Add a bunch of config info to README
parent
96904eca5c
commit
8b8385afaf
1 changed files with 22 additions and 5 deletions
27
README.md
|
@ -19,13 +19,13 @@ Archlinux packages for the above should get you rolling immediately. Otherwise s
|
|||
|
||||
This is a thousand mile up view to get you running quickly. You should review the rest of the README (including the security considerations below) before actually putting anything here to use.
|
||||
|
||||
1. Install and configure Ovenmediaengine. The following components are required:
|
||||
1. Install and configure Ovenmediaengine. Check the `example/` dir for a Server.xml to start with. The following components are required:
|
||||
1. WebRTC publishing
|
||||
2. The API enabled with a user/password set
|
||||
3. Some number of applications
|
||||
4. Applications configured with a producer webhook of `http://localhost:8080/admission`
|
||||
2. Extract or clone this repository somewhere
|
||||
3. Configure your HTTP daemon/proxy/etc to proxy HTTPS to `http://localhost:8080`
|
||||
3. Configure your HTTP daemon/proxy/etc to proxy HTTPS to `http://localhost:8080`; check the Security section below for further guidance
|
||||
4. Set up environment variables to your liking. The OvenMediaEngine API key and password are mandatory; see Configuration below
|
||||
5. Start the management engine with either `python3 main.py` or a systemd unit as noted in `examples/`
|
||||
|
||||
|
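Review bot: The rewritten step 1 points at `example/` for the starting Server.xml, but step 5 of the same list and the Configuration section both refer to `examples/`; use one directory name so the path resolves. Step 4 also says "API key and password" where the Configuration section names `OVENMONITOR_API_USER` and `OVENMONITOR_API_PASSWORD`, so "API user and password" would match.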
@ -36,7 +36,18 @@ By default this provides a few things:
|
|||
|
||||
- `https://<domain>/<appname>` will provide a "Discord like" interface to every stream live in the current app
|
||||
- `https://<domain>/<appname>/<streamname>` will display only that stream
|
||||
- `https://<domain>/<appname>/<management>` will, if configured, display a management interface to allow basic stream management
|
||||
- `https://<domain>/<management>` will, if configured, display a management interface to allow basic stream management
|
||||
|
||||
Any stream is valid, but you must have a proper application configured in OvenMediaEngine to both receive streams and present them. As configured in the examples, the video server will push source videos back out, without re-encoding. This means it's extremely light, but your video pushing software must be configured a certain way. OvenMediaEngine recommends...
|
||||
|
||||
- 0 bframes (or your video will slideshow)
|
||||
- 1s keyframe interval
|
||||
- zerolatency profile
|
||||
|
||||
You can use either RTMP or WHIP to push video from OBS Studio, or any other streaming software. Ingest URLs should be...
|
||||
|
||||
- `https://<domain>/<appname>/<streamname>?direction=whip` for WHIP
|
||||
- `rtmp://<domain>:1935/<appname>/<streamname>` for RTMP
|
||||
|
||||
|
||||
# Configuration
|
||||
|
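Review bot: The new management URL is written `https://<domain>/<management>`, with angle brackets that read as a placeholder, while the Security section tells the reader to put basic auth on `/management*`; if the path is literal, write `https://<domain>/management` so the URL and the proxy rule agree. The added RTMP ingest URL on port 1935 does not pass through the HTTPS proxy that the Security section makes responsible for authentication, so a short pointer from the ingest list to that section (and to firewalling 1935 where RTMP is not used) would help.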
@ -45,6 +56,10 @@ All configuration is done with environment variables. If using systemd you can c
|
|||
|
||||
Check out the config files in the `examples/` dir to see available configuration arguments.
|
||||
|
||||
The one configuration that is mandatory is the population of the `OVENMONITOR_API_USER` and `OVENMONITOR_API_PASSWORD` variables. These must match an API user configured in OvenMediaEngine's `Server.xml`.
|
||||
|
||||
The `OVENMONITOR_WEBHOOK_*` variables are optional and setting them all enables OvenEmprex's Discord webhook functionality, which will inform the given Discord Webhook (or possibly any webhook if the format matches) when someone is live on the server or not.
|
||||
|
||||
|
||||
# Customization
|
||||
|
||||
|
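Review bot: The `OVENMONITOR_WEBHOOK_*` paragraph says "setting them all" enables the feature without naming the variables, so the reader has to open `examples/` to learn what "all" means; list them here. The same sentence calls the project "OvenEmprex" while every variable is prefixed `OVENMONITOR_`, which is worth a spelling check or a one-line explanation. Since the API password and the webhook URL are both secrets held in environment variables, a sentence on keeping them in a file readable only by the service user would fit this section.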
@ -57,7 +72,7 @@ There's only a couple supported methods of customization at this time:
|
|||
|
||||
# Security
|
||||
|
||||
For the moment, security is the responsibility of the HTTP proxy. The CherryPy app does not do any kind of authentication (and you want to do authentication). You *should not* simply proxy all HTTPS traffic to the app. You should add basic authentication for your `/management*` endpoints, and also add authentication to the endpoint named after your OvenMediaEngine apps if you want to secure them. You also need `/assets*` proxied without auth to the app.
|
||||
For the moment, security is the responsibility of the HTTP proxy. The CherryPy app does not do any kind of authentication (and you want to do authentication). You *should not* simply proxy all HTTPS traffic to the app and call it a day. You should add basic authentication for your `/management*` endpoints, and also add authentication to the endpoint named after your OvenMediaEngine applications if you want to secure them. You also need `/assets*` proxied without auth to the CherryPy app.
|
||||
|
||||
Even still, someone who knows an exact stream key can currently get the Websocket for your WebRTC sessions and the RTMP URL to push. This is an inherited weakness from OvenMediaEngine and would be a 2.0 goal to add viewer authentication and passphrases to the Admission Webhook.
|
||||
|
||||
|
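Review bot: The revised paragraph names `/management*` and the application paths as needing auth and `/assets*` as unauthenticated, but says nothing about `/admission`, which step 1 of the setup list configures as `http://localhost:8080/admission` for OvenMediaEngine to call locally. State whether the proxy should refuse to forward `/admission` from outside; a deny-by-default rule set that forwards only the listed paths would make "should not simply proxy all HTTPS traffic" concrete.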
@ -72,4 +87,6 @@ In addition, OvenMediaEngine has been known to have a recurring bug where its AP
|
|||
- HTTP proxy also listening on :3334 and proxying all HTTP traffic to localhost:3333
|
||||
- HTTP proxy applying basic auth of some form to `/management*`
|
||||
|
||||
tl;dr: This is no more or less secure than an RTMP server sitting on the open internet if you firewall stuff.
|
||||
tl;dr: This is no more or less secure than an RTMP server sitting on the open internet if you firewall stuff but OvenMediaEngine has some quirks to be aware of and CherryPy assumes security is being performed by the proxy.
|
||||
|
||||
This all fits *my* use-case but is a 2.0 item to fix.
|
||||
|
|
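Review bot: The expanded tl;dr packs three claims into one unpunctuated sentence, and the first ("no more or less secure than an RTMP server") is immediately qualified by the other two; split it and point each caveat at the paragraph that explains it. In the added last line, "This all" has no clear referent: say which behaviour is the 2.0 item (the proxy-only authentication, the stream-key weakness, or both).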