Using Amazon CloudFront signed URLs, in WS.WebTV, with the StreamClip extension.
When you have configured a Clip or Channel to be private, the WebTV restricts access to it by requiring the user to log in; however, once a user has logged in, a user with enough technical knowledge can find the URLs of the video files and share them with other people. Since the WebTV itself cannot restrict access to the files, anyone who has the URLs of the files will be able to access and download them (without logging into the WebTV).
Protecting your files using Amazon CloudFront
If you are using Amazon S3 and CloudFront to store and serve your video files, you should know that CloudFront allows you to restrict access to them by using "signed URLs". When you have configured your CloudFront distribution to restrict access, no one will be able to access a file without the correct signed URL (a URL carrying some unique parameters). Signed URLs can specify an expiration time (after which the URL stops working) as well as the IP address of the user allowed to access the file (a user with a different IP will be denied). Important: read more regarding expiration time and IP restriction at the bottom, in the "Integration Details, Advanced Configuration" paragraph.
WS.WebTV signed URL generation
Since WS.WebTV 1.5.1, you can use CloudFront signed URLs in WS.WebTV to complement the WebTV authentication system and better protect your video files. When used together, the WebTV automatically generates the signed URLs (in the background) only for logged-in users who are allowed to access the content; additionally, by default, the signed URLs restrict access using an expiration time as well as the current user's IP; therefore, even if a user manages to get the actual URL of a file, no one else will be able to use it.
If you have not already created a bucket in Amazon S3, start by creating one (from the Amazon AWS Console) to store your private content.
NOTE: It is recommended not to share the URL of your S3 bucket publicly.
The whole bucket (or at least the files in the bucket) must be private
When you upload a file to the S3 bucket you must make sure you have not made it public.
You have two ways of doing this:
1. Using a "not public" bucket (see the image below). This is the ideal case, where you have a bucket exclusively for storing private/restricted objects. Basically you must set the bucket permissions so that nothing is public.
2. Using a public bucket (where objects can be public or private) but making sure that the uploaded files do not have anything allowed under "Public access" in the Permissions settings.
Example of a fully private bucket:
Example of private file (in a public bucket):
Uploading private video files from WS.WebTV
If you are uploading private video files from the WebTV (this means you have configured video storage to be AWS) you will need to configure the WebTV to set the privacy of the uploaded files as "private". Edit the WebTV configuration file (config/Config.inc.php) and add the following variable before the PHP closing tag (?>):
$AWS_VIDEO_UPLOAD_ACL = "private";
Once you have a bucket for storing the video files, you need to create the CloudFront Distributions (they will be in charge of serving files). There are two types of distributions:
Web distribution: Intended for playing back video files, using progressive download/pseudo streaming, on the HTML5 video player.
RTMP distribution: Intended for playing back video files, using streaming, on the Flash video player.
We recommend creating one "RTMP" Distribution for Flash and another "Web" Distribution for HTML5 and download.
Creating a CloudFront "Web" Distribution for playing back videos in HTML5
Go to your AWS Console and go to CloudFront, then click the "Create Distribution" button:
In the next screen click "Get Started" inside the "Web" option:
In the next screen set the Distribution options.
NOTE: We will only focus on the private distribution aspects; for information regarding other options, check the CloudFront documentation.
Make sure all options are set correctly and click "Create Distribution".
NOTES:
- After creating, return to the CloudFront distribution list and write down the "Domain Name" of the new distribution; you will need it at a later time.
- Distributions take several minutes to be enabled.
The resulting Domain Name for the new CloudFront distribution would be something like d#############.cloudfront.net (starting with letter "d").
Write the domain name down because you'll need it in the following steps.
Creating a CloudFront "RTMP" Distribution for playing back videos in Flash
Go to your AWS Console and access CloudFront, then click the "Create Distribution" button:
In the next screen click "Get Started" inside the "RTMP" option:
In the next screen set the Distribution options.
NOTE: We will only focus on the private distribution aspects. For information regarding other options, check the CloudFront documentation.
Make sure the options are correctly set and click "Create Distribution".
NOTES:
- After creating, return to the CloudFront distribution list and write down the "Domain Name" of the new distribution; you will need it at a later time.
- Distributions take several minutes to be enabled.
The resulting Domain Name for the new CloudFront distribution would be something like s#############.cloudfront.net (starting with letter "s").
Write the domain name down because you'll need it in the following steps.
The next step is to get your CloudFront credentials and configure the WebTV to use them (the credentials will be used to "sign" the URLs of the files).
Getting your CloudFront Credentials
*** NOTE: You must have logged in using your AWS Console root credentials ***
Click your Account Name (at the top) and select "Security Credentials":
In the next screen, unfold the "CloudFront Key Pairs" section and click the "Create New Key Pair" button:
IMPORTANT: After clicking the "Create New Key Pair" button, a window will appear notifying you that the Key Pair was created and offering the option to download the key files. You must write down your Access Key ID and download the key files.
The first thing you need to do now, is to upload your private key file to your WebTV's config/ folder.
IMPORTANT NOTE: The private key file downloaded from Amazon includes the Key-Pair-Id in its name; for security reasons, we strongly recommend that you rename the private key file to include some random numbers or letters, so that its name cannot be guessed from the Key-Pair-Id. So, if (for example) the downloaded file is pk-AJKAI5XNI8UFLW5E38W7.pem, rename it to pk-AJKAI5XNI8UFLW5E38W7-some-random-numbers.pem.
In order to supply the WebTV your credentials you must edit the WebTV configuration file (config/Config.inc.php) and add the Key Pair ID and name of the Private Key file as follows, before the PHP closing tag (?>):
$AWS_CF_CREDENTIALS["unique_id"] = "Key-Pair-Id,Private_key_file_name";
unique_id: A name used to access the credentials. This exists because the WebTV can use multiple credentials if required; if you are only using one, simply use cf1
Key-Pair-Id: This is the Access Key ID; it should be something like this: AJKAI5XNI8UFLW5E38W7
Private_key_file_name: The name of the Private Key file you must have uploaded previously to your WebTV's config folder; it should be something like this (after you renamed it): pk-AJKAI5XNI8UFLW5E38W7-8998741258991.pem
Example:
$AWS_CF_CREDENTIALS["cf1"] = "AJKAI5XNI8UFLW5E38W7,pk-AJKAI5XNI8UFLW5E38W7-8998741258991.pem";
Now that you have created your CloudFront Distributions, obtained your credentials and configured the WebTV to use them, you are ready to reference your files in the WebTV!
By this time, you should be familiar with how to create and edit a StreamClip. If this is not the case, please check the "StreamClip VOD" tutorial before continuing.
H.264 Flash Streaming (RTMP Distribution)
If your file has ".mp4" extension, the URL to supply to the corresponding quality (Flash slot) would be like this:
[cfsig]rtmp://s#############.cloudfront.net:1935/cfx/st/mp4:video-file-name.mp4
Example: [cfsig]rtmp://s#############.cloudfront.net:1935/cfx/st/mp4:my_private_video.mp4
Please, note the "[cfsig]" at the beginning of the URL and "mp4:" before the file name. Additionally, you'll need to use the corresponding domain name.
HTML5/Progressive Download (Web Distribution)
If your file has ".mp4" extension, the URL to supply to the corresponding quality (HTML5 slot) would be like this:
[cfsig]http://d#############.cloudfront.net/video-file-name.mp4
Example: [cfsig]http://d#############.cloudfront.net/my_private_video.mp4
Please, note the "[cfsig]" at the beginning of the URL. Additionally, you'll need to use the corresponding domain name.
Alternatively, this can be done by entering the corresponding Base URL formulas in Configuration > Video:
Flash Formula
The URL Formula to enter into the corresponding quality (Flash slot) would be like this:
[cfsig]rtmp://s#############.cloudfront.net:1935/cfx/st/mp4:{filename.ext}
Please, note the "[cfsig]" at the beginning of the formula and "mp4:" before the special label.
HTML5 Formula
The URL Formula to enter into the corresponding quality (HTML5 or Flash slot) would be like this:
[cfsig]https://d#############.cloudfront.net/{filename.ext}
Please, note the "[cfsig]" at the beginning of the formula.
Integration details
As you can see, in order for the WebTV to use signed URLs, the CloudFront URLs must carry the "[cfsig]" prefix. When WS.WebTV finds that special tag, it signs the CloudFront URL (in the background) using the credentials provided in the configuration file.
Advanced Configuration
As we explained at the beginning of this document, the signed URLs use an expiration time and the current user IP; you can modify the options by editing the WebTV configuration file (config/Config.inc.php) and adding the following variables, before the PHP closing tag (?>):
$AWS_CF_SIGNED_URL_EXPIRATION = 3600; // The signed URL will stop working once this time (in seconds) has elapsed (3600 = 1hr)
$AWS_CF_SIGNED_URL_RESTRICT_USER_IP = true; // To restrict the signed URLs by user IP. Options: true, false
IMPORTANT NOTE: If IPv6 support is enabled on the restricted CloudFront distribution, then users connecting over IPv6 will only be able to watch the content if you disable the IP restriction. If you do not consider IPv6 support important, disable it for the CloudFront distribution instead.
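To make the "Integration details" and "Advanced Configuration" sections concrete, here is an added example of how a "[cfsig]" URL is turned into a CloudFront signed URL with a custom policy. This is illustrative code written for this page, not WS.WebTV's own implementation: the function names (cfSignUrl, cfBuildPolicy, cfSafeBase64) and the config directory path are assumptions, while the credential entry and the two expiration/IP variables reuse the format shown above. It only handles http(s) URLs from a "Web" distribution; RTMP stream names are signed differently and are not covered here.

```php
<?php
// Added example (not WS.WebTV code): signing a "[cfsig]" URL for a CloudFront
// Web distribution with a custom policy (expiration + optional IPv4 restriction).
// The credential entry format and the two variables follow this document;
// the key file is assumed to have been uploaded to the config/ folder.

$AWS_CF_CREDENTIALS["cf1"] = "AJKAI5XNI8UFLW5E38W7,pk-AJKAI5XNI8UFLW5E38W7-8998741258991.pem";
$AWS_CF_SIGNED_URL_EXPIRATION = 3600;       // seconds until the signed URL stops working
$AWS_CF_SIGNED_URL_RESTRICT_USER_IP = true; // bind the URL to the requesting user's IP

// CloudFront's URL-safe base64: '+' becomes '-', '=' becomes '_', '/' becomes '~'.
function cfSafeBase64(string $bin): string {
    return strtr(base64_encode($bin), '+=/', '-_~');
}

// Build the custom policy document. "Resource" is the exact URL being signed.
function cfBuildPolicy(string $resource, int $expiresEpoch, ?string $clientIp): string {
    $condition = ['DateLessThan' => ['AWS:EpochTime' => $expiresEpoch]];
    // The IpAddress condition accepts IPv4 CIDR only, which is why IPv6 viewers
    // need the restriction disabled (or IPv6 turned off on the distribution).
    // Design choice here: silently skip the IP condition for non-IPv4 addresses.
    if ($clientIp !== null && filter_var($clientIp, FILTER_VALIDATE_IP, FILTER_FLAG_IPV4)) {
        $condition['IpAddress'] = ['AWS:SourceIp' => $clientIp . '/32'];
    }
    $policy = ['Statement' => [['Resource' => $resource, 'Condition' => $condition]]];
    // No whitespace in the policy: json_encode emits a compact document.
    return json_encode($policy, JSON_UNESCAPED_SLASHES);
}

function cfSignUrl(string $taggedUrl, string $credentialEntry, string $configDir,
                   int $ttl, bool $restrictIp, ?string $clientIp): string {
    if (strpos($taggedUrl, '[cfsig]') !== 0) {
        return $taggedUrl; // not marked for signing: pass through unchanged
    }
    $url = substr($taggedUrl, strlen('[cfsig]'));

    // Credential entry is "Key-Pair-Id,Private_key_file_name"; basename()
    // keeps the file name from escaping the config directory.
    [$keyPairId, $keyFile] = explode(',', $credentialEntry, 2);
    $pem = @file_get_contents($configDir . '/' . basename($keyFile));
    if ($pem === false || ($key = openssl_pkey_get_private($pem)) === false) {
        throw new RuntimeException('Cannot load the CloudFront private key file');
    }

    $policy = cfBuildPolicy($url, time() + $ttl, $restrictIp ? $clientIp : null);

    // CloudFront verifies an RSA signature with SHA-1 over the policy document.
    $signature = '';
    if (!openssl_sign($policy, $signature, $key, OPENSSL_ALGO_SHA1)) {
        throw new RuntimeException('Signing the CloudFront policy failed');
    }

    // The encoded values only contain URL-safe characters, so no further
    // percent-encoding is applied (urlencode() would turn '~' into '%7E').
    $sep = strpos($url, '?') === false ? '?' : '&';
    return $url . $sep
        . 'Policy=' . cfSafeBase64($policy)
        . '&Signature=' . cfSafeBase64($signature)
        . '&Key-Pair-Id=' . $keyPairId;
}

// Usage: the domain and file name are placeholders; the IP falls back to a
// documentation address when not running under a web server.
echo cfSignUrl(
    '[cfsig]https://d111111abcdef8.cloudfront.net/my_private_video.mp4',
    $AWS_CF_CREDENTIALS['cf1'],
    __DIR__ . '/config',
    $AWS_CF_SIGNED_URL_EXPIRATION,
    $AWS_CF_SIGNED_URL_RESTRICT_USER_IP,
    $_SERVER['REMOTE_ADDR'] ?? '203.0.113.10'
), PHP_EOL;
```

A quick way to confirm the distribution is actually restricted is to request the plain URL (without the Policy, Signature and Key-Pair-Id parameters) from a browser or with curl: a correctly configured private distribution answers 403 rather than serving the file. Note that the private key read here is the same file the "IMPORTANT NOTE" above asks you to rename, so keep it outside any web-served directory listing and readable only by the web server user.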
For WS.WebTV version 2.0 and newer
When you enable the "Download" menu for a Clip, set it to "Yes, WebTV Files" or "Yes, WebTV Files + Other Files", and the HTML5 quality fields reference .mp4 files (from a "Web" CloudFront distribution), the system will automatically generate the corresponding (signed) download URLs for those files. However, if in the "Download" menu of a Clip you want to provide links to files other than the ones referenced in the HTML5 quality fields, and those files also require signed URLs, then follow steps 1 and 2 of the following section.
For WS.WebTV versions prior to 2.0
If you plan to enable the "Download" menu for a Clip and you want to provide a (private) CloudFront URL to a file (so it can only be downloaded by authorized users), then you need to use a special URL generated by the WebTV, which signs the URL so that authorized users can download the file.
In order to enable the "Download" menu for a Clip which uses private CloudFront URLs, follow these steps:
1. On "Show download menu", select "Yes, Other files".
2. Supply manual download link(s): Download links must be generated using the WebTV Signer URL generator utility of the WebTV. To run the utility, open the following URL in a web browser (replacing the placeholder with your WebTV URL):
http://<url_of_your_webtv>/index.php?go=ajax&do=genawscfsignerurl and supply the corresponding CloudFront Web distribution URL. For example:
The following CloudFront URL:
http://d1g31os05ijtr3.cloudfront.net/private_video.mp4
Will be transformed (by the utility) to something like this:
http://<url_of_your_webtv>/index.php?go=ajax&do=getawscfsignedurl&iq=,,http%3A%2F%2Fd1g31os05ijtr3.cloudfront.net%2Fprivate_video.mp4&tp=download
The transformed URL is the one that you must enter into the "Other Files" field.