Oğuzhan Karaman

NGINX, İstenilen Alan Adlarına Erişim İzni

Selamlar,
NGINX kullanırken, 3 – 4 farklı sunucum arasında bir bağlantı oluşturup, bu bağlantıları birbirileri ile köprülüyordum. Ancak, 3 – 4 sunucu benim dışarıdan aldığım bağlantıları başkaları kopyalayabiliyordu. Yani bunun için dışarıdan erişim izinlerini kapatıp, sadece kendi izin verdiğim web sitelerinin o içeriği görmesini sağlamam gerekiyordu.

Bunun için neler yapabiliriz ?
Anahtar Kelime:

nginx.conf

Config dosyası içerisinde bir kaç kısıtlama yaparak istenilen klasöre, veri ve veri türüne erişim iznini kısıtlayabiliyoruz.

Bunu nasıl yapıyoruz ?

Aşağıya eklemiş olduğum kod bloğunu incelediğinizde, m3u8 dosya uzantısı olduğunu farkedeceksiniz. Benim dışarıdan erişim iznine kapatmak istediğim dosya uzantısı m3u8 kaynaklı.

add_header 'Access-Control-Allow-Origin' '*' always;
			add_header 'Cache-Control' 'no-cache' always;
			if ($request_uri ~* "/.*\.m3u8") {
				set $test A;
			}
			if ($http_referer !~ "^(http://|https://)(oguzhankaraman\.com.tr)/") {
				set $test "${test}B";
			}
			if ($test = AB) {
				return 403;
			}

Buraya yapmış olduğumuz if içerisinde if kullanımıyla, HTTP_REFERER
yani bizim tarafımızdan sağlanan REFERANS linklerini erişim iznine açmış olduk.

nginx.conf;

worker_processes  1;
error_log  logs/error.log;
events {
	worker_connections  1024;
}

http {

	keepalive_timeout	60;
	send_timeout        10;
	keepalive_requests  10;
	client_body_timeout 10;

	#gzip		on;
	sendfile		on;
	include		mime.types;
	default_type	application/octet-stream;

	log_format	main  '$remote_addr - $remote_user [$time_local] "$request" '
	'$status $body_bytes_sent "$http_referer" '
	'"$http_user_agent" "$http_x_forwarded_for"';
	access_log	logs/access.log  main;

	server {

		listen		80;
		# listen [::]:	80 ipv6only;

		server_name	localhost;
		access_log	logs/host.access.log  main;
		add_header	Strict-Transport-Security "max-age=63072000;";
		index index.php index-nginx.html index.html index.htm index.m3u8 index.mpd;

		error_page   500 502 503 504  /50x.html;
		location = /50x.html {
			root   site;
		}

		# location ~ \.php$ {
			#	include        fastcgi_params;
			#	fastcgi_pass   127.0.0.1:9000;
			#	fastcgi_index  index.php;
			#	fastcgi_param  SCRIPT_FILENAME  $document_root$fastcgi_script_name;
		#	}

		location / {
#			location ~* \.m3u8$ {
#				add_header Cache-Control no-cache;
##			}
			try_files $uri $uri/ =404;
			add_header 'Access-Control-Allow-Origin' '*' always;
			add_header 'Strict-Transport-Security' 'max-age=31536000';
			add_header 'X-Content-Type-Options' "nosniff" 'always';
			if ($request_method = 'OPTIONS') {
				add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS';
				add_header 'Access-Control-Allow-Headers' 'DNT,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Range';
				add_header 'Access-Control-Max-Age' 1728000;
				# add_header 'Content-Type' 'text/plain; charset=utf-8';
				add_header 'Content-Length' 0;
				return 204;
			}
			if ($request_method = 'POST') {
				add_header 'Access-Control-Allow-Origin' '*' always;
				add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS';
				add_header 'Access-Control-Allow-Headers' 'DNT,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Range';
				add_header 'Access-Control-Expose-Headers' 'Content-Length';
			}
			if ($request_method = 'GET') {
				add_header 'Access-Control-Allow-Origin' '*' always;
				add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS';
				add_header 'Access-Control-Allow-Headers' 'DNT,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Range';
				add_header 'Access-Control-Expose-Headers' 'Content-Length,Content-Range';
			}

			root site;
			index index.php index.html index-nginx.html index.htm index.m3u8 index.mpd;
		}

		location /stat {
			rtmp_stat all;
			rtmp_stat_stylesheet stat.xsl;
			# auth_basic "Restricted Content";
			# auth_basic_user_file .htpasswd;
		}

		location /stat.xsl {
			root site;
		}

		#location /control {
			#rtmp_control all;
			# auth_basic "stream";
			# auth_basic_user_file .htpasswd;
		#}

		#location /publish {
			#    return 201;
		#}
		#location /play {
			#    return 202;
		#}
		#location /record_done {
			#    return 203;
		#}

		location /tmp_hls {
			if ($request_method = 'OPTIONS') {
				add_header 'Access-Control-Allow-Origin' '*' always;
				add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS';
				add_header 'Access-Control-Allow-Headers' 'DNT,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Range';
				add_header 'Access-Control-Max-Age' 1728000;
				add_header 'Content-Type' 'text/plain; charset=utf-8';
				add_header 'Content-Length' 0;
				return 204;
			}
			if ($request_method = 'POST') {
				add_header 'Access-Control-Allow-Origin' '*' always;
				add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS';
				add_header 'Access-Control-Allow-Headers' 'DNT,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Range';
				add_header 'Access-Control-Expose-Headers' 'Content-Length';
			}
			if ($request_method = 'GET') {
				add_header 'Access-Control-Allow-Origin' '*' always;
				add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS';
				add_header 'Access-Control-Allow-Headers' 'DNT,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Range';
				add_header 'Access-Control-Expose-Headers' 'Content-Length';
			}
			types {
				application/vnd.apple.mpegurl m3u8;
				text/html html;
			}
			add_header 'Access-Control-Allow-Origin' '*' always;
			add_header 'Cache-Control' 'no-cache' always;
			if ($request_uri ~* "/.*\.m3u8") {
				set $test A;
			}
			if ($http_referer !~ "^(http://|https://)(oguzhankaraman\.com.tr|oguzhankaraman\.com)/") {
				set $test "${test}B";
			}
			if ($test = AB) {
				return 403;
			}
			add_header "test3" $test;
			autoindex on;
			autoindex_localtime on;
			autoindex_exact_size off;
			alias temp/tmp_hls;							# <----- 
			expires -1;
		}

		location /tmp_dash {
			alias temp/tmp_dash;							# <----- 
			autoindex on;
			autoindex_localtime on;
			autoindex_exact_size off;
			expires -1;

			if ($request_method = 'OPTIONS') {
				add_header 'Access-Control-Allow-Origin' '*' always;
				add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS';
				add_header 'Access-Control-Allow-Headers' 'DNT,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Range';
				add_header 'Access-Control-Max-Age' 1728000;
				add_header 'Content-Type' 'text/plain; charset=utf-8';
				add_header 'Content-Length' 0;
				return 204;
			}
			if ($request_method = 'POST') {
				add_header 'Access-Control-Allow-Origin' '*' always;
				add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS';
				add_header 'Access-Control-Allow-Headers' 'DNT,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Range';
				add_header 'Access-Control-Expose-Headers' 'Content-Length';
			}
			if ($request_method = 'GET') {
				add_header 'Access-Control-Allow-Origin' '*' always;
				add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS';
				add_header 'Access-Control-Allow-Headers' 'DNT,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Range';
				add_header 'Access-Control-Expose-Headers' 'Content-Length';
			}
			types {
				application/dash+xml mpd;
				application/vnd.apple.mpegurl m3u8;
				video/mp2t ts;
				text/html html;
			}
		}

		location /recordings {
			alias recordings;  
			autoindex on;
			autoindex_localtime on;
			autoindex_exact_size off;
			expires -1;

			if ($request_method = 'OPTIONS') {
				add_header 'Access-Control-Allow-Origin' '*' always;
				add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS';
				add_header 'Access-Control-Allow-Headers' 'DNT,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Range';
				add_header 'Access-Control-Max-Age' 1728000;
				add_header 'Content-Type' 'text/plain; charset=utf-8';
				add_header 'Content-Length' 0;
				return 204;
			}
			if ($request_method = 'POST') {
				add_header 'Access-Control-Allow-Origin' '*' always;
				add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS';
				add_header 'Access-Control-Allow-Headers' 'DNT,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Range';
				add_header 'Access-Control-Expose-Headers' 'Content-Length';
			}
			if ($request_method = 'GET') {
				add_header 'Access-Control-Allow-Origin' '*' always;
				add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS';
				add_header 'Access-Control-Allow-Headers' 'DNT,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Range';
				add_header 'Access-Control-Expose-Headers' 'Content-Length';
			}
			types {
				application/dash+xml mpd;
				application/vnd.apple.mpegurl m3u8;
				video/mp2t ts;
				video/mp4 mp4;
				text/html html;
			}
		}
	}
}

rtmp {
	server {
		listen 1935;
		chunk_size 4096;

		application live {
			live on;
			interleave on;
			meta on;
			session_relay on;
			max_connections 1500;
			record_path recordings;
			record_suffix all-%d-%b-%y-%T.flv;
			# record_interval 30s;
			# record keyframes;

			push rtmp://localhost/hls;
			push rtmp://localhost/dash;
			# push rtmp://localhost/youtube

			# exec ffmpeg -i rtmp://localhost/$app/$name  -async 1 -vsync -1 
			#-c:v libx264 -acodec copy -b:v 256k -vf "scale=480:trunc(ow/a/2)*2" -tune zerolatency -preset veryfast -crf 23 -g 60 -hls_list_size 0 -f flv rtmp://localhost/hls/$name_low
			#-c:v libx264 -acodec copy -b:v 768k -vf "scale=720:trunc(ow/a/2)*2" -tune zerolatency -preset veryfast -crf 23 -g 60 -hls_list_size 0 -f flv rtmp://localhost/hls/$name_mid
			#-c:v libx264 -acodec copy -b:v 1024k -vf "scale=960:trunc(ow/a/2)*2" -tune zerolatency -preset veryfast -crf 23 -g 60 -hls_list_size 0 -f flv rtmp://localhost/hls/$name_high
			#-c:v libx264 -acodec copy -b:v 1920k -vf "scale=1280:trunc(ow/a/2)*2" -tune zerolatency -preset veryfast -crf 23 -g 60 -hls_list_size 0 -f flv rtmp://localhost/hls/$name_higher
			#-c copy -f flv rtmp://localhost/hls/$name_src;
		}

		application hls {
			live on;
			hls on;
			hls_nested on;
			hls_cleanup on;
			meta copy;
			# hls_sync 100ms;
			hls_type live;
			hls_fragment 5s;
			hls_playlist_length 30s;
			hls_path temp/tmp_hls;							# <----- 
			hls_fragment_naming system;

			hls_variant _low BANDWIDTH=288000;	# Low bitrate, sub-SD resolution
			hls_variant _mid BANDWIDTH=448000;	# Medium bitrate, SD resolution
			hls_variant _high BANDWIDTH=1152000;	# Higher-than-SD resolution 
			hls_variant _higher BANDWIDTH=2048000;	# High bitrate, HD 720p resolution
			hls_variant _src BANDWIDTH=4096000;	# Source bitrate, source resolution
		}

		application dash {
			live on;
			dash on;
			dash_nested on;
			dash_cleanup on;
			dash_fragment 5s;
			dash_playlist_length 30s;
			dash_path temp/tmp_dash;						# <----- 
		}

		#application youtube {
			#live on;
			#push rtmp://a.rtmp.youtube.com/live2/YOUR_STREAM_KEY;
			#allow publish 127.0.0.1;
			#deny publish all;
		#}
	}
}

Bir Yorum Yazın