Diffstat (limited to 'etc')
| -rw-r--r-- | etc/nginx/modules-available/rtmp.conf | 2 | ||||
| -rw-r--r-- | etc/nginx/nginx.conf | 10 | ||||
| -rw-r--r-- | etc/nginx/sites-available/yummers.dev | 35 |
3 files changed, 27 insertions, 20 deletions
diff --git a/etc/nginx/modules-available/rtmp.conf b/etc/nginx/modules-available/rtmp.conf
index 2e852a1..e1fad29 100644
--- a/etc/nginx/modules-available/rtmp.conf
+++ b/etc/nginx/modules-available/rtmp.conf
@@ -35,7 +35,7 @@ stream {
 listen 1935 ssl;
 proxy_pass rtmp_backend;
 access_log /var/log/nginx/rtmp_stream_access.log stream_basic;
- error_log /var/log/nginx/rtmp_stream_error.log debug;
+ error_log /var/log/nginx/rtmp_stream_error.log error;
 ssl_certificate /etc/letsencrypt/live/yummers.dev/fullchain.pem;
 ssl_certificate_key /etc/letsencrypt/live/yummers.dev/privkey.pem;
diff --git a/etc/nginx/nginx.conf b/etc/nginx/nginx.conf
index 8830be7..763c968 100644
--- a/etc/nginx/nginx.conf
+++ b/etc/nginx/nginx.conf
@@ -18,7 +18,15 @@ http {
 sendfile on;
 tcp_nopush on;
 types_hash_max_size 2048;
- # server_tokens off;
+ server_tokens off;
+
+ ##
+ # Rate Limiting
+ ##
+
+ # Define rate limit zones
+ limit_req_zone $binary_remote_addr zone=api_limit:10m rate=10r/s;
+ limit_req_zone $binary_remote_addr zone=hls_limit:10m rate=100r/s;
 # server_names_hash_bucket_size 64;
 # server_name_in_redirect off;
diff --git a/etc/nginx/sites-available/yummers.dev b/etc/nginx/sites-available/yummers.dev
index 5a40c66..bb5bbc5 100644
--- a/etc/nginx/sites-available/yummers.dev
+++ b/etc/nginx/sites-available/yummers.dev
@@ -6,6 +6,12 @@ server {
 server_name yummers.dev www.yummers.dev;
+ # Security headers
+ add_header X-Frame-Options "SAMEORIGIN" always;
+ add_header X-Content-Type-Options "nosniff" always;
+ add_header X-XSS-Protection "1; mode=block" always;
+ add_header Referrer-Policy "strict-origin-when-cross-origin" always;
+
 location / {
 # First attempt to serve request as file, then
 # as directory, then fall back to displaying a 404.
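Review bot: Going from `debug` straight to `error` on the stream listener's error_log also silences `warn` and `notice`, so any operational signal nginx emits below `error` for this TLS-terminating RTMP proxy (upstream and handshake warnings, where nginx logs them at that level) disappears from this file; `warn` is the customary production floor, `error_log /var/log/nginx/rtmp_stream_error.log warn;`. The `stream { … }` server block this hunk edits starts and ends outside the hunk.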
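Review bot: Both limit_req_zone directives key on `$binary_remote_addr`, i.e. the TCP peer address; that is correct for the direct `listen 443` setup visible in the site file, but if a CDN or load balancer is ever placed in front, every client collapses into the proxy's single bucket and the limit becomes a self-inflicted outage — at that point `set_real_ip_from`/`real_ip_header` (ngx_http_realip_module) must be configured before these zones are meaningful. Rejected requests also get nginx's default 503, which monitoring will read as backend failure rather than throttling; adding `limit_req_status 429;` and `limit_req_log_level warn;` next to the zone definitions makes the two distinguishable. The `http { … }` block continues outside the hunk.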
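Review bot: `X-XSS-Protection "1; mode=block"` turns on a legacy browser filter that current browsers ignore and that older implementations could be abused through for cross-site information leaks; present guidance is `add_header X-XSS-Protection "0" always;` (or dropping the header) and relying on a Content-Security-Policy, which this header set does not include. The server terminates TLS on 443 yet sets no `Strict-Transport-Security` here — if nothing else in the server block (outside this hunk) adds one, `add_header Strict-Transport-Security "max-age=31536000" always;` is the usual companion once the HTTPS redirect is known to be stable. The `server { … }` block this hunk edits continues outside the hunk.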
@@ -18,10 +24,7 @@ server {
 proxy_http_version 1.1;
 proxy_set_header Upgrade $http_upgrade;
 proxy_set_header Connection "upgrade";
- proxy_set_header Host $host;
- proxy_set_header X-Real-IP $remote_addr;
- proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
- proxy_set_header X-Forwarded-Proto $scheme;
+ include snippets/proxy-headers.conf;
 proxy_read_timeout 300s;
 proxy_send_timeout 300s;
 proxy_buffering off;
@@ -29,15 +32,16 @@ server {
 # OBS Proxy API endpoints
 location /api/ {
+ limit_req zone=api_limit burst=20 nodelay;
+
 proxy_pass http://127.0.0.1:5000;
- proxy_set_header Host $host;
- proxy_set_header X-Real-IP $remote_addr;
- proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
- proxy_set_header X-Forwarded-Proto $scheme;
+ include snippets/proxy-headers.conf;
 }
 # OBS Proxy HLS playlist + segments
 location /hls/ {
+ limit_req zone=hls_limit burst=200 nodelay;
+
 alias /var/www/streams/live/;
 add_header Cache-Control "no-cache" always;
@@ -50,18 +54,13 @@ server {
 }
 }
- # OBS Proxy health check
- location /health {
- proxy_pass http://127.0.0.1:5000/health;
- proxy_set_header Host $host;
- }
-
- # Add RTMP callbacks route
+ # Add RTMP callbacks route (internal only)
 location /rtmp_callbacks/ {
+ allow 127.0.0.1;
+ deny all;
+
 proxy_pass http://127.0.0.1:5000;
- proxy_set_header Host $host;
- proxy_set_header X-Real-IP $remote_addr;
- proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ include snippets/proxy-headers.conf;
 }
 listen [::]:443 ssl ipv6only=on; # managed by Certbot |
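Review bot: The four `proxy_set_header` lines are replaced by `include snippets/proxy-headers.conf;`, but that snippet is not in this commit — the diffstat is limited to `etc/` and a file under `etc/nginx/snippets/` would have appeared — so it is either pre-existing or missing, and if missing `nginx -t` fails at reload. Please confirm the snippet sets exactly `Host $host`, `X-Real-IP $remote_addr`, `X-Forwarded-For $proxy_add_x_forwarded_for` and `X-Forwarded-Proto $scheme`, otherwise the backend loses the client address (and with it any per-client audit or throttling) or the scheme; note also that `/rtmp_callbacks/` in a later hunk previously never sent `X-Forwarded-Proto`, so the shared snippet changes what that backend receives. The `location` block this hunk edits starts outside the hunk.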
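Review bot: `add_header Cache-Control "no-cache" always;` inside `location /hls/` means the server-level security headers introduced earlier in this commit (X-Frame-Options, X-Content-Type-Options, Referrer-Policy, …) are not sent for HLS playlists and segments, because nginx inherits `add_header` from the enclosing level only when the current level defines none of its own. Either repeat the security headers in this location or move the whole set into a snippet that is `include`d at server level and again here, so the public media endpoint is covered. The `/hls/` location continues past the end of this hunk.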
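Review bot: `allow 127.0.0.1; deny all;` on `/rtmp_callbacks/` admits only IPv4 loopback, while the same hunk shows the server listening on `[::]:443`; a callback reaching this host over IPv6 loopback arrives as `::1` and is answered with 403, so if that path is possible add `allow ::1;` after `allow 127.0.0.1;`. The loopback allow-list also presumes the process issuing the callbacks runs on this machine — rtmp.conf proxies port 1935 to `rtmp_backend`, so if that backend is remote the callbacks will be denied; worth confirming before deploy. Dropping `location /health` means any external monitor still polling `/health` now falls through to `location /` (its body is outside this hunk, presumably a static 404), so retire or move that check rather than letting it fail silently.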
