
Update nginx to protect the live, and also this #9538
Daniel Neto committed Oct 25, 2024
1 parent 7f5f4e2 commit 91bd907
Showing 7 changed files with 266 additions and 150 deletions.
2 changes: 1 addition & 1 deletion Dockerfile.live
Expand Up @@ -53,7 +53,7 @@ RUN mkdir ~/build && \
git clone https://github.com/arut/nginx-rtmp-module.git && \
git clone https://github.com/nginx/nginx.git && \
cd nginx && \
./auto/configure --with-http_ssl_module --with-http_stub_status_module --add-module=../nginx-rtmp-module --with-cc-opt="-Wimplicit-fallthrough=0" && \
./auto/configure --with-http_ssl_module --with-http_stub_status_module --with-http_auth_request_module --add-module=../nginx-rtmp-module --with-cc-opt="-Wimplicit-fallthrough=0" && \
make && \
make install

50 changes: 42 additions & 8 deletions deploy/nginx/nginx.conf
Expand Up @@ -24,15 +24,17 @@ rtmp {
hls_fragment 4s;
drop_idle_publisher 30s;
sync 500ms;


hls_keys on;
hls_fragments_per_key 20;

#Experimental. Force dropped stream, or ended stream from being watched. (idle_streams)
#idle_streams off;
on_publish http://avideo/plugin/Live/on_publish.php;
on_publish_done http://avideo/plugin/Live/on_publish_done.php;
on_play http://avideo/plugin/Live/on_play.php;
on_record_done http://avideo/plugin/Live/on_record_done.php;

#exec ffmpeg -re -i rtmp://localhost/live/$name -c:v libx264 -preset veryfast -c:a copy -f hls -hls_time 5 -hls_list_size 0 -f flv rtmp://localhost/adaptive/$name_hi;
#exec ffmpeg -re -i rtmp://localhost/live/$name
# -c:v libx264 -vf scale=-2:240 -r 20 -g 40 -keyint_min 40 -sc_threshold 0 -bf 3 -b_strategy 2 -b:v 400k -maxrate 700k -bufsize 1400k -c:a aac -strict -2 -b:a 96k -f flv rtmp://localhost/adaptive/$name_low
# -c:v libx264 -vf scale=-2:480 -r 30 -g 60 -keyint_min 48 -sc_threshold 0 -bf 3 -b_strategy 2 -b:v 1200k -maxrate 2100k -bufsize 4200k -c:a aac -strict -2 -b:a 128k -f flv rtmp://localhost/adaptive/$name_mid
Expand All @@ -58,14 +60,16 @@ rtmp {
#application adaptive {
# live on;
# hls on;

# hls_path /HLS/live;
# hls_nested on;
# hls_playlist_length 10m;
# hls_playlist_length 60m;
# hls_fragment 4s;
# allow play all;
# allow publish 127.0.0.1;
# deny publish all;
# hls_variant _hi BANDWIDTH=264000,RESOLUTION=1280x720; # this is for line 34 only, do not uncomment it

# hls_keys on;
# hls_fragments_per_key 20;
# hls_variant _low BANDWIDTH=900000;
# hls_variant _mid BANDWIDTH=2400000;
# hls_variant _hi BANDWIDTH=3500000;
Expand All @@ -82,6 +86,9 @@ http {
location /live {
expires 60;
add_header 'Cache-Control' 'public';

root /HLS; # Use root instead of alias

location ~ \.m3u8$ {
expires -1;
# Disable cache
Expand All @@ -91,6 +98,19 @@ http {
add_header 'Access-Control-Expose-Headers' 'Content-Length';
}

location ~ \.key$ {
# Call an external authorization service
auth_request /auth_key_check;

# Only serve the key if the authorization service returns 200
add_header 'Content-Type' 'application/octet-stream';
# Disable cache
add_header 'Cache-Control' 'no-cache';
# CORS setup
add_header 'Access-Control-Allow-Origin' '*' always;
add_header 'Access-Control-Expose-Headers' 'Content-Length';
}

# CORS setup
add_header 'Access-Control-Allow-Origin' '*' always;
add_header 'Access-Control-Expose-Headers' 'Content-Length';
Expand All @@ -106,8 +126,22 @@ http {
types {
application/vnd.apple.mpegurl m3u8;
}
alias /HLS/live;
}


# Authorization endpoint
location = /auth_key_check {
internal; # Make this location internal so it cannot be accessed directly
proxy_pass http://avideo/plugin/Live/authorizeKeyAccess.php;
proxy_pass_request_body off; # Do not send the client request body to the auth service
proxy_set_header Content-Length "";

# Set headers to pass information to the PHP script
proxy_set_header X-Original-URI $request_uri; # Pass the original request URI
proxy_set_header X-Forwarded-For $remote_addr; # Pass the client IP address
proxy_set_header User-Agent $http_user_agent; # Pass the client User-Agent
}

#allows us to see how stats on viewers on our Nginx site using a URL like: "http://my-ip/stats"
#location /stats {
# stub_status;
Expand Down Expand Up @@ -143,8 +177,8 @@ http {
# fastcgi_pass unix:/var/run/php/php7.2-fpm.sock;
#}
listen 8443 ssl;
ssl_certificate /etc/apache2/ssl/localhost.crt;
ssl_certificate_key /etc/apache2/ssl/localhost.key;
ssl_certificate /etc/apache2/ssl/localhost.crt;
ssl_certificate_key /etc/apache2/ssl/localhost.key;

}
}
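Review bot: In the new `location ~ \.key$` block, `add_header 'Cache-Control' 'no-cache'` is combined with the `expires 60` inherited from the enclosing `location /live`, so key responses carry both `Cache-Control: max-age=60` and `Cache-Control: no-cache` (the `.m3u8` location avoids this with `expires -1`); likewise `add_header 'Content-Type'` appends a second Content-Type next to the one nginx derives from `default_type`/`types`. Replace those two lines with `expires -1;` and `default_type application/octet-stream;`. The `auth_request` wiring itself is the right shape: `/auth_key_check` is `internal`, the request body is dropped, and only headers reach the PHP check. What should be confirmed is that the key URIs written into the playlist actually carry the `?token=` query the PHP side matches on, since `hls_keys on` does not by itself add one; that wiring is outside this hunk, as is the start of the enclosing `server` block.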
3 changes: 2 additions & 1 deletion objects/Object.php
Expand Up @@ -315,7 +315,8 @@ public function save()
if (
!empty($this->created) && (User::isAdmin() ||
isCommandLineInterface() ||
(class_exists('API') && API::isAPISecretValid())
(class_exists('API') && API::isAPISecretValid()) ||
!empty($global['allowModifyCreated'])
)
) {
$this->created = preg_replace('/[^0-9: \/-]/', '', $this->created);
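Review bot: The new `!empty($global['allowModifyCreated'])` branch reads `$global` inside `save()`, but the method's opening is outside this hunk, so whether `global $global;` is declared there cannot be confirmed; without it the flag is always empty and the override silently never applies. The flag is also an unrestricted request-wide switch: once set (plugin/BulkEmbed/save.json.php in this commit sets it and never clears it), every later `save()` in the same request accepts a caller-supplied `created`, which is exactly what the admin/CLI/API-secret guard was limiting. Document the contract on the new line, e.g. `// allowModifyCreated: per-request override set only by trusted server-side code (BulkEmbed import); treat as one-shot and clear after use`, and have the setter clear it once the intended save is done.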
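--- a/plugin/BulkEmbed/save.json.php
+++ b/plugin/BulkEmbed/save.json.php
@@ -82,6 +82,7 @@ function ISO8601ToDuration($ISO8601)
 
 // Set the original video date if available in the form data
 if (!empty($value['date']) && $objo->useOriginalYoutubeDate) {
+$global['allowModifyCreated'] = 1;
 $videos->setCreated($value['date']); // Set the original creation date of the video
 }
 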
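Review bot: `$global['allowModifyCreated'] = 1;` is set before `setCreated()` but never reset, so it stays on for the rest of the request, including any other objects saved later in the same import loop (the enclosing loop starts outside the hunk). Because Object::save() in this commit treats the flag as blanket permission to overwrite `created`, scope it to this one object: `$global['allowModifyCreated'] = 1;` / `$videos->setCreated($value['date']);` / `unset($global['allowModifyCreated']);`. Whether `setCreated` persists immediately or only stages the value for a later `save()` is not visible here; if it is the latter, the `unset` belongs right after that save instead.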
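--- /dev/null
+++ b/plugin/Live/authorizeKeyAccess.php
@@ -0,0 +1,50 @@
+<?php
+$doNotConnectDatabaseIncludeConfig = 1;
+$doNotStartSessionIncludeConfig = 1;
+require_once dirname(__FILE__) . '/../../videos/configuration.php';
+AVideoPlugin::loadPluginIfEnabled('VideoHLS');
+if(class_exists('VideoHLS')){
+// Get client information and the requested key file
+$client_ip = $_SERVER['HTTP_X_FORWARDED_FOR'] ?? 'unknown';
+$user_agent = $_SERVER['HTTP_USER_AGENT'] ?? 'unknown';
+$requested_key = $_GET['key'] ?? '';
+
+// Implement your authorization logic
+$authorized = false; // Set this based on your logic
+
+$uri = $_SERVER["HTTP_X_ORIGINAL_URI"];
+
+// Define a regular expression to capture the key and token parts
+$pattern = '#/live/([^/]+)/[0-9]+\.key\?token=([^&]+)#i';
+
+// Match the pattern with the URI
+if (preg_match($pattern, $uri, $matches)) {
+// $matches[1] contains the key
+$key = $matches[1];
+// $matches[2] contains the token
+$token = $matches[2];
+}
+if(!empty($token)){
+// Example logic: verify based on IP, user agent, or requested key
+if (VideoHLS::verifyToken($token)) {
+$authorized = true;
+}
+}
+error_log('authorizeKeyAccess: '.json_encode(array($key,$array, $user_agent)));
+if (!$authorized) {
+http_response_code(403);
+$msg = 'authorizeKeyAccess: Access denied ';
+error_log($msg.json_encode(array($_SERVER, $matches)));
+echo $msg;
+}else{
+$msg = 'authorizeKeyAccess: Authorized key='.$key;
+error_log($msg);
+echo $msg;
+}
+}else{
+$msg = 'authorizeKeyAccess: VideoHLS is not present ';
+error_log($msg);
+echo $msg;
+}
+
+?>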
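Review bot: `error_log('authorizeKeyAccess: '.json_encode(array($key,$array, $user_agent)));` references `$array`, which is never assigned, and `$key`/`$token`/`$matches` are only set when the regex matches, so a non-matching URI yields undefined-variable notices and an empty log entry instead of a clean denial. The denial path then logs the whole `$_SERVER` array, which carries `HTTP_X_ORIGINAL_URI` (the presented token) plus any cookie or authorization headers, and `$_SERVER["HTTP_X_ORIGINAL_URI"]` is read without `?? ''`; initialise the captures, read the header defensively, and log only the stream name, client address and user agent. Separately, `VideoHLS::verifyToken($token)` receives the token but not the stream name captured in `$matches[1]`, so unless verifyToken binds tokens to a stream internally (not visible here) a token minted for one stream unlocks the keys of every stream; passing `$key` into the check would close that. `$client_ip` and `$requested_key` are assigned but unused.
```php
// … unchanged: config include, VideoHLS load, $client_ip / $user_agent …
$authorized = false; // fail closed unless the token check passes

// Missing header (e.g. a direct hit that bypassed nginx) must not raise a notice
$uri = $_SERVER['HTTP_X_ORIGINAL_URI'] ?? '';
$pattern = '#/live/([^/]+)/[0-9]+\.key\?token=([^&]+)#i';

$key = '';
$token = '';
$matches = array();
if (preg_match($pattern, $uri, $matches)) {
    $key = $matches[1];
    $token = $matches[2];
}
if ($token !== '') {
    // TODO(review): confirm verifyToken ties the token to $key; otherwise pass $key as well
    if (VideoHLS::verifyToken($token)) {
        $authorized = true;
    }
}
// Never log the token or raw $_SERVER; stream name, address and UA are enough to trace a request
$context = json_encode(array('key' => $key, 'ip' => $client_ip, 'ua' => $user_agent));
if (!$authorized) {
    http_response_code(403);
    $msg = 'authorizeKeyAccess: Access denied ';
    error_log($msg . $context);
    echo $msg;
} else {
    $msg = 'authorizeKeyAccess: Authorized key=' . $key;
    error_log($msg . ' ' . $context);
    echo $msg;
}
// … unchanged: VideoHLS-not-present branch …
```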