Install Apache and PHP to do Secure h264 Pseudo Streaming

If you’ve ever wanted to stream MP4s securely over the internet while preventing hotlinking and stealing of your content, hopefully this helps.

1. Install Ubuntu

Download and install Ubuntu from here

2. Install LAMPP settings

Quick and dirty, just install MySQL Server:

sudo apt-get install mysql-server

Then install PHPMyAdmin – make sure to choose Apache2 when it asks for the server

sudo apt-get install phpmyadmin

3. Install H264 Module

By now you should be able to go to your server (http://localhost/phpmyadmin) and login with PHP. This is the very very first key part to get this all working.

We need to install the APache eXtenSion tool, to build and install the module for the Apache server.

sudo apt-get install apache2-threaded-dev

Then download the latest H264 Streaming Module for Apache and untar it.

cd ~
wget http://h264.code-shop.com/download/apache_mod_h264_streaming-2.2.7.tar.gz
tar -zxvf apache_mod_h264_streaming-2.2.7.tar.gz

Next we need to make and install it

cd ~/mod_h264_streaming-2.2.7
./configure --with-apxs=`which apxs2`
make
sudo make install

Edit the Apache config (i.e.: /etc/apache/httpd.conf) to enable the new module

LoadModule h264_streaming_module /usr/lib/apache2/modules/mod_h264_streaming.so
AddHandler h264-streaming.extensions .mp4

Restart apache and the module will be enabled. Now you have the ability to seek and do HTTP Pseudo Streaming. But the next issue is how to keep people from stealing your content. For that we move to the next step.

4. Install Mod-Auth-Token

What is mod_auth_token? mod_auth_token allows you to generate URIs for a determined time window. Exactly the same as mod_securedownload on lighttpd. Basically it makes a link that is only available for a short period of time and then it no longer works. Typically limited to 60 seconds.

Download and make/install the module as so – I’d recommend you copy and paste most of it:

cd ~
wget "http://mod-auth-token.googlecode.com/files/mod_auth_token-1.0.5.tar.gz"
tar xvzf mod_auth_token-1.0.5.tar.gz
cd mod_auth_token-1.0.5/
sudo rm missing
sudo ln -s /usr/share/automake-1.11/missing missing
sudo rm config.guess
sudo ln -s /usr/share/automake-1.11/config.guess config.guess
sudo rm config.sub
sudo ln -s /usr/share/automake-1.11/config.sub config.sub
sudo rm COPYING
sudo ln -s /usr/share/automake-1.11/COPYING COPYING
sudo rm install-sh
sudo ln -s /usr/share/automake-1.11/install-sh install-sh
sudo ./configure
sudo make
sudo make check
sudo make install
sudo service apache2 restart

5. Configure Apache

Edit your site specific config in Apache for the site you want to use this on (i.e.: sites-enabled/default.conf). Add the following to the config file.

# Disable direct access to the folder
<Directory /var/www/downloads>
        AllowOverride None
        allow from all
</Directory>
ScriptAlias /downloads/ /var/www/downloads/
# Token settings
<Location /downloads/>
      AuthTokenSecret       "mysecretstring"
      AuthTokenPrefix       /downloads/
      AuthTokenTimeout      60
      AuthTokenLimitByIp    off
</Location>

Restart apache and we are done with that part of the configuration.

6. Usage

So how do you use it? In the root of your site (i.e.: /var/www/default.com/) make a directory “downloads”. This matches the folder we setup above in the apache site config. Now from the root of the site (/var/www/default.com/) you can call any file that is stored in the downloads folder by calling the following PHP script:

<?php
// Settings to generate the URI
$secret = "mysecretstring";             // Same as AuthTokenSecret
$protectedPath = "/downloads/";        // Same as AuthTokenPrefix
$hexTime = dechex(time());             // Time in Hexadecimal      
$fileName = "/mymp4file.mp4";    // The file to access

$token = md5($secret . $fileName. $hexTime);

// We build the url
$url = $protectedPath . $token. "/" . $hexTime . $fileName;
?>

7. Follow Up

You can see this setup working here: http://videos.ajb.bz/scene/watch/cure_lovesong

That’s it! I’ve successfully used it to stream MP4s over the internet and to multiple clients – all while requiring a secure login to access the media. Post in the comments if you have any things that could be done better or if you have any questions.

2 thoughts on “Install Apache and PHP to do Secure h264 Pseudo Streaming”

  1. Hi

    Thanks for the information but I still have no idea on how mod h264 and auth_token can be used together, I mean :
    1/ you use php to generate a protected url, php writes this url in the html file which is sent to the browser.
    2/ this protected url is used by the video player which makes an http call to it
    3/ the server receives this call, check if the token/timestamp/… is ok, If yes it sends the video and kills the token, so you can’t use the same url again.

    So if you want to go to the time 0:30 for example, you click in the progress bar of the player… which makes a new http call to the same url as before but with “?start=30” which obviously can’t work because :
    – the url is not valid anymore because already used once
    – the url may be not valid anymore because of the 60 (or similar) seconds timeout of the token
    – (maybe, not verified) the url is not valid because the “?start=30” needs to be used to generate the token

    So I really don’t understand how theses 2 mods could be used together without more work.

    The first solution I think of is to modify the video player itself so it generates the url (and not php) but it seems a very bad idea (for example how to generate and check a timestamp if the client is not in the same timezone than the server ?), it also puts the key in a very unsecure and easy to “reverse engineere” file (the swf player).

    Another solution may be to use the javascript API of the player (jwplayer for example) to intercept every “seeking” click to make an ajax call to a php script, which returns a new and valid url, and tells the player to load this url as a new video. (I will try)

    Am I wrong ? Any other idea ?

    1. You’re missing the token timeout. This allows the link to be good for a limited amount of time – it is not request based. Above in the “5. Configure Apache” you see the link timeout is set to 60. That means the link is valid until that time expires.

Comments are closed.