Adult Script Pro Community Forums

The forum is here for legacy reasons. No new posts will be created. User registration is disabled! If you have any questions, please email us or check https://www.adultscriptpro.com for more details!

You are not logged in.

#1 2012-10-05 01:07:55

Nuevolab
Member
Registered: 2012-08-01
Posts: 189

Video streaming security

Some of you can have huge problem with stealing or leeching your videos.
Even if you use lighttpd, nginx or apache secure download mods - this doesn't stop people and dedictaed software or browser plugins from downloading or leeching your videos.

So as I mentioned already I just finished with writing code for better streaming security.
Basically it is similar to what FlowPlayer does, the advantage is that you don't need to provide hexadecimal value of timestamp, but simple timestamp, which is easy to get in PHP ( command: time(); ). In FLowPlayer you can have problem with defining server port if streaming port is differet than website port. In my solution you can provide port number separately even for each single video.

Of course such security is worth nothing if someone can see streaming secret password and secret url-prefix.
It must be all hardcoded inside flash action script and player swf must be recompiled.

What such security does?

1. In player config file you do not provide full hashed URL of video which can be easily used to steal video, just only video filename.
2. You can low down secure streaming timeout value to few seconds only. For me it works even with "1" second timeout.
3. Hashed URL is calculated inside flash, and everytime you seek in video new one is calculated , which expires almost immediately.

This secures your video files against download or leeching a lot.

However I have some doubts about lighttpd mod_secdownload.
It doesn't protect original (not hashed) URL. So everybody who knows videos folder can download video easily.
My conclusion is that mod_secdownload doesn't protect videos almost at all.
Maybe Symtab can say something more about it?

I'm not sure how nginx ngx_http_secure_download_module works, didn't check it yet.

I am sure about Apache  MOD-AUTH-TOKEN.
This works great. It doesn't allow to download or stream original URL
So downloading/leeching video with such short timeout and mod_auth_token is practically not possible.
This is also what I personally use ( streaming mods for flv and x264 + mod-auth-toke)

Apache has also advantage when using streaming mods through 80 default port.
In many locations port other than 80 is blocked.
(it's possible to use reverse proxy but even this is not 100% solution)

This post is mainly to those who suffer because of video stealing, by downloads or leeched.

Offline

#2 2012-10-05 06:32:49

symtab
Administrator
Registered: 2010-08-23
Posts: 7,501
Website

Re: Video streaming security

Lighttpd mod_secdownload protects videos from leeching/hotlinking (like you said dedicated people/software can still download/leech (leeching by loading the config file every time they want to display the video in their flash player)) in most of the cases. This module wont stop visitors from downloading the video, but it will stop them from leeching/hotlinking. In order to stop direct access to the video via media/videos/flv/ID.flv you have to use auth.require for lighttpd and .htaccess for apache.

Nginx mod_secure_link works in a similar way except that no auth.require is required to secure the URL, direct access is not allowed by default. Also it uses a IP for hash creation, so it makes it harder to leech/hotlink the videos. Download is still possible.

I have to do some more research with Apache. I only used it once. It locks down a entire folder (if i remember correctly) which is not good, but there must be some way around this.


Adult Scripts: Adult Script Pro - Adult Search Script
Adult Advertising/Traffic: Plug Rush - EXOClick - PopAds

Offline

#3 2012-10-05 16:03:33

Nuevolab
Member
Registered: 2012-08-01
Posts: 189

Re: Video streaming security

As you know I know almost everything about streaming, who can know it better if not players developer who does it from years?

Whatever webserver and antihotlink system used, for semi experienced people it is easy to find hashed URL and download video as download timeout must be enough long. It is also possible to get video with most of browser download plugins and with most of video download services or implement download inside video grabber.
And this is what I'm talking about.

This is also why Flowplayer and now Nuevoplayer (does it even better) has an option to compile player in special way, and then not to show hashed URL in configuration php file, do all hash job inside flash app, and additionally set minimum download timeout (3-5 sec) for anti-hotlink mods, whatever webserver is.
This works well against browser downloaders, download services, grabbers, also against those programmers who can try to get video URL from http headers.
Maybe not all people can understand it, but you Symtab surely can smile

You wrote about Apache, that auth_token mod locks down entire folder.
What did you mean by saying "lock folder" ?
I don't see any issue with the folder. I can access multiple videos at the same time, I can proccess video programatically anytime.
If by "locking folder" you mean that original video URL is not accessible - isn't it this what we just want?

Last edited by Nuevolab (2012-10-05 17:22:32)

Offline

#4 2012-10-05 17:24:54

Eri
Member
Registered: 2011-03-18
Posts: 977

Re: Video streaming security

I have used Lighthttpd and Apache..
Apache was more stable and had faster streaming for me and better security. Moreover i was paying less for bandwidth.


Best Adult Affilitate Network:
ExoClick
Best Deals on Dedicated Servers - CDN
INXY

Offline

#5 2012-10-05 18:20:36

Nuevolab
Member
Registered: 2012-08-01
Posts: 189

Re: Video streaming security

Eri wrote:

Apache was more stable and had faster streaming for me and better security. Moreover i was paying less for bandwidth.

Indeed Apache is little bit faster with streaming mods. But that's normal as it hits standard 80 port.
This is another advantage - streaming through 80 port.
If port is other (like eg.81 for lighttpd) it is not accessible from each location and people may complain they cannot watch video
Reverse proxy can be helpful then, but that's another millisecnds lost for download speed.

Last edited by Nuevolab (2012-10-05 18:30:13)

Offline

#6 2012-10-06 06:50:34

symtab
Administrator
Registered: 2010-08-23
Posts: 7,501
Website

Re: Video streaming security

I'm not worried about the download of videos. I'm worried about leeching/hotlinking, thats what will cost our clients money. We have clients with premium sites and they use flash media server and wowza for streaming. So no downloading either.

Hmm...for me apache locked down (retricted access without the right hash) to the entire /media folder. Probably i did something wrong.


Adult Scripts: Adult Script Pro - Adult Search Script
Adult Advertising/Traffic: Plug Rush - EXOClick - PopAds

Offline

#7 2012-10-06 15:18:40

Nuevolab
Member
Registered: 2012-08-01
Posts: 189

Re: Video streaming security

symtab wrote:

Hmm...for me apache locked down (retricted access without the right hash) to the entire /media folder. Probably i did something wrong.

Setting '/media/' folder as restricted folder is bad idea. There are thumbs,photos.banners, etc. Indeed, everything will be restricted then.
Apache allows to define restricted folder as simple "Location" directive, so you can set multiple separate and selected locations for video folders only. EVen for each single directory you can set different password...

Symtab, don't take me wrong, but I really have huge experience with different type of streaming, just because of what I'm specialized in.
So I do have Wowza account, and Amazon s3, had even access to Akamai and BigGravity for test purposes.
Did tests with smil playlists, auto bitrate selector on flash servers, and many more advanced flash operations, like sound post-process actions.
Personally I do not find RTMP streaming useful, it costs too much bandwith and limits some useful flash operations.
Eg. flash servers do not allow for flash bitmap operations, so such nice features like screenshot, smooth switch between SD/HD, progressbar thumbs will not work.

From other hand streaming through Apache/nginx/lighttpd is not secure, and video always can be downloaded or leeched until timeout value is enough long.

Of course streaming type choice is each user individal case and experience.
Personally for my video site I used lighttpd with streaming mods, mod_secdownload and reverse proxy.
I tried with nginx as well, but it was not working well behind Apache.
Currently for test period I switched to Apache streaming with mod_auth_token and streaming mods of course, and... it's not bad, better than lighttpd.
If I use my latest flash code to limit download timeout, this can be full protection.
I don't hope to surprise the world, not many people even understand what I'm talking about, but as a developer I need to experiment with each advanced or new idea

Last edited by Nuevolab (2012-10-06 16:01:51)

Offline

#8 2012-10-06 23:48:40

symtab
Administrator
Registered: 2010-08-23
Posts: 7,501
Website

Re: Video streaming security

I started using nginx + php-fpm + streaming for some of my new sites. Works pretty good. I like that it also limits the hash for a specific ip.


Adult Scripts: Adult Script Pro - Adult Search Script
Adult Advertising/Traffic: Plug Rush - EXOClick - PopAds

Offline

Board footer

Powered by FluxBB