Desarrollo Web Posted April 12, 2022 Share Posted April 12, 2022 Good morning, as ours is a paid site, support suggested us to add Nginx as proxy. We have, and have seen in Settings->video the video settings to protect our content. However, we have the impression there are more settings specific to this configuration of Apache and Nginx as proxy but we can't find in the forum the relevant posts. Can someone please suggest what are those settings. For example in (and others) it says " is required to configure Nginx to prevent accessing publicly writable directories". Quote Link to comment Share on other sites More sharing options...
Tech Support Posted April 13, 2022 Share Posted April 13, 2022 This issue is not related to the case when your configure Nginx + Apache, as Apache will make sure that all needed directories are protected. It will only be an issue when you have pure Nginx + PHP without Apache. This is not officially supported by KVS, but still technically possible and many big projects have this configuration (due to some performance gains which could be important for huge traffic projects). With regard to content protection, after installing Nginx you will also need to update your project's domain nginx config with a small inclusion that protects video files from direct access. You can find this inclusion syntax in Settings -> Storage servers under each storage server, but in order to see it you need to switch Streaming type to Nginx: Before installing Nginx, your storage server has another Streaming type, 302 redirect, which simply redirects to the video file without any protection. 1 Quote Link to comment Share on other sites More sharing options...
Desarrollo Web Posted April 19, 2022 Author Share Posted April 19, 2022 Hi, we have done these changes (streaming type and set up Nginx config, and I can still inspect the code and extract the url for the video. Shouldn't that be disallowed? Quote Link to comment Share on other sites More sharing options...
Tech Support Posted April 19, 2022 Share Posted April 19, 2022 No, at the moment KVS doesn't support blob URLs, so not possible to hide that. Quote Link to comment Share on other sites More sharing options...
AlexHardy32 Posted April 20, 2022 Share Posted April 20, 2022 Maybe this trick can help you On 4/13/2022 at 8:43 AM, Tech Support said: Nginx: Inside the code above add this if ($http_referer = "") { return 403; } This will show 403 if is no referer. htaccess files add this Redirect 301 https://www.yousrdomain/contents/*.mp4 https://one.sld.one/HmOaH Redirect 301 https://www.yourdomain/get_file/1/*.mp4/ https://one.sld.one/HmOaH Redirect 301 http://localhost/* https://one.sld.one/HmOaH Why localhost? Some user use inside android app to watch the video and url is localhost:port/video Make a custom player with empty Show anything there, ads, virus, etc. All this work for me. With all this from 1300mbps go to 250-400mbps traffic. Blocking all is impossible. For example, I can download videos from almost any site and every day I find a new way to download. 1 Quote Link to comment Share on other sites More sharing options...
Tech Support Posted April 20, 2022 Share Posted April 20, 2022 I would be very careful of blocking empty referrers, as this doesn't affect download managers / download plugins (they are sending referrers of cause). But this could affect some legit users with security settings that do not send any referrers. 1 hour ago, AlexHardy32 said: htaccess files add this Redirect 301 https://www.yousrdomain/contents/*.mp4 https://one.sld.one/HmOaH Redirect 301 https://www.yourdomain/get_file/1/*.mp4/ https://one.sld.one/HmOaH Redirect 301 http://localhost/* https://one.sld.one/HmOaH Not sure I understand what is the reason of adding this into htaccess. The first line definitely makes no sense, since Apache (where htaccess is running) is not serving mp4 files and this redirect will never happen. Quote Link to comment Share on other sites More sharing options...
Desarrollo Web Posted April 20, 2022 Author Share Posted April 20, 2022 @Tech Support so, what are the speceific Nginx protections for paid sites? We were advices to put Nginx as a proxy server by one of your collegues in a ticket. So we did. The rules comment say "protect videos from direct access" but I can extract the video url and access the video directly, copy the url and view it in incognito. I checked that with Apache it was protected by Ip, as someone else in another IP could not use the link. What are the advantages of this setting with Nginxs as proxy of Apache? I want to understand them to explain them to a client who wants to build more paid sites with KVs. Quote Link to comment Share on other sites More sharing options...
Tech Support Posted April 20, 2022 Share Posted April 20, 2022 16 minutes ago, Desarrollo Web said: The rules comment say "protect videos from direct access" but I can extract the video url and access the video directly, copy the url and view it in incognito. First of all, if you are able to copy link to another browser and access it, your access levels are configured incorrectly. You can configure access levels of each video files in Settings -> Video formats. If you expect that some video files (for example full-length video files) should only be available to members, then you need to configure access level for these video formats accordingly. Another thing is, even if you don't configure that, you will not be able to publish this link anywhere just because by default it is IP-encoded. So you can copy it from 1 browser to another and access it there, but if you send it to anyone with another IP, the link will not work. 22 minutes ago, Desarrollo Web said: What are the advantages of this setting with Nginxs as proxy of Apache? I want to understand them to explain them to a client who wants to build more paid sites with KVs. There are 2 types of video file links with KVS: 1) Protected link, the link that verifies access restrictions, e.g. IP lock, login lock and etc, it looks like this: https://www.kvs-demo.com/get_file/1/c007b252ec74075337a50fa416908fc95f7a879d02/0/373/373_360p.mp4/ BTW, if you can try to open it - it will show you error, because this link is only be working for my IP address. 2) Direct link, which points to the file on the filesystem like this: https://www.kvs-demo.com/contents/videos/0/373/373_360p.mp4 BTW, this link is not working as well, because we have Nginx installed and have activated "protect videos from direct access" rules in Nginx config. If you don't have Nginx installed, the 2nd link will be fully available to everyone, no protection will be ever implied. So this is the reason why you need Nginx to be installed. Even if you are not able to add custom rules into Nginx config, you can still protect it by changing storage directory: https://www.kvs-demo.com/contents/videos to some random directory name, so that nobody can guess it. And with Nginx the direct link will never be exposed to the end user. 1 1 Quote Link to comment Share on other sites More sharing options...
Desarrollo Web Posted April 20, 2022 Author Share Posted April 20, 2022 EXCELLENT and very complete answer. Yes the content restriction for videos was the key. Now we can explain all the video protection the client has for his videos. Great work Tech Support and thanks for the help. Quote Link to comment Share on other sites More sharing options...
Recommended Posts
Join the conversation
You can post now and register later. If you have an account, sign in now to post with your account.
Note: Your post will require moderator approval before it will be visible.