From e6e9e6cc7db7fe0a498ddc73eaa59cf41012dcf1 Mon Sep 17 00:00:00 2001 From: Alf Date: Tue, 20 Nov 2018 17:10:34 -0800 Subject: [PATCH] Add nginx ssl support with self-signed cert examples. Updated readme with ssl note. --- .travis.yml | 2 +- Dockerfile | 1 + README.md | 5 +++++ certs/example.com.crt | 31 ++++++++++++++++++++++++++ certs/example.com.key | 52 +++++++++++++++++++++++++++++++++++++++++++ docker-compose.yml | 5 ++++- nginx.conf | 12 +++++++++- 7 files changed, 105 insertions(+), 3 deletions(-) create mode 100644 certs/example.com.crt create mode 100644 certs/example.com.key diff --git a/.travis.yml b/.travis.yml index 08acd21..e5d9d85 100644 --- a/.travis.yml +++ b/.travis.yml @@ -4,7 +4,7 @@ language: bash services: docker env: - - DOCKER_IMAGE=nginx-rtmp + - DOCKER_IMAGE=nginx-rtmp script: - docker build -t ${DOCKER_IMAGE} . diff --git a/Dockerfile b/Dockerfile index b5d7a7c..e77ebd1 100644 --- a/Dockerfile +++ b/Dockerfile @@ -47,6 +47,7 @@ RUN cd /tmp/nginx-${NGINX_VERSION} && \ --conf-path=/opt/nginx/nginx.conf \ --with-threads \ --with-file-aio \ + --with-http_ssl_module \ --error-log-path=/opt/nginx/logs/error.log \ --http-log-path=/opt/nginx/logs/access.log \ --with-debug && \ diff --git a/README.md b/README.md index 85e7842..a4fbee1 100644 --- a/README.md +++ b/README.md @@ -33,6 +33,11 @@ docker run -it -p 1935:1935 -p 8080:80 --rm nginx-rtmp rtmp://:1935/stream/$STREAM_NAME ``` +### SSL +The `nginx.conf` is configured for both HTTP and HTTPS using a self-signed certificate supplied in [/certs](/certs). If you wish to use HTTPS, it is **highly recommended** to obtain your own certificates and update the `ssl_certificate` and `ssl_certificate_key` paths in [nginx.conf](nginx.conf). + +I recommend using [Certbot](https://certbot.eff.org/docs/install.html) from [Let's Encrypt](https://letsencrypt.org). + ### OBS Configuration * Stream Type: `Custom Streaming Server` * URL: `rtmp://localhost:1935/stream` 
diff --git a/certs/example.com.crt b/certs/example.com.crt
new file mode 100644
index 0000000..44693b1
--- /dev/null
+++ b/certs/example.com.crt
@@ -0,0 +1,31 @@ +-----BEGIN CERTIFICATE----- +MIIFXTCCA0WgAwIBAgIJAMCQYDhYg4RNMA0GCSqGSIb3DQEBCwUAMEUxCzAJBgNV +BAYTAlVTMRMwEQYDVQQIDApTb21lLVN0YXRlMSEwHwYDVQQKDBhJbnRlcm5ldCBX +aWRnaXRzIFB0eSBMdGQwHhcNMTgxMTIwMjA1ODM1WhcNMTkxMTIwMjA1ODM1WjBF +MQswCQYDVQQGEwJVUzETMBEGA1UECAwKU29tZS1TdGF0ZTEhMB8GA1UECgwYSW50 +ZXJuZXQgV2lkZ2l0cyBQdHkgTHRkMIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIIC +CgKCAgEAv2Wzdiw3kgw8USDpXxUSVbv4fMoGmf2PtcjZn6nSdGndZBpt2ODxYRvz +TFrAuL944DCQY5MuDRC7z5siFHUe14ravRTavjs5+Kr5XelVN0wofgMp2Npg+6xX +lT4t/cb4T88hqm3UMn0AcoAD9L8oZCs+4aHIwNZT8tts5cbcenJxNrdFri28L+Q5 +sx5CrOeoQP8R1C01z3aXYzQXZ97w9hr35BBkzRVt4mvi9L5CLAzlVxn/4vGy/tV1 +PAbQaMFBWR2gjzNKx0+DKcsz1hKo7UXi3LVfJAn9xmcwfQcpWEH74EIkLpAyQ/oF +rhZS/I+OCCuh13bKEIfCY0ICN2u7agTBhzbnWXkF9CKb2ElKJd1C96myWmHmJT8G +d34l7/vKYXQUGnds+2yN2heZj3/0eCcq3Pv6DcgjoBkYEJ35Z2jVq/w38cJeAw2d +7CrGJlfBrmi3v2WSXHjRnvU9vVTgN/mFNdTQLKeMHHiZPiK91nj1UEEcXhAYL731 +HxJ+Xb/Wx5OO+Ki0vL3GdQJQr8BtW5tpSUYJgiLvp+dIUST8IBo1s6w5DtcqmpY1 +254AgGjNLXruq6juGbgVBRLhmoU0r8xsROproAvtd+bnej90hcHfqvgsg9+8Nttr +pigRPHHbY7iE5b9p24XbbHVhTJ7htQ4t9uJ/I979A1StLBnqfD8CAwEAAaNQME4w +HQYDVR0OBBYEFJNRWzeHz7m+VAfnu7Q9eU6L5EdWMB8GA1UdIwQYMBaAFJNRWzeH +z7m+VAfnu7Q9eU6L5EdWMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQELBQADggIB +ADk8i3rp0LthFeR1FCjg5Q7wZfEk2uWyGEZYpWet4+ECB3ATWnVMUl8pqqb1zGVL +kG5/WYKIDP81VpxL5dK+EqnQCIV80b0lswxl9Qr6AKgg9FvbInKVfoRN3uRw1iHw ++URYi0nxzFncxdCvNWLL07Nxt7OmkxxBiDfMOBmmmz+CWqm3MeH+5fEak1AkIJFE +Kq54qD1F9UWBMG3OVxhSUML4b/QdcIQ6+gDa2LT97GFIK2RBHWtQARYSBTcMbxfm +XSWDuyibYhKh3L3G/NcG2LEWzBO7+VW06tP+B3Ki8dgyLZk1fq5k1stsv8m2z8mx +iOM4gIxZ5DgKBad/LthFGvxIKBn9znQ/SmkZjl8G6//lbCzlmLm4e4+75c5YTT3/ +ZrVDev30Ln8RveE+wBX6ZUHaSnGTWp08hry3JIE8YFCN4E+LXkyayq96ujVugCJC +wCE/aLT3sPgRxZcRNbB8lmur8BcEuoZphm4jLoctBhnM7NVcJHaTYWazNvpDKCaT +sAi5xNu+/NzrwNhYCWVNrWJjfwyLpOEaI60GDmR1iy/MWeikYw+C/YMKmFXmjuIw +1IX5a7+Yu5etGN+qvYdZOS3RpVxuT1OJk1haatXficL7FYU16XUm19ggN1W0uYb+ +CGbQoh//o8p01K+AmiO4P0NsTSoK/Ap2MjrNhAAq4HV0 +-----END CERTIFICATE----- 
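Review bot: The example certificate added in `certs/example.com.crt` appears, from its encoded fields, to be valid only from 2018-11-20 to 2019-11-20 and to carry no common name or subjectAltName, with basicConstraints CA:TRUE. Once it expires, clients will warn on or reject it regardless of trust settings, so the bundled HTTPS listener stops being a usable example. Consider dropping the static file and documenting a generation command in the README instead, e.g. `openssl req -x509 -nodes -newkey rsa:4096 -days 365 -subj "/CN=localhost" -keyout certs/example.com.key -out certs/example.com.crt`.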
diff --git a/certs/example.com.key b/certs/example.com.key
new file mode 100644
index 0000000..a04d829
--- /dev/null
+++ b/certs/example.com.key
@@ -0,0 +1,52 @@ +-----BEGIN PRIVATE KEY----- +MIIJRQIBADANBgkqhkiG9w0BAQEFAASCCS8wggkrAgEAAoICAQC/ZbN2LDeSDDxR +IOlfFRJVu/h8ygaZ/Y+1yNmfqdJ0ad1kGm3Y4PFhG/NMWsC4v3jgMJBjky4NELvP +myIUdR7Xitq9FNq+Ozn4qvld6VU3TCh+AynY2mD7rFeVPi39xvhPzyGqbdQyfQBy +gAP0vyhkKz7hocjA1lPy22zlxtx6cnE2t0WuLbwv5DmzHkKs56hA/xHULTXPdpdj +NBdn3vD2GvfkEGTNFW3ia+L0vkIsDOVXGf/i8bL+1XU8BtBowUFZHaCPM0rHT4Mp +yzPWEqjtReLctV8kCf3GZzB9BylYQfvgQiQukDJD+gWuFlL8j44IK6HXdsoQh8Jj +QgI3a7tqBMGHNudZeQX0IpvYSUol3UL3qbJaYeYlPwZ3fiXv+8phdBQad2z7bI3a +F5mPf/R4Jyrc+/oNyCOgGRgQnflnaNWr/Dfxwl4DDZ3sKsYmV8GuaLe/ZZJceNGe +9T29VOA3+YU11NAsp4wceJk+Ir3WePVQQRxeEBgvvfUfEn5dv9bHk474qLS8vcZ1 +AlCvwG1bm2lJRgmCIu+n50hRJPwgGjWzrDkO1yqaljXbngCAaM0teu6rqO4ZuBUF +EuGahTSvzGxE6mugC+135ud6P3SFwd+q+CyD37w222umKBE8cdtjuITlv2nbhdts +dWFMnuG1Di324n8j3v0DVK0sGep8PwIDAQABAoICAQCNPFYeyOhE7KSB1YCAuoLq +IyhtpYMTlUm8AjedG2sCnrBRUzNmDC/y0fZKjNmUOy7OeOfDovMjjwqYW0jdwcN9 +mKhrSP1VzUytFDWpuCo7AQcMXfc+X3+bmASVS+oSUAYilp2oLx2cGCQBWjgRHhKH +QGZJh+IlcsNF/eew83r1HIgwsTNJIdSxnn95jsXy44uEUvTsFmST8FYsTV9MNfao +FSSB9hr8P2jz4Vr78X3RFb8S9EugQ20roYa+QeT+uEUpprQ5l8cBpsoKSDm7Kc/g +L2cGKQzJAlpzUug0CtnWl/Ju/T/H4H5HLTON0Elyt9g+bTwjTDQ12Ih4SFhsXyJP +Bbhvv9lMB7Q2vvQz4VG3xwqB2IguT/tZeNYRyN3dFHq/Ib2Rt6jtyJ3qUNBXFdr/ +Q1KNsgWBvpMiB0OKpakDWQMUIsuRHL1EcWnBIOURl0Xj90wYgkIr0czH6KoxLzaO +qkSmIDN/tsoHfJ5LXsrVmAMS2OaGRK5rt0pfF6a2Tl0zaWSlwT0v/ymVjavmFxyl +oCDhaoQ9fh7OBjf6vX2AYtwr1Dbo/578t+/0eUZOlYMNnomi0FudEoVi7IMQv82f +OFnVTXjdHJHyvfBjhWqbjw1oQTBtrgMJSUMqaqvTgA0k/rppfMUuXS1B7Dl0c0LU +w1FHDk78I+IZBxIXSyVmQQKCAQEA5oVlwJxXLb9bNqbcKipKrQQAcPAgXt7ZOQOL +l28K74N+3IylQFH9HBIE6QLrjOZFTKh0kLcrYfGhz7RoATkBJkf3w6F9Ef3F6Epp +X7ygPFFggGdx5csQzOCrK4VQGMEM9T4Zn5FEbCKhrica6g/u2WaLbq7XzwYXCVjH +GKqSpTZXfecfcSQHkjoGGcQqnXMkOE+w/HF21Wn6BHxfBUYsrPsB54ZkITPkNdjX +xZq+t331pFH1P2X//ogBKXp/5ZYRd8pR0dysGo9e1U91OLgjcQXU9y2MzNajp6j/ +o9czZi3xc1P2j0/mJdoCebr9C7erZa2mmTnXITNIgEhpFwlYHwKCAQEA1I1LNehc +ClgZw9/sPP4cB7ONAyVRHgAzhM8/hfjN/NDAbMkYWYwGDPYOIuxf9Vo34XX1GhQo 
+4ctb/DZHGsVcBFIVD7fPj60D3yC2HvcGlZ2sgHBG0RwftYentQWvutxRGWcN9A1+ +Gcn379MWp3SsqjMN1JM1RzEPvr9SO3fQOPIAaMjpOwWxeopsVvVzEzhQ6IqsFUkA +UR1q0noKExb3Re1eSDzuuBo1ftWm9sXbH6eilvNvOD3MYApOJ2aJRPdRDPVCyHID +8rpJyngpKTIuUGax53pB2mJ4Af5aPNuwIC0JLxgFmYYNLvJ5o4FWWiFcjHYS7728 +UEjzETBm0A7X4QKCAQEAw29RBu0FFCnpoPnyKmVUjj6YSSerqgLw0t9ol2hzMwCe +q0kqSM+58PRt6UaqgPgwxH8E5DQGubDr6HYgvvifOt9E9TySFpC6GugLUjlO+BRd +5j7NV27DvY60T99kOrhgzgJqItg71BnATS+mJ85+Rx4jFCFzoXaeTTRRB16FmT/r +CTjLdVaAfL5osauYHYiiqoMVn9BqWSDR8L+op4YJFlZwFOPhPC0MS4Kd3FAHZPWL +Lla1v5wwXpDbu1i52eFSyeZjW7LkzlfCpMIKtZ2Xnpi9JxodBwTqFpi2sycd0oEc +9RO4M2Qf0PN1qdKX+jkrPLbuSXW6J9Gco/W/8uHfLQKCAQEAvRB9oRLxpAXfzTrG +US6bUkJlITI1aGE3cmBDGfFJkSNCtsFdlnGWBDtuMaReasj4QeWBwtPB1a7lQIAr +WWXKRtGYiGWxDBUTB4t6VCrZQYaCJbE5XNIOZpOnGr9XI/jLbrQbVkYWL+xWTY5P +bV68I5zMJZVX496BKePWyqz1m2Gv+YUU6PpUdzLf0a380VDbry2CimBoFr77AQOr +KHXaN+o/XjRNB5fQk+SJ4qH2Gr8rQeiBut5Fh/xCrotneOAgyUz0PYYleug3sRCX +VFydk8j1YHiAUTgblXJhZBbqIITO0YQlnvz9hxAKIOVwITXhs9NnXrc/5Y4uH9EU +8ubxIQKCAQEA5fWcnr3UM6hDH0ixPD+CMrCggvcK+/uOYLwsN8Lm6P9zNu2MxhYe +bwACFyfG+ArdFD9G72X0tf7DDiyGdlWR6AB5tzbP3d9UB14DW9s47YD1w5yqtAHI +pbFevd0O9PFYf0+290Gh0fKGW5GkfRj+1ZiOfqfGtscWufjpdYeCjs0WzZDy7jGm +SG6sgk8Mar65fYWOoo0o9jD+hLzAtf8O0KE+Ilevb4UgqBc1WzdTy21KW65r+Guv +7rJFrGuHERHFFR7mxgNyWFVRw2eysxhOQHe/2nnJSyDIjaKEiiaKJJ2FUqnRVr6Q +IW8oyQg/bNSFBykcUbWZVZhQGVT4RLB/mA== +-----END PRIVATE KEY----- diff --git a/docker-compose.yml b/docker-compose.yml index 65981e0..3c1ea67 100644 --- a/docker-compose.yml +++ b/docker-compose.yml @@ -5,4 +5,7 @@ services: build: . ports: - 1935:1935 - - 8080:80 \ No newline at end of file + - 8080:80 + - 8443:443 + volumes: + - ./certs:/opt/certs \ No newline at end of file diff --git a/nginx.conf b/nginx.conf index c9ebd0c..8985223 100644 --- a/nginx.conf +++ b/nginx.conf 
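Review bot: An unencrypted RSA private key is committed here as `certs/example.com.key`, and the docker-compose.yml and nginx.conf hunks later in this patch make it the key nginx serves on 443 by default. Because the key is public, a deployment that keeps the defaults gets TLS that authenticates nothing: anyone who can intercept traffic can impersonate the server to clients that accepted this certificate. Keep private keys out of version control: add `certs/*.key` to `.gitignore` and generate the pair locally or at container start. Treat this key as compromised wherever it has already been used.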
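Review bot: The new bind mount `- ./certs:/opt/certs` is writable from inside the container, although nginx only needs to read the certificate and key. Mounting it read-only, `- ./certs:/opt/certs:ro`, keeps a compromised nginx process from replacing key material on the host. The README's `docker run` example has no equivalent mount, and the visible Dockerfile hunk does not copy `certs/` into the image. nginx will presumably refuse to start in that case because the `ssl_certificate` files are missing, which is worth confirming.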
@@ -40,8 +40,18 @@ rtmp { } http { + ssl_ciphers HIGH:!aNULL:!MD5; + ssl_protocols TLSv1 TLSv1.1 TLSv1.2; + ssl_session_cache shared:SSL:10m; + ssl_session_timeout 10m; + server { - listen 80; + listen 80; # Remove this line if you want HTTPS only. + listen 443 ssl; + + # Update these paths with your own certificate and private key. + ssl_certificate /opt/certs/example.com.crt; + ssl_certificate_key /opt/certs/example.com.key; location /hls { types {
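Review bot: `ssl_protocols TLSv1 TLSv1.1 TLSv1.2;` in the new `http` block enables TLS 1.0 and 1.1, which are deprecated (RFC 8996) and should not be offered by a new configuration. Restrict it to `ssl_protocols TLSv1.2;`, adding `TLSv1.3` only if the nginx and OpenSSL versions built in the Dockerfile support it, and consider `ssl_prefer_server_ciphers on;` next to the `ssl_ciphers` line. The plain `listen 80;` is kept, so the same locations stay reachable unencrypted unless an operator acts on the inline comment. The `server` block continues outside this hunk.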