authoryum <yum.food.vr@gmail.com>2025-10-14 19:22:10 -0700
committeryum <yum.food.vr@gmail.com>2025-10-28 17:19:36 -0700
commit32f304df0f463c08c93a22d67da6335bec2b3fbe (patch)
treebf2f12d417734032ad5e3d733098411644674ec3 /etc
parentfdccac50e6740872ac5a6de881f39d660ced0c83 (diff)
switch to rtmps
Diffstat (limited to 'etc')
-rw-r--r--etc/nginx/modules-available/rtmp.conf48
-rw-r--r--etc/nginx/nginx.conf87
-rw-r--r--etc/systemd/system/obsproxy.service2
3 files changed, 137 insertions, 0 deletions
diff --git a/etc/nginx/modules-available/rtmp.conf b/etc/nginx/modules-available/rtmp.conf
new file mode 100644
index 0000000..2e852a1
--- /dev/null
+++ b/etc/nginx/modules-available/rtmp.conf
@@ -0,0 +1,48 @@
+# RTMP ingest pipeline with TLS termination via the stream module.
+# - External publishers connect over RTMPS on tcp/1935.
+# - The stream module terminates TLS and forwards plain RTMP to nginx-rtmp on 127.0.0.1:1936.
+# - nginx-rtmp still triggers publish callbacks consumed by obsproxy.
+
+rtmp {
+ server {
+ listen 1936; # internal plain RTMP listener
+ chunk_size 4096;
+
+ application live {
+ live on;
+ record off;
+
+ # Allow publish/play; obsproxy enforces the ingest PSK.
+ allow publish all;
+ allow play all;
+
+ on_publish http://127.0.0.1:5000/rtmp_callbacks/on_publish;
+ on_publish_done http://127.0.0.1:5000/rtmp_callbacks/on_publish_done;
+ }
+ }
+}
+
+stream {
+ log_format stream_basic '$remote_addr:$remote_port -> $server_addr:$server_port '
+ 'sent=$bytes_sent received=$bytes_received '
+ 'time=$session_time';
+
+ upstream rtmp_backend {
+ server 127.0.0.1:1936;
+ }
+
+ server {
+ listen 1935 ssl;
+ proxy_pass rtmp_backend;
+ access_log /var/log/nginx/rtmp_stream_access.log stream_basic;
+ error_log /var/log/nginx/rtmp_stream_error.log debug;
+
+ ssl_certificate /etc/letsencrypt/live/yummers.dev/fullchain.pem;
+ ssl_certificate_key /etc/letsencrypt/live/yummers.dev/privkey.pem;
+ ssl_protocols TLSv1.2 TLSv1.3;
+ ssl_ciphers HIGH:!aNULL:!MD5;
+ ssl_session_cache shared:rtmp_stream_cache:10m;
+ ssl_session_timeout 10m;
+ proxy_timeout 5m;
+ }
+}
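Review bot: `listen 1936;` in the rtmp server block binds the plain-RTMP listener on every interface, while the header comment and the `rtmp_backend` upstream both assume it is reachable only at 127.0.0.1:1936. Unless a host firewall blocks tcp/1936, clients can connect to the unencrypted listener directly and skip the TLS terminator on 1935; `listen 127.0.0.1:1936; # internal plain RTMP listener` keeps it loopback-only. Separately, `allow play all;` has no `on_play` callback next to it, so as far as this file shows only publishing is checked by obsproxy and playback is open to anyone who can connect. The `debug` level on the stream server's `error_log` is also worth lowering to `info` or `warn` once the migration is verified, since debug logs are verbose and grow quickly.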
diff --git a/etc/nginx/nginx.conf b/etc/nginx/nginx.conf
new file mode 100644
index 0000000..3eab3a5
--- /dev/null
+++ b/etc/nginx/nginx.conf
@@ -0,0 +1,87 @@
+user www-data;
+worker_processes auto;
+pid /run/nginx.pid;
+error_log /var/log/nginx/error.log;
+include /etc/nginx/modules-enabled/*.conf;
+
+events {
+ worker_connections 768;
+ # multi_accept on;
+}
+
+http {
+
+ ##
+ # Basic Settings
+ ##
+
+ sendfile on;
+ tcp_nopush on;
+ types_hash_max_size 2048;
+ # server_tokens off;
+
+ # server_names_hash_bucket_size 64;
+ # server_name_in_redirect off;
+
+ include /etc/nginx/mime.types;
+ default_type application/octet-stream;
+
+ ##
+ # SSL Settings
+ ##
+
+ ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3; # Dropping SSLv3, ref: POODLE
+ ssl_prefer_server_ciphers on;
+
+ ##
+ # Logging Settings
+ ##
+
+ access_log /var/log/nginx/access.log;
+
+ ##
+ # Gzip Settings
+ ##
+
+ # If a .gz version of any given file exists, serve it instead.
+ gzip on;
+
+ # gzip_vary on;
+ # gzip_proxied any;
+ # gzip_comp_level 6;
+ # gzip_buffers 16 8k;
+ # gzip_http_version 1.1;
+ # gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript;
+
+ ##
+ # Virtual Host Configs
+ ##
+
+ include /etc/nginx/conf.d/*.conf;
+ include /etc/nginx/sites-enabled/*;
+
+ # If a .gz suffixed version of a file exists, serve it instead.
+ gzip_static on;
+}
+
+
+#mail {
+# # See sample authentication script at:
+# # http://wiki.nginx.org/ImapAuthenticateWithApachePhpScript
+#
+# # auth_http localhost/auth.php;
+# # pop3_capabilities "TOP" "USER";
+# # imap_capabilities "IMAP4rev1" "UIDPLUS";
+#
+# server {
+# listen localhost:110;
+# protocol pop3;
+# proxy on;
+# }
+#
+# server {
+# listen localhost:143;
+# protocol imap;
+# proxy on;
+# }
+#}
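Review bot: `ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;` in the http block still enables TLS 1.0 and 1.1, which are deprecated (RFC 8996), and it disagrees with the stream server in rtmp.conf from this same commit, which allows only TLSv1.2 and TLSv1.3. Suggest `ssl_protocols TLSv1.2 TLSv1.3;` here so every HTTPS vhost included from sites-enabled inherits the same floor. The comment above `gzip on;` ("If a .gz version of any given file exists, serve it instead.") describes `gzip_static`, not `gzip`; reword it to `# Compress responses on the fly.`. Consider uncommenting `server_tokens off;` so responses stop advertising the nginx version.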
diff --git a/etc/systemd/system/obsproxy.service b/etc/systemd/system/obsproxy.service
index f60177d..b145a17 100644
--- a/etc/systemd/system/obsproxy.service
+++ b/etc/systemd/system/obsproxy.service
@@ -21,6 +21,8 @@ Environment=STREAM_DIR=/var/www/streams
Environment=PORT=5000
Environment=STREAM_PSK=your_pre_shared_key
Environment=LOG_LEVEL=INFO
+Environment=INGEST_RTMP_HOST=127.0.0.1
+Environment=INGEST_RTMP_PORT=1936
# Security settings
NoNewPrivileges=true