## How to use Nginx ngx_http_secure_link_module and PHP

Three example nginx locations and the PHP required for mp4 secure_links.
```
before: https://https://mydomain.com/data/videos/file.mp4
after : https://mydomain.com/data/videos/file.mp4?md5=Vtzs2WCnCqRsE47EH6U6pQ&expires=1617601227
```
make sure the secret password you use match in both lines below
```
$remote_addr secretword << in nginx config section
$secret = 'secretword'; << in PHP file
```

#### nginx location

```
# works
location ~ \.mp4$ {
secure_link $arg_md5,$arg_expires;
secure_link_md5 "$secure_link_expires$uri$remote_addr secretword"; 
   if ($secure_link = "")  { return 403; } # deny direct links
   if ($secure_link = "0") { return 410; } # deny expired links
}
```
#### or use option (2)

```
# works
location ~ \.(mp3|mp4) {
   root /srv/www/webroot;
   secure_link $arg_md5,$arg_expires;
   secure_link_md5 "$secure_link_expires$uri$remote_addr secretword";
   if ($secure_link = "")  { return 403; }
   if ($secure_link = "0") { return 410; }
}
```

#### or use option (3)

```
# works
location ^~ /data/videos {
   alias /srv/www/webroot/data/videos;
   secure_link $arg_md5,$arg_expires;
   secure_link_md5 "$secure_link_expires$uri$remote_addr secretword";
   if ($secure_link = "")  { return 403; }
   if ($secure_link = "0") { return 410; }
}
```

#### another optional way of handling status errors, 404 it all

```
location ~ \.mp4$ {
    secure_link $arg_md5,$arg_expires;
    secure_link_md5 "$secure_link_expires$uri$remote_addr secretword";
    # In production environment, we should not reveal to potential attacker
    # why authentication has failed
    if ($secure_link != "1") {
        return 404;
    }
}
```
#### secure_links.php will build and echo the expires URL 

```
<?php
function buildSecureLink($baseUrl, $path, $secret, $ttl, $userIp)
{
    $expires = time() + $ttl;
    $md5 = md5("$expires$path$userIp $secret", true);
    $md5 = base64_encode($md5);
    $md5 = strtr($md5, '+/', '-_');
    $md5 = str_replace('=', '', $md5);
    return $baseUrl . $path . '?md5=' . $md5 . '&expires=' . $expires;
}

$secret = 'secretword';                      // matches with nginx config
$baseUrl = 'https://mydomain.com';           // no trailing slash
$path = '/data/videos/file.mp4';             // path to your mp4 file
$ttl = 15;                                   // IMPORTANT: ttl 15 seconds for testing the expires!!!
                                             // 3600 seconds equals 1 hour, change as you require it
$userIp = $_SERVER["HTTP_CF_CONNECTING_IP"]; // if behind cloudflare nginx & CF https://tinyurl.com/58h3s3et
                                             // normally from something like $_SERVER['REMOTE_ADDR'];

echo $vidurl = buildSecureLink($baseUrl, $path, $secret, $ttl, $userIp); // link built
```

#### full domain.conf example

```
server {
    listen              80;
    server_name         www.mydomain.com mydomain.com;
    return              301 https://mydomain.com$request_uri;
}

server {
    listen              443 ssl;
    server_name         www.mydomain.com;
    # managed by Certbot SSL certs
    include snippets/ssl.conf;
    return              301 https://mydomain.com$request_uri;
}

# above redirects unsecure and www. to https://mydomain.com

server {
    listen [::]:443 ssl; # managed by Certbot
    listen 443 ssl; # managed by Certbot
    server_name mydomain.com;
    error_log /var/log/nginx/mydomain.log warn;
    access_log off;

    # managed by Certbot SSL certs
    include snippets/ssl.conf;

    root /srv/www/webroot;
    index index.php index.html;

    location / {
         try_files $uri $uri/ /index.php?$args;
    }

    # secure_links for videos
    location ^~ /data/videos {
    alias /srv/www/webroot/data/videos;
    secure_link $arg_md5,$arg_expires;
    secure_link_md5 "$secure_link_expires$uri$remote_addr secretword";
    if ($secure_link = "")  { return 403; }
    if ($secure_link = "0") { return 410; }
    }
   
    # handling of the request
    location ~ [^/]\.php(/|$) {
    fastcgi_split_path_info ^(.+?\.php)(/.*)$;
    if (!-f $document_root$fastcgi_script_name) {
        return 404;
    }

    # Mitigate https://httpoxy.org/ vulnerabilities
    fastcgi_param HTTP_PROXY "";

    fastcgi_pass 127.0.0.1:9000;
    fastcgi_index index.php;

    # include the fastcgi_param setting
    include fastcgi_params;

    # SCRIPT_FILENAME parameter is used for PHP FPM determining
    #  the script name. If it is not set in fastcgi_params file,
    # i.e. /etc/nginx/fastcgi_params or in the parent contexts,
    # please comment off following line:
    fastcgi_param  SCRIPT_FILENAME   $document_root$fastcgi_script_name;
    }
}
```