Hiding your video location with secure streaming
Secure HTTP streaming
This demo shows you the theory behind hiding a video's URL. The URL is secured using the secure streaming plugin which is available only for Flowplayer versions 3.1 and above. You can download the free version or upgrade to the latest commercial version of Flowplayer here. The purpose of this demo is to teach you the basics of securing the video path; however, the level of security is not enough here. If you need "real" security, move on to demos farther below.
With HTTP-based security, the trick is to alter the requested URL. This example uses the ExtremistsHd.flv video file that can be seen in the page's source code. When the video file is requested, the path of the file is "hashed" and it takes the following format:
/vod/demo.flowplayervod/efc272931609b7cc3a3fdfa0f0bcd258/987987987/ExtremistsHd.flv
HTML coding
Here you can see the video file name which is visible to the user.
<!-- player container. file name is visible. path will be secret -->
<a
    href="ExtremistsHd.flv"
    style="display:block;width:425px;height:300px;"
    id="player">
    <!-- splash image inside the container -->
    <img src="/img/home/flow_eye.jpg" alt="Search engine friendly content" />
</a>
Flowplayer configuration
We need to configure our secure plugin with two important variables: timestamp and token. Both of these variables are used in generating the hashed file path. This simple demo uses a hard-coded timestamp value so that the hashed path will not change from request to request. This gives us the ability to demonstrate the principles of hashing without any server-side logic.
flowplayer("player", "http://releases.flowplayer.org/swf/flowplayer-3.2.7.swf", {
    // enable secure streaming plugin
    plugins: {
        secure: {
            // path to the latest version
            url: 'flowplayer.securestreaming-3.2.3.swf',
            // a hard-coded timestamp
            timestamp: '987987987',
            // a secure token
            token: 'my-token'
        }
    },
    // make the video clip use our secure streaming plugin
    clip: {
        urlResolvers: 'secure',
        // must be given
        baseUrl: 'http://pseudo01.hddn.com/vod/demo.flowplayervod'
    }
});
After this configuration, the actual video URL takes the following format:
/baseUrl/hash/timestamp/streamName
The parts of this URL are as follows:
- baseUrl is determined from the baseUrl given in the clip/common clip or in the clip's URL. If baseUrl is not explicitly specified, it is the same as the embedding HTML page location.
- hash is calculated as follows: MD5.hash(token + "/" + streamName + timestamp) where token is specified in the configuration and should match the value on the server.
- timestamp is a timestamp given as a hex string. This is the number of seconds since January 1, 1970, 00:00:00 in hexadecimal notation. You can calculate this value in the following ways:
  - Java: Long.toHexString(System.currentTimeMillis()/1000)
  - PHP: sprintf("%08x", time())
- streamName is the name of the video file, for example, Extremists.flv, flowplayer.flv, or rocknroll.mp4.
The example above will always generate the following URL:
/video/51c3544ac33a24b012ba69bf6349db78/987987987/Extremists.flv
and when we have the directories on the server, the video file can be loaded directly. We have not achieved our goals yet because anyone can copy-and-paste that URL anywhere they want and load the video. The trick is to alter this video URL from request to request and make those URLs expire after a certain amount of time. You can see such a configuration in the next demo.
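The following server-side sketch is an added example, not code from Flowplayer or from this demo. It builds a path with the hash formula given above and verifies it with an expiry window, which shows why a link with a hard-coded timestamp is rejected once freshness is enforced. The function names and the 60-second max_age are assumptions made for illustration.

```python
import hashlib
import hmac
import re
import time

def url_hash(token, stream_name, ts_hex):
    # Page's formula: MD5(token + "/" + streamName + timestamp)
    return hashlib.md5(f"{token}/{stream_name}{ts_hex}".encode()).hexdigest()

def build_path(base_path, token, stream_name, now=None):
    # Issue a fresh path in the page's format: /baseUrl/hash/timestamp/streamName
    ts_hex = format(int(time.time() if now is None else now), "08x")
    return f"{base_path}/{url_hash(token, stream_name, ts_hex)}/{ts_hex}/{stream_name}"

def verify_path(path, base_path, token, max_age=60, now=None):
    """Return the stream name if the path is authentic and fresh, else None.
    max_age (seconds) is an assumed policy value, not taken from the page."""
    now = int(time.time() if now is None else now)
    if not path.startswith(base_path + "/"):
        return None
    parts = path[len(base_path) + 1:].split("/", 2)
    if len(parts) != 3:
        return None
    given, ts_hex, stream_name = parts
    if not re.fullmatch(r"[0-9a-f]+", ts_hex):
        return None
    expected = url_hash(token, stream_name, ts_hex)
    # Constant-time comparison of the supplied and recomputed hashes
    if not hmac.compare_digest(given.encode(), expected.encode()):
        return None
    # Reject expired links and timestamps that lie in the future
    if not 0 <= now - int(ts_hex, 16) <= max_age:
        return None
    return stream_name

if __name__ == "__main__":
    base, token = "/vod/demo.flowplayervod", "my-token"  # values from the page's demo
    fresh = build_path(base, token, "Extremists.flv")
    print(fresh, "->", verify_path(fresh, base, token))
    # The demo's hard-coded timestamp: the same link on every request
    fixed = f"{base}/{url_hash(token, 'Extremists.flv', '987987987')}/987987987/Extremists.flv"
    print(fixed, "->", verify_path(fixed, base, token))
```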