Welcome to OGeek Q&A Community for programmer and developer-Open, Learning and Share
Welcome To Ask or Share your Answers For Others

Categories

0 votes
223 views
in Technique[技术] by (71.8m points)

php - Flowplayer Secure Streaming with Apache

Update: This is now a tutorial on how to give some level of security to streaming videos if:
1) you are using Flowplayer with Apache
2) you don't want users to be able to download the video (streaming only)
3) you don't want users to be able to put the URL of the video in the browser (limited access videos)
4) you only want users to be able to stream the video if they have the proper credentials

You must have prior knowledge of PHP and .htaccess files.

Original Post:
My client wants his videos hidden so that they cannot be streamed until they are purchased on his domain (he doesn't want users to be able to download the video either). I'm trying to do this with Flowplayer's Secure Streaming and I think I'm almost there 9I'm there now!). After searching everywhere I found this post.

I've restricted hot-linking by other sites via .htaccess now I'm trying to restrict access by someone just copying the url and pasting it in the address bar (i.e. http://www.mydomain.com/videos/testVideo.mov)

I've used PHP/AJAX to generate this HTML (most examples out there use the JS Flowplayer Plugin, I'm using the <object> tag to embed the player, no JS involved. If you use the JS plugin, use that instead of the embedded version, the .htaccess file and the video.php file will be the same.)

$videofilename = 'testVideo.mov';    
$hash = md5('1234');
$timestamp = time();
$videoPath = $hash.'/'.$timestamp.'/'.$videofilename;
echo '
<object width="667" height="375" type="application/x-shockwave-flash" data="http://releases.flowplayer.org/swf/flowplayer-3.2.8.swf">
    <param name="wmode" value="transparent"/>
    <param name="movie" value="../swf/flowplayer.securestreaming-3.2.8.swf" />
    <param name="allowfullscreen" value="true" />
    <param name="timestamp" value="'.$timestamp.'" />
    <param name="token" value="'.$hash.'" />    
    <param name="streamName" value="'.$videofilename.'" />      

    <param name="flashvars" value='config={
        "playlist":[
            {"url": "'.$videoPath.'", "baseUrl": "http://www.mydomain.com/videos", "autoPlay":false,"autoBuffering":true,"bufferLength":5}
            ]

        }' />
</object>';

Now in the directory videos I put this .htaccess file:

 RewriteEngine on
 RewriteRule ^(.*)/(.*)/(.*)$ http://www.mydomain.com/vidoeos/video.php?h=$1&t=$2&v=$3
 RewriteRule ^$ - [F]
 RewriteRule ^[^/]+.(mov|mp4)$ - [F]

Update: The purpose of the php file is to 1) get the data hash, timestamp, and video filename (test.mov or whatever) 2) Make sure everything checks out (I purposely ommitted the security checks in this example for length) and 3) Give Flowplayer the stream of your video. Make sure the $originaltimestamp and $hash are good before giving access. You may also check session credentials, get the 'real' file location from a database, or do any kind of php security checking you want before you give the user access.

Also remember to change the Content-type: field so it correlates with the correct file extension (i.e. video/mp4 if the video is an *.mp4)

And videos/video.php looks like this:

<?php
session_start();

$hash = $_GET['h'];
$streamname = $_GET['v'];
$originaltimestamp = $_GET['t'];

header('Content-Description: File Transfer');
header('Content-type: video/quicktime');
header("Content-length: " . filesize($streamname));
header("Expires: 0");
header("Content-Transfer-Encoding: binary");

$file = fopen($streamname, 'r');
echo stream_get_contents($file);    
fclose($file);
?>

Three files total, the HTML with the player, the .htaccess file and lastly the video.php file. My original problem was the $streamname was wrong. Remember the $streamname should be the file location after (or under) the BaseUrl. Hope this helps someone like me!

Anyone see security issues with doing it this way?

See Question&Answers more detail:os

与恶龙缠斗过久,自身亦成为恶龙;凝视深渊过久,深渊将回以凝视…
Welcome To Ask or Share your Answers For Others

1 Reply

0 votes
by (71.8m points)

Okay I solved it! In this line:

$streamname = "http://www.mydomain.com/videos/".$streamname; (It's not up there anymore)

I had it all wrong. All I had to do was delete this line and it worked. It will start with your baseUrl. So it was already at the 'videos' folder so the $streamname should equal just the location of the file after the baseUrl.

On a side note, this took me about a week to solve I was looking everywhere on the internet to put the pieces together. I created this into a tutorial so others won't have such a headache (hopefully!)


与恶龙缠斗过久,自身亦成为恶龙;凝视深渊过久,深渊将回以凝视…
OGeek|极客中国-欢迎来到极客的世界,一个免费开放的程序员编程交流平台!开放,进步,分享!让技术改变生活,让极客改变未来! Welcome to OGeek Q&A Community for programmer and developer-Open, Learning and Share
Click Here to Ask a Question

...