10 ownCast, nginx and TLS
Luka Prinčič edited this page 1 month ago

ownCast, Nginx and TLS/SSL

https://owncast.online/
https://en.wikipedia.org/wiki/Nginx
https://en.wikipedia.org/wiki/Transport_Layer_Security

assumptions

  • your DNS is configured so that your.domain.com points to the IP of your server
  • ownCast is already installed on your server and working at http://your.domain.com:PORT
  • you are running Ubuntu/Debian

install nginx

$ sudo apt install nginx

install certbot and nginx module for it

$ sudo apt install certbot python3-certbot-nginx

configure and run nginx

$ sudo touch /var/www/html/index.html
$ sudo cp /etc/nginx/sites-available/default /etc/nginx/sites-available/your.domain.com.conf

edit /etc/nginx/sites-available/your.domain.com.conf into something like:

server {
	listen 80;
	listen [::]:80;

	server_name your.domain.com;

	root /var/www/html;
	index index.html;

	location / {
		try_files $uri $uri/ =404;
	}
}

disable the default site and enable your virtual host

$ sudo ln -s /etc/nginx/sites-available/your.domain.com.conf /etc/nginx/sites-enabled/your.domain.com.conf
$ sudo rm /etc/nginx/sites-enabled/default
$ sudo systemctl restart nginx

Test your webserver by going with a browser to http://your.domain.com.

install certificates from Let's Encrypt

$ sudo certbot -d your.domain.com

(when certbot asks, it's better not to enable the automatic redirect from the plain site to the TLS-enabled one, i.e. http -> https)

certbot should reload nginx by itself; if it doesn't, restart it manually:

$ sudo systemctl restart nginx.service

Test it by opening https://your.domain.com in your browser.

reconfigure nginx to proxy to ownCast over TLS

edit /etc/nginx/sites-available/your.domain.com.conf into something like this:

server {
	server_name your.domain.com;

	location / {
		proxy_set_header Host $host;
		proxy_set_header X-Forwarded-Host $host;
		proxy_set_header X-Forwarded-Server $host;
		proxy_set_header X-Forwarded-Proto $scheme;
		proxy_set_header X-Real-IP $remote_addr;
		proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
		# WebSocket support: pass the Upgrade/Connection headers through
		proxy_http_version 1.1;
		proxy_set_header Upgrade $http_upgrade;
		proxy_set_header Connection $connection_upgrade;
		# ownCast's plaintext port, reached only over loopback
		proxy_pass http://127.0.0.1:8080;
	}

	listen [::]:443 ssl ipv6only=on; # managed by Certbot
	listen 443 ssl; # managed by Certbot
	ssl_certificate /etc/letsencrypt/live/your.domain.com/fullchain.pem; # managed by Certbot
	ssl_certificate_key /etc/letsencrypt/live/your.domain.com/privkey.pem; # managed by Certbot
	include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
	ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
}

(change your.domain.com to your own domain, and the port in the proxy_pass setting to the one ownCast is listening on)

Edit /etc/nginx/nginx.conf and add the following map anywhere inside the http {} block; it defines the $connection_upgrade variable that the proxy configuration above uses, and nginx will refuse to start with an unknown-variable error without it:

map $http_upgrade $connection_upgrade {
	default upgrade;
	''      close;
}

Finally restart the server:

$ sudo systemctl restart nginx.service

https://your.domain.com should now show your ownCast server.
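After the procedure above, a few checks tell you whether the deployment actually does what it is meant to: that nginx's configuration is valid, that the $connection_upgrade map is in place, that the certificate on 443 is the Let's Encrypt one, and, the point a security engineer cares most about, that the plaintext ownCast port (reachable at http://your.domain.com:PORT before the proxy was set up, per the assumptions at the top) is not still bound to a public address, since that would let clients bypass TLS altogether. The script below is an added example, not part of this wiki page or of the ownCast project. It assumes the layout the page describes (nginx on 443 proxying to ownCast on 127.0.0.1:8080, overridable via the DOMAIN and OWNCAST_PORT environment variables), that `ss`, `openssl` and `curl` are installed, and runs the live checks only when invoked with the argument `live`; without it, it runs against a constructed sample of `ss` output so the parsing logic can be tried anywhere.

```shell
#!/bin/sh
# Post-setup checks for ownCast behind nginx (added example, not from the wiki page).
# Assumes the page's layout: nginx terminates TLS on 443 and proxies to ownCast
# on 127.0.0.1:OWNCAST_PORT. your.domain.com is the page's placeholder domain.

DOMAIN="${DOMAIN:-your.domain.com}"
OWNCAST_PORT="${OWNCAST_PORT:-8080}"

# Constructed sample of `ss -Hltn` output (State Recv-Q Send-Q Local:Port Peer:Port),
# used for the dry run when the script is started without the "live" argument.
SAMPLE_SS='LISTEN 0 4096 0.0.0.0:8080 0.0.0.0:*
LISTEN 0 511 [::]:443 [::]:*
LISTEN 0 511 127.0.0.1:9000 0.0.0.0:*'

# wildcard_binds PORT: read `ss -Hltn` output on stdin and print each listening
# socket on PORT whose local address is a wildcard (0.0.0.0, [::] or *).
# Such a socket offers the plaintext ownCast port on every interface, so a
# client can talk to ownCast without ever touching the TLS proxy.
wildcard_binds() {
    awk -v port="$1" '
        {
            addr = $4                                   # Local Address:Port column
            n = split(addr, parts, ":")
            p = parts[n]                                # port is the last colon-separated field
            host = substr(addr, 1, length(addr) - length(p) - 1)
            if (p == port && (host == "0.0.0.0" || host == "[::]" || host == "*"))
                print addr
        }'
}

# upgrade_map_present FILE: succeed if FILE defines the $connection_upgrade map
# the proxy block relies on; without it nginx refuses to start because the
# variable is unknown.
upgrade_map_present() {
    grep -Eq 'map[[:space:]]+\$http_upgrade[[:space:]]+\$connection_upgrade' "$1"
}

# report_exposure PORT: read ss output on stdin and print a one-line verdict;
# returns non-zero when PORT is exposed on a wildcard address.
report_exposure() {
    exposed=$(wildcard_binds "$1")
    if [ -n "$exposed" ]; then
        echo "WARNING: port $1 listens on $exposed; ownCast is reachable without TLS"
        return 1
    fi
    echo "ok: port $1 is not bound to a wildcard address"
}

run_live_checks() {
    echo "== nginx configuration syntax"
    sudo nginx -t
    echo "== upgrade map in /etc/nginx/nginx.conf"
    upgrade_map_present /etc/nginx/nginx.conf && echo "ok: map found" \
        || echo "MISSING: add the map to the http {} block"
    echo "== plaintext ownCast port"
    ss -Hltn | report_exposure "$OWNCAST_PORT" || true
    echo "== certificate presented on 443"
    openssl s_client -connect "$DOMAIN:443" -servername "$DOMAIN" </dev/null 2>/dev/null \
        | openssl x509 -noout -subject -issuer -dates
    echo "== proxied ownCast answers over HTTPS"
    curl -sS -o /dev/null -w 'HTTP %{http_code}\n' "https://$DOMAIN/"
}

dry_run() {
    echo "== dry run against the constructed ss sample"
    for p in "$OWNCAST_PORT" 9000; do
        printf '%s\n' "$SAMPLE_SS" | report_exposure "$p" || true
    done
}

case "${1:-}" in
    live) run_live_checks ;;
    *)    dry_run ;;
esac
```

If the live run warns that the ownCast port is bound to 0.0.0.0 or [::], close it off from the outside so that nginx on loopback is the only way in, for example with the host firewall (`sudo ufw deny 8080/tcp` on Ubuntu, adjusting the port), and re-run the check. The certificate check prints the subject, issuer and validity dates of whatever nginx serves on 443, which is the quickest way to notice that the old self-signed or default certificate is still being presented.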