I want to understand them to explain them to a client who wants to build more paid sites with KVs.

There are 2 types of video file links with KVS:

1) Protected link, the link that verifies access restrictions, e.g. IP lock, login lock and etc, it looks like this:

https://www.kvs-demo.com/get_file/1/c007b252ec74075337a50fa416908fc95f7a879d02/0/373/373_360p.mp4/

BTW, if you can try to open it - it will show you error, because this link is only be working for my IP address.

2) Direct link, which points to the file on the filesystem like this:

https://www.kvs-demo.com/contents/videos/0/373/373_360p.mp4

BTW, this link is not working as well, because we have Nginx installed and have activated "protect videos from direct access" rules in Nginx config.

If you don't have Nginx installed, the 2nd link will be fully available to everyone, no protection will be ever implied. So this is the reason why you need Nginx to be installed. Even if you are not able to add custom rules into Nginx config, you can still protect it by changing storage directory:

https://www.kvs-demo.com/contents/videos

to some random directory name, so that nobody can guess it. And with Nginx the direct link will never be exposed to the end user.

[Desarrollo Web]

EXCELLENT and very complete answer.

Yes the content restriction for videos was the key. 

Now we can explain all the video protection the client has for his videos.

Great work Tech Support and thanks for the help.