ovenemprex

OvenMediaEngine management middleware

Requirements

This project tries to be pretty lean. Requirements should be roughly...

• OvenMediaEngine 0.10.30 or greater
• Python 3.8 or greater
• python-cherrypy
• python-requests

Archlinux packages for the above should get you rolling immediately. Otherwise setting up a virtualenv is recommended.

Setup

This is a thousand mile up view to get you running quickly. You should review the rest of the README (including the security considerations below) before actually putting anything here to use.

1. Install and configure Ovenmediaengine. The following components are required:
   1. WebRTC publishing
   2. The API enabled with a user/password set
   3. Some number of applications
   4. Applications configured with a producer webhook of http://localhost:8080/admission
2. Extract or clone this repository somewhere
3. Configure your HTTP daemon/proxy/etc to proxy HTTPS to http://localhost:8080
4. Set up environment variables to your liking. The OvenMediaEngine API key and password are mandatory; see Configuration below
5. Start the management engine with either python3 main.py or a systemd unit as noted in examples/

Usage

By default this provides a few things:

• https://<domain>/<appname> will provide a "Discord like" interface to every stream live in the current app
• https://<domain>/<appname>/<streamname> will display only that stream
• https://<domain>/<appname>/<management> will, if configured, display a management interface to allow basic stream management

Configuration

All configuration is done with environment variables. If using systemd you can configure systemd unit overrides. If you're using your own management script you can set your environment variables any way you wish.

Check out the config files in the examples/ dir to see available configuration arguments.

Customization

There's only a couple supported methods of customization at this time:

1. assets/webhook_avatars can provide for a way to assign stream keys an avatar that the webhook will use when announcing that key has gone live
2. assets/errorlogo.gif can be replaced to replace the throbber on any interface waiting for a stream to start
3. Anything in templates/ can be edited as desired but will likely be reverted in a future update

Security

For the moment, security is the responsibility of the HTTP proxy. The CherryPy app does not do any kind of authentication (and you want to do authentication). You should not simply proxy all HTTPS traffic to the app. You should add basic authentication for your /management* endpoints, and also add authentication to the endpoint named after your OvenMediaEngine apps if you want to secure them. You also need /assets* proxied without auth to the app.

Even still, someone who knows an exact stream key can currently get the Websocket for your WebRTC sessions and the RTMP URL to push. This is an inherited weakness from OvenMediaEngine and would be a 2.0 goal to add viewer authentication and passphrases to the Admission Webhook.

In addition, OvenMediaEngine has been known to have a recurring bug where its API endpoint will listen on all IP addresses even if configured not to do so. It is recommended you use a firewall to block all ports except the video ingest ports and use your HTTP proxy for most traffic. The recommended setup:

• OvenMediaEngine API port on localhost:8081 and firewalled
• OvenMediaEngine TCP Relay at :3478 and open
• ICE Candidates set to UDP 10000-10004 and open
• WHIP Signaling at :3333 and firewalled
• OvenEmprex at :8080 and firewalled
• HTTP proxy set to listen on :443 and proxy all HTTP traffic to localhost:8080
• HTTP proxy also listening on :3334 and proxying all HTTP traffic to localhost:3333
• HTTP proxy applying basic auth of some form to /management*

tl;dr: This is no more or less secure than an RTMP server sitting on the open internet if you firewall stuff.