I want to stream an m3u8 file from Google Cloud Storage using signed URLs. I tried to generate a signed URL for the manifest.m3u8 file; however, this didn't work since the different streams don't have a valid signed URL either.

I'm trying to come up with a solution to give a client access to all the needed segments when reading out the manifest.m3u8.

Is it possible to swap out the different streams in the manifest.m3u8 file with signed URLs to each stream? Am I missing something?

Manifest.m3u8

```
#EXTM3U
#EXT-X-MEDIA:TYPE=AUDIO,GROUP-ID="audio",NAME="Test Language",DEFAULT=YES,AUTOSELECT=YES,URI="audio-hls-fmp4.m3u8"
#EXT-X-STREAM-INF:BANDWIDTH=774348,AVERAGE-BANDWIDTH=530950,RESOLUTION=1920x1080,AUDIO="audio",CODECS="hvc1.1.4.L123.90,mp4a.40.2"
video-hd-hls-fmp4.m3u8 <-- SWAP THIS WITH SIGNED URL
#EXT-X-STREAM-INF:BANDWIDTH=762873,AVERAGE-BANDWIDTH=507776,RESOLUTION=1280x720,AUDIO="audio",CODECS="hvc1.1.4.L123.90,mp4a.40.2"
video-sd-hls-fmp4.m3u8 <-- SWAP THIS WITH SIGNED URL
```

The only helpful resource I found online was this post; however, this technique seemed fairly cumbersome to me. In the meantime, are there other methods to accomplish this since this post is from 8 years ago?

PS: I'm using Google's NodeJS Cloud Storage library


Objective

In essence, I'm searching for a solution to stream/serve manifest.m3u8 without having to go through my own server. I'm trying to minimize the load on my server as much as possible. This can be done using signed URLs.

The GCP docs use signed URLs; however, they make all the m3u8 resources publicly available in order to successfully stream it. AWS uses something like signed cookies, which solves the problem. However, GCP only has this feature available within Cloud CDN, not Cloud Storage.

What are some other methods to successfully stream an m3u8 file?

Michiel
  • One solution would be to parse the manifest replacing file references with Signed URLs **but** this assumes that the user will play *all* the streams before the Signed URLs expire. An optimization would be to only generate the Signed URL for a stream on-demand but it's unclear whether the clients would support this. – DazWilkin Aug 15 '22 at 22:49
  • Because Signed URLs don't require credentials, they're often used as a solution where a user **is** still required to provide credentials; these are just handled out-of-band. Once the user is auth'd, you generate a Signed URL and give it to the user. To avoid the limitations mentioned above, you may want to consider proxying your users' requests to GCS. The user provides some form of credentials to the proxy and when the user requests a stream from the manifest, the proxy receives the request, authenticates to GCS and provides the stream. – DazWilkin Aug 15 '22 at 22:51
  • Given the first solution, would it be acceptable to set the signed URLs' expiration to 30 days? Since the chance that someone would guess a signed URL is very small. – Michiel Aug 16 '22 at 04:45
  • @DazWilkin wouldn't the _"parse the manifest replacing file references with Signed URLs"_ solution require me to create a separate `manifest.m3u8` file for each request made? Since every single manifest file needs to have unique signed URLs? – Michiel Aug 16 '22 at 05:17
  • I don't understand how your solution is architected. I'm providing an *a priori* suggestion in response to your question. Presumably (!) you serve manifests to customers and, when you provide the manifest, you'd generate the Signed URLs. To be clear, from what I understand of your solution, I think Signed URLs are **not** a good solution. – DazWilkin Aug 16 '22 at 14:55
  • 1) The max expiration time for V4 Signed URLs is 7 days. However, Signed URLs created by the SignBlob API should not be issued for longer than 12 hours due to key rotation. 2) The likelihood of someone guessing a Signed URL is very low, but you would be amazed how fast secrets spread on the dark web. Targets with value will be discovered and advertised. – John Hanley Aug 16 '22 at 22:20
  • @DazWilkin I'm kind of new to streaming m3u8 files. So as far as I understand, streaming m3u8 files via a signed URL is not done. What would be a better solution? Streaming directly from the server itself? For me (personally), the main objective is to keep as much load away from the server as possible. That's why I chose signed URLs in the first place. – Michiel Aug 17 '22 at 07:42
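
The "parse the manifest and replace file references with Signed URLs" approach from the comments, as an added example that is not part of the original thread. It goes beyond the master playlist in the question and also handles media playlists (segment lines and `EXT-X-MAP`), because a relative URI in a playlist fetched through a signed URL resolves without the base URL's query string, so every reference needs its own signature. The function names, bucket name, object prefix and stub signer are assumptions; only `getSignedUrl` (shown in a comment) belongs to `@google-cloud/storage`.

```javascript
// Added example; function names, bucket and sample playlist are constructed.
const BASE = 'https://bucket.invalid/'; // dummy origin, used only to resolve relative URIs
const URI_ATTR = /([:,])URI="([^"]+)"/g; // URI="..." attribute inside an #EXT tag

// Map a playlist reference to an object name, or null if it is not a relative reference.
function toObjectName(playlistObject, ref) {
  const u = new URL(ref, BASE + playlistObject);
  if (ref.startsWith('/') || u.origin !== new URL(BASE).origin) return null;
  return decodeURIComponent(u.pathname.slice(1));
}
// Apply fn to every URI: bare URI lines and URI="..." attributes of #EXT tags.
function mapRefs(text, fn) {
  return text.split(/\r?\n/).map((line) => {
    const t = line.trim();
    if (t === '') return line;
    if (!t.startsWith('#')) return fn(t);
    if (!t.startsWith('#EXT')) return line; // plain comment line
    return line.replace(URI_ATTR, (m, sep, ref) => `${sep}URI="${fn(ref)}"`);
  }).join('\n');
}
// Step 1: object names that need a signed URL.
function referencedObjects(text, playlistObject) {
  const names = new Set();
  mapRefs(text, (ref) => { names.add(toObjectName(playlistObject, ref)); return ref; });
  names.delete(null);
  return [...names];
}
// Step 2: substitute from a Map(objectName -> signed URL). With @google-cloud/storage each entry would come from
//   const [url] = await bucket.file(name).getSignedUrl({ version: 'v4', action: 'read', expires });
function rewritePlaylist(text, playlistObject, signedByName) {
  return mapRefs(text, (ref) => {
    const name = toObjectName(playlistObject, ref);
    if (name === null) return ref; // absolute URL elsewhere: leave untouched
    if (!signedByName.has(name)) throw new Error(`no signed URL for ${name}`);
    return signedByName.get(name);
  });
}

// Constructed sample modelled on the master playlist in the question, plus a stub signer.
const SAMPLE = ['#EXTM3U',
  '#EXT-X-MEDIA:TYPE=AUDIO,GROUP-ID="audio",NAME="Test Language",URI="audio-hls-fmp4.m3u8"',
  '#EXT-X-STREAM-INF:BANDWIDTH=774348,RESOLUTION=1920x1080,AUDIO="audio"',
  'video-hd-hls-fmp4.m3u8'].join('\n');
const fakeSign = (name) => `https://storage.googleapis.com/example-bucket/${name}?X-Goog-Signature=PLACEHOLDER`;
function demo() {
  const obj = 'vod/demo/manifest.m3u8';
  const signed = new Map(referencedObjects(SAMPLE, obj).map((n) => [n, fakeSign(n)]));
  return rewritePlaylist(SAMPLE, obj, signed);
}
console.log(demo());
```

The rewritten playlist embeds bearer URLs, so it is generated per authorised request rather than stored back in the bucket.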

0 Answers