authoryum <yum.food.vr@gmail.com>2025-10-15 15:12:11 -0700
committeryum <yum.food.vr@gmail.com>2025-10-28 17:19:37 -0700
commitcf2724be776925338c0e5b45638eab140c80b3d5 (patch)
treec382c59e101f6737d9a336c71f4c0e922f50345d
parent8caabef3412f9368888bc50eacda1fac3f08b039 (diff)
tighten up configs
-rw-r--r--README.md11
-rw-r--r--etc/nginx/modules-available/rtmp.conf2
-rw-r--r--etc/nginx/nginx.conf10
-rw-r--r--etc/nginx/sites-available/yummers.dev35
-rwxr-xr-xpush.sh3
5 files changed, 40 insertions, 21 deletions
diff --git a/README.md b/README.md
index 5832972..ef49f2d 100644
--- a/README.md
+++ b/README.md
@@ -1,5 +1,16 @@
Shitty service to proxy data from OBS into an HTTP Live Streaming (HLS) feed VRChat understands.
+## Cost
+
+- One connection is about 7 Mb/s
+- GCE charges $0.05 per GiB
+
+($0.05 $/GiB) * (1 byte / 8 bits) = 0.00625 $/Gib
+(0.00625 $/Gib) * 0.007 Gib/s = $4.375 * 10^-5 $/sec (per connection)
+[$4.375 * 10^-5 / (sec * connection)] * 100 connections = $0.004375 / sec
+
+7 Mb/s is 3.076 GiB/hr
+
## Streamer instructions
1. Configure OBS with a custom server pointing at `rtmps://<your-domain>:1935/live`
diff --git a/etc/nginx/modules-available/rtmp.conf b/etc/nginx/modules-available/rtmp.conf
index 2e852a1..e1fad29 100644
--- a/etc/nginx/modules-available/rtmp.conf
+++ b/etc/nginx/modules-available/rtmp.conf
@@ -35,7 +35,7 @@ stream {
listen 1935 ssl;
proxy_pass rtmp_backend;
access_log /var/log/nginx/rtmp_stream_access.log stream_basic;
- error_log /var/log/nginx/rtmp_stream_error.log debug;
+ error_log /var/log/nginx/rtmp_stream_error.log error;
ssl_certificate /etc/letsencrypt/live/yummers.dev/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/yummers.dev/privkey.pem;
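Review bot: Dropping the stream error_log from `debug` straight to `error` also discards `warn` records, which is one step further than production setups usually go for a TLS listener; `error_log /var/log/nginx/rtmp_stream_error.log warn;` keeps the log quiet while still retaining warnings. Note that `debug` only produces extra output when nginx was built with `--with-debug`, so part of the noise being addressed may have come from elsewhere. The enclosing `server` block inside `stream {}` continues outside this hunk.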
diff --git a/etc/nginx/nginx.conf b/etc/nginx/nginx.conf
index 8830be7..763c968 100644
--- a/etc/nginx/nginx.conf
+++ b/etc/nginx/nginx.conf
@@ -18,7 +18,15 @@ http {
sendfile on;
tcp_nopush on;
types_hash_max_size 2048;
- # server_tokens off;
+ server_tokens off;
+
+ ##
+ # Rate Limiting
+ ##
+
+ # Define rate limit zones
+ limit_req_zone $binary_remote_addr zone=api_limit:10m rate=10r/s;
+ limit_req_zone $binary_remote_addr zone=hls_limit:10m rate=100r/s;
# server_names_hash_bucket_size 64;
# server_name_in_redirect off;
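Review bot: Requests rejected by the new `api_limit`/`hls_limit` zones are answered with nginx's default 503, which HLS players and API clients will most likely treat as a backend outage rather than as throttling; add `limit_req_status 429;` next to the zone definitions so rejections are distinguishable both in the access log and in client retry logic. Both zones are keyed on `$binary_remote_addr`, so every client behind one NAT (a shared venue, a corporate egress) shares a single 10 r/s or 100 r/s budget; a comment on the zone lines stating that this is the intended trade-off would help the next maintainer. Rejections are logged at `error` level by default, so `limit_req_log_level warn;` is worth setting alongside if the error log is meant to stay quiet.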
diff --git a/etc/nginx/sites-available/yummers.dev b/etc/nginx/sites-available/yummers.dev
index 5a40c66..bb5bbc5 100644
--- a/etc/nginx/sites-available/yummers.dev
+++ b/etc/nginx/sites-available/yummers.dev
@@ -6,6 +6,12 @@ server {
server_name yummers.dev www.yummers.dev;
+ # Security headers
+ add_header X-Frame-Options "SAMEORIGIN" always;
+ add_header X-Content-Type-Options "nosniff" always;
+ add_header X-XSS-Protection "1; mode=block" always;
+ add_header Referrer-Policy "strict-origin-when-cross-origin" always;
+
location / {
# First attempt to serve request as file, then
# as directory, then fall back to displaying a 404.
@@ -18,10 +24,7 @@ server {
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
- proxy_set_header Host $host;
- proxy_set_header X-Real-IP $remote_addr;
- proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
- proxy_set_header X-Forwarded-Proto $scheme;
+ include snippets/proxy-headers.conf;
proxy_read_timeout 300s;
proxy_send_timeout 300s;
proxy_buffering off;
@@ -29,15 +32,16 @@ server {
# OBS Proxy API endpoints
location /api/ {
+ limit_req zone=api_limit burst=20 nodelay;
+
proxy_pass http://127.0.0.1:5000;
- proxy_set_header Host $host;
- proxy_set_header X-Real-IP $remote_addr;
- proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
- proxy_set_header X-Forwarded-Proto $scheme;
+ include snippets/proxy-headers.conf;
}
# OBS Proxy HLS playlist + segments
location /hls/ {
+ limit_req zone=hls_limit burst=200 nodelay;
+
alias /var/www/streams/live/;
add_header Cache-Control "no-cache" always;
@@ -50,18 +54,13 @@ server {
}
}
- # OBS Proxy health check
- location /health {
- proxy_pass http://127.0.0.1:5000/health;
- proxy_set_header Host $host;
- }
-
- # Add RTMP callbacks route
+ # Add RTMP callbacks route (internal only)
location /rtmp_callbacks/ {
+ allow 127.0.0.1;
+ deny all;
+
proxy_pass http://127.0.0.1:5000;
- proxy_set_header Host $host;
- proxy_set_header X-Real-IP $remote_addr;
- proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ include snippets/proxy-headers.conf;
}
listen [::]:443 ssl ipv6only=on; # managed by Certbot
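Review bot: The four security headers added at the top of the server block will not be sent on responses from `location /hls/`, because nginx inherits `add_header` from the enclosing level only when the location defines none of its own, and `/hls/` sets `add_header Cache-Control "no-cache" always;`. Either repeat the four `add_header` lines inside `/hls/` or move them into a snippet that is included in every location that carries its own `add_header`. In `/rtmp_callbacks/`, `allow 127.0.0.1;` covers only IPv4 loopback while the server also listens on `[::]:443`, so a callback arriving over `::1` would get a 403; add `allow ::1;` before `deny all;`. `X-XSS-Protection` is a legacy header that current browsers ignore and older ones have mishandled; `X-XSS-Protection "0"` or dropping it is the usual recommendation now. The server block itself starts and ends outside these hunks.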
diff --git a/push.sh b/push.sh
index cba5a07..e19f2c4 100755
--- a/push.sh
+++ b/push.sh
@@ -5,7 +5,7 @@ HOST="yummers.dev"
DEPLOY_DIR="~/obsproxy"
echo "Creating deploy directory on remote host..."
-ssh "$HOST" "mkdir -p $DEPLOY_DIR/etc/systemd/system $DEPLOY_DIR/etc/nginx/modules-available $DEPLOY_DIR/etc/nginx/sites-available $DEPLOY_DIR/opt/obsproxy"
+ssh "$HOST" "mkdir -p $DEPLOY_DIR/etc/systemd/system $DEPLOY_DIR/etc/nginx/modules-available $DEPLOY_DIR/etc/nginx/sites-available $DEPLOY_DIR/etc/nginx/snippets $DEPLOY_DIR/opt/obsproxy"
echo "Copying files to remote host..."
scp -r * "$HOST:$DEPLOY_DIR/"
@@ -36,6 +36,7 @@ sudo cp etc/nginx/modules-available/rtmp.conf /etc/nginx/modules-available/
sudo ln -sf /etc/nginx/modules-available/rtmp.conf /etc/nginx/modules-enabled/rtmp.conf
# Ship the sanitized nginx.conf so only the TLS stream listener owns :1935.
sudo cp etc/nginx/nginx.conf /etc/nginx/nginx.conf
+sudo cp etc/nginx/snippets/proxy-headers.conf /etc/nginx/snippets/
sudo cp etc/nginx/sites-available/yummers.dev /etc/nginx/sites-available/
sudo ln -sf /etc/nginx/sites-available/yummers.dev /etc/nginx/sites-enabled/yummers.dev
sudo cp opt/obsproxy/server.py /opt/obsproxy/
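Review bot: The new `sudo cp etc/nginx/snippets/proxy-headers.conf /etc/nginx/snippets/` line, and the three `include snippets/proxy-headers.conf;` directives it supports in the site config, depend on a file that does not appear in this commit's diffstat (five files, none under etc/nginx/snippets/); unless it was committed separately, the `cp` fails here and nginx refuses to load the site on the next reload. Either add the snippet to this commit or fail loudly before anything is installed, e.g. `test -f etc/nginx/snippets/proxy-headers.conf || { echo "missing proxy-headers.conf" >&2; exit 1; }` near the top of the deploy steps. Within the visible hunks the script neither enables `set -e` nor runs `nginx -t` before the config is put in place, so a failed copy would be easy to miss; the rest of push.sh is outside this view.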