• Global community
    • Language:
      • Deutsch
      • English
      • Español
      • Français
      • Português
  • 日本語コミュニティ
    Dedicated community for Japanese speakers
  • 한국 커뮤니티
    Dedicated community for Korean speakers
Exit
Locked
0

How to protect hls stream? (from others serving "my" m3u8's on their site...)

Community Beginner ,
Dec 27, 2011 Dec 27, 2011

Copy link to clipboard

Copied

Situation: live hls multi-bitrate, livepkgr, m3u8 served on "my" website

(iOS user gets on "my" page, clicks on the m3u8 link and views the live content - no problem there...)

What is stopping other to use my playlist on their website and offer the same service with "my" infrastructure?

Nothing?

If i use protected hls - i still will be giving keys to all the viewers - both those who came through my website and also all others - so not much help there with this particular question - right?

Views

6.9K

Translate

Translate

Report

Report
Community guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
community guidelines
Adobe Employee ,
Jan 01, 2012 Jan 01, 2012

Copy link to clipboard

Copied

Currently protected HLS only garuntee (flexible feature) that only valid ios devices can play the stream. But yes, that doesn't solve your problem. You may like to add some sort of authentication  in key delivery part. For example, you may write ios-application to re-write key delivery URL and add some query token to it in NSURLProtocol class. And on apache side, you may check validity of URL sender before request is picked up by the hls module.

This is just a direction.. Though we are looking for some inherent solutions in this direction..

Votes

Translate

Translate

Report

Report
Community guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
community guidelines
Community Beginner ,
Jan 02, 2012 Jan 02, 2012

Copy link to clipboard

Copied

Hi, thank you for your reply, can you please be more specific on this:
"...on apache side, you may check validity of URL sender before request is picked up by the hls module..."

(how?)

Thank you in advance.

Votes

Translate

Translate

Report

Report
Community guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
community guidelines
Adobe Employee ,
Jan 02, 2012 Jan 02, 2012

Copy link to clipboard

Copied

Though it is easily discoverable the hackers but still a direction:

1. For example, in you client app inside NSURLProtocol you may change the key URL from https://example.com/hls-key/liveevent.key to https://example.com/my-app-hsl-key/liveevent.key

Now, inside apache conf, you may change the location directive hls-key to my-app-hls-key.. In this way any key request that comes as former URL will be reected by the module, while later will be passed.

Since later key requests will only from your client app (which re-write key url inside app using ios NSURLProtocol class) they will succeed as apache confs are configured to accept them while former once are failed.

However this can be traced and replicated by others too..

If you want more secure way then, you may like to send some cookies with the key url as query parameter (again you will have to write your custome app to do that).. On apache side you may write your own module which first authenticate the cookie then redirect the "query parameter stripped key url" to the mod_hlshttp.so..

Why am I only talking about authenticating the key URL not the m3u8 or ts because key url is on https which should always hit the origin.. m3u8 or ts are normal http and can be served from the cache..

Votes

Translate

Translate

Report

Report
Community guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
community guidelines
Guest
Jan 03, 2013 Jan 03, 2013

Copy link to clipboard

Copied

Do you have an example of writing an Apache module that does authentication and passes the stripped URL to mod_hlshttp?  This is exactly what I need to do (after beating my head against AMS server-side ActionScript and finally realizing that HLS is handles through Apache...)

I'm sure I could dig on the web, but if you have an example it could probably save me a lot of time/effort/headache...

Thanks in advance.

Votes

Translate

Translate

Report

Report
Community guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
community guidelines
Guest
Jan 29, 2013 Jan 29, 2013

Copy link to clipboard

Copied

I am trying to achieve this as well - an example would be really great.

Votes

Translate

Translate

Report

Report
Community guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
community guidelines
Guest
Aug 20, 2013 Aug 20, 2013

Copy link to clipboard

Copied

How about the example? I need it also.

Could you please share it?

Thanks in advance.

Votes

Translate

Translate

Report

Report
Community guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
community guidelines
Explorer ,
May 21, 2015 May 21, 2015

Copy link to clipboard

Copied

LATEST

Hej there, I have the same situation right now and need some help as well. Unfortunately adobe does not share any further informations regarding their server architecture or any non-out of the box features, which is really annoying. Does anybody has a solution for that so far? Help would be really appreciated! If I will find a solution, I will post it here as well! Thanks

Votes

Translate

Translate

Report

Report
Community guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
community guidelines