-
Notifications
You must be signed in to change notification settings - Fork 6
/
Copy pathhdw.conf
103 lines (84 loc) · 2.99 KB
/
hdw.conf
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
server {
listen 80;
listen [::]:80;
server_name _;
return 301 https://$http_host$request_uri;
}
# SSL configuration
server {
listen 443 ssl default deferred http2;
server_name _;
ssl_certificate /usr/local/nginx/conf/ssl/fullchain.pem;
ssl_certificate_key /usr/local/nginx/conf/ssl/privkey.pem;
# Improve HTTPS performance with session resumption
ssl_session_cache shared:SSL:10m;
ssl_session_timeout 5m;
# Enable server-side protection against BEAST attacks
ssl_prefer_server_ciphers on;
ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256';
# 1.3 not supported yet, hoping of future
ssl_protocols TLSv1.2 TLSv1.3;
# Diffie-Hellman parameter for DHE ciphersuites
# $ sudo openssl dhparam -out /etc/ssl/certs/dhparam.pem 4096
ssl_dhparam /usr/local/nginx/conf/ssl/dhparam.pem;
# Enable HSTS (https://developer.mozilla.org/en-US/docs/Security/HTTP_Strict_Transport_Security)
add_header Strict-Transport-Security "max-age=63072000; includeSubdomains";
# Enable OCSP stapling (http://blog.mozilla.org/security/2013/07/29/ocsp-stapling-in-firefox)
ssl_stapling on;
ssl_stapling_verify on;
ssl_trusted_certificate /usr/local/nginx/conf/ssl/fullchain.pem;
resolver 8.8.8.8 8.8.4.4 valid=300s;
resolver_timeout 5s;
# Required for LE certificate enrollment using certbot
location '/.well-known/acme-challenge' {
default_type "text/plain";
root /var/www/html;
}
location / {
auth_basic "closed site stream";
auth_basic_user_file .htpasswd_stream;
root /srv/www/;
index dynamic.html dynamic.htm;
}
location /hdw {
auth_basic "closed site stream";
auth_basic_user_file .htpasswd_stream;
root /srv/www/;
}
location /dash {
add_header Cache-Control no-cache;
add_header Access-Control-Allow-Origin *;
auth_basic "closed site stream";
auth_basic_user_file .htpasswd_stream;
types {
application/dash+xml mpd;
video/mp4 mp4;
video/MP2T ts;
}
root /srv/www/streams;
}
location /stats {
rtmp_stat all;
rtmp_stat_stylesheet stat.xsl;
auth_basic "closed site stats";
auth_basic_user_file .htpasswd_stats;
}
location /control {
rtmp_control all;
}
location /stat.xsl {
root /tmp;
}
location /hls {
# Disable cache
add_header Cache-Control no-cache;
add_header Access-Control-Allow-Origin *;
auth_basic "closed site stream";
auth_basic_user_file .htpasswd_stream;
types {
application/vnd.apple.mpegurl m3u8;
video/mp2t ts;
}
root /srv/www/streams;
}
}