mikhailov · December 26, 2022 19:30 · Apr 11, 2014 · Apr 11, 2014 · Jul 26, 2012 · Jul 25, 2012
diff --git a/2. nginx.conf b/2. nginx.conf
@@ -24,7 +24,6 @@ http {
     ssl_certificate_key         /opt/nginx/ssl_certs/server.key;
     ssl_session_timeout         15m;
     ssl_protocols               SSLv3 TLSv1 TLSv1.1 TLSv1.2;
-    ssl_ciphers                 RC4:HIGH:!aNULL:!MD5;
     ssl_prefer_server_ciphers   on;
     ssl_session_cache           shared:SSL:10m;
 

diff --git a/0. nginx_setup.sh b/0. nginx_setup.sh
@@ -4,18 +4,15 @@
 #
 # NOTE: see more details at coderwall: http://coderwall.com/p/3hksyg
 
-$ cd /usr/src
-$ wget http://nginx.org/download/nginx-1.2.2.tar.gz
-$ tar xzvf ./nginx-1.2.2.tar.gz && rm -f ./nginx-1.2.2.tar.gz
+cd /usr/src
+wget http://nginx.org/download/nginx-1.5.13.tar.gz
+tar xzvf ./nginx-1.5.13.tar.gz && rm -f ./nginx-1.5.13.tar.gz
 
-$ wget http://zlib.net/zlib127.zip
-$ unzip zlib127.zip && rm -f zlib127.zip
+wget ftp://ftp.csx.cam.ac.uk/pub/software/programming/pcre/pcre-8.32.tar.gz
+tar xzvf pcre-8.32.tar.gz && rm -f ./pcre-8.32.tar.gz
 
-$ wget ftp://ftp.csx.cam.ac.uk/pub/software/programming/pcre/pcre-8.30.tar.gz
-$ tar xzvf pcre-8.30.tar.gz && rm -f ./pcre-8.30.tar.gz
+wget http://www.openssl.org/source/openssl-1.0.1g.tar.gz
+tar xzvf openssl-1.0.1g.tar.gz && rm -f openssl-1.0.1g.tar.gz
 
-$ wget http://www.openssl.org/source/openssl-1.0.1c.tar.gz
-$ tar xzvf openssl-1.0.1c.tar.gz && rm -f openssl-1.0.1c.tar.gz
-
-$ cd nginx-1.2.2 && ./configure --prefix=/opt/nginx --with-pcre=/usr/src/pcre-8.30 --with-zlib=/usr/src/zlib-1.2.7 --with-openssl-opt=no-krb5 --with-openssl=/usr/src/openssl-1.0.1c --with-http_ssl_module --without-mail_pop3_module --without-mail_smtp_module --without-mail_imap_module --with-http_stub_status_module --with-http_secure_link_module --with-http_flv_module
-$ make && make install
+cd nginx-1.5.13 && ./configure --prefix=/opt/nginx --with-pcre=/usr/src/pcre-8.32 --with-openssl-opt=no-krb5 --with-openssl=/usr/src/openssl-1.0.1g --with-http_ssl_module --without-mail_pop3_module --without-mail_smtp_module --without-mail_imap_module --with-http_stub_status_module --with-http_secure_link_module --with-http_flv_module --with-http_mp4_module
+make && make install
diff --git a/0. nginx_setup.sh b/0. nginx_setup.sh
@@ -1,6 +1,8 @@
 # Nginx can serve FLV/MP4 files by pseudo-streaming way without any specific media-server software. 
 # To do the custom build we use 2 modules: --with-http_secure_link_module --with-http_flv_module
 # This module "secure-link" helps you to protect links from stealing away.
+#
+# NOTE: see more details at coderwall: http://coderwall.com/p/3hksyg
 
 $ cd /usr/src
 $ wget http://nginx.org/download/nginx-1.2.2.tar.gz

diff --git a/3. signature.rb b/3. signature.rb
@@ -1,3 +1,7 @@
+require 'rubygems'
+require 'activesupport'
+require 'digest/md5'
+
 class Signature
   PASSWORD    = 'YOUR_SECRET_PASSWORD_HERE'   # use this password for nginx directive "secure_link_md5"
   DIR         = 'flv'                         # the internal nginx location to access to media files
@@ -27,6 +31,6 @@ def md5_calculate
 
 
 url = Signature.new('video1.flv')
-url.expiration_time #=> 1326559618
-url.md5             #=> HLz1px_YzSNcbcaskzA6nQ
-url.generate        #=> http://your_server.com:8080/video/HLz1px_YzSNcbcaskzA6nQ/1326559618/video1.flv
+puts url.expiration_time #=> 1326559618
+puts url.md5             #=> HLz1px_YzSNcbcaskzA6nQ
+puts url.generate        #=> http://your_server.com:8080/video/HLz1px_YzSNcbcaskzA6nQ/1326559618/video1.flv
diff --git a/3. signature.rb b/3. signature.rb
@@ -11,7 +11,7 @@ def initialize(file_name)
   end
 
   def generate
-    # nginx public protected URL to access to media files, "video" is the location, not real directory on filesystem
+    # nginx secured URL to access to media files, "video" is the location, not real directory on filesystem
     "#{SERVER_NAME}/video/#{@md5}/#{expiration_time}/#{file_name}"
   end
 

diff --git a/3. signature.rb b/3. signature.rb
@@ -11,6 +11,7 @@ def initialize(file_name)
   end
 
   def generate
+    # nginx public protected URL to access to media files, "video" is the location, not real directory on filesystem
     "#{SERVER_NAME}/video/#{@md5}/#{expiration_time}/#{file_name}"
   end
 

diff --git a/3. signature.rb b/3. signature.rb
@@ -1,7 +1,7 @@
 class Signature
-  PASSWORD    = 'YOUR_SECRET_PASSWORD_HERE'
-  DIR         = '/flv/'
-  SERVER_NAME = 'http://your_server.com:8080'
+  PASSWORD    = 'YOUR_SECRET_PASSWORD_HERE'   # use this password for nginx directive "secure_link_md5"
+  DIR         = 'flv'                         # the internal nginx location to access to media files
+  SERVER_NAME = 'http://your_server.com:8080' # nginx listen address and port
   attr_reader :expiration_time, :file_name, :md5
 
   def initialize(file_name)

diff --git a/3. signature.rb b/3. signature.rb
@@ -1,7 +1,7 @@
 class Signature
   PASSWORD    = 'YOUR_SECRET_PASSWORD_HERE'
   DIR         = '/flv/'
-  SERVER_NAME = 'http://your_server.com:8080/'
+  SERVER_NAME = 'http://your_server.com:8080'
   attr_reader :expiration_time, :file_name, :md5
 
   def initialize(file_name)

diff --git a/3. signature.rb b/3. signature.rb
@@ -28,4 +28,4 @@ def md5_calculate
 url = Signature.new('video1.flv')
 url.expiration_time #=> 1326559618
 url.md5             #=> HLz1px_YzSNcbcaskzA6nQ
-url.generate        #=> "http://your_server.com:8080/video/HLz1px_YzSNcbcaskzA6nQ/1326559618/video1.flv"
+url.generate        #=> http://your_server.com:8080/video/HLz1px_YzSNcbcaskzA6nQ/1326559618/video1.flv
diff --git a/2. nginx.conf b/2. nginx.conf
@@ -1,6 +1,4 @@
 # Nginx uses the protected links that build with md5 of YOUR_SECRET_PASSWORD_HERE, URI and Unix timestamp
-# NOTE: see this discussion http://stackoverflow.com/questions/8848919/secure-pseudo-streaming-flv-files 
-#       to know how to generate protected links.
 
 user                            app;
 worker_processes                2;

diff --git a/3. signature.rb b/3. signature.rb
@@ -27,4 +27,5 @@ def md5_calculate
 
 url = Signature.new('video1.flv')
 url.expiration_time #=> 1326559618
+url.md5             #=> HLz1px_YzSNcbcaskzA6nQ
 url.generate        #=> "http://your_server.com:8080/video/HLz1px_YzSNcbcaskzA6nQ/1326559618/video1.flv"
diff --git a/3. signature.rb b/3. signature.rb
@@ -0,0 +1,30 @@
+class Signature
+  PASSWORD    = 'YOUR_SECRET_PASSWORD_HERE'
+  DIR         = '/flv/'
+  SERVER_NAME = 'http://your_server.com:8080/'
+  attr_reader :expiration_time, :file_name, :md5
+
+  def initialize(file_name)
+    @expiration_time = (Time.now + 2.hours).to_i
+    @file_name       = file_name
+    md5_calculate
+  end
+
+  def generate
+    "#{SERVER_NAME}/video/#{@md5}/#{expiration_time}/#{file_name}"
+  end
+
+
+  private
+
+  def md5_calculate
+    s    = "#{PASSWORD}#{@expiration_time}/#{DIR}/#{@file_name}"
+    a    = Base64.encode64(Digest::MD5.digest(s))
+    @md5 = a.tr("+/", "-_").sub('==', '').chomp
+  end
+end
+
+
+url = Signature.new('video1.flv')
+url.expiration_time #=> 1326559618
+url.generate        #=> "http://your_server.com:8080/video/HLz1px_YzSNcbcaskzA6nQ/1326559618/video1.flv"
diff --git a/2. nginx.conf b/2. nginx.conf
@@ -37,10 +37,10 @@ http {
         access_log              logs/access.log;
 
         location /video/ {
-          rewrite               /video/([a-zA-Z0-9_\-]*)/([0-9]*)/(.*)\.flv$ /content/$3.flv?st=$1&e=$2;
+          rewrite               /video/([a-zA-Z0-9_\-]*)/([0-9]*)/(.*)\.flv$ /flv/$3.flv?st=$1&e=$2;
         }
 
-        location /content/ {
+        location /flv/ {
           internal;
           secure_link           $arg_st,$arg_e;
           secure_link_md5       YOUR_SECRET_PASSWORD_HERE$arg_e$uri;

diff --git a/0. nginx_setup.sh b/0. nginx_setup.sh
@@ -1,10 +1,6 @@
 # Nginx can serve FLV/MP4 files by pseudo-streaming way without any specific media-server software. 
 # To do the custom build we use 2 modules: --with-http_secure_link_module --with-http_flv_module
 # This module "secure-link" helps you to protect links from stealing away.
-#
-# NOTE: see this discussion http://stackoverflow.com/questions/8848919/secure-pseudo-streaming-flv-files 
-#       to know how to generate protected links.
-
 
 $ cd /usr/src
 $ wget http://nginx.org/download/nginx-1.2.2.tar.gz

diff --git a/2. nginx.conf b/2. nginx.conf
@@ -1,3 +1,7 @@
+# Nginx uses the protected links that build with md5 of YOUR_SECRET_PASSWORD_HERE, URI and Unix timestamp
+# NOTE: see this discussion http://stackoverflow.com/questions/8848919/secure-pseudo-streaming-flv-files 
+#       to know how to generate protected links.
+
 user                            app;
 worker_processes                2;
 timer_resolution                100ms;
@@ -39,7 +43,7 @@ http {
         location /content/ {
           internal;
           secure_link           $arg_st,$arg_e;
-          secure_link_md5       YOUR_SECRET_PASSWORD_HERE $arg_e$uri;
+          secure_link_md5       YOUR_SECRET_PASSWORD_HERE$arg_e$uri;
 
           if ($secure_link = "")  { return 403; }
           if ($secure_link = "0") { return 403; }

diff --git a/1. misc_setup.sh b/1. misc_setup.sh
@@ -1,6 +1,6 @@
 $ cd /opt/nginx/html
 $ echo "<cross-domain-policy>
-   <allow-access-from domain="*.your_domain.com" />
+   <allow-access-from domain='*.your_domain.com' />
 </cross-domain-policy>" > crossdomain.xml
 
 $ echo "User-Agent: *

diff --git a/0. nginx_setup.sh b/0. nginx_setup.sh
@@ -19,4 +19,5 @@ $ tar xzvf pcre-8.30.tar.gz && rm -f ./pcre-8.30.tar.gz
 $ wget http://www.openssl.org/source/openssl-1.0.1c.tar.gz
 $ tar xzvf openssl-1.0.1c.tar.gz && rm -f openssl-1.0.1c.tar.gz
 
-$ cd nginx-1.2.2 && ./configure --prefix=/opt/nginx --with-pcre=/usr/src/pcre-8.30 --with-zlib=/usr/src/zlib-1.2.7 --with-openssl-opt=no-krb5 --with-openssl=/usr/src/openssl-1.0.1c --with-http_ssl_module --without-mail_pop3_module --without-mail_smtp_module --without-mail_imap_module --with-http_stub_status_module --with-http_secure_link_module --with-http_flv_module
+$ cd nginx-1.2.2 && ./configure --prefix=/opt/nginx --with-pcre=/usr/src/pcre-8.30 --with-zlib=/usr/src/zlib-1.2.7 --with-openssl-opt=no-krb5 --with-openssl=/usr/src/openssl-1.0.1c --with-http_ssl_module --without-mail_pop3_module --without-mail_smtp_module --without-mail_imap_module --with-http_stub_status_module --with-http_secure_link_module --with-http_flv_module
+$ make && make install
diff --git a/0. nginx_setup.sh b/0. nginx_setup.sh
@@ -0,0 +1,22 @@
+# Nginx can serve FLV/MP4 files by pseudo-streaming way without any specific media-server software. 
+# To do the custom build we use 2 modules: --with-http_secure_link_module --with-http_flv_module
+# This module "secure-link" helps you to protect links from stealing away.
+#
+# NOTE: see this discussion http://stackoverflow.com/questions/8848919/secure-pseudo-streaming-flv-files 
+#       to know how to generate protected links.
+
+
+$ cd /usr/src
+$ wget http://nginx.org/download/nginx-1.2.2.tar.gz
+$ tar xzvf ./nginx-1.2.2.tar.gz && rm -f ./nginx-1.2.2.tar.gz
+
+$ wget http://zlib.net/zlib127.zip
+$ unzip zlib127.zip && rm -f zlib127.zip
+
+$ wget ftp://ftp.csx.cam.ac.uk/pub/software/programming/pcre/pcre-8.30.tar.gz
+$ tar xzvf pcre-8.30.tar.gz && rm -f ./pcre-8.30.tar.gz
+
+$ wget http://www.openssl.org/source/openssl-1.0.1c.tar.gz
+$ tar xzvf openssl-1.0.1c.tar.gz && rm -f openssl-1.0.1c.tar.gz
+
+$ cd nginx-1.2.2 && ./configure --prefix=/opt/nginx --with-pcre=/usr/src/pcre-8.30 --with-zlib=/usr/src/zlib-1.2.7 --with-openssl-opt=no-krb5 --with-openssl=/usr/src/openssl-1.0.1c --with-http_ssl_module --without-mail_pop3_module --without-mail_smtp_module --without-mail_imap_module --with-http_stub_status_module --with-http_secure_link_module --with-http_flv_module
diff --git a/1. misc_setup.sh b/1. misc_setup.sh
@@ -0,0 +1,7 @@
+$ cd /opt/nginx/html
+$ echo "<cross-domain-policy>
+   <allow-access-from domain="*.your_domain.com" />
+</cross-domain-policy>" > crossdomain.xml
+
+$ echo "User-Agent: *
+Disallow: /" > robots.txt
diff --git a/2. nginx.conf b/2. nginx.conf
@@ -0,0 +1,68 @@
+user                            app;
+worker_processes                2;
+timer_resolution                100ms;
+error_log                       logs/error.log;
+pid                             logs/nginx.pid;
+
+events {
+    worker_connections          1024;
+}
+
+
+http {
+    include                     mime.types;
+    default_type                application/octet-stream;
+
+    access_log                  off;
+    sendfile                    on;
+    server_tokens               off;
+    keepalive_timeout           65;
+
+    ssl_certificate             /opt/nginx/ssl_certs/server.crt;
+    ssl_certificate_key         /opt/nginx/ssl_certs/server.key;
+    ssl_session_timeout         15m;
+    ssl_protocols               SSLv3 TLSv1 TLSv1.1 TLSv1.2;
+    ssl_ciphers                 RC4:HIGH:!aNULL:!MD5;
+    ssl_prefer_server_ciphers   on;
+    ssl_session_cache           shared:SSL:10m;
+
+
+    server {
+      	ssl                     on;
+        listen                  443 default ssl;
+        access_log              logs/access.log;
+
+        location /video/ {
+          rewrite               /video/([a-zA-Z0-9_\-]*)/([0-9]*)/(.*)\.flv$ /content/$3.flv?st=$1&e=$2;
+        }
+
+        location /content/ {
+          internal;
+          secure_link           $arg_st,$arg_e;
+          secure_link_md5       YOUR_SECRET_PASSWORD_HERE $arg_e$uri;
+
+          if ($secure_link = "")  { return 403; }
+          if ($secure_link = "0") { return 403; }
+
+          root                  /mnt/your_directory;
+          flv;
+
+          add_header            Cache-Control  'private, max-age=0, must-revalidate';
+          add_header            Strict-Transport-Security "max-age=16070400; includeSubdomains";
+          add_header            X-Frame-Options DENY;
+        }
+
+        location =/ {
+          root                  /404.html;
+        }
+
+        location = /50x.html {
+          root                  html;
+        }
+
+        location ~ \.(php|html)$ {
+          deny                  all;
+        }
+
+    }
+}