If you’ve ever wanted to stream MP4s securely over the internet while preventing hotlinking and unauthorized sharing of your content, this guide should help you get started. We’ll walk you through installing Ubuntu, setting up Apache with H.264 pseudo-streaming, and finally enabling token authentication with mod_auth_token.
1. Install Ubuntu
For a fresh server setup, use the latest Ubuntu LTS. You can download Ubuntu from the official Ubuntu website. Install Ubuntu as you normally would.
2. Install LAMP Components
We’ll assume you want to keep things quick and simple. First, install MySQL and PHPMyAdmin. If Apache isn’t installed yet, we’ll include that too.
- Install Apache & MySQL
sudo apt-get updatesudo apt-get install apache2 mysql-server - Secure your MySQL installation (highly recommended)
sudo mysql_secure_installation
Follow the prompts to set a root password and improve MySQL security defaults. - Install PHP and PHPMyAdmin
sudo apt-get install php php-mysql libapache2-mod-php phpmyadmin
When prompted, choose “apache2” as the server for PHPMyAdmin.
By now, you should be able to navigate to http://<your-server-ip>/phpmyadmin and log into PHPMyAdmin.
3. Install the H.264 Streaming Module
The H.264 streaming module (mod_h264_streaming) adds support for HTTP pseudo-streaming, letting you seek within MP4 files without re-downloading the entire file.
- Install Apache development tools
sudo apt-get install apache2-dev
Note: In older Ubuntu versions, the package might be calledapache2-threaded-dev. On newer releases, it’s usually justapache2-dev. - Download and extract the H.264 streaming module
cd ~ wget http://h264.code-shop.com/download/apache_mod_h264_streaming-2.2.7.tar.gztar -zxvf apache_mod_h264_streaming-2.2.7.tar.gzcd mod_h264_streaming-2.2.7 - Compile and install
./configure --with-apxs=$(which apxs2)make sudo make install - Enable the module
Edit your Apache config (e.g.,/etc/apache2/apache2.confor a site-specific config in/etc/apache2/sites-available/) and add:LoadModule h264_streaming_module /usr/lib/apache2/modules/mod_h264_streaming.soAddHandler h264-streaming.extensions .mp4 - Restart Apache
sudo service apache2 restart
You should now have HTTP pseudo-streaming for your .mp4 files. Next, let’s secure your content so only authorized links can access those MP4s.
4. Install mod_auth_token
mod_auth_token allows you to generate time-limited URLs, so links can “expire” after a certain period. This is crucial to prevent hotlinking, as anyone trying to share the direct link will soon find it invalid.
- Download and extract mod_auth_token
cd ~ wget "http://mod-auth-token.googlecode.com/files/mod_auth_token-1.0.5.tar.gz"tar -xvzf mod_auth_token-1.0.5.tar.gz cd mod_auth_token-1.0.5/ - Fix missing files and configure (some Ubuntu setups require these symlinks)
sudo rm missingsudo ln -s /usr/share/automake-1.16/missing missingsudo rm config.guesssudo ln -s /usr/share/automake-1.16/config.guess config.guesssudo rm config.subsudo ln -s /usr/share/automake-1.16/config.sub config.subsudo rm COPYINGsudo ln -s /usr/share/automake-1.16/COPYING COPYINGsudo rm install-shsudo ln -s /usr/share/automake-1.16/install-sh install-shsudo ./configuresudo makesudo make check
Note: If your version of automake is different (e.g., 1.15, 1.16, etc.), adjust the commands accordingly. - Install mod_auth_token
sudo make installsudo service apache2 restart
5. Configure Apache
Let’s configure token-based access for your MP4 directory. For example, assume your files will live in /var/www/downloads.
Edit your Apache site config
Open /etc/apache2/sites-available/000-default.conf (or another .conf file you use) and add something like:
# Disable direct directory indexing
<Directory /var/www/downloads>
AllowOverride None
Require all granted
</Directory>
ScriptAlias /downloads/ /var/www/downloads/
<Location /downloads/>
AuthTokenSecret "mysecretstring"
AuthTokenPrefix /downloads/
AuthTokenTimeout 60
AuthTokenLimitByIp off
</Location>
Restart Apache sudo service apache2 restart
At this point, direct requests to /downloads/mymp4file.mp4 will no longer work unless a valid time-limited token is provided.
6. Usage Example in PHP
Below is a quick PHP snippet you can use to generate time-sensitive URLs. This should be placed somewhere in your site’s code (e.g., index.php or a dedicated script) where you control who has access to download or view the video.
<?php // Settings to generate the URI $secret = "mysecretstring"; // Must match AuthTokenSecret in Apache config $protectedPath = "/downloads/"; // Must match AuthTokenPrefix $hexTime = dechex(time()); // Current Unix time in Hex $fileName = "/mymp4file.mp4"; // The file you want to serve // Generate the token $token = md5($secret . $fileName . $hexTime); // Build the full URL $url = $protectedPath . $token . "/" . $hexTime . $fileName; // Output or redirect to this URL to serve the MP4 echo $url; ?>
When a user accesses the generated $url, mod_auth_token validates that it’s valid and not expired. After 60 seconds (in our example), the URL becomes invalid, thwarting hotlinkers.
7. Conclusion
That’s it! With H.264 pseudo-streaming and mod_auth_token, you can securely stream MP4 files over the internet while preventing unauthorized sharing of your content.
Remember:
- Keep your secrets truly secret. Don’t hardcode them in public repositories.
- Increase or decrease the
AuthTokenTimeoutbased on your needs. - For extra security, consider enabling HTTPS and requiring authentication before generating the URL.
If you run into any issues or have suggestions for improvements, drop them in the comments below or reach out on forums. Happy streaming!
Discover more from AJB Blog
Subscribe to get the latest posts sent to your email.
Hi
Thanks for the information but I still have no idea on how mod h264 and auth_token can be used together, I mean :
1/ you use php to generate a protected url, php writes this url in the html file which is sent to the browser.
2/ this protected url is used by the video player which makes an http call to it
3/ the server receives this call, check if the token/timestamp/… is ok, If yes it sends the video and kills the token, so you can’t use the same url again.
So if you want to go to the time 0:30 for example, you click in the progress bar of the player… which makes a new http call to the same url as before but with “?start=30” which obviously can’t work because :
– the url is not valid anymore because already used once
– the url may be not valid anymore because of the 60 (or similar) seconds timeout of the token
– (maybe, not verified) the url is not valid because the “?start=30” needs to be used to generate the token
So I really don’t understand how theses 2 mods could be used together without more work.
The first solution I think of is to modify the video player itself so it generates the url (and not php) but it seems a very bad idea (for example how to generate and check a timestamp if the client is not in the same timezone than the server ?), it also puts the key in a very unsecure and easy to “reverse engineere” file (the swf player).
Another solution may be to use the javascript API of the player (jwplayer for example) to intercept every “seeking” click to make an ajax call to a php script, which returns a new and valid url, and tells the player to load this url as a new video. (I will try)
Am I wrong ? Any other idea ?
You’re missing the token timeout. This allows the link to be good for a limited amount of time – it is not request based. Above in the “5. Configure Apache” you see the link timeout is set to 60. That means the link is valid until that time expires.