Signed HLS Content

The standard "signed URL" access control method used by the Video plug-in works fine for downloadable media content, but does not fully prevent unauthorized access to HLS content. Signed URLs prevent unauthorized access to top level media files, but do not protect the underlying .m3u8 files and the .ts segment files that hold the actual video content. Amazon CloudFront offers the use of a signed cookies method as an alternative to signed URLs, which solves this problem. Using signed cookies, all the components of an HLS stream are only accessible via your web site, and cannot be directly accessed by users. This method also protects downloadable media content, so it is a complete replacement for the use of signed URLs that also fully protects HLS content.

The signed cookies feature is only available on Amazon CloudFront. It is not available when serving media content directly from S3. It is also only available for CUE Front-based publications – you cannot use this feature with JSP-based publications.

To make use of the signed cookies feature you need to:

• Create a CloudFrontSignedCookieGenerator.properties file (see CloudFrontSignedCookieGenerator.properties)

• Set the defaultURLGenerator property in MediaInfoGenerator.properties to /com/escenic/video/presentation/CloudFrontSignedCookieGenerator (see AWSMediaInfoGenerator.properties). Alternatively, you may want to set up a publication-specific profile containing this setting (see URL Generator Profiles).

• Make sure that both S3 and CloudFront are set up with the correct CORS policies:

  • For a site with the domain name mysite.com, the S3 output bucket would need a CORs configuration like this:

    <?xml version="1.0" encoding="UTF-8"?>
    <CORSConfiguration xmlns="http://s3.amazonaws.com/doc/2006-03-01/">
      <CORSRule>
        <AllowedOrigin>http://mysite.com</AllowedOrigin>
        <AllowedMethod>GET</AllowedMethod>
        <ExposeHeader>ETag</ExposeHeader>
        <AllowedHeader>*</AllowedHeader>
      </CORSRule>
    </CORSConfiguration>

    If content is being served via CUE front, then your Cook endpoints must also be included as allowed origins. For the tomorrow-online publication, for example, you would need to specify:

    <?xml version="1.0" encoding="UTF-8"?>
    <CORSConfiguration xmlns="http://s3.amazonaws.com/doc/2006-03-01/">
      <CORSRule>
        <AllowedOrigin>http://mysite.com</AllowedOrigin>
        <AllowedMethod>GET</AllowedMethod>
        <ExposeHeader>ETag</ExposeHeader>
        <AllowedHeader>*</AllowedHeader>
      </CORSRule>
      <CORSRule>
        <AllowedOrigin>http://tomorrow-online.mysite.com</AllowedOrigin>
        <AllowedMethod>GET</AllowedMethod>
        <ExposeHeader>ETag</ExposeHeader>
        <AllowedHeader>*</AllowedHeader>
      </CORSRule>
      <CORSRule>
        <AllowedOrigin>http://tomorrow-online.mysite.com:8101</AllowedOrigin> <!-- port 8101 used for cookies -->
        <AllowedMethod>GET</AllowedMethod>
        <ExposeHeader>ETag</ExposeHeader>
        <AllowedHeader>*</AllowedHeader>
      </CORSRule>
    </CORSConfiguration>

  • Set up CloudFront to forward the following headers:

    Access-Control-Allow-Credentials
    Access-Control-Allow-Origin
    Access-Control-Request-Headers
    Access-Control-Request-Method
    Origin

    For more information about Cloudfront cache configuration and CORs, see here and here.