Signed policy IP address behind proxy

[hernanrz]

If OME is behind a reverse proxy, like nginx, OME will see nginx's IP address connected to it, nginx can pass a X-Forwarded-For header with the client's real IP, is there a way OME can securely use this IP, instead of the IP from nginx, when validating signed policy allow_ip?

We use nginx as a caching reverse proxy, which helps us alleviate CPU load from OME by sending out cached stream segments

[getroot]

This has been in our backlog but we haven't processed it in a while. We'll look at this feature soon.

[naanlizard]

Any progress here?

[getroot]

I'm really busy this year! But I will have time soon. I'll try to add it soon.

[getroot]

Sorry for the delay. I finally added this feature. If you have any issues using it or have any additional suggestions, please feel free to comment.

#1665

[getroot]

I have one question.

In order to use SignedPolicy, OME must run LLHLS in non-origin mode, which means that every session has a unique filename. This means that nginx cannot cache the LLHLS files. On the other hand, the fact that nginx serves the cached files immediately means that OME's SignedPolicy does not work. Therefore, this kind of onetime url must be served from the edge, like cloudfront's signed url. In other words, OME's SignedPolicy is not for LLHLS Origin Mode.

When using SignedPolicy, it is essential that every session has a unique filename, because OME needs to distinguish sessions that have passed the ACL of the Master Playlist. When playing LLHLS, the player connects to the server with multiple connections, and disconnects and reconnects frequently. Therefore, it is not possible to distinguish sessions that have passed the ACL based on the connection alone, but rather distinguish sessions based on whether they know the unique filename issued.

What case do you have in this situation?