
I spent a lot of time searching for answers and, believe me, I tried everything. I am running an nginx server that pushes RTMP streams to HLS streams.

Below is a part of my nginx.conf:

    location /hls {
        types {
            application/vnd.apple.mpegurl m3u8;
        }

        root /mnt/;
        set $auth_request_uri "http://SERVER:8000/auth_ext.php?token=$arg_token";
        auth_request /auth/;
        add_header Cache-Control no-cache; # Prevent caching of HLS fragments
        add_header Access-Control-Allow-Origin *; # Allow web player to access our playlist
    }

    location /auth/ {
        internal;
        proxy_pass              $auth_request_uri;
        proxy_pass_request_body off;
        proxy_set_header        Content-Length "";
        proxy_set_header        X-Original-URI $request_uri;
    }

I am trying to authenticate a stream through a PHP page, which gets the parameters from the URL and then responds with a 200 OK if the token matches one in my DB.

So far I have managed to authenticate, meaning I can access http://SERVER:8080/hls/stream.m3u8?token=TOKEN if the token matches, but here is what happens.

I have a main m3u8 stream that adapts the streams according to the bandwidth, and when I access stream.m3u8 I see this in the console:

 http://SERVER:8080/hls/stream.m3u8?token=TOKEN
 http://SERVER:8080/hls/stream_mid.m3u8
 http://SERVER:8080/hls/stream_hd720.m3u8
 http://SERVER:8080/hls/stream_src.m3u8

where the last three m3u8 respond with 404 because the parameters don't pass through; therefore I have a stream that never loads, but the URL does respond. Moreover, in the m3u8 themselves, the .ts files also get 404.

How do I deal with this so that once the first call to the first m3u8 is authenticated, the remaining m3u8 and the .ts files can be accessed or return a 200 code?

I really hope I made myself clear; I can provide more details.

Thank you all


1 Answer


The authentication result is not shared across requests. You have to provide the same token with each new request for all variant playlists and media segments.

To achieve this you have to rewrite both the master and variant HLS manifests and add the token to each contained URL. One solution is to use a PHP wrapper to intercept all .m3u8 requests, parse the playlists and add the token on-the-fly and then return the result with the correct MIME type (application/x-mpegURL or vnd.apple.mpegURL).

As a final note you should be using a signed token to avoid reuse.
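
The rewriting and token signing described in the answer above, sketched as an added example that is not part of the original answer (Python here rather than the PHP wrapper the answer suggests). The `<expiry>.<HMAC>` token format, the scope string, the secret and all function names are assumptions made for illustration.

```python
import hashlib
import hmac
import re
import time
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

SECRET = b"constructed-demo-secret"  # assumption: real key lives in server-side config
URI_ATTR = re.compile(r'URI="([^"]*)"')  # URIs carried inside tags (EXT-X-KEY, EXT-X-MAP, ...)
MASTER = """#EXTM3U
#EXT-X-STREAM-INF:BANDWIDTH=448000
stream_mid.m3u8
#EXT-X-STREAM-INF:BANDWIDTH=2048000
stream_hd720.m3u8
"""  # constructed sample master playlist, variant names taken from the question


def sign_token(scope, expires, secret=SECRET):
    """Return "<expiry>.<hex HMAC-SHA256>" bound to a scope such as "/hls/stream"."""
    mac = hmac.new(secret, f"{scope}|{expires}".encode(), hashlib.sha256).hexdigest()
    return f"{expires}.{mac}"


def verify_token(token, scope, now=None, secret=SECRET):
    """Reject expired, malformed, tampered or wrong-scope tokens."""
    expires = token.partition(".")[0]
    if not expires.isdecimal() or int(expires) < (time.time() if now is None else now):
        return False
    expected = sign_token(scope, int(expires), secret)
    return hmac.compare_digest(expected.encode(), token.encode())


def add_token(uri, token):
    """Set ?token= on one URI, keeping other query parameters and replacing an old token."""
    parts = urlsplit(uri)
    query = [(k, v) for k, v in parse_qsl(parts.query, keep_blank_values=True) if k != "token"]
    return urlunsplit(parts._replace(query=urlencode(query + [("token", token)])))


def rewrite_playlist(text, token):
    """Append the token to every URI line and every URI="..." attribute of a playlist."""
    out = []
    for line in text.splitlines():
        stripped = line.strip()
        if stripped.startswith("#"):
            line = URI_ATTR.sub(lambda m: 'URI="%s"' % add_token(m.group(1), token), line)
        elif stripped:
            line = add_token(stripped, token)
        out.append(line)
    return "\n".join(out) + "\n"
```

The same `rewrite_playlist` call applies to master and variant playlists alike, so the variant playlists and `.ts` segment requests all reach the `auth_request` check carrying a token that `verify_token` can validate without a per-request database lookup.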