GoFuckYourself.com - Adult Webmaster Forum
Old 07-12-2011, 04:10 AM   #1
McFly85
Registered User
 
Join Date: Jul 2007
Posts: 11
Who uses Lighttpd streaming in members area?

My host set me up with Lighttpd pseudo streaming for mp4s in my member site but I have a security concern and question for anybody who might be using it. Streaming works with jwplayer but since my content is protected with htaccess you can copy and paste the location of my file from the html page source into a browser and download my mp4s without logging in.

The file location variable includes port :81 and since Lighttpd doesn't support htaccess the mp4 will download without any security blocking it.

Just curious if anyone using Lighttpd knows of a solution to prevent this security hole?
Old 07-12-2011, 04:37 AM   #2
DWB
Registered User
 
Join Date: Jul 2003
Location: Encrypted. Access denied.
Posts: 31,779
Have your host set you up with wowza, then use a security token.
Old 07-12-2011, 04:40 AM   #3
k0nr4d
Confirmed User
 
Join Date: Aug 2006
Location: Poland
Posts: 9,228
Quote:
Originally Posted by McFly85 View Post
My host set me up with Lighttpd pseudo streaming for mp4s in my member site but I have a security concern and question for anybody who might be using it. Streaming works with jwplayer but since my content is protected with htaccess you can copy and paste the location of my file from the html page source into a browser and download my mp4s without logging in.

The file location variable includes port :81 and since Lighttpd doesn't support htaccess the mp4 will download without any security blocking it.

Just curious if anyone using Lighttpd knows of a solution to prevent this security hole?

Two solutions,
1) Install mod_h264 and mod_flv into apache and just stream using apache behind your htaccess
2) Setup mod_secdownload in lighttpd to make protected downloads links
Old 07-12-2011, 05:13 AM   #4
Babaganoosh
♥♥♥ Likes Hugs ♥♥♥
 
Join Date: Nov 2001
Location: /home
Posts: 15,841
http://redmine.lighttpd.net/wiki/lig...ModSecDownload like konrad said

wowza is fine but lighttpd is free
Old 07-12-2011, 05:19 AM   #5
DWB
Registered User
 
Join Date: Jul 2003
Location: Encrypted. Access denied.
Posts: 31,779
Quote:
Originally Posted by k0nr4d View Post

2) Setup mod_secdownload in lighttpd to make protected downloads links
That hides the path if typed in or from a ripper?

Last edited by DWB; 07-12-2011 at 05:29 AM..
Old 07-12-2011, 05:20 AM   #6
seeandsee
Check SIG!
 
Join Date: Mar 2006
Location: Europe (Skype: gojkoas)
Posts: 50,945
there must be total protection, so nobody else can access your vid except the player
Old 07-12-2011, 05:29 AM   #7
k0nr4d
Confirmed User
 
Join Date: Aug 2006
Location: Poland
Posts: 9,228
Quote:
Originally Posted by DWB View Post
Why can't lighttpd support htaccess?
Because they never made it support it...

Anyhow, this guy's best solution is just to drop lighttpd completely and install mod_h264 and mod_flv right into apache so that everything is behind his htaccess and safe.
Old 07-12-2011, 06:37 AM   #8
McFly85
Registered User
 
Join Date: Jul 2007
Posts: 11
Quote:
Originally Posted by Babaganoosh View Post
ModSecDownload like konrad said

wowza is fine but lighttpd is free
My host is using mod_secdownload but that's not good enough. That hides part of the url to the file but it doesn't hide the file name. Plus in my case I also have a download link to that same file on the streaming webpage so someone with a brain can see the correct and full path to the file, paste it in and completely bypass security.

I initially was going to go with wowza but my host recommended lighttpd but I guess you get what you pay for.
Old 07-12-2011, 11:30 AM   #9
DWB
Registered User
 
Join Date: Jul 2003
Location: Encrypted. Access denied.
Posts: 31,779
Quote:
Originally Posted by McFly85 View Post
My host is using mod_secdownload but that's not good enough. That hides part of the url to the file but it doesn't hide the file name. Plus in my case I also have a download link to that same file on the streaming webpage so someone with a brain can see the correct and full path to the file, paste it in and completely bypass security.

I initially was going to go with wowza but my host recommended lighttpd but I guess you get what you pay for.
After re-reading your first post, I think you'd have the same problem with wowza and would need to have it adjusted to prevent someone from getting the path to the video.

Borked is the guy who fixed that issue for me on wowza, but he's not around much these days.
Old 07-12-2011, 05:16 PM   #10
raymor
Confirmed User
 
Join Date: Oct 2002
Posts: 3,745
Lighttpd is for tiny files, thumbnails, when the server admin doesn't know about "noatime". In no case will it provide any benefit whatsoever on large files such as videos. For files over 200K, the only difference between lighttpd and Apache is that Apache has had about 10 years' worth of improvements and bug fixes since the lighttpd fork.

In other words, if it's not thumbnails you're serving OR if you simply use noatime, all that lighttpd gives you is bugs, problems, and reduced performance from tuning twice as much software as you should.
__________________
For historical display only. This information is not current:
support@bettercgi.com ICQ 7208627
Strongbox - The next generation in site security
Throttlebox - The next generation in bandwidth control
Clonebox - Backup and disaster recovery on steroids
Old 07-12-2011, 10:20 PM   #11
NemesisEnforcer
Confirmed User
 
Join Date: Aug 2003
Location: Vegas and Los Angeles
Posts: 2,122
All around good info here.
Old 07-13-2011, 12:34 AM   #12
McFly85
Registered User
 
Join Date: Jul 2007
Posts: 11
I asked my host about not using lighttpd and just going with apache and installing mod_h264. They said it would cause some extra load on apache and I'd also have to upgrade to a newer version. If anyone is using mod_flv and mod_h264 with apache I'm curious what the impact is on your server.

I also realized that since I have 100's of mobile videos in the mp4 format those too could be downloaded for free by just adding a :81 after my domain name using lighty and bypassing apache security.

I could possibly encrypt every single mp4 link I have on my site using mod_secdownload but that doesn't seem right.

Still looking for that streaming solution.
Old 07-13-2011, 02:27 AM   #13
plsureking
bored
 
Join Date: Aug 2003
Location: Metaverse
Posts: 4,675
Quote:
Originally Posted by McFly85 View Post
I asked my host about not using lighttpd and just going with apache and installing mod_h264. They said it would cause some extra load on apache and I'd also have to upgrade to a newer version. If anyone is using mod_flv and mod_h264 with apache I'm curious what the impact is on your server.
We use mod_h264 on all the PornCMS (www.porncms.com) servers and some have huge traffic. It's simple to set up and fast because it's integrated with apache. I don't see any problems since we use quad-core servers with a lot of memory.

If we had separate servers just for streaming, we would probably use lighttpd, but we serve pages and media from the same boxes. YouTube uses lighttpd and so does Facebook.
Old 07-13-2011, 02:32 AM   #14
k0nr4d
Confirmed User
 
Join Date: Aug 2006
Location: Poland
Posts: 9,228
Quote:
Originally Posted by McFly85 View Post
I asked my host about not using lighttpd and just going with apache and installing mod_h264. They said it would cause some extra load on apache and I'd also have to upgrade to a newer version. If anyone is using mod_flv and mod_h264 with apache I'm curious what the impact is on your server.

I also realized that since I have 100's of mobile videos in the mp4 format those too could be downloaded for free by just adding a :81 after my domain name using lighty and bypassing apache security.

I could possibly encrypt every single mp4 link I have on my site using mod_secdownload but that doesn't seem right.

Still looking for that streaming solution.
Many clients using it, no noticeable impact on server. If you are running a paysite I doubt you have thousands of people downloading at once anyways. I assure you, despite what your host may say, this solution should work fine for you.

Last edited by k0nr4d; 07-13-2011 at 02:33 AM..
Old 07-13-2011, 02:40 AM   #15
JuicyBunny
So Fucking Banned
 
Join Date: Jun 2010
Location: Tokyo Red Light District
Posts: 2,145
Does Strongbox prevent any of the free downloading capability? Or can people just reacharound? It seems to prevent it unless a session is active.
We run mp4 for streaming and downloading on apache...

Last edited by JuicyBunny; 07-13-2011 at 02:47 AM..
Old 07-13-2011, 05:27 PM   #16
raymor
Confirmed User
 
Join Date: Oct 2002
Posts: 3,745
Quote:
Originally Posted by JuicyBunny View Post
Does strongbox prevent any of the free downloading capability? Or can people just reacharound? It seems to be preventing unless session is active..
We run mp4 for streaming and downloading on apache...
Absolutely. Strongbox would take care of that. Running a site on a separate server designed for tiny files (lighttpd) in order to serve very large files (videos) will make it very hard to integrate proper security between the two, though.

We ran the tests, though, looked at the code, adjusted configuration - there's simply absolutely no reason at all to run lighttpd on videos. As a matter of fact, when serving videos, 99.999% of the time will be spent transferring the video to the user. The roughly 12 milliseconds spent in server code is nothing compared to the minutes spent transferring the video.

Consider this. Let's set up the best possible situation for lighttpd:

Let's just say that your server admin doesn't know about "noatime", so Apache is correctly updating the atime while lighttpd falsifies it - that's the situation where lighttpd can appear faster.

Let's say that lighttpd spends 15% less processing time than Apache. Not that it actually does, but let's pretend we believe the lighttpd promoters. Both servers run their processing, then hand it off to the OS to send the actual video via sendfile(). Let's say Apache is poorly configured so it spends 12 milliseconds processing before handing it off to sendfile. At 15% less, lighttpd saves 3 milliseconds, if you believe their claims.

Playing the video takes what, five minutes? Wow, you've saved 3 milliseconds on a five-minute video! That'll sure help! That's a 0.0005% improvement. Wow.

Actually, though, by running two different web servers, they are competing for resources such as cache RAM, so you've actually just knocked your performance down.

On the other hand, consider a thumbnail that only takes 10 milliseconds to transfer. Saving a couple of milliseconds of processing time makes sense there, if you don't know to just friggin' use the noatime setting.
Old 07-13-2011, 10:07 PM   #17
plsureking
bored
 
Join Date: Aug 2003
Location: Metaverse
Posts: 4,675
Quote:
Originally Posted by raymor View Post
Absolutely....
Great technical comparison between h264 and lighttpd lol

Regarding the poster's question, how does Strongbox prevent using a program like Replay Media Catcher or, even easier, prevent a user from grabbing the URL of the file from the source and downloading it directly?

I don't know much about your product, except that when we built PornCMS we decided to use in-page logins like all the major social sites. Strongbox uses its own login page and requires an htaccess-controlled members folder.
Old 07-13-2011, 10:56 PM   #18
raymor
Confirmed User
 
Join Date: Oct 2002
Posts: 3,745
Quote:
Originally Posted by plsureking View Post
great technical comparison between h264 and lighttpd lol

regarding the posters question, how does strongbox prevent using a program like Replay Media Catcher or even easier prevent a user from grabbing the url of the file from the source and downloading it directly?

i dont know much about your product, except that when we built PornCMS we decided to use in-page logins like all the major social sites. strongbox uses its own login page and requires an htaccess controlled members folder.
.
I was actually comparing the lighttpd pseudo streaming that was mentioned versus the same in modern Apache, but in the h264 case the same conclusion can be drawn. Extensive testing shows that the only thing faster about lighttpd is that it (incorrectly) skips atime updates, so using noatime makes Apache as fast, or faster if tuned correctly.

I'd need to look through the mod_h264 source to give precise answers about protection, but my understanding is that most of the Apache hooks run, so it's protected much like http through Apache. If some adjustments are needed, we're quite familiar with designing and coding Apache modules. Apache 2.2 has some real advantages there compared to the old Apache 1.3 code underlying lighttpd.

Replay is another thing entirely. Assuming you allow them access to the video, making it impossible to save requires significant changes and in fact no currently available systems do that too well. You're basically talking DRM there and as we know DRM pretty much failed. However, several years ago we created a solution for a university that we'll be adapting for the public internet. The university system was based on maintaining the encryption even through RAM, only decrypting it on the video card itself. Therefore no program running within the OS could get the media. Watch for an announcement on that soon.

If you happen to know any, we need some good Flex programmers to help implement the new version of that system.

These posts were typed on my phone, so please excuse any typos.

Last edited by raymor; 07-13-2011 at 11:05 PM..
Old 07-13-2011, 11:05 PM   #19
plsureking
bored
 
Join Date: Aug 2003
Location: Metaverse
Posts: 4,675
Quote:
Originally Posted by raymor View Post
These posts were typed on my phone, so please excuse any typos.
lol that's a lot to type on a phone.

Yeah, until they find a way to prevent stream capturing I haven't focused too much on protecting streams. I mean, you can even save cam streams with Replay, so no video is safe on any site.
Old 07-14-2011, 03:50 AM   #20
Konda
...
 
Join Date: Apr 2003
Posts: 2,280
Quote:
Originally Posted by McFly85 View Post
I asked my host about not using lighttpd and just going with apache and installing mod_h264. They said it would cause some extra load on apache and I'd also have to upgrade to a newer version. If anyone is using mod_flv and mod_h264 with apache I'm curious what the impact is on your server.

I also realized that since I have 100's of mobile videos in the mp4 format those too could be downloaded for free by just adding a :81 after my domain name using lighty and bypassing apache security.

I could possibly encrypt every single mp4 link I have on my site using mod_secdownload but that doesn't seem right.

Still looking for that streaming solution.
Just serve your download links through apache (.htaccess) and your streaming links encoded with mod_secdownload (you can run apache and lighttpd simultaneously)
Old 07-14-2011, 04:28 AM   #21
k0nr4d
Confirmed User
 
Join Date: Aug 2006
Location: Poland
Posts: 9,228
Quote:
Originally Posted by Konda View Post
Just serve your download links through apache (.htaccess) and your streaming links encoded with mod_secdownload (you can run apache and lighttpd simultaneously)
That's not necessarily possible. He'd have to add code to generate the mod_secdownload links into his CMS, which may be Zend/ionCube encoded. I still stand behind mod_h264/mod_flv behind htaccess or Strongbox as being the best choice, as it requires no intervention into his existing system. RTMP streaming is also a good choice here, but the costs may be prohibitive unless he uses Red5, which from what I've seen isn't very good.
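Added example, not part of any post in this thread and not lighttpd's own code: the "code to generate the mod_secdownload links" that a CMS would need (Konda's and k0nr4d's posts above), re-implemented in Python together with the server-side check, so you can see exactly what a mod_secdownload link does and does not protect. It follows the classic scheme from the lighttpd wiki: the token is MD5 over secret + relative path + 8-hex-digit timestamp, and the URL is `<uri-prefix><token>/<timestamp><relative path>`. SECRET, URI_PREFIX, TIMEOUT and the file names are made-up placeholders; they would have to match `secdownload.secret`, `secdownload.uri-prefix` and `secdownload.timeout` in lighttpd.conf.

```python
"""Added example (not from this thread or from lighttpd): the classic
lighttpd mod_secdownload link scheme, generator and checker, so the
protection can be inspected offline.  SECRET, URI_PREFIX, TIMEOUT and all
file paths below are made up."""
import hashlib
import hmac
import time
from urllib.parse import urlsplit

# Made-up values; they must match the lighttpd directives
# secdownload.secret, secdownload.uri-prefix and secdownload.timeout.
SECRET = "replace-with-a-long-random-secret"
URI_PREFIX = "/dl/"
TIMEOUT = 60            # seconds a link stays valid, judged by the server clock

TOKEN_LEN = 32          # hex MD5 digest
TS_LEN = 8              # "%08x" timestamp


def make_secdownload_url(rel_path, now=None, secret=SECRET, prefix=URI_PREFIX):
    """Return <prefix><md5hex>/<timestamp hex><rel_path>.

    rel_path is relative to secdownload.document-root and must start with '/'.
    The MD5 covers secret + rel_path + timestamp, so nobody without the secret
    can mint a link, but the file name itself stays readable in the URL.
    """
    if not rel_path.startswith("/"):
        raise ValueError("rel_path must start with '/'")
    ts_hex = "%08x" % int(time.time() if now is None else now)
    token = hashlib.md5((secret + rel_path + ts_hex).encode("utf-8")).hexdigest()
    return "%s%s/%s%s" % (prefix, token, ts_hex, rel_path)


def check_secdownload_url(url, now=None, secret=SECRET, prefix=URI_PREFIX,
                          timeout=TIMEOUT):
    """Server-side view of a request: (accepted, reason, rel_path).

    Mirrors what the module does before serving a file: peel off the prefix,
    split token / timestamp / path, recompute the MD5 with the shared secret,
    compare in constant time, then reject links whose timestamp is more than
    `timeout` seconds away from the server clock (lighttpd answers 410 Gone).
    """
    path = urlsplit(url).path
    if not path.startswith(prefix):
        return False, "wrong prefix", None
    rest = path[len(prefix):]
    if len(rest) < TOKEN_LEN + 1 + TS_LEN + 1 or rest[TOKEN_LEN] != "/":
        return False, "malformed", None
    token = rest[:TOKEN_LEN]
    ts_hex = rest[TOKEN_LEN + 1:TOKEN_LEN + 1 + TS_LEN]
    rel_path = rest[TOKEN_LEN + 1 + TS_LEN:]
    if not rel_path.startswith("/"):
        return False, "malformed", None
    try:
        ts = int(ts_hex, 16)
    except ValueError:
        return False, "bad timestamp", None
    expected = hashlib.md5((secret + rel_path + ts_hex).encode("utf-8")).hexdigest()
    if not hmac.compare_digest(expected, token):
        return False, "bad token", rel_path
    now = int(time.time() if now is None else now)
    if abs(now - ts) > timeout:
        return False, "expired", rel_path
    return True, "ok", rel_path


if __name__ == "__main__":
    # Constructed walk-through: a member gets a fresh link, then we try the
    # things the thread worries about (stale link, edited file name, no secret).
    t0 = 1310450400
    link = make_secdownload_url("/videos/clip01.mp4", now=t0)
    print("link        :", link)
    print("fresh       :", check_secdownload_url(link, now=t0 + 10))
    print("after expiry:", check_secdownload_url(link, now=t0 + TIMEOUT + 1))
    print("edited name :", check_secdownload_url(link.replace("clip01", "clip02"), now=t0))
    forged = make_secdownload_url("/videos/clip01.mp4", now=t0, secret="guess")
    print("no secret   :", check_secdownload_url(forged, now=t0))
```

Two things the walk-through makes visible. First, the file name is in the URL in plain text, which is McFly85's objection; what the token buys is that a link can only be minted by something holding the secret (the CMS page behind Apache's htaccess) and stops working `TIMEOUT` seconds later, so a member can still pass a working link to a friend within that window. Second, the token only matters if the raw path is unreachable: `secdownload.document-root` must point at a directory that is not under lighttpd's `server.document-root` (or any alias), otherwise the plain `:81/videos/clip01.mp4` URL from the first post keeps working regardless of mod_secdownload. Newer lighttpd releases also offer HMAC-based `secdownload.algorithm` settings in place of this legacy MD5 construction; the URL layout and the two caveats above are the same.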