Signed HLS Content

The standard "signed URL" access control method used by the Video plug-in works fine for downloadable media content, but does not fully prevent unauthorized access to HLS content. Signed URLs prevent unauthorized access to top-level media files, but do not protect the underlying .m3u8 files and the .ts segment files that hold the actual video content. Amazon CloudFront offers the use of a signed cookies method as an alternative to signed URLs, which solves this problem. Using signed cookies, all the components of an HLS stream are only accessible via your web site, and cannot be directly accessed by users. This method also protects downloadable media content, so it is a complete replacement for the use of signed URLs that also fully protects HLS content.
The signed cookies feature is only available on Amazon CloudFront. It is not available when serving media content directly from S3. It is also only available for CUE Front-based publications – you cannot use this feature with JSP-based publications.
To make use of the signed cookies feature you need to:
- Create a CloudFrontSignedCookieGenerator.properties file (see CloudFrontSignedCookieGenerator.properties).
- Set the defaultURLGenerator property in MediaInfoGenerator.properties to /com/escenic/video/presentation/CloudFrontSignedCookieGenerator (see AWSMediaInfoGenerator.properties). Alternatively, you may want to set up a publication-specific profile containing this setting (see URL Generator Profiles).
- Make sure that both S3 and CloudFront are set up with the correct CORS policies:
  - For a site with the domain name mysite.com, the S3 output bucket would need a CORS configuration like this:

        <?xml version="1.0" encoding="UTF-8"?>
        <CORSConfiguration xmlns="http://s3.amazonaws.com/doc/2006-03-01/">
          <CORSRule>
            <AllowedOrigin>http://mysite.com</AllowedOrigin>
            <AllowedMethod>GET</AllowedMethod>
            <ExposeHeader>ETag</ExposeHeader>
            <AllowedHeader>*</AllowedHeader>
          </CORSRule>
        </CORSConfiguration>

    If content is being served via CUE Front, then your Cook endpoints must also be included as allowed origins. For the tomorrow-online publication, for example, you would need to specify:

        <?xml version="1.0" encoding="UTF-8"?>
        <CORSConfiguration xmlns="http://s3.amazonaws.com/doc/2006-03-01/">
          <CORSRule>
            <AllowedOrigin>http://mysite.com</AllowedOrigin>
            <AllowedMethod>GET</AllowedMethod>
            <ExposeHeader>ETag</ExposeHeader>
            <AllowedHeader>*</AllowedHeader>
          </CORSRule>
          <CORSRule>
            <AllowedOrigin>http://tomorrow-online.mysite.com</AllowedOrigin>
            <AllowedMethod>GET</AllowedMethod>
            <ExposeHeader>ETag</ExposeHeader>
            <AllowedHeader>*</AllowedHeader>
          </CORSRule>
          <CORSRule>
            <AllowedOrigin>http://tomorrow-online.mysite.com:8101</AllowedOrigin> <!-- port 8101 used for cookies -->
            <AllowedMethod>GET</AllowedMethod>
            <ExposeHeader>ETag</ExposeHeader>
            <AllowedHeader>*</AllowedHeader>
          </CORSRule>
        </CORSConfiguration>

  - Set up CloudFront to forward the following headers:
    Access-Control-Allow-Credentials
    Access-Control-Allow-Origin
    Access-Control-Request-Headers
    Access-Control-Request-Method
    Origin

    For more information about CloudFront cache configuration and CORS, see here and here.
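As an added check (example code, not part of the Video plug-in documentation): a script that parses an S3 CORS configuration and reports the origins still missing for signed-cookie playback, any wildcard origin, and any method beyond GET. The required_origins helper and the port 8101 cookie endpoint are assumptions modelled on the tomorrow-online example above; the embedded sample is the single-rule configuration from that example.

```python
# Added example: validate an S3 CORS configuration against the origins that
# signed-cookie HLS playback through CUE Front needs.
import xml.etree.ElementTree as ET

S3_NS = "{http://s3.amazonaws.com/doc/2006-03-01/}"

# Constructed sample: the single-rule configuration shown for mysite.com. It is
# sufficient for a plain site but lacks the Cook endpoint origins needed once a
# publication is served via CUE Front.
SAMPLE_CORS = """<?xml version="1.0" encoding="UTF-8"?>
<CORSConfiguration xmlns="http://s3.amazonaws.com/doc/2006-03-01/">
  <CORSRule>
    <AllowedOrigin>http://mysite.com</AllowedOrigin>
    <AllowedMethod>GET</AllowedMethod>
    <ExposeHeader>ETag</ExposeHeader>
    <AllowedHeader>*</AllowedHeader>
  </CORSRule>
</CORSConfiguration>"""


def required_origins(site, publications, cookie_port=8101):
    """Origins a signed-cookie setup needs (assumed scheme/port layout): the
    site itself plus, per CUE Front publication, its Cook endpoint both with
    and without the port used to set the cookies."""
    origins = {f"http://{site}"}
    for pub in publications:
        origins.add(f"http://{pub}.{site}")
        origins.add(f"http://{pub}.{site}:{cookie_port}")
    return origins


def check_cors(xml_text, needed):
    """Return a dict of findings; an empty dict means the configuration passes."""
    root = ET.fromstring(xml_text)
    allowed = {}  # origin -> set of allowed methods across all rules
    for rule in root.iter(S3_NS + "CORSRule"):
        methods = {m.text.strip() for m in rule.iter(S3_NS + "AllowedMethod")}
        for origin in rule.iter(S3_NS + "AllowedOrigin"):
            allowed.setdefault(origin.text.strip(), set()).update(methods)
    findings = {}
    missing = sorted(needed - allowed.keys())
    if missing:
        findings["missing_origins"] = missing
    # Browsers reject credentialed (cookie) responses whose
    # Access-Control-Allow-Origin is "*", and a wildcard also opens the bucket
    # to every site, so a wildcard rule is a finding either way.
    if "*" in allowed:
        findings["wildcard_origin"] = True
    # Playback needs only GET; anything else widens the bucket's exposure.
    extra = sorted({m for ms in allowed.values() for m in ms if m != "GET"})
    if extra:
        findings["non_get_methods"] = extra
    return findings
```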