Akamai token validation & rewrite command #13

Open
utu2016 opened this issue Aug 10, 2017 · 5 comments

@utu2016

utu2016 commented Aug 10, 2017

Hi,
We tried to use the Akamai validate module and rewrite the input request with a different one.

We want to execute the rewrite only if the akamai check works fine.
Is it possible? If not, could you suggest a workaround?

Here is the configuration example:

    location ~ "(my_path)(..m3u8)(.)" {
        akamai_token_validate on;
        akamai_token_validate_key xxxxx;
        akamai_token_validate_param_name hdnea;
        rewrite ^(my_path)(..m3u8)(.) /local_path/master.m3u8 break;
    }

    location ~ "(local_path)(master.m3u8)(.*)" {
        ....
    }

We noticed that:
- The Akamai module is run only if break is used in the rewrite command. With last & redirect it seems that the Akamai module is not triggered.
- The request URI used by the Akamai module is the one changed by the rewrite command. This causes a fault in the Akamai check (the acl is not compliant... of course).

Thanks for your support.

@erankor
Contributor

erankor commented Aug 10, 2017

It makes sense to me that it behaves as you describe, since nginx's rewrite phase runs before the access phase. Don't think there's much that can be done about it (while technically it may be possible to change the module to run in rewrite phase, that sounds wrong...)
In terms of workarounds, there are 2 things I can think of, both depend on moving the validation to after the rewrite -

  1. The acl in the Akamai token supports '*' at the end, it doesn't have to be a full URL, it can be a prefix. So, if you can arrange it so that the identifier of the video comes first, you'll be able to sign it using the token and whatever you change after it in the URL with rewrite won't break the token.
  2. Another possibility is to add a setting to this module that will determine what is the "uri" that should be used to validate the acl. By default it will evaluate to $uri, but it will enable you to use map or whatever and compare the acl against something else. This is a very easy change, let me know if you need it.
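
Added example (not part of the original comments, and not the module's own code): a Python model of the behaviour discussed above, showing why the acl check fails once the rewrite has replaced the signed path, and why a prefix acl on a leading video identifier survives the rewrite. The token layout (fields joined by `~`, HMAC-SHA256 with a hex key), the key, the paths and all helper names are simplified assumptions.

```python
import hashlib
import hmac
import re

KEY_HEX = "a1b2c3d4e5f60718"  # constructed sample key, not from the issue
NOW = 1502323200              # constructed clock value


def sign(fields, key_hex):
    """Append hmac=<HMAC-SHA256 of the preceding fields> (assumed layout)."""
    mac = hmac.new(bytes.fromhex(key_hex), fields.encode(), hashlib.sha256)
    return f"{fields}~hmac={mac.hexdigest()}"


def acl_matches(acl, uri):
    """Exact match, or prefix match when the acl ends with '*'."""
    return uri.startswith(acl[:-1]) if acl.endswith("*") else uri == acl


def validate(token, uri, key_hex=KEY_HEX, now=NOW):
    """Return 'ok' or the reason the token is rejected for this uri."""
    fields, sep, given = token.rpartition("~hmac=")
    expected = sign(fields, key_hex).rpartition("~hmac=")[2]
    if not sep or not hmac.compare_digest(expected, given):
        return "bad hmac"
    parsed = dict(f.split("=", 1) for f in fields.split("~"))
    if now >= int(parsed.get("exp", 0)):
        return "expired"
    if not acl_matches(parsed.get("acl", ""), uri):
        return "acl mismatch"
    return "ok"


def validate_after_rewrite(token, uri, pattern, repl):
    """Model nginx's phase order: rewrite first, then the access-phase check."""
    return validate(token, re.sub(pattern, repl, uri))


# Layout from the issue: the rewrite replaces the whole signed path.
ISSUE_URI = "/my_path/video123/index.m3u8"
ISSUE_TOKEN = sign(f"st={NOW}~exp={NOW + 300}~acl=/my_path/video123/*", KEY_HEX)
ISSUE_REWRITE = (r"^/my_path/.*\.m3u8$", "/local_path/master.m3u8")

# Workaround 1: video identifier first, acl signs only that prefix.
PREFIX_URI = "/video123/my_path/index.m3u8"
PREFIX_TOKEN = sign(f"st={NOW}~exp={NOW + 300}~acl=/video123/*", KEY_HEX)
PREFIX_REWRITE = (r"^/([^/]+)/my_path/.*\.m3u8$", r"/\1/local_path/master.m3u8")

print(validate_after_rewrite(ISSUE_TOKEN, ISSUE_URI, *ISSUE_REWRITE))     # acl mismatch
print(validate_after_rewrite(PREFIX_TOKEN, PREFIX_URI, *PREFIX_REWRITE))  # ok
```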

@utu2016
Author

utu2016 commented Aug 10, 2017

Hi Erankor, 

We already tried to use the $uri (adding a config parameter set with $uri; the parameter is added as a complex value type) ;-)...

But when we dump the uri received by the Akamai module, we see the one changed by rewrite... the problem is the one you explained to me before (...nginx's rewrite phase runs before the access phase...).

My rewrite is like this:
rewrite ^(./)(././)(./././)(.)(/HLS/)(..m3u8)(.*) /LOCAL_FOLDER/$2$3$4/MY_HLS/${content_id}_$rendition,.mp4.csmil/master.m3u8$7 break;

I'm not practiced with map; could you please help me set it up correctly?

input uri is: ^(./)(././)(./././)(.)(/HLS/)(..m3u8)(.*)
rewritten uri is: /LOCAL_FOLDER/$2$3$4/MY_HLS/${content_id}_$rendition,.mp4.csmil/master.m3u8$7

map $uri $new {
^(./)(././)(./././)(.)(/HLS/)(..m3u8)(.*) /LOCAL_FOLDER/$2$3$4/MY_HLS/${content_id}_$rendition,.mp4.csmil/master.m3u8$7
}

Thanks

@erankor
Contributor

erankor commented Aug 14, 2017

I'm not sure we're on the same page, my second suggestion was for adding a feature that will enable you to choose what is the uri that should be matched against the token's acl. This is not a feature that currently exists, but can be added.
The map directive, in this case, should be the reverse of rewrite, so that in the location that runs after the rewrite you'll be able to calculate the original uri before the rewrite. The regex seems unnecessarily complex to me, for example, you use $2$3$4 which means you don't really need these separated, and also you don't use $1/$5/$6.
Other than that, it's problematic to use $1/$2/... in map, I don't remember the exact issue, but I've moved to named captures entirely ((?P<var>.*) in the regex, and then $var), and that solves the problem.
But other than that, looking at your configuration, I'm guessing you are migrating from Akamai packaging, is that correct? If so, I don't think you really need all this complexity, you can probably just configure nginx-vod to answer on the same URLs as Akamai, the format of Akamai's csmil is the same as nginx-vod's urlset, you can even set vod_multi_uri_suffix to .csmil to have the same suffix.

@nexusofdoom

trying to do this
nexusofdoom/lancache-installer#20

can it be done?

@erankor
Contributor

erankor commented Sep 20, 2018

I don't understand what you are asking.
