2

I am trying to create an application whose core will be to show videos in a learning environment, based on meteor/nodejs. The problem is the streaming itself. As described on many pages, node is not good for serving static content.

So my idea was to let my nginx server serve the video.

The problem is: The videos should not be public, they should only be accessible to a logged in user that has the right to view this video.

Is there any way to configure nginx to let only users that logged in to my app and have the rights to view a video view the video?

What is the best approach?

HopelessN00b
Tobi
  • One imperfect but rather trivial way to implement that is to use [secure_link](http://nginx.org/en/docs/http/ngx_http_secure_link_module.html). – AD7six Nov 15 '14 at 21:14

1 Answer

2

This is indeed the right approach.

Include the auth_request module (not built by default) by recompiling nginx with the `--with-http_auth_request_module` flag.

With it you will be able to grant or deny access to content using the HTTP code of a subrequest sent to your application.

Basically, you will write a controller in your application answering to requests for authentication check and replying either with an HTTP 200 to allow video access or with 401/403 to forbid it.

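```nginx
location /video {
    # Every request under /video first triggers a subrequest to /access
    auth_request /access;
    [ ... ]
}

location = /access {
    # Reachable only through internal subrequests, never directly by clients
    internal;
    proxy_http_version 1.1;
    proxy_set_header Connection "";
    # The subrequest carries no body, only headers
    proxy_set_header Content-Length "";
    # Tell the application which URI the client originally asked for
    proxy_set_header X-Original-URI $request_uri;
    proxy_pass_request_body off;
    proxy_pass http://my_server_app:port/my_controller;
}
```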
Xavier Lucas
  • Do I understand it right? I go to a link of let's say host/video/my-video.mp4 and then the nginx sends an HTTP request to my app on the port with a URI and a set HTTP header of X-Original-URI and my app decides if the user gets access? But what is the best way to decide on the app to connect which user requested the video? – Tobi Nov 15 '14 at 22:32
  • @Tobi Yes, you understand it right. You can forward other headers of the original request using `proxy_set_header 'My-Header' $http_`. For instance pass cookies from the original request to the subrequest, add a header containing user's IP etc. That way you can identify the user. – Xavier Lucas Nov 15 '14 at 22:50
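An added example, not part of the original answer or comments: a sketch of the application-side check that the `/access` subrequest could hit, written for Node.js since the question is about a meteor/nodejs app. The cookie name `sid`, the session table and the per-video ACL are constructed for illustration, and it assumes the session cookie reaches the subrequest. It denies by default, so any `X-Original-URI` that is not an exact, canonical match for a known video gets a 403.

```javascript
// Constructed sample data: session id -> user, and video path -> allowed users.
const SESSIONS = new Map([["s-alice", "alice"], ["s-bob", "bob"]]);
const ACL = new Map([
  ["/video/intro.mp4", new Set(["alice", "bob"])],
  ["/video/advanced.mp4", new Set(["alice"])],
]);

// Parse a Cookie header into a name -> value object.
function parseCookies(header) {
  const out = Object.create(null);
  for (const part of (header || "").split(";")) {
    const i = part.indexOf("=");
    if (i > 0) out[part.slice(0, i).trim()] = part.slice(i + 1).trim();
  }
  return out;
}

// Reduce X-Original-URI ($request_uri, i.e. the raw client URI) to a path.
// nginx matches locations on a normalised URI, so anything that could
// normalise to a different file (dot segments, bad escapes) is rejected.
function normalisePath(originalUri) {
  if (typeof originalUri !== "string" || !originalUri.startsWith("/")) return null;
  let path;
  try {
    path = decodeURIComponent(originalUri.split("?")[0]);
  } catch {
    return null; // malformed percent-encoding
  }
  return path.split("/").includes("..") ? null : path;
}

// Status code for the subrequest: 200 allow, 401 not logged in, 403 forbidden.
function decide(headers) {
  const user = SESSIONS.get(parseCookies(headers["cookie"]).sid);
  if (!user) return 401;
  const path = normalisePath(headers["x-original-uri"]);
  const allowed = path && ACL.get(path);
  return allowed && allowed.has(user) ? 200 : 403;
}

// Request handler with the (req, res) shape expected by http.createServer().
function handler(req, res) {
  res.statusCode = decide(req.headers);
  res.end(); // auth_request only looks at the status code, not the body
}
```

Pass `handler` to `http.createServer()` and point `proxy_pass` in the `/access` location at the address it listens on.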