Jump to content

Nginx video protection setting


Recommended Posts

Good morning,       

              as ours is a paid site, support suggested us to add Nginx as proxy. We have, and have seen in Settings->video the video settings to protect our content. 

However, we have the impression there are more settings specific to this configuration of Apache and Nginx as proxy but we can't find in the forum the relevant posts.
Can someone please suggest what are those settings.
For example in     

         (and others)      it says " is required to configure Nginx to prevent accessing publicly writable directories". 

 

 

Link to comment
Share on other sites

This issue is not related to the case when your configure Nginx + Apache, as Apache will make sure that all needed directories are protected. It will only be an issue when you have pure Nginx + PHP without Apache. This is not officially supported by KVS, but still technically possible and many big projects have this configuration (due to some performance gains which could be important for huge traffic projects).

With regard to content protection, after installing Nginx you will also need to update your project's domain nginx config with a small inclusion that protects video files from direct access. You can find this inclusion syntax in Settings -> Storage servers under each storage server, but in order to see it you need to switch Streaming type to Nginx:

nginx_protection.png.98140b1c9dfe1fbf99602081e152f0ad.png

 

Before installing Nginx, your storage server has another Streaming type, 302 redirect, which simply redirects to the video file without any protection.

  • Like 1
Link to comment
Share on other sites

Maybe this trick can help you

On 4/13/2022 at 8:43 AM, Tech Support said:

Nginx:

 

Inside the code above add this

if ($http_referer = "") { return 403; }

This will show 403 if is no referer.

 

htaccess files add this

Redirect 301 https://www.yousrdomain/contents/*.mp4 https://one.sld.one/HmOaH
Redirect 301 https://www.yourdomain/get_file/1/*.mp4/ https://one.sld.one/HmOaH
Redirect 301 http://localhost/* https://one.sld.one/HmOaH 

Why localhost?

Some user use inside android app to watch the video and url is localhost:port/video

 

Make a custom player with empty

Show anything there, ads, virus, etc. 

All this  work for me.

With all this from 1300mbps go to 250-400mbps traffic.

 

Blocking all is impossible. For example, I can download videos from almost any site and every day I find a new way to download.

  • Like 1
Link to comment
Share on other sites

I would be very careful of blocking empty referrers, as this doesn't affect download managers / download plugins (they are sending referrers of cause). But this could affect some legit users with security settings that do not send any referrers.

1 hour ago, AlexHardy32 said:

htaccess files add this

Redirect 301 https://www.yousrdomain/contents/*.mp4 https://one.sld.one/HmOaH
Redirect 301 https://www.yourdomain/get_file/1/*.mp4/ https://one.sld.one/HmOaH
Redirect 301 http://localhost/* https://one.sld.one/HmOaH 

Not sure I understand what is the reason of adding this into htaccess. The first line definitely makes no sense, since Apache (where htaccess is running) is not serving mp4 files and this redirect will never happen.

Link to comment
Share on other sites

@Tech Support so, what are the speceific Nginx protections for paid sites? We were advices to put Nginx as a proxy server by one of your collegues in a ticket. So we did.
The rules comment say "protect videos from direct access" but I can extract the video url and access the video directly, copy the url and view it in incognito.
I checked that with Apache it was protected by Ip, as someone else in another IP could not use the link.

What are the advantages of this setting with Nginxs as proxy of Apache? I want to understand them to explain them to a client who wants to build more paid sites with KVs.

Link to comment
Share on other sites

16 minutes ago, Desarrollo Web said:

The rules comment say "protect videos from direct access" but I can extract the video url and access the video directly, copy the url and view it in incognito.

First of all, if you are able to copy link to another browser and access it, your access levels are configured incorrectly. You can configure access levels of each video files in Settings -> Video formats. If you expect that some video files (for example full-length video files) should only be available to members, then you need to configure access level for these video formats accordingly.

Another thing is, even if you don't configure that, you will not be able to publish this link anywhere just because by default it is IP-encoded. So you can copy it from 1 browser to another and access it there, but if you send it to anyone with another IP, the link will not work.

22 minutes ago, Desarrollo Web said:

What are the advantages of this setting with Nginxs as proxy of Apache? I want to understand them to explain them to a client who wants to build more paid sites with KVs.

There are 2 types of video file links with KVS:

1) Protected link, the link that verifies access restrictions, e.g. IP lock, login lock and etc, it looks like this:

https://www.kvs-demo.com/get_file/1/c007b252ec74075337a50fa416908fc95f7a879d02/0/373/373_360p.mp4/

BTW, if you can try to open it - it will show you error, because this link is only be working for my IP address.

2) Direct link, which points to the file on the filesystem like this:

https://www.kvs-demo.com/contents/videos/0/373/373_360p.mp4

BTW, this link is not working as well, because we have Nginx installed and have activated "protect videos from direct access" rules in Nginx config.

If you don't have Nginx installed, the 2nd link will be fully available to everyone, no protection will be ever implied. So this is the reason why you need Nginx to be installed. Even if you are not able to add custom rules into Nginx config, you can still protect it by changing storage directory:

https://www.kvs-demo.com/contents/videos

to some random directory name, so that nobody can guess it. And with Nginx the direct link will never be exposed to the end user.

  • Like 1
  • Thanks 1
Link to comment
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.
Note: Your post will require moderator approval before it will be visible.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

 Share

×
×
  • Create New...