YukiRTMP nginx.conf

1. user root;
2. worker_processes 1; # DON'T ENABLE MULTITHREADING YOU IDIOT!
3. pid /var/run/nginx.pid;
4.  
5. events {
6. worker_connections 4096;
7. multi_accept on;
8. }
9.  
10. # Disabled, as it doesn't work with latest module/nginx
11. #rtmp_auto_push on;
12.  
13. http {
14. sendfile on;
15. tcp_nopush on;
16. keepalive_timeout 20s;
17. types_hash_max_size 2048;
18. server_tokens off;
19. etag on;
20.  
21. default_type application/octet-stream;
22.  
23. error_log logs/error.log info;
24.  
25. gzip on;
26. gzip_comp_level 5;
27. gzip_min_length 256;
28. gzip_proxied any;
29. gzip_vary on;
30.  
31. gzip_types
32. application/atom+xml
33. application/javascript
34. application/json
35. application/ld+json
36. application/manifest+json
37. application/rss+xml
38. application/vnd.geo+json
39. application/vnd.ms-fontobject
40. application/x-font-ttf
41. application/x-web-app-manifest+json
42. application/xhtml+xml
43. application/xml
44. font/opentype
45. image/bmp
46. image/svg+xml
47. image/x-icon
48. text/cache-manifest
49. text/css
50. text/plain
51. text/vcard
52. text/vnd.rim.location.xloc
53. text/vtt
54. text/x-component
55. text/x-cross-domain-policy;
56.  
57. server {
58. listen 80 default_server;
59. listen [::]:80 default_server;
60.  
61. # Redirect all HTTP requests to HTTPS with a 301 Moved Permanently response.
62. return 301 https://$host$request_uri;
63. }
64.  
65. server {
66. listen 443 ssl;
67. listen [::]:443 ssl;
68. server_name localhost rtmp.yukitheater.org rtmp-hls.yukitheater.org;
69.  
70. # certs sent to the client in SERVER HELLO are concatenated in ssl_certificate
71. ssl_certificate /etc/letsencrypt/live/yukitheater.org/fullchain.pem;
72. ssl_certificate_key /etc/letsencrypt/live/yukitheater.org/privkey.pem;
73. ssl_session_timeout 1d;
74. ssl_session_cache shared:SSL:50m;
75. ssl_session_tickets off;
76.  
77. # Diffie-Hellman parameter for DHE ciphersuites, we're using 4096 bits despite Mozilla recommending 2048
78. ssl_dhparam /etc/ssl/certs/dhparam.pem;
79.  
80. # SSL Settings according to Mozilla's "Intermediate" Configuration
81. ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
82. ssl_ciphers 'ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS';
83. ssl_prefer_server_ciphers on;
84.  
85. # OCSP Stapling ---
86. # fetch OCSP records from URL in ssl_certificate and cache them
87. ssl_stapling on;
88. ssl_stapling_verify on;
89.  
90. ## verify chain of trust of OCSP response using Root CA and Intermediate certs
91. ssl_trusted_certificate /etc/letsencrypt/live/yukitheater.org/fullchain.pem;
92.  
93. resolver 8.8.8.8 valid=360s ipv6=off;
94.  
95. # Security Headers
96. add_header Strict-Transport-Security max-age=15768000; # 6 months
97. add_header X-Content-Type-Options "nosniff" always;
98. add_header X-Frame-Options "SAMEORIGIN" always;
99. add_header X-Xss-Protection "1; mode=block" always;
100.  
101. location /hls {
102. # Disable cache
103. add_header Cache-Control no-cache;
104.  
105. # CORS setup
106. add_header "Access-Control-Allow-Origin" "*" always;
107. add_header "Access-Control-Expose-Headers" "Content-Length";
108.  
109. # allow CORS preflight requests
110. if ($request_method = "OPTIONS") {
111. add_header "Access-Control-Allow-Origin" "*";
112. add_header "Access-Control-Max-Age" 1728000;
113. add_header "Content-Type" "text/plain charset=UTF-8";
114. add_header "Content-Length" 0;
115. return 204;
116. }
117.  
118. types {
119. application/vnd.apple.mpegurl m3u8;
120. video/mp2t ts;
121. }
122.  
123. root /tmp/;
124. }
125. }
126. }
127.  
128. rtmp {
129. server {
130. ping 30s;
131. ping_timeout 15s;
132. listen 1935;
133. chunk_size 8192;
134. buflen 10s;
135. interleave on;
136. wait_video on;
137.  
138. application show {
139. live on;
140.  
141. hls on;
142. hls_path /tmp/hls/;
143. hls_fragment 1s;
144. hls_playlist_length 5s;
145. hls_nested on;
146.  
147. # Instruct clients to adjust resolution according to bandwidth
148. hls_variant _480 BANDWIDTH=448000; # Medium bitrate, SD resolution
149. hls_variant _720 BANDWIDTH=2048000; # High bitrate, HD 720p resolution
150. hls_variant _src BANDWIDTH=4096000; # Source bitrate, source resolution
151. }
152.  
153. application live/winter {
154. allow publish IP.IP.IP.IP;
155. deny publish all;
156. allow play all;
157.  
158. live on;
159. record off;
160.  
161. exec ffmpeg -i rtmp://127.0.0.1/live/winter/ -async 1 -vsync -1
162. -c:v libx264 -c:a aac -b:v 768k -b:a 96k -vf "scale=720:trunc(ow/a/2)*2" -force_key_frames "expr:gte(t,n_forced*1)" -tune zerolatency -preset veryfast -crf 23 -f flv rtmp://127.0.0.1/show/winter_480
163. #-c:v libx264 -c:a aac -b:v 1920k -b:a 128k -vf "scale=1280:trunc(ow/a/2)*2" -force_key_frames "expr:gte(t,n_forced*1)" -tune zerolatency -preset veryfast -crf 23 -f flv rtmp://127.0.0.1/show/winter_720
164. -c copy -force_key_frames "expr:gte(t,n_forced*1)" -f flv rtmp://127.0.0.1/show/winter_src;
165. }
166. }
167. }