Streaming & VOD

NukeVideo delivers video content through proxy nodes running a custom Nginx build with Kaltura's VOD module. This enables on-the-fly packaging of HLS and DASH streams without pre-segmenting files.

Supported Formats

Format	Manifest	Use Case
HLS	`master.m3u8`	Apple devices, most browsers, widest compatibility
DASH	`manifest.mpd`	Android, smart TVs, DRM-ready
MP4	`video.mp4`	Direct download, simple playback

How VOD Works

The proxy node does not store video files locally. Instead, it:

Receives a playback request with a signed token.
Validates the token (expiration + signature).
Fetches the VOD configuration from the API (/vod/config/{ulid}).
Reads the media data from S3 using AWS authentication.
Packages the content into HLS/DASH segments on-the-fly.
Serves the response to the client.

Client → Proxy → API (config) → S3 (media) → Client

Token-Based Access Control

All streaming URLs are signed with a time-limited token to prevent unauthorized access.

Stream token — Long-lived (configurable, default 100 days) for manifest URLs.
Query token — Short-lived (default 1 hour) for individual segment requests.

Tokens are generated by the API when requesting video sources:

GET /api/videos/{ulid}/sources

This returns signed URLs for each available format:

json

{
  "sources": [
    {
      "format": "hls",
      "url": "https://proxy.example.com/hls/..."
    },
    {
      "format": "dash",
      "url": "https://proxy.example.com/dash/..."
    },
    {
      "format": "mp4",
      "url": "https://proxy.example.com/proxy/..."
    }
  ]
}

VOD Configuration

The proxy fetches a JSON configuration from the API that describes the video's streams:

GET /vod/config/{ulid}

This returns a structure with:

Sequences — Up to 32 stream sequences (video, audio, subtitle tracks).
Clips — File paths in S3 for each stream.
Metadata — Language labels for multi-track content.

Nginx VOD Modules

The proxy uses a custom-compiled Nginx with these modules:

Module	Version	Purpose
nginx-vod-module	1.33	On-the-fly HLS/DASH packaging
nginx-aws-auth-module	1.1	S3 authentication
nginx-secure-token-module	1.5	Token generation for segments
nginx-akamai-token-validate-module	1.1	Token validation on requests

Proxy Configuration

Key environment variables for the proxy:

Variable	Default	Description
`VOD_SEGMENT_DURATION`	`10000`	Segment duration in milliseconds
`VOD_METADATA_CACHE_SIZE`	`512m`	Metadata cache size
`VOD_RESPONSE_CACHE_SIZE`	`128m`	Response cache size
`VOD_MAPPING_CACHE_SIZE`	`5m`	Mapping cache size
`VOD_CACHE_MAX_SIZE`	`10g`	Local proxy cache max size
`VOD_CACHE_INACTIVE`	`1h`	Local proxy cache inactive TTL
`API_UPSTREAM_HOST`	`nukevideo-api:8080`	API server address
`SECURE_TOKEN_EXPIRES_TIME`	`100d`	Stream token expiration
`SECURE_TOKEN_QUERY_EXPIRES_TIME`	`1h`	Query token expiration

Caching

The proxy has a two-layer caching architecture:

Nginx proxy cache (port 80) — Caches responses from the VOD module to avoid re-segmenting identical requests. Controlled by VOD_CACHE_MAX_SIZE and VOD_CACHE_INACTIVE.
VOD module caches (port 8090) — Internal metadata, response, and mapping caches for the VOD module itself.

When CDN mode is enabled on a proxy node, the Nginx proxy cache is disabled (proxy_cache off). The CDN handles caching at the edge, and the VOD module caches continue to work normally. See Nodes: CDN Mode for setup.

Bandwidth Monitoring

The proxy includes a Vector.dev pipeline that:

Parses Nginx access logs for bandwidth data.
Aggregates metrics every 10 seconds.
Sends bandwidth and host metrics to ClickHouse for analytics.

Streaming & VOD ​

Supported Formats ​

How VOD Works ​

Token-Based Access Control ​

VOD Configuration ​

Nginx VOD Modules ​

Proxy Configuration ​

Caching ​

Bandwidth Monitoring ​