Using Apache's mod_auth_token

Table of Contents

This module is not compiled by default, so you may have to install it first. Please see the mod_auth_token page for instructions.

Server

We will be securing our content in the directory /protected.

AuthTokenSecret "secret"
AuthTokenPrefix "/protected/"
AuthTokenTimeout 3600

Client

On the client we generate an MD5 hash for a specific URL.

#!/bin/bash

ISM_TIMESTAMP=$(php -r "print dechex(time());")
ISM_HASH=$(php -r "print md5('secret/alvin/alvin.ism$(ISM_TIMESTAMP)');"

The ISM_HASH hash is calculated over your secret password, the path to the video server manifest file and the current time.

The last thing to do is to add the hash and timestamp parameters to the URLs that you would normally provide to the player.

For HSS:

http://localhost/protected/$(ISM_HASH)/$(ISM_TIMESTAMP)/alvin/alvin.ism/manifest

For HLS:

http://localhost/protected/$(ISM_HASH)/$(ISM_TIMESTAMP)/alvin/alvin.ism/alvin.m3u8

For HDS:

http://localhost/protected/$(ISM_HASH)/$(ISM_TIMESTAMP)/alvin/alvin.ism/alvin.f4m

Notes

All the requests for a presentation (the playlists, the media playlists, the fragments) are secured, and thus all URLs must have the security hash and timestamp tagged on to their URL. Note that you do not have to do anything for this.

You only have to add the security attributes to the presentation manifest/playlist file. The webserver takes care of adding the security parameters to any URLs referenced in the playlists and media playlists.

Just make sure that you do not have static copies of the playlists (.m3u8 / .f4m / .ismc) stored on disk and let the webserver generate them dynamically.