From d9f6b5d04437fb7d36bce5f242fd019b7eb55b21 Mon Sep 17 00:00:00 2001
From: Alexandre Iooss
Date: Mon, 14 Sep 2020 10:07:57 +0200
Subject: [PATCH] NGINX and OvenMediaEngine configuration
---
README.md | 19 +++++
doc/ghostream.svg | 1 +
doc/nginx/modules-available/60-ghostream.conf | 36 +++++++++
doc/nginx/sites-available/ghostream | 64 ++++++++++++++++
doc/ovenmediaengine/conf/Server.xml | 75 +++++++++++++++++++
5 files changed, 195 insertions(+)
create mode 100644 README.md
create mode 100644 doc/ghostream.svg
create mode 100644 doc/nginx/modules-available/60-ghostream.conf
create mode 100644 doc/nginx/sites-available/ghostream
create mode 100644 doc/ovenmediaengine/conf/Server.xml
diff --git a/README.md b/README.md
new file mode 100644
index 0000000..98350eb
--- /dev/null
+++ b/README.md
@@ -0,0 +1,19 @@
+# Ghostream
+
+*Boooo!* A simple streaming server with authentication and open-source technologies.
+
+![logo](doc/ghostream.svg)
+
+## Installation
+
+### NGINX
+
+Copy [60-ghostream.conf module](doc/nginx/modules-available/60-ghostream.conf) to `/etc/nginx/modules-available/60-ghostream.conf`.
+
+Copy [ghostream site](doc/nginx/sites-available/ghostream) to `/etc/nginx/sites-available/ghostream`.
+
+### OvenMediaEngine
+
+Copy [Server.xml](doc/ovenmediaengine/conf/Server.xml) to `/usr/share/ovenmediaengine/conf/Server.xml`.
+
+Now enable and start OvenMediaEngine, `sudo systemctl enable --now ovenmediaengine`.
diff --git a/doc/ghostream.svg b/doc/ghostream.svg
new file mode 100644
index 0000000..2800592
--- /dev/null
+++ b/doc/ghostream.svg
@@ -0,0 +1 @@ + \ No newline at end of file
diff --git a/doc/nginx/modules-available/60-ghostream.conf b/doc/nginx/modules-available/60-ghostream.conf
new file mode 100644
index 0000000..58894cf
--- /dev/null
+++ b/doc/nginx/modules-available/60-ghostream.conf
@@ -0,0 +1,36 @@
+# This file is part of Ghostream
+# Copyright (C) 2020 by Crans
+# SPDX-License-Identifier: GPL-2.0-or-later
+
+# Reverse RTMPS to RTMP
+# As the user may put a password in his stream key, we only expose RTMPS.
+stream {
+ server {
+ listen 1935 ssl;
+ listen [::]:1935 ssl;
+
+ # Send to NGINX RTMP server
+ proxy_pass 127.0.0.1:1925;
+
+ ssl_certificate /etc/letsencrypt/live/stream.crans.org/fullchain.pem;
+ ssl_certificate_key /etc/letsencrypt/live/stream.crans.org/privkey.pem;
+ ssl_protocols TLSv1.2 TLSv1.3;
+ }
+}
+
+# Authenticate then stream RTMP
+# This RTMP server will be used when clients play directly RTMPS.
+# It also push RTMP stream to OvenMediaEngine to generate WebRTC stream.
+rtmp {
+ server {
+ listen 127.0.0.1:1925;
+
+ chunk_size 4096;
+ application app {
+ live on;
+ record off;
+ push rtmp://127.0.0.1:1915;
+ on_publish http://127.0.0.1:5000/;
+ }
+ }
+}
diff --git a/doc/nginx/sites-available/ghostream b/doc/nginx/sites-available/ghostream
new file mode 100644
index 0000000..189adff
--- /dev/null
+++ b/doc/nginx/sites-available/ghostream
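Review bot: In `doc/nginx/modules-available/60-ghostream.conf`, the `rtmp` `server` block sets no `access_log`, and nginx-rtmp's default log format (as far as I know) records the `$args` of each publish. If the stream-key password mentioned in the header comment travels as a query argument, it would be written to the access log in clear text. I would add `access_log off;` inside the `rtmp` `server` block, or define a `log_format` that leaves out `$args`. Separately, the `stream` block pins `ssl_protocols` but not `ssl_ciphers`, so the RTMPS listener is not held to the cipher list the HTTPS site uses; copying that `ssl_ciphers` line would keep the two listeners consistent.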
@@ -0,0 +1,64 @@
+# This file is part of Ghostream
+# Copyright (C) 2020 by Crans
+# SPDX-License-Identifier: GPL-2.0-or-later
+
+# Automatic Connection header for WebSocket support
+# See http://nginx.org/en/docs/http/websocket.html
+map $http_upgrade $connection_upgrade {
+ default upgrade;
+ '' close;
+}
+
+# Redirect HTTP to HTTPS
+server {
+ listen 80;
+ listen [::]:80;
+
+ server_name stream.crans.org;
+
+ location / {
+ return 301 https://$host$request_uri;
+ }
+}
+
+# HTTPS server
+server {
+ listen 443 ssl http2;
+ listen [::]:443 ssl http2;
+
+ server_name stream.crans.org;
+
+ # SSL configuration based on https://ssl-config.mozilla.org/
+ ssl_certificate /etc/letsencrypt/live/stream.crans.org/fullchain.pem;
+ ssl_certificate_key /etc/letsencrypt/live/stream.crans.org/privkey.pem;
+ ssl_session_timeout 1d;
+ ssl_session_cache shared:MozSSL:10m;
+ ssl_session_tickets off;
+
+ # curl https://ssl-config.mozilla.org/ffdhe2048.txt > /etc/letsencrypt/dhparam
+ ssl_dhparam /etc/letsencrypt/dhparam;
+
+ ssl_protocols TLSv1.2 TLSv1.3;
+ ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
+ ssl_prefer_server_ciphers off;
+
+ # HSTS (ngx_http_headers_module is required) (63072000 seconds)
+ add_header Strict-Transport-Security "max-age=63072000" always;
+
+ # Log into separate log files
+ access_log /var/log/nginx/ghostream.log;
+ error_log /var/log/nginx/ghostream_error.log;
+
+ # Serve static HTML page with URL rewriting
+ root /var/www/stream;
+ try_files $uri $uri/ /index.html;
+
+ # Pass WebSocket to OvenMediaEngine for WebRTC signalling
+ location /app/ {
+ proxy_pass http://127.0.0.1:3333;
+ proxy_redirect off;
+ proxy_http_version 1.1;
+ proxy_set_header Upgrade $http_upgrade;
+ proxy_set_header Connection $connection_upgrade;
+ }
+}
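Review bot: The port-80 redirect in `doc/nginx/sites-available/ghostream` builds its target from `$host`, which is taken from the request's Host header. If this block ever serves as the default server for port 80, a request with an arbitrary Host is answered with a 301 pointing at that name. Since `server_name` is fixed, the redirect can name it directly: `return 301 https://stream.crans.org$request_uri;`. In `location /app/`, the proxy forwards neither `Host` nor the client address, so OvenMediaEngine will see every signalling connection as coming from 127.0.0.1; `proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;` would preserve it for upstream logs, if OvenMediaEngine is able to record that header.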
diff --git a/doc/ovenmediaengine/conf/Server.xml b/doc/ovenmediaengine/conf/Server.xml new file mode 100644 index 0000000..909379f --- /dev/null +++ b/doc/ovenmediaengine/conf/Server.xml @@ -0,0 +1,75 @@ + + + + OvenMediaEngine + origin + 127.0.0.1 + + + + + 1915 + + + + + + 3333 + + + *:10000-10005/udp + + + + + + + + default + + + * + + + + + app + live + + + opus_only + + + + + + + ${OriginStreamName} + + opus_only + + + + + + true + + + + 2 + + 30000 + + + + + + +