Setup of AWS RTMP Server with EFS

#Install amazon-efs-utils and mount EFS
#https://docs.aws.amazon.com/efs/latest/ug/installing-other-distro.html
sudo apt-get -y install binutils
git clone https://github.com/aws/efs-utils
cd efs-utils
./build-deb.sh
sudo apt-get -y install ./build/amazon-efs-utils*deb
cd /
sudo mkdir /efs
sudo mount -t efs <UNIQUEIDHERE>:/ efs
sudo chown www-data:www-data /efs/recordings/
#verify with df

sudo nano /etc/fstab
#Add this line
<UNIQUEIDHERE>:/ /efs efs defaults,_netdev 0 0

#Install amazon-efs-utils and mount EFS

#https://docs.aws.amazon.com/efs/latest/ug/installing-other-distro.html

sudo apt-get -y install binutils

git clone https://github.com/aws/efs-utils

cd efs-utils

./build-deb.sh

sudo apt-get -y install ./build/amazon-efs-utils*deb

cd /

sudo mkdir /efs

sudo mount -t efs <UNIQUEIDHERE>:/ efs

sudo chown www-data:www-data /efs/recordings/

#verify with df

sudo nano /etc/fstab

#Add this line

<UNIQUEIDHERE>:/ /efs efs defaults,_netdev 0 0

#Setup Server
#I chose to keep local version of boot/men
sudo apt update && sudo apt upgrade -y
sudo apt install build-essential libpcre3 libpcre3-dev libssl-dev nginx libnginx-mod-rtmp ffmpeg -y
sudo nano /etc/nginx/nginx.conf

rtmp {
    server {
        listen 1935;
        chunk_size 4096;
        notify_method get;
        drop_idle_publisher 10s;
        application live {
            on_publish http://localhost/auth;
            live on;
            record all;
            record_path /efs/recordings;
            record_unique on;
            hls on;
            hls_path /hls/live;
            hls_fragment 2s;
            hls_playlist_length 4s;
push rtmp://localhost/facebook;
push rtmp://localhost/youtube;
        }
# Facebook Stream Application  
application facebook {
  live on;
  record off;

  #Only allow localhost to publish
  allow publish 127.0.0.1;
  deny publish all;

  # Push URL with the Facebook stream key
  push rtmp://127.0.0.1:19350/rtmp/<streamkey>;
}
# YouTube Application  
application youtube {
  live on;
  record off;

  #Only allow localhost to publish
  allow publish 127.0.0.1;
  deny publish all;

  # Push URL with the Facebook stream key
  push rtmp://a.rtmp.youtube.com/live2/<streamkey>
}
    }
}

sudo mkdir -p /hls/live
sudo chown -R $USER:$USER /hls/live
sudo nano /etc/nginx/sites-enabled/default
location /auth {
    if ($arg_pwd = '<uniquepassword>') {
        return 200;
    }
    return 401;
}

sudo systemctl restart nginx.service

#Setup Server

#I chose to keep local version of boot/men

sudo apt update && sudo apt upgrade -y

sudo apt install build-essential libpcre3 libpcre3-dev libssl-dev nginx libnginx-mod-rtmp ffmpeg -y

sudo nano /etc/nginx/nginx.conf

rtmp {

server {

listen 1935;

chunk_size 4096;

notify_method get;

drop_idle_publisher 10s;

application live {

on_publish http://localhost/auth;

live on;

record all;

record_path /efs/recordings;

record_unique on;

hls on;

hls_path /hls/live;

hls_fragment 2s;

hls_playlist_length 4s;

push rtmp://localhost/facebook;

push rtmp://localhost/youtube;

}

# Facebook Stream Application

application facebook {

live on;

record off;

#Only allow localhost to publish

allow publish 127.0.0.1;

deny publish all;

# Push URL with the Facebook stream key

push rtmp://127.0.0.1:19350/rtmp/<streamkey>;

}

# YouTube Application

application youtube {

live on;

record off;

#Only allow localhost to publish

allow publish 127.0.0.1;

deny publish all;

# Push URL with the Facebook stream key

push rtmp://a.rtmp.youtube.com/live2/<streamkey>

}

sudo mkdir -p /hls/live

sudo chown -R $USER:$USER /hls/live

sudo nano /etc/nginx/sites-enabled/default

location /auth {

if ($arg_pwd = '<uniquepassword>') {

return 200;

}

return 401;

}

sudo systemctl restart nginx.service

sudo cp /etc/nginx/sites-available/default /etc/nginx/sites-available/example.net
sudo nano /etc/nginx/sites-available/example.net
server {
        listen 80;      # HTTP IPv4
        listen [::]:80; # HTTP IPv6
        listen 443 ssl;      # HTTPS IPv4; force SSL
        listen [::]:443 ssl; # HTTPS IPv6; force SSL
        server_name example.net;

        location / {
        # Disable cache
        add_header Cache-Control no-cache;

            # Enable CORS
            add_header 'Access-Control-Allow-Origin' '*' always;
            add_header 'Access-Control-Expose-Headers' 'Content-Length';

            # Allow CORS preflight requests
            if ($request_method = 'OPTIONS') {
                add_header 'Access-Control-Allow-Origin' '*';
                add_header 'Access-Control-Max-Age' 1728000;
                add_header 'Content-Type' 'text/plain charset=UTF-8';
                add_header 'Content-Length' 0;
                return 204;
            }

            # Specify file type to be served (.m3u8)
            types {
            application/vnd.apple.mpegurl m3u8;
                video/mp2t;
            }

            # File location
            # Set to the same hls_path specified in the rtmp application
            root /hls;
    }
}

sudo ln -s /etc/nginx/sites-available/example.net /etc/nginx/sites-enabled/
sudo systemctl restart nginx.service

sudo cp /etc/nginx/sites-available/default /etc/nginx/sites-available/example.net

sudo nano /etc/nginx/sites-available/example.net

server {

listen 80; # HTTP IPv4

listen [::]:80; # HTTP IPv6

listen 443 ssl; # HTTPS IPv4; force SSL

listen [::]:443 ssl; # HTTPS IPv6; force SSL

server_name example.net;

location / {

# Disable cache

add_header Cache-Control no-cache;

# Enable CORS

add_header 'Access-Control-Allow-Origin' '*' always;

add_header 'Access-Control-Expose-Headers' 'Content-Length';

# Allow CORS preflight requests

if ($request_method = 'OPTIONS') {

add_header 'Access-Control-Allow-Origin' '*';

add_header 'Access-Control-Max-Age' 1728000;

add_header 'Content-Type' 'text/plain charset=UTF-8';

add_header 'Content-Length' 0;

return 204;

}

# Specify file type to be served (.m3u8)

types {

application/vnd.apple.mpegurl m3u8;

video/mp2t;

}

# File location

# Set to the same hls_path specified in the rtmp application

root /hls;

}

sudo ln -s /etc/nginx/sites-available/example.net /etc/nginx/sites-enabled/

sudo systemctl restart nginx.service

sudo curl -o stunnel-5.56.tar.gz https://www.stunnel.org/downloads/stunnel-5.56.tar.gz
sudo tar xvfz stunnel-5.56.tar.gz
cd stunnel-5.56
sudo ./configure
sudo make
sudo make install
sudo ln -s /usr/local/bin/stunnel /bin/stunnel
sudo nano /etc/stunnel/stunnel.conf
; Sample stunnel configuration file for Unix by Michal Trojnara 1998-2019
; Some options used here may be inadequate for your particular configuration
; This sample file does *not* represent stunnel.conf defaults
; Please consult the manual for detailed description of available options

; **************************************************************************
; * Global options                                                         *
; **************************************************************************

; It is recommended to drop root privileges if stunnel is started by root
;setuid = nobody
;setgid = nogroup

; PID file is created inside the chroot jail (if enabled)
;pid = /usr/local/var/run/stunnel.pid

; Debugging stuff (may be useful for troubleshooting)
;foreground = yes
;debug = info
;output = /usr/local/var/log/stunnel.log

; Enable FIPS 140-2 mode if needed for compliance
;fips = yes

; The pkcs11 engine allows for authentication with cryptographic
; keys isolated in a hardware or software token
; MODULE_PATH specifies the path to the pkcs11 module shared library,
; e.g. softhsm2.dll or opensc-pkcs11.so
; Each section using this feature also needs the "engineId = pkcs11" option
;engine = pkcs11
;engineCtrl = MODULE_PATH:/usr/lib/softhsm/libsofthsm2.so
;engineCtrl = PIN:1234

; **************************************************************************
; * Service defaults may also be specified in individual service sections  *
; **************************************************************************

; Enable support for the insecure SSLv3 protocol
;options = -NO_SSLv3

; These options provide additional security at some performance degradation
;options = SINGLE_ECDH_USE
;options = SINGLE_DH_USE

; **************************************************************************
; * Include all configuration file fragments from the specified folder     *
; **************************************************************************

;include = /usr/local/etc/stunnel/conf.d

; **************************************************************************
; * Service definitions (remove all services for inetd mode)               *
; **************************************************************************

; ***************************************** Example TLS client mode services

; The following examples use /etc/ssl/certs, which is the common location
; of a hashed directory containing trusted CA certificates.  This is not
; a hardcoded path of the stunnel package, as it is not related to the
; stunnel configuration in /usr/local/etc/stunnel/.

[gmail-pop3]
client = yes
accept = 127.0.0.1:110
connect = pop.gmail.com:995
verifyChain = yes
CApath = /etc/ssl/certs
checkHost = pop.gmail.com
OCSPaia = yes

[gmail-imap]
client = yes
accept = 127.0.0.1:143
connect = imap.gmail.com:993
verifyChain = yes
CApath = /etc/ssl/certs
checkHost = imap.gmail.com
OCSPaia = yes

[gmail-smtp]
client = yes
accept = 127.0.0.1:25
connect = smtp.gmail.com:465
verifyChain = yes
CApath = /etc/ssl/certs
checkHost = smtp.gmail.com
OCSPaia = yes

; Encrypted HTTP proxy authenticated with a client certificate
; located in a cryptographic token
;[example-pkcs11]
;client = yes
;accept = 127.0.0.1:8080
;connect = example.com:8443
;engineId = pkcs11
;cert = pkcs11:token=MyToken;object=MyCert
;key = pkcs11:token=MyToken;object=MyKey

; ***************************************** Example TLS server mode services

;[pop3s]
;accept  = 995
;connect = 110
;cert = /usr/local/etc/stunnel/stunnel.pem

;[imaps]
;accept  = 993
;connect = 143
;cert = /usr/local/etc/stunnel/stunnel.pem

; Either only expose this service to trusted networks, or require
; authentication when relaying emails originated from loopback.
; Otherwise the following configuration creates an open relay.
;[ssmtp]
;accept  = 465
;connect = 25
;cert = /usr/local/etc/stunnel/stunnel.pem

; TLS front-end to a web server
;[https]
;accept  = 443
;connect = 80
;cert = /usr/local/etc/stunnel/stunnel.pem
; "TIMEOUTclose = 0" is a workaround for a design flaw in Microsoft SChannel
; Microsoft implementations do not use TLS close-notify alert and thus they
; are vulnerable to truncation attacks
;TIMEOUTclose = 0

; Remote shell protected with PSK-authenticated TLS
; Create "/usr/local/etc/stunnel/secrets.txt" containing IDENTITY:KEY pairs
;[shell]
;accept = 1337
;exec = /bin/sh
;execArgs = sh -i
;PSKsecrets = /usr/local/etc/stunnel/secrets.txt

; Non-standard MySQL-over-TLS encapsulation connecting the Unix socket
;[mysql]
;cert = /usr/local/etc/stunnel/stunnel.pem
;accept = 3307
;connect = /run/mysqld/mysqld.sock

; vim:ft=dosini



# Stunnel basic config
# /etc/stunnel/stunnel.conf 
setuid = stunnel4
setgid = stunnel4
pid=/tmp/stunnel.pid
output = /var/log/stunnel4/stunnel.log
include = /etc/stunnel/conf.d

#Set ENABLE=1 in /etc/default/stunnel4

# RTMP -> RTMPS tunnel
#/etc/stunnel/conf.d/fb.conf 
[fb-live]
client = yes
accept = 127.0.0.1:19350
connect = live-api-s.facebook.com:443
verifyChain = no

sudo systemctl restart stunnel4 && sudo systemctl status stunnel4

100

101

102

103

104

105

106

107

108

109

110

111

112

113

114

115

116

117

118

119

120

121

122

123

124

125

126

127

128

129

130

131

132

133

134

135

136

137

138

139

140

141

142

143

144

145

146

147

148

149

150

151

152

153

154

155

156

157

158

159

160

161

162

163

164

165

166

167

168

169

170

171

172

173

sudo curl -o stunnel-5.56.tar.gz https://www.stunnel.org/downloads/stunnel-5.56.tar.gz

sudo tar xvfz stunnel-5.56.tar.gz

cd stunnel-5.56

sudo ./configure

sudo make

sudo make install

sudo ln -s /usr/local/bin/stunnel /bin/stunnel

sudo nano /etc/stunnel/stunnel.conf

; Sample stunnel configuration file for Unix by Michal Trojnara 1998-2019

; Some options used here may be inadequate for your particular configuration

; This sample file does *not* represent stunnel.conf defaults

; Please consult the manual for detailed description of available options

; **************************************************************************

; * Global options *

; **************************************************************************

; It is recommended to drop root privileges if stunnel is started by root

;setuid = nobody

;setgid = nogroup

; PID file is created inside the chroot jail (if enabled)

;pid = /usr/local/var/run/stunnel.pid

; Debugging stuff (may be useful for troubleshooting)

;foreground = yes

;debug = info

;output = /usr/local/var/log/stunnel.log

; Enable FIPS 140-2 mode if needed for compliance

;fips = yes

; The pkcs11 engine allows for authentication with cryptographic

; keys isolated in a hardware or software token

; MODULE_PATH specifies the path to the pkcs11 module shared library,

; e.g. softhsm2.dll or opensc-pkcs11.so

; Each section using this feature also needs the "engineId = pkcs11" option

;engine = pkcs11

;engineCtrl = MODULE_PATH:/usr/lib/softhsm/libsofthsm2.so

;engineCtrl = PIN:1234

; **************************************************************************

; * Service defaults may also be specified in individual service sections *

; **************************************************************************

; Enable support for the insecure SSLv3 protocol

;options = -NO_SSLv3

; These options provide additional security at some performance degradation

;options = SINGLE_ECDH_USE

;options = SINGLE_DH_USE

; **************************************************************************

; * Include all configuration file fragments from the specified folder *

; **************************************************************************

;include = /usr/local/etc/stunnel/conf.d

; **************************************************************************

; * Service definitions (remove all services for inetd mode) *

; **************************************************************************

; ***************************************** Example TLS client mode services

; The following examples use /etc/ssl/certs, which is the common location

; of a hashed directory containing trusted CA certificates. This is not

; a hardcoded path of the stunnel package, as it is not related to the

; stunnel configuration in /usr/local/etc/stunnel/.

[gmail-pop3]

client = yes

accept = 127.0.0.1:110

connect = pop.gmail.com:995

verifyChain = yes

CApath = /etc/ssl/certs

checkHost = pop.gmail.com

OCSPaia = yes

[gmail-imap]

client = yes

accept = 127.0.0.1:143

connect = imap.gmail.com:993

verifyChain = yes

CApath = /etc/ssl/certs

checkHost = imap.gmail.com

OCSPaia = yes

[gmail-smtp]

client = yes

accept = 127.0.0.1:25

connect = smtp.gmail.com:465

verifyChain = yes

CApath = /etc/ssl/certs

checkHost = smtp.gmail.com

OCSPaia = yes

; Encrypted HTTP proxy authenticated with a client certificate

; located in a cryptographic token

;[example-pkcs11]

;client = yes

;accept = 127.0.0.1:8080

;connect = example.com:8443

;engineId = pkcs11

;cert = pkcs11:token=MyToken;object=MyCert

;key = pkcs11:token=MyToken;object=MyKey

; ***************************************** Example TLS server mode services

;[pop3s]

;accept = 995

;connect = 110

;cert = /usr/local/etc/stunnel/stunnel.pem

;[imaps]

;accept = 993

;connect = 143

;cert = /usr/local/etc/stunnel/stunnel.pem

; Either only expose this service to trusted networks, or require

; authentication when relaying emails originated from loopback.

; Otherwise the following configuration creates an open relay.

;[ssmtp]

;accept = 465

;connect = 25

;cert = /usr/local/etc/stunnel/stunnel.pem

; TLS front-end to a web server

;[https]

;accept = 443

;connect = 80

;cert = /usr/local/etc/stunnel/stunnel.pem

; "TIMEOUTclose = 0" is a workaround for a design flaw in Microsoft SChannel

; Microsoft implementations do not use TLS close-notify alert and thus they

; are vulnerable to truncation attacks

;TIMEOUTclose = 0

; Remote shell protected with PSK-authenticated TLS

; Create "/usr/local/etc/stunnel/secrets.txt" containing IDENTITY:KEY pairs

;[shell]

;accept = 1337

;exec = /bin/sh

;execArgs = sh -i

;PSKsecrets = /usr/local/etc/stunnel/secrets.txt

; Non-standard MySQL-over-TLS encapsulation connecting the Unix socket

;[mysql]

;cert = /usr/local/etc/stunnel/stunnel.pem

;accept = 3307

;connect = /run/mysqld/mysqld.sock

; vim:ft=dosini

# Stunnel basic config

# /etc/stunnel/stunnel.conf

setuid = stunnel4

setgid = stunnel4

pid=/tmp/stunnel.pid

output = /var/log/stunnel4/stunnel.log

include = /etc/stunnel/conf.d

#Set ENABLE=1 in /etc/default/stunnel4

# RTMP -> RTMPS tunnel

#/etc/stunnel/conf.d/fb.conf

[fb-live]

client = yes

accept = 127.0.0.1:19350

connect = live-api-s.facebook.com:443

verifyChain = no

sudo systemctl restart stunnel4 && sudo systemctl status stunnel4

#Install SSL
sudo add-apt-repository ppa:certbot/certbot
sudo apt-get update
sudo apt-get install python-certbot-nginx
sudo certbot --nginx -d example.com
sudo certbot renew --dry-run

#systemd should take care of the auto renewal

#Install SSL

sudo add-apt-repository ppa:certbot/certbot

sudo apt-get update

sudo apt-get install python-certbot-nginx

sudo certbot --nginx -d example.com

sudo certbot renew --dry-run

#systemd should take care of the auto renewal

Leave a Reply

Categories

Recent Posts