From c358db55aad521c73b8dc7d090c6d71cb6b7dda5 Mon Sep 17 00:00:00 2001
From: doomtube
Date: Wed, 7 Jan 2026 03:29:05 -0500
Subject: [PATCH] fixes lol
---
 docker-compose.prod.yml | 5 +--
 docker-compose.yml | 6 +--
 frontend/src/routes/[realm]/live/+page.svelte | 7 +++-
 openresty/nginx.conf | 37 +++++++++++++++++++
 .../modules/app_server/cloud-init.yaml.tpl | 6 +--
 terraform/modules/app_server/main.tf | 16 +++-----
 6 files changed, 55 insertions(+), 22 deletions(-)
diff --git a/docker-compose.prod.yml b/docker-compose.prod.yml
index 29bb291..2ee5cb2 100644
--- a/docker-compose.prod.yml
+++ b/docker-compose.prod.yml
@@ -44,9 +44,8 @@ services:
 ports:
 - "1935:1935" # RTMP
 - "9999:9999/udp" # SRT
- - "3333:3333" # WebRTC Signaling
- - "3334:3334" # WebRTC Signaling TCP
- - "3478:3478" # STUN/TURN
+ # WebRTC Signaling (3333/3334) now proxied through nginx
+ - "3478:3478" # STUN/TURN for NAT traversal
 - "10000-10009:10000-10009/udp" # WebRTC ICE Candidates
 volumes:
 - ./Server.xml:/opt/ovenmediaengine/bin/origin_conf/Server.xml
diff --git a/docker-compose.yml b/docker-compose.yml
index cd61e29..7dc4e93 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -37,9 +37,9 @@ services:
 - "9999:9999/udp" # SRT
 # HLS/LLHLS now proxied through openresty (removed direct exposure)
 - "8081:8081" # API (internal)
- - "3333:3333" # WebRTC Signaling
- - "3478:3478" # WebRTC ICE
- - "10000-10009:10000-10009/udp" # WebRTC Candidates
+ # WebRTC Signaling (3333) now proxied through nginx
+ - "3478:3478" # STUN/TURN for NAT traversal
+ - "10000-10009:10000-10009/udp" # WebRTC ICE Candidates
 volumes:
 - ./ovenmediaengine/Server.xml:/opt/ovenmediaengine/bin/origin_conf/Server.xml
 - ome_logs:/var/log/ovenmediaengine
diff --git a/frontend/src/routes/[realm]/live/+page.svelte b/frontend/src/routes/[realm]/live/+page.svelte
index aa197b1..0043b0b 100644
--- a/frontend/src/routes/[realm]/live/+page.svelte
+++ b/frontend/src/routes/[realm]/live/+page.svelte
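Review bot: The retained `- "3478:3478"` publishes TCP only (Docker treats a port mapping without a `/udp` suffix as TCP), while the firewall rules this commit adds in the cloud-init.yaml.tpl hunk (`ufw allow in 3478/udp`) and the main.tf hunk (`protocol = "udp"` for 3478) open UDP only, so either the host and cloud firewalls block the port the container actually exposes or the UDP rules admit traffic nothing listens on. As far as I recall OvenMediaEngine uses 3478 for its ICE TCP relay (the Server.xml `TcpRelay` setting), which would make the compose mapping right and the two UDP rules wrong, but confirm against the Server.xml this compose file mounts before changing either side. Whichever protocol is correct, write it into the comment: `# STUN/TURN` does not describe a relay port OME serves itself. The same mapping and comment appear in the docker-compose.yml hunk.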
@@ -29,7 +29,6 @@
 }
 const STREAM_PORT = import.meta.env.VITE_STREAM_PORT || '8088';
- const WEBRTC_PORT = import.meta.env.VITE_WEBRTC_PORT || '3333';
 // Helper functions for dynamic host/protocol detection
 function getStreamHost() {
@@ -333,7 +332,7 @@
 },
 {
 type: 'webrtc',
- file: `${wsProto}://${host}:${WEBRTC_PORT}/app/${streamKey}`,
+ file: `${wsProto}://${host}/webrtc/app/${streamKey}`,
 label: 'WebRTC (Ultra Low Latency)'
 }
 );
@@ -1047,6 +1046,10 @@
 .chat-section {
 min-height: 400px;
 }
+
+ .stream-info-section {
+ display: none;
+ }
 }
 /* Stream grid layout for multiple streams - Resizable */
diff --git a/openresty/nginx.conf b/openresty/nginx.conf
index cbc2285..1a246d7 100644
--- a/openresty/nginx.conf
+++ b/openresty/nginx.conf
@@ -805,6 +805,27 @@ http {
 proxy_send_timeout 3600s;
 }
+
+ # WebRTC Signaling proxy for OvenMediaEngine
+ # Handles wss:// → ws:// translation so OME doesn't need TLS certificates
+ location /webrtc/ {
+ # Proxy to OvenMediaEngine WebRTC signaling port
+ proxy_pass http://ovenmediaengine:3333/;
+ proxy_http_version 1.1;
+ proxy_buffering off;
+
+ # WebSocket upgrade headers
+ proxy_set_header Upgrade $http_upgrade;
+ proxy_set_header Connection $connection_upgrade;
+ proxy_set_header Host $host;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-Forwarded-Proto $scheme;
+
+ # WebRTC signaling needs long timeouts
+ proxy_read_timeout 3600s;
+ proxy_send_timeout 3600s;
+ }
+
 # Stream thumbnails - 3 second animated WebP generated on-demand via FFmpeg
 location ~ ^/thumb/([^/]+)\.webp$ {
 set $stream_key $1;
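Review bot: `streamKey` is interpolated unescaped into the new `/webrtc/app/${streamKey}` path; a key containing `/`, `?` or `#` can now change which nginx location or upstream path the request hits, whereas on the dedicated port only OME ever saw it. `encodeURIComponent(streamKey)` in the template keeps the key inside the `/app/` segment that `location /webrtc/` proxies. Whether `host` (from getStreamHost, outside this hunk) carries a port is not visible here; the URL no longer appends one, so it has to reach nginx on the default port for `wsProto`, which is worth confirming for the dev compose setup where openresty may not listen on 80/443. The changed line sits in an object literal whose enclosing function starts and ends outside the hunk.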
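Review bot: The `.stream-info-section { display: none; }` rule is added without a comment inside what appears to be a media-query block (its opening line is outside the hunk) and is unrelated to the WebRTC re-routing the rest of the commit does. A one-line comment stating which viewport this targets and why the section is hidden there — e.g. `/* hidden on narrow viewports: <reason> */` with the real reason filled in — would keep the intent recoverable, and ideally the change would travel in its own commit.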
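Review bot: `proxy_pass http://ovenmediaengine:3333/;` names the upstream literally, so nginx resolves it once at config load; the `/ws` location in the next hunk instead does `set $nakama_backend nakama:7350;` for runtime DNS resolution, and the new location should follow that pattern so nginx neither refuses to start when the ovenmediaengine container is absent nor keeps a stale address after it is recreated (assuming the resolver that location relies on is declared file-wide). With a variable upstream the `/webrtc/` prefix is no longer stripped by proxy_pass, so it has to go via rewrite: `set $ome_signaling ovenmediaengine:3333;` / `rewrite ^/webrtc/(.*)$ /$1 break;` / `proxy_pass http://$ome_signaling;`. `Connection $connection_upgrade` presumes a `map $http_upgrade $connection_upgrade` block elsewhere in the file; it is not visible here, so confirm it exists. Now that signaling is fronted by nginx rather than a bare port, this location is also where whatever connection-rate limit and Origin check the other public WebSocket endpoints use should be applied.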
@@ -867,6 +888,22 @@ http {
 # Nakama Game Server WebSocket (nakama-js connects to /ws with query params)
 location = /ws {
+ # CORS headers for WebSocket upgrade request
+ add_header Access-Control-Allow-Origin $cors_origin always;
+ add_header Access-Control-Allow-Methods "GET, POST, OPTIONS" always;
+ add_header Access-Control-Allow-Headers "Content-Type, Authorization, Upgrade, Connection" always;
+ add_header Access-Control-Allow-Credentials "true" always;
+
+ if ($request_method = 'OPTIONS') {
+ add_header Access-Control-Allow-Origin $cors_origin always;
+ add_header Access-Control-Allow-Methods "GET, POST, OPTIONS" always;
+ add_header Access-Control-Allow-Headers "Content-Type, Authorization, Upgrade, Connection" always;
+ add_header Access-Control-Allow-Credentials "true" always;
+ add_header Content-Length 0;
+ add_header Content-Type text/plain;
+ return 204;
+ }
+
 # Runtime DNS resolution
 set $nakama_backend nakama:7350;
 # Must include $is_args$args when using variables - nginx won't auto-append query string
diff --git a/terraform/modules/app_server/cloud-init.yaml.tpl b/terraform/modules/app_server/cloud-init.yaml.tpl
index f191e4d..e7612da 100644
--- a/terraform/modules/app_server/cloud-init.yaml.tpl
+++ b/terraform/modules/app_server/cloud-init.yaml.tpl
@@ -85,10 +85,10 @@ write_files:
 # Inbound: Streaming ports
 ufw allow in 1935/tcp comment 'RTMP'
 ufw allow in 9999/udp comment 'SRT'
- ufw allow in 3333/tcp comment 'WebRTC TCP'
- ufw allow in 3333/udp comment 'WebRTC UDP'
- ufw allow in 3334/tcp comment 'WebRTC TCP fallback'
 ufw allow in 8088/tcp comment 'HLS/LLHLS streaming'
+ # WebRTC signaling now proxied through nginx (443), only need media ports
+ ufw allow in 3478/udp comment 'WebRTC STUN/TURN'
+ ufw allow in 10000:10009/udp comment 'WebRTC ICE candidates'
 # Inbound: VPC traffic (includes system SSH)
 ufw allow in from ${vpc_ip_range} comment 'VPC internal'
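Review bot: The CORS headers added to `location = /ws` neither protect nor enable the WebSocket handshake: browsers send no preflight for a WebSocket upgrade and ignore Access-Control-* headers on the 101 response, so the `OPTIONS` branch is only reached by non-WebSocket callers and the `always` headers on the upgrade response are inert. Cross-site WebSocket access is governed by the `Origin` request header, which has to be checked explicitly — by Nakama, or here with `if ($http_origin !~ <allowed-origin-pattern>) { return 403; }` — if the intent is to restrict who may open a socket. Separately, `Access-Control-Allow-Credentials "true"` paired with `Access-Control-Allow-Origin $cors_origin` is only safe if `$cors_origin` (defined outside this hunk) maps an allow-list and is empty for unknown origins rather than echoing `$http_origin`; worth confirming. The duplicated `add_header` lines inside the `if` are required by nginx's no-inheritance rule, so a comment `# add_header is not inherited into if-blocks; repeated on purpose` would save the next reader from deduplicating them.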
diff --git a/terraform/modules/app_server/main.tf b/terraform/modules/app_server/main.tf
index ef59728..58e0d60 100644
--- a/terraform/modules/app_server/main.tf
+++ b/terraform/modules/app_server/main.tf
@@ -71,23 +71,17 @@ resource "digitalocean_firewall" "app" {
 source_addresses = ["0.0.0.0/0", "::/0"]
 }
- # WebRTC (ICE candidates)
- inbound_rule {
- protocol = "tcp"
- port_range = "3333"
- source_addresses = ["0.0.0.0/0", "::/0"]
- }
-
+ # WebRTC STUN/TURN (NAT traversal)
 inbound_rule {
 protocol = "udp"
- port_range = "3333"
+ port_range = "3478"
 source_addresses = ["0.0.0.0/0", "::/0"]
 }
- # WebRTC TCP (fallback)
+ # WebRTC ICE candidates (media transport)
 inbound_rule {
- protocol = "tcp"
- port_range = "3334"
+ protocol = "udp"
+ port_range = "10000-10009"
 source_addresses = ["0.0.0.0/0", "::/0"]
 }