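#!/usr/bin/env bash
# Install amazon-efs-utils from source and mount the EFS filesystem at /efs.
# https://docs.aws.amazon.com/efs/latest/ug/installing-other-distro.html
# Replace <UNIQUEIDHERE> with the EFS filesystem id before running.
set -euo pipefail

efs_id='<UNIQUEIDHERE>'   # EFS filesystem id (fs-...)

sudo apt-get -y install binutils
git clone https://github.com/aws/efs-utils
cd efs-utils
# Build a released tag rather than whatever HEAD is today: an unpinned
# clone is not reproducible and trusts the repo's state at clone time.
git checkout '<efs-utils-release-tag>'
./build-deb.sh
sudo apt-get -y install ./build/amazon-efs-utils*.deb
cd ..

# Mount point plus the recordings directory nginx-rtmp writes into (the
# original chown'd /efs/recordings without creating it first).
sudo mkdir -p /efs
# -o tls encrypts the NFS traffic in transit (efs-utils runs a local stunnel
# for this); the original mount sent NFS in the clear.
sudo mount -t efs -o tls "${efs_id}:/" /efs
sudo mkdir -p /efs/recordings
sudo chown www-data:www-data /efs/recordings
df -h /efs   # verify the mount is live

# Persist the mount across reboots; _netdev defers it until the network is up.
printf '%s:/ /efs efs _netdev,tls 0 0\n' "${efs_id}" | sudo tee -a /etc/fstab >/dev/null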
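#!/usr/bin/env bash
# Set up nginx with the RTMP module: ingest on :1935, record to EFS, serve
# HLS, and relay to Facebook (through the local stunnel RTMPS bridge on
# 127.0.0.1:19350) and YouTube.
# Replace both <streamkey> placeholders and <uniquepassword> before running.
set -euo pipefail

# The upgrade may prompt about a locally modified file; the original author
# chose to keep the local version.
sudo apt update && sudo apt upgrade -y
sudo apt install -y build-essential libpcre3 libpcre3-dev libssl-dev nginx libnginx-mod-rtmp ffmpeg

# rtmp {} is a top-level block, so appending it to nginx.conf is valid (the
# original page pasted it in with nano).
sudo tee -a /etc/nginx/nginx.conf >/dev/null <<'EOF'

rtmp {
  server {
    listen 1935;
    chunk_size 4096;
    notify_method get;
    drop_idle_publisher 10s;

    application live {
      # Publishers must send ?pwd=<uniquepassword>; the /auth location in
      # the default site answers 200 or 401. With notify_method get the
      # password is carried in the query string of that HTTP call.
      on_publish http://localhost/auth;
      live on;
      record all;
      record_path /efs/recordings;
      record_unique on;
      hls on;
      hls_path /hls/live;
      hls_fragment 2s;
      hls_playlist_length 4s;
      push rtmp://localhost/facebook;
      push rtmp://localhost/youtube;
    }

    # Facebook Stream Application (relayed via the stunnel RTMPS bridge)
    application facebook {
      live on;
      record off;
      # Only allow localhost to publish
      allow publish 127.0.0.1;
      deny publish all;
      # Push URL with the Facebook stream key
      push rtmp://127.0.0.1:19350/rtmp/<streamkey>;
    }

    # YouTube Application
    application youtube {
      live on;
      record off;
      # Only allow localhost to publish
      allow publish 127.0.0.1;
      deny publish all;
      # Push URL with the YouTube stream key (the original omitted the
      # trailing ';', which makes `nginx -t` fail)
      push rtmp://a.rtmp.youtube.com/live2/<streamkey>;
    }
  }
}
EOF

# HLS output directory. The nginx workers (www-data on Ubuntu) write the
# fragments, so it is owned like /efs/recordings rather than by $USER.
sudo mkdir -p /hls/live
sudo chown -R www-data:www-data /hls/live

# Manual step: add this location inside the server {} block of
# /etc/nginx/sites-enabled/default (the default server is what
# http://localhost/auth reaches). Limiting it to loopback keeps remote
# clients from using the 200/401 answers to guess the password, and
# access_log off keeps ?pwd=... out of the access log.
#
#   location /auth {
#     allow 127.0.0.1;
#     allow ::1;
#     deny all;
#     access_log off;
#     if ($arg_pwd = '<uniquepassword>') {
#       return 200;
#     }
#     return 401;
#   }
sudo nano /etc/nginx/sites-enabled/default

sudo nginx -t   # validate the configuration before restarting
sudo systemctl restart nginx.service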
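#!/usr/bin/env bash
# nginx virtual host that serves the HLS playlist and segments from /hls.
# It starts HTTP-only: `certbot --nginx` (run later) adds the 443 listeners
# and ssl_certificate lines. The original declared `listen 443 ssl` before
# any certificate existed, and nginx refuses to start without one.
set -euo pipefail

sudo tee /etc/nginx/sites-available/example.net >/dev/null <<'EOF'
server {
  listen 80;        # HTTP IPv4
  listen [::]:80;   # HTTP IPv6
  server_name example.net;

  location / {
    # Disable cache: the playlist changes every few seconds
    add_header Cache-Control no-cache;

    # Enable CORS (public stream: any origin may read it)
    add_header 'Access-Control-Allow-Origin' '*' always;
    add_header 'Access-Control-Expose-Headers' 'Content-Length';

    # Allow CORS preflight requests. add_header is not inherited into a
    # block that sets its own headers, so they are repeated here.
    if ($request_method = 'OPTIONS') {
      add_header 'Access-Control-Allow-Origin' '*';
      add_header 'Access-Control-Max-Age' 1728000;
      add_header 'Content-Type' 'text/plain charset=UTF-8';
      add_header 'Content-Length' 0;
      return 204;
    }

    # MIME types for the playlist (.m3u8) and the segments (.ts); the
    # original mapped no extension to video/mp2t, so segments were served
    # as application/octet-stream.
    types {
      application/vnd.apple.mpegurl m3u8;
      video/mp2t ts;
    }

    # File location: the parent of hls_path in the rtmp application
    root /hls;
  }
}
EOF

sudo ln -sf /etc/nginx/sites-available/example.net /etc/nginx/sites-enabled/example.net
sudo nginx -t   # validate the configuration before restarting
sudo systemctl restart nginx.service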
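#!/usr/bin/env bash
# Build stunnel from source and configure an RTMP -> RTMPS bridge so the
# nginx "facebook" application can push to Facebook Live over TLS.
set -euo pipefail

stunnel_ver='5.56'
tarball="stunnel-${stunnel_ver}.tar.gz"

# Download and build as the normal user; only `make install` needs root.
# -f fails on an HTTP error instead of saving the error page as the tarball.
curl -fsSLo "$tarball" "https://www.stunnel.org/downloads/${tarball}"
# Verify the release before building it: stunnel.org publishes a detached
# signature for each tarball; check it with gpg against the maintainer's
# key. The original page built the download unverified.
tar xzf "$tarball"
cd "stunnel-${stunnel_ver}"
./configure
make
sudo make install   # installs under /usr/local
sudo ln -sf /usr/local/bin/stunnel /bin/stunnel
cd ..

# NOTE(review): the service, user and paths below (stunnel4, /var/log/stunnel4,
# /etc/default/stunnel4) belong to the Ubuntu stunnel4 package, which runs
# its own binary; the source build above is a second copy in /usr/local.
# Confirm which binary the stunnel4 unit actually starts.
sudo mkdir -p /etc/stunnel/conf.d
sudo tee /etc/stunnel/stunnel.conf >/dev/null <<'EOF'
; /etc/stunnel/stunnel.conf -- replaces the shipped sample file, whose
; uncommented [gmail-pop3]/[gmail-imap]/[gmail-smtp] client services would
; otherwise listen on 127.0.0.1:110/143/25.
setuid = stunnel4
setgid = stunnel4
; The pid file is created by root before privileges are dropped; /tmp is
; world-writable, so a root-owned run directory is the safer location.
pid=/tmp/stunnel.pid
output = /var/log/stunnel4/stunnel.log
include = /etc/stunnel/conf.d
EOF

# RTMP -> RTMPS tunnel. The Facebook stream key travels over this connection,
# so the server certificate has to be validated: the original
# `verifyChain = no` accepted any certificate, letting an on-path attacker
# read the key. The three options below mirror the shipped client examples.
sudo tee /etc/stunnel/conf.d/fb.conf >/dev/null <<'EOF'
[fb-live]
client = yes
accept = 127.0.0.1:19350
connect = live-api-s.facebook.com:443
verifyChain = yes
CApath = /etc/ssl/certs
checkHost = live-api-s.facebook.com
EOF

# Manual step: set ENABLE=1 in /etc/default/stunnel4 (as the original page
# states; check the exact variable name used in that file).
sudo nano /etc/default/stunnel4

sudo systemctl restart stunnel4 && sudo systemctl status stunnel4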
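#!/usr/bin/env bash
# Obtain a Let's Encrypt certificate and let certbot add the HTTPS listeners
# to the example.net site. The -d value must match server_name in
# /etc/nginx/sites-available/example.net (the original passed example.com).
set -euo pipefail

sudo add-apt-repository ppa:certbot/certbot
sudo apt-get update
# NOTE(review): python-certbot-nginx is the Python 2 era package name; current
# Ubuntu releases ship python3-certbot-nginx in the main archive, no PPA needed.
sudo apt-get install python-certbot-nginx
sudo certbot --nginx -d example.net
sudo certbot renew --dry-run   # the package's systemd timer handles renewal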