Securing HLS with Token Authentication

denizb · Jan 6, 2015 · Viewed 8.3k times

I'm trying to protect, as best I can, HTTP Live Stream format videos on our CDN. I would like to protect against hot linking and URL sharing, and prevent access to streams that are not yet published.

Each video has multiple bitrates, so the HLS files consist of a master m3u8 manifest which points to several sub manifest files, which in turn point to ts files (transport stream). These ts files are 9-second segments of mp4 video.

HLS files are stored on our CDN and can be accessed via HTTPS. We have token authentication enabled on the CDN (Edgecast).

The videos are to be streamed from behind a paywall and need to be playable in JWPlayer which does not support AES encryption.

What are my best options? Right now I am generating the m3u8 manifest files on the fly and inserting tokens into the URLs for the .ts files. This way the ts files are only valid for 60 minutes. Is it smarter to secure the sub manifest files with tokens as well?

Is there a better way to secure the content and still have the ability to playback in JWPlayer 6?

Answer

mkorszun · Nov 3, 2016

I had a similar issue. I wanted to protect (Authenticate & Authorize) HLS streams (master playlist + segment files) stored in an S3 bucket. This is my solution:

  • I have created a VPC endpoint for my bucket which stores private HLS streams
  • Then I have implemented a reverse proxy and granted it access to this S3 VPC endpoint

So, every request made by the player (for the master playlist file or segments) goes through the proxy. The players need to set a couple of custom HTTP headers (auth token, user info, etc.). The reverse proxy then performs Authentication & Authorization against my user API. Based on the result, the reverse proxy either passes the request to the given S3 content or refuses it.
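
The manifest-rewriting approach described in the question, with the matching edge/proxy-side check, as an added example that is not code from either poster. It uses a generic HMAC-SHA256 token rather than Edgecast's own token format; `SECRET`, the `exp`/`sig` parameter names, the `/vod/demo/low/` path and the sample playlist are constructed assumptions. The same rewrite applies to the sub manifest URIs in a master playlist.

```python
import hashlib
import hmac
import time
from urllib.parse import parse_qs, urlsplit

SECRET = b"constructed-demo-key"  # assumption: key shared by the app and the edge/proxy
TTL = 60 * 60                     # 60 minutes, as in the question

# Constructed sample media playlist (9-second segments).
MEDIA = """#EXTM3U
#EXT-X-TARGETDURATION:9
#EXTINF:9.0,
seg0.ts
#EXTINF:9.0,
seg1.ts
#EXT-X-ENDLIST
"""

def sign(path, expires, key=SECRET):
    """HMAC over the absolute URL path and expiry, so a token cannot be moved to another file."""
    return hmac.new(key, f"{path}|{expires}".encode(), hashlib.sha256).hexdigest()

def tokenize_playlist(text, base_path, now=None, ttl=TTL):
    """Append exp/sig to every URI line; works for master and media playlists alike."""
    exp = (int(time.time()) if now is None else now) + ttl
    out = []
    for line in text.splitlines():
        uri = line.strip()
        if uri and not uri.startswith("#"):  # non-tag, non-blank lines are URIs
            line = f"{uri}?exp={exp}&sig={sign(base_path + uri, exp)}"
        out.append(line)
    return "\n".join(out) + "\n"

def verify(url, now=None, key=SECRET):
    """Edge/proxy-side check: reject missing, expired, or mismatched tokens."""
    now = int(time.time()) if now is None else now
    parts = urlsplit(url)
    query = parse_qs(parts.query)
    try:
        exp, sig = int(query["exp"][0]), query["sig"][0]
    except (KeyError, ValueError):
        return False
    if exp < now:
        return False
    expected = sign(parts.path, exp, key)
    return hmac.compare_digest(sig.encode(), expected.encode())

if __name__ == "__main__":
    print(tokenize_playlist(MEDIA, "/vod/demo/low/"))
```

The token here is bound only to the path and expiry, so a copied URL keeps working until `exp`; tying it to a user or session requires adding that value to the signed message and checking it at the edge or proxy.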