Flowplayer Secure Streaming with Apache

Question

Update: This is now a tutorial on how to give some level of security to streaming videos if:
1) you are using Flowplayer with Apache
2) you don't want users to be able to download the video (streaming only)
3) you don't want users to be able to put the URL of the video in the browser (limited access videos)
4) you only want users to be able to stream the video if they have the proper credentials

You must have prior knowledge of PHP and .htaccess files.

Original Post:
My client wants his videos hidden so that they cannot be streamed until they are purchased on his domain (he doesn't want users to be able to download the video either). I'm trying to do this with Flowplayer's Secure Streaming and I think I'm almost there 9I'm there now!). After searching everywhere I found this post.

I've restricted hot-linking by other sites via .htaccess now I'm trying to restrict access by someone just copying the url and pasting it in the address bar (i.e. http://www.mydomain.com/videos/testVideo.mov)

I've used PHP/AJAX to generate this HTML (most examples out there use the JS Flowplayer Plugin, I'm using the <object> tag to embed the player, no JS involved. If you use the JS plugin, use that instead of the embedded version, the .htaccess file and the video.php file will be the same.)

$videofilename = 'testVideo.mov';    
$hash = md5('1234');
$timestamp = time();
$videoPath = $hash.'/'.$timestamp.'/'.$videofilename;
echo '
<object width="667" height="375" type="application/x-shockwave-flash" data="http://releases.flowplayer.org/swf/flowplayer-3.2.8.swf">
    <param name="wmode" value="transparent"/>
    <param name="movie" value="../swf/flowplayer.securestreaming-3.2.8.swf" />
    <param name="allowfullscreen" value="true" />
    <param name="timestamp" value="'.$timestamp.'" />
    <param name="token" value="'.$hash.'" />    
    <param name="streamName" value="'.$videofilename.'" />      

    <param name="flashvars" value=\'config={
        "playlist":[
            {"url": "'.$videoPath.'", "baseUrl": "http://www.mydomain.com/videos", "autoPlay":false,"autoBuffering":true,"bufferLength":5}
            ]

        }\' />
</object>';

Now in the directory videos I put this .htaccess file:

 RewriteEngine on
 RewriteRule ^(.*)/(.*)/(.*)$ http://www.mydomain.com/vidoeos/video.php?h=$1&t=$2&v=$3
 RewriteRule ^$ - [F]
 RewriteRule ^[^/]+\.(mov|mp4)$ - [F]

Update: The purpose of the php file is to 1) get the data hash, timestamp, and video filename (test.mov or whatever) 2) Make sure everything checks out (I purposely ommitted the security checks in this example for length) and 3) Give Flowplayer the stream of your video. Make sure the $originaltimestamp and $hash are good before giving access. You may also check session credentials, get the 'real' file location from a database, or do any kind of php security checking you want before you give the user access.

Also remember to change the Content-type: field so it correlates with the correct file extension (i.e. video/mp4 if the video is an *.mp4)

And videos/video.php looks like this:

<?php
session_start();

$hash = $_GET['h'];
$streamname = $_GET['v'];
$originaltimestamp = $_GET['t'];

header('Content-Description: File Transfer');
header('Content-type: video/quicktime');
header("Content-length: " . filesize($streamname));
header("Expires: 0");
header("Content-Transfer-Encoding: binary");

$file = fopen($streamname, 'r');
echo stream_get_contents($file);    
fclose($file);
?>

Three files total, the HTML with the player, the .htaccess file and lastly the video.php file. My original problem was the $streamname was wrong. Remember the $streamname should be the file location after (or under) the BaseUrl. Hope this helps someone like me!

Anyone see security issues with doing it this way?

Answer 1

Okay I solved it! In this line:

$streamname = "http://www.mydomain.com/videos/".$streamname; (It's not up there anymore)

I had it all wrong. All I had to do was delete this line and it worked. It will start with your baseUrl. So it was already at the 'videos' folder so the $streamname should equal just the location of the file after the baseUrl.

On a side note, this took me about a week to solve I was looking everywhere on the internet to put the pieces together. I created this into a tutorial so others won't have such a headache (hopefully!)

Answer 2

Took me 2 days to discover this....

If the directory where your videos are stored is CHMOD to 777 then it'll stall the stream...

I went round the houses trying to work out why in hell's name this wouldn't stream my video...

i had an already established directory for video files as used by another popular picture php script which had set that directory to CHMOD 777 during it's time... simply setting it to CHMOD 755 allowed the flv or mp4 to stream to my player embedded into my php page... what i relief!

So thanks for the headache relief... this did help so much, cheers