Event Media Protection

Media links can be added to an event.  These links may point to documents/videos hosted on your own website or other storage systems.  As such, it is possible for users to obtain the direct link to the media and share it with people who have not bought tickets for the event.

ClubEvent does not intend to replace fully featured DRM systems to protect your media files, but it is possible to use a couple of simple strategies to add some protection:

Referrer header

The media is accessed through the ClubEvent URL of https://media.clubevent.co.uk.  In web terms, this is the referrer.  It is possible to configure your server to only allow access to your media if the referrer is the ClubEvent address.  This will only prevent casual access, as it is possible to spoof the referrer header which this relies on.

nginx server:
Add something similar to:

    location ~* ^/mp4s/.*\.mp4$ {
      if ($http_referer !~ “https://media.clubevent.co.uk/”){ return 403; }
    }

Apache
Something like:

    <FilesMatch “(?i)\.mp4$”>
        <If “%{REQUEST_URI} =~ m#^/mp4s/#”>
            Require expr “%{HTTP_REFERER} =~ m#^https://media\.clubevent\.co\.uk/#”
        </If>
    </FilesMatch>

Expiring Token

A much more secure way is to use a token, created by ClubEvent and validated by your server.  This requires you to supply a secret in the Event, by modifying the media URL:
    https://myserver.com/media_files/video1.mp4?secret=ReallySecretString

The secret is then taken by the ClubEvent server and used to create a token that has a relatively short lifetime.  This token is added to the link that is sent to your server, so that media files can only be shown if the token and expiry are correct.

nginx:

    location ~* ^/media_files/.*\.mp4$
    {
        if ($http_referer !~ “https://media.clubevent.co.uk/”){ return 403; }
        secure_link $arg_token,$arg_expires;
        secure_link_md5 “$secure_link_expires$uri ReallySecretString”;
        if ($secure_link = “”) { return 403; }
        if ($secure_link = “0”) { return 410; }
        mp4;
    }

Apache

    RewriteEngine On

    RewriteCond %{REQUEST_URI} ^/mp4s/.*\.mp4$ [NC]

    RewriteCond %{QUERY_STRING} !(^|&)token= [NC,OR]
    RewriteCond %{QUERY_STRING} !(^|&)expires= [NC]
    RewriteRule ^ – [F,L]

    RewriteCond %{QUERY_STRING} (^|&)expires=([0-9]+) [NC]
    RewriteCond %2 < %{TIME_SEC}
    RewriteRule ^ – [G,L]

    RewriteCond %{QUERY_STRING} (^|&)expires=([0-9]+) [NC]
    RewriteCond %{QUERY_STRING} (^|&)token=([^&]+) [NC]
    RewriteCond %{md5:%2%{REQUEST_URI} CEmediaS3cret} !=$3
    RewriteRule ^ – [F,L]