doomtube/beeta
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

Replace master branch with local files

Browse source
This commit is contained in:
doomtube 2025-08-03 21:53:15 -04:00
commit 875a53f499
60 changed files with 21637 additions and 0 deletions
Download patch file Download diff file Expand all files Collapse all files

28
openresty/Dockerfile Normal file
View file

@ -0,0 +1,28 @@
FROM openresty/openresty:alpine
# Install dependencies needed by opm
RUN apk add --no-cache curl perl
# Install lua-resty-http
RUN opm get ledgetech/lua-resty-http
# Copy configuration
COPY nginx.conf /usr/local/openresty/nginx/conf/nginx.conf
COPY lua /usr/local/openresty/nginx/lua
# Create uploads directory structure with proper permissions
RUN mkdir -p /app/uploads/avatars && \
chmod -R 755 /app/uploads
# Create nginx temp directories
RUN mkdir -p /var/cache/nginx/client_temp \
/var/cache/nginx/proxy_temp \
/var/cache/nginx/fastcgi_temp \
/var/cache/nginx/uwsgi_temp \
/var/cache/nginx/scgi_temp && \
chmod -R 755 /var/cache/nginx
EXPOSE 80 443
# Run as root but nginx will drop privileges after binding to ports
CMD ["/usr/local/openresty/bin/openresty", "-g", "daemon off;"]

67
openresty/lua/auth.lua Normal file
View file

@ -0,0 +1,67 @@
local redis_helper = require "redis_helper"
local cjson = require "cjson"
-- Read POST body for OME webhook
ngx.req.read_body()
local body = ngx.req.get_body_data()
if not body then
ngx.status = ngx.HTTP_BAD_REQUEST
ngx.say(cjson.encode({allowed = false, reason = "No body provided"}))
return ngx.exit(ngx.HTTP_BAD_REQUEST)
end
-- Parse JSON body
local ok, data = pcall(cjson.decode, body)
if not ok then
ngx.status = ngx.HTTP_BAD_REQUEST
ngx.say(cjson.encode({allowed = false, reason = "Invalid JSON"}))
return ngx.exit(ngx.HTTP_BAD_REQUEST)
end
-- Extract stream key from the request
local stream_key = nil
-- Check different possible locations for the stream key
if data.request and data.request.url then
-- Extract from URL path or query string
stream_key = data.request.url:match("/app/([^/?]+)")
if not stream_key and data.request.params then
stream_key = data.request.params.key or data.request.params.streamid
end
elseif data.stream and data.stream.name then
stream_key = data.stream.name
end
-- Handle SRT streamid format (app/KEY)
if stream_key then
local extracted = stream_key:match("app/(.+)")
if extracted then
stream_key = extracted
end
end
if not stream_key then
ngx.status = ngx.HTTP_OK
ngx.say(cjson.encode({allowed = false, reason = "No stream key provided"}))
return ngx.exit(ngx.HTTP_OK)
end
-- Validate key
local valid = redis_helper.validate_stream_key(stream_key)
-- OME webhook expects specific response format
local response = {
allowed = valid,
stream = {
name = stream_key
}
}
if not valid then
response.reason = "Invalid stream key"
end
ngx.status = ngx.HTTP_OK
ngx.header.content_type = "application/json"
ngx.say(cjson.encode(response))

126
openresty/lua/redis_helper.lua Normal file
View file

@ -0,0 +1,126 @@
local redis = require "resty.redis"
local _M = {}
local function get_redis_connection()
local red = redis:new()
red:set_timeouts(1000, 1000, 1000) -- connect, send, read timeout in ms
local host = "redis" -- Will be resolved by nginx resolver
local port = tonumber(os.getenv("REDIS_PORT")) or 6379
local ok, err = red:connect(host, port)
if not ok then
ngx.log(ngx.ERR, "Failed to connect to Redis: ", err)
return nil
end
return red
end
local function close_redis_connection(red)
-- Put connection into pool
local ok, err = red:set_keepalive(10000, 100)
if not ok then
ngx.log(ngx.ERR, "Failed to set keepalive: ", err)
end
end
function _M.validate_stream_key(key)
-- For now, skip Redis and go directly to backend
-- This fixes the immediate issue
local http = require "resty.http"
local httpc = http.new()
local backend_url = os.getenv("BACKEND_URL") or "http://drogon-backend:8080"
local res, err = httpc:request_uri(backend_url .. "/api/stream/validate/" .. key, {
method = "GET",
timeout = 1000
})
if res and res.status == 200 then
local cjson = require "cjson"
local ok, data = pcall(cjson.decode, res.body)
if ok and data.valid then
return true
end
end
return false
end
function _M.validate_viewer_token(token, expected_stream_key)
local red = get_redis_connection()
if not red then
ngx.log(ngx.ERR, "Failed to connect to Redis for token validation")
return false
end
-- Get the stream key associated with this token
local res, err = red:get("viewer_token:" .. token)
if not res or res == ngx.null then
ngx.log(ngx.WARN, "Token not found: ", token)
close_redis_connection(red)
return false
end
close_redis_connection(red)
-- Check if the token is for the expected stream
if res ~= expected_stream_key then
ngx.log(ngx.WARN, "Token stream mismatch. Expected: ", expected_stream_key, " Got: ", res)
return false
end
return true
end
function _M.refresh_viewer_token(token)
local red = get_redis_connection()
if not red then
return false
end
-- Refresh TTL to 30 seconds
local ok, err = red:expire("viewer_token:" .. token, 30)
if not ok then
ngx.log(ngx.ERR, "Failed to refresh token TTL: ", err)
end
close_redis_connection(red)
return ok
end
function _M.get_streams_to_disconnect()
local red = get_redis_connection()
if not red then
return {}
end
local res, err = red:smembers("streams_to_disconnect")
close_redis_connection(red)
if not res then
ngx.log(ngx.ERR, "Failed to get streams to disconnect: ", err)
return {}
end
return res
end
function _M.remove_stream_from_disconnect(key)
local red = get_redis_connection()
if not red then
return
end
local ok, err = red:srem("streams_to_disconnect", key)
if not ok then
ngx.log(ngx.ERR, "Failed to remove stream from disconnect set: ", err)
end
close_redis_connection(red)
end
return _M

84
openresty/lua/stream_monitor.lua Normal file
View file

@ -0,0 +1,84 @@
local redis_helper = require "redis_helper"
local cjson = require "cjson"
-- Safely load the http module
local has_http, http = pcall(require, "resty.http")
local function disconnect_stream(stream_key)
if not has_http then
ngx.log(ngx.WARN, "resty.http module not available, skipping stream disconnection")
return
end
local httpc = http.new()
local ome_url = os.getenv("OME_URL") or "http://ovenmediaengine:8081"
local ome_token = os.getenv("OME_API_TOKEN") or "your-api-token"
-- Get active streams from OME
local res, err = httpc:request_uri(ome_url .. "/v1/vhosts/default/apps/app/streams", {
method = "GET",
headers = {
["Authorization"] = "Bearer " .. ome_token,
["Content-Type"] = "application/json"
}
})
if not res then
ngx.log(ngx.ERR, "Failed to get streams: ", err)
return
end
local ok, data = pcall(cjson.decode, res.body)
if ok and data and data.response and data.response.streams then
for _, stream in ipairs(data.response.streams) do
if stream.name == stream_key then
-- Disconnect the stream
local del_res, del_err = httpc:request_uri(
ome_url .. "/v1/vhosts/default/apps/app/streams/" .. stream.name,
{
method = "DELETE",
headers = {
["Authorization"] = "Bearer " .. ome_token
}
}
)
if del_res and del_res.status == 200 then
ngx.log(ngx.INFO, "Disconnected stream: ", stream_key)
else
ngx.log(ngx.ERR, "Failed to disconnect stream: ", stream_key)
end
break
end
end
end
end
local function monitor_streams()
-- Check if Redis is available
local ok, keys = pcall(redis_helper.get_streams_to_disconnect)
if not ok then
ngx.log(ngx.WARN, "Redis not available yet")
return
end
for _, key in ipairs(keys or {}) do
disconnect_stream(key)
redis_helper.remove_stream_from_disconnect(key)
end
end
-- Start monitoring in a timer with error handling
local function start_monitoring()
local ok, err = ngx.timer.every(1, monitor_streams)
if not ok then
ngx.log(ngx.ERR, "Failed to create timer: ", err)
else
ngx.log(ngx.INFO, "Stream monitor started")
end
end
-- Delay start to ensure services are ready
ngx.timer.at(5, start_monitoring)

450
openresty/nginx.conf Normal file
View file

@ -0,0 +1,450 @@
worker_processes auto;
error_log stderr warn;
# Run worker processes as nobody user (master process remains root for port binding)
user nobody nogroup;
events {
worker_connections 1024;
}
http {
include mime.types;
default_type application/octet-stream;
# Temp directories
client_body_temp_path /var/cache/nginx/client_temp;
proxy_temp_path /var/cache/nginx/proxy_temp;
fastcgi_temp_path /var/cache/nginx/fastcgi_temp;
uwsgi_temp_path /var/cache/nginx/uwsgi_temp;
scgi_temp_path /var/cache/nginx/scgi_temp;
# Docker DNS resolver
resolver 127.0.0.11 valid=30s;
lua_package_path "/usr/local/openresty/nginx/lua/?.lua;;";
lua_shared_dict stream_keys 10m;
lua_shared_dict rate_limit 10m;
# Enable compression
gzip on;
gzip_vary on;
gzip_min_length 1024;
gzip_types text/plain text/css text/xml text/javascript application/javascript application/json application/xml+rss image/svg+xml;
# Security headers
add_header X-Frame-Options "SAMEORIGIN" always;
add_header X-Content-Type-Options "nosniff" always;
add_header X-XSS-Protection "1; mode=block" always;
add_header Referrer-Policy "strict-origin-when-cross-origin" always;
# Map to handle CORS origin properly
map $http_origin $cors_origin {
default "";
"~^https?://localhost(:[0-9]+)?$" $http_origin;
"~^https?://127\.0\.0\.1(:[0-9]+)?$" $http_origin;
"~^https?://\[::1\](:[0-9]+)?$" $http_origin;
}
upstream backend {
server drogon-backend:8080;
}
upstream frontend {
server sveltekit:3000;
}
upstream ome {
server ovenmediaengine:8080;
}
# Rate limiting zones
limit_req_zone $binary_remote_addr zone=api_limit:10m rate=10r/s;
limit_req_zone $binary_remote_addr zone=auth_limit:10m rate=3r/m;
limit_req_zone $binary_remote_addr zone=register_limit:10m rate=1r/m;
# Increase client max body size for avatar uploads
client_max_body_size 1m;
server {
listen 80;
server_name localhost;
# Security headers for the whole server
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
# Fixed: Serve uploaded files with correct configuration
location /uploads/ {
# Use root directive with absolute path to avoid alias+try_files bug
root /app;
# Security settings
autoindex off;
add_header X-Content-Type-Options "nosniff" always;
# Only serve files, not directories
try_files $uri =404;
# Cache static images
location ~* \.(jpg|jpeg|png|gif|webp|svg)$ {
expires 30d;
add_header Cache-Control "public, immutable" always;
add_header X-Content-Type-Options "nosniff" always;
}
}
# SvelteKit immutable assets (with content hashes)
location ~ ^/_app/immutable/ {
proxy_pass http://frontend;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
# Long cache for immutable assets
proxy_cache_valid 200 1y;
expires 1y;
add_header Cache-Control "public, immutable" always;
access_log off;
}
# SvelteKit mutable assets
location ~ ^/_app/ {
proxy_pass http://frontend;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
# Short cache for mutable assets
expires 1h;
add_header Cache-Control "public, max-age=3600" always;
}
# Authentication endpoints with strict rate limiting
location = /api/auth/register {
limit_req zone=register_limit burst=2 nodelay;
# CORS headers
add_header Access-Control-Allow-Origin $cors_origin always;
add_header Access-Control-Allow-Methods "POST, OPTIONS" always;
add_header Access-Control-Allow-Headers "Content-Type" always;
add_header Access-Control-Allow-Credentials "true" always;
if ($request_method = 'OPTIONS') {
add_header Content-Length 0;
add_header Content-Type text/plain;
return 204;
}
proxy_pass http://backend;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
}
location = /api/auth/login {
limit_req zone=auth_limit burst=5 nodelay;
# CORS headers
add_header Access-Control-Allow-Origin $cors_origin always;
add_header Access-Control-Allow-Methods "POST, OPTIONS" always;
add_header Access-Control-Allow-Headers "Content-Type" always;
add_header Access-Control-Allow-Credentials "true" always;
if ($request_method = 'OPTIONS') {
add_header Content-Length 0;
add_header Content-Type text/plain;
return 204;
}
proxy_pass http://backend;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
}
location ~ ^/api/auth/(pgp-challenge|pgp-verify) {
limit_req zone=auth_limit burst=5 nodelay;
# CORS headers
add_header Access-Control-Allow-Origin $cors_origin always;
add_header Access-Control-Allow-Methods "POST, OPTIONS" always;
add_header Access-Control-Allow-Headers "Content-Type" always;
add_header Access-Control-Allow-Credentials "true" always;
if ($request_method = 'OPTIONS') {
add_header Content-Length 0;
add_header Content-Type text/plain;
return 204;
}
proxy_pass http://backend;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
}
# Public user profile endpoints - no authentication required
location ~ ^/api/users/[^/]+/?$ {
# CORS headers
add_header Access-Control-Allow-Origin $cors_origin always;
add_header Access-Control-Allow-Methods "GET, OPTIONS" always;
add_header Access-Control-Allow-Headers "Content-Type" always;
add_header Access-Control-Allow-Credentials "true" always;
if ($request_method = 'OPTIONS') {
add_header Content-Length 0;
add_header Content-Type text/plain;
return 204;
}
proxy_pass http://backend;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
# Cache public profiles for a short time
expires 1m;
add_header Cache-Control "public, max-age=60" always;
}
# Public user PGP keys endpoints - no authentication required
location ~ ^/api/users/[^/]+/pgp-keys$ {
# CORS headers
add_header Access-Control-Allow-Origin $cors_origin always;
add_header Access-Control-Allow-Methods "GET, OPTIONS" always;
add_header Access-Control-Allow-Headers "Content-Type" always;
add_header Access-Control-Allow-Credentials "true" always;
if ($request_method = 'OPTIONS') {
add_header Content-Length 0;
add_header Content-Type text/plain;
return 204;
}
proxy_pass http://backend;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
# Cache PGP keys for a bit longer as they change less frequently
expires 5m;
add_header Cache-Control "public, max-age=300" always;
}
# Public realm endpoints (with viewer token authentication for stream-key)
location ~ ^/api/realms/(by-name/[^/]+|live|[0-9]+/stats|[0-9]+/viewer-token|[0-9]+/stream-key)$ {
# CORS headers
add_header Access-Control-Allow-Origin $cors_origin always;
add_header Access-Control-Allow-Methods "GET, OPTIONS" always;
add_header Access-Control-Allow-Headers "Content-Type" always;
add_header Access-Control-Allow-Credentials "true" always;
if ($request_method = 'OPTIONS') {
add_header Content-Length 0;
add_header Content-Type text/plain;
return 204;
}
proxy_pass http://backend;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header Cookie $http_cookie;
# Short cache for live realm data
expires 10s;
add_header Cache-Control "public, max-age=10" always;
}
# Public stream endpoints (some require viewer tokens)
location ~ ^/api/stream/(heartbeat/[^/]+)$ {
# CORS headers
add_header Access-Control-Allow-Origin $cors_origin always;
add_header Access-Control-Allow-Methods "POST, OPTIONS" always;
add_header Access-Control-Allow-Headers "Content-Type" always;
add_header Access-Control-Allow-Credentials "true" always;
if ($request_method = 'OPTIONS') {
add_header Content-Length 0;
add_header Content-Type text/plain;
return 204;
}
proxy_pass http://backend;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header Cookie $http_cookie;
}
# Other API endpoints (authenticated)
location /api/ {
limit_req zone=api_limit burst=20 nodelay;
# CORS headers
add_header Access-Control-Allow-Origin $cors_origin always;
add_header Access-Control-Allow-Methods "GET, POST, PUT, DELETE, OPTIONS" always;
add_header Access-Control-Allow-Headers "Content-Type, Authorization" always;
add_header Access-Control-Allow-Credentials "true" always;
# Handle preflight
if ($request_method = 'OPTIONS') {
add_header Content-Length 0;
add_header Content-Type text/plain;
return 204;
}
proxy_pass http://backend;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header Cookie $http_cookie;
# Don't cache API responses
expires -1;
add_header Cache-Control "no-store, no-cache, must-revalidate" always;
}
# WebSocket
location /ws/ {
proxy_pass http://backend;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header Cookie $http_cookie;
# WebSocket timeouts
proxy_read_timeout 3600s;
proxy_send_timeout 3600s;
}
# Frontend (all other requests)
location / {
proxy_pass http://frontend;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
# Enable HTTP/1.1 for keep-alive
proxy_http_version 1.1;
proxy_set_header Connection "";
}
}
# Separate server block for port 8088 (HLS/LLHLS)
server {
listen 8088;
server_name localhost;
# Security headers
add_header X-Content-Type-Options "nosniff" always;
# Token validation for HLS/LLHLS playlists and segments
location ~ ^/app/([^/]+)/(.*\.(m3u8|ts|m4s))$ {
set $stream_key $1;
set $file_path $2;
# CORS headers
add_header Access-Control-Allow-Origin $cors_origin always;
add_header Access-Control-Allow-Methods "GET, OPTIONS" always;
add_header Access-Control-Allow-Headers "Range" always;
add_header Access-Control-Allow-Credentials "true" always;
add_header Access-Control-Expose-Headers "Content-Length,Content-Range" always;
# Handle preflight
if ($request_method = 'OPTIONS') {
add_header Content-Length 0;
add_header Content-Type text/plain;
return 204;
}
# Access control via Lua
access_by_lua_block {
local redis_helper = require "redis_helper"
-- Get viewer token from cookie
local cookie_header = ngx.var.http_cookie
if not cookie_header then
ngx.status = ngx.HTTP_FORBIDDEN
ngx.say("No authentication token")
return ngx.exit(ngx.HTTP_FORBIDDEN)
end
-- Extract viewer_token cookie
local token = nil
-- Handle URL-encoded cookies and spaces
cookie_header = ngx.unescape_uri(cookie_header)
for k, v in string.gmatch(cookie_header, "([^=]+)=([^;]+)") do
k = k:match("^%s*(.-)%s*$") -- trim whitespace
if k == "viewer_token" then
token = v:match("^%s*(.-)%s*$") -- trim whitespace
break
end
end
if not token then
ngx.status = ngx.HTTP_FORBIDDEN
ngx.say("Missing viewer token")
return ngx.exit(ngx.HTTP_FORBIDDEN)
end
-- Validate token
local valid_stream = redis_helper.validate_viewer_token(token, ngx.var.stream_key)
if not valid_stream then
ngx.status = ngx.HTTP_FORBIDDEN
ngx.say("Invalid viewer token")
return ngx.exit(ngx.HTTP_FORBIDDEN)
end
-- Optionally refresh token TTL on segment access
redis_helper.refresh_viewer_token(token)
}
# Cache settings for segments
location ~ \.ts$ {
expires 1h;
add_header Cache-Control "public, max-age=3600" always;
}
# Don't cache playlists
location ~ \.m3u8$ {
expires -1;
add_header Cache-Control "no-cache, no-store, must-revalidate" always;
}
# Proxy to OvenMediaEngine
proxy_pass http://ome/app/$stream_key/$file_path;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
}
# Public access for stream info
location / {
# CORS headers
add_header Access-Control-Allow-Origin $cors_origin always;
add_header Access-Control-Allow-Methods "GET, OPTIONS" always;
add_header Access-Control-Allow-Credentials "true" always;
proxy_pass http://ome;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
}
}
}