Add SSL to streams #3789
base: develop
Conversation
I tested this using my custom SSL certificate running RTMPS from OBS and Zoom to RTMP for Owncast and it worked great! Zoom showed enhanced security because of RTMPS and SSL. Edit: Resolved in 207dbb2
@jbowring Do you have plans to update this PR with future releases?
@RobertPosluszny thanks for testing this PR and your feedback. I think I've found the issue you described and fixed it, please check and let me know! I'll do some more testing myself and then update this PR with a pull from the
@jc21 what else needs to be done before this PR can be merged? Thanks.
@jbowring looks like the issue of editing stream settings after creation was resolved! Thanks!
When testing the linked CI image the following error is shown in the browser console when trying to create a stream
@jbowring any way to update this PR to keep in line with the latest updates? Is there a way I can help keep that in line until this PR gets merged into develop or latest?
This would be such a useful feature for anyone trying to secure their MQTT servers to the outside world, thanks for doing it, would be amazing to see this eventually merged to main.
@RobertPosluszny sorry I've been unable to maintain this for a while. I've added you as a collaborator to my repository; feel free to keep it up to date and update this pull request.
Hello, like a lot of people I'd really like to get SSL for MQTT working within NPM. The Docker image mentioned above at jc21/nginx-proxy-manager:github-pr-3789 is no longer there. Is there a way I can get this Docker image? Thanks in advance!
The image built above (build 7) doesn't actually work, there's an issue with the schema somewhere. I'll update it when I've fixed the problem. Please don't use it in the meantime.
@jbowring - thanks for your effort on integrating SSL for streams, it's really appreciated. This will be a great feature for NPM. Given the number of open pull requests, looks like being the NPM maintainer might be a full time job!
Docker Image for build 13 is available on Note: ensure you backup your NPM instance before testing this image! Especially if there are database changes
I am new to Nginx streams. I want to get something like this:
I use this for securing MQTT streams, alongside a bunch of other web services, but I believe what you're asking for will work. The sstp. sub-domain can proxy to something different than www. I really wish this excellent addition would be merged into the main branch!
@oblom86 streams is just forwarding traffic from one port to another, and with this PR it gives you the ability to wrap that traffic in an SSL certificate for encryption. So in your config you're forwarding any traffic that comes in on port 5000 (incoming port) of the public IP to the internal destination of 192.168.0.60:443 (destination). So if you wanted to access whatever service you have on 192.168.0.60:443, you'd need to go to sstp.example.com:5000 because that's the port you specified to proxy. Note: you can't use sstp.example.com:443 because port 443 is already reserved as the public HTTPS port. Also a note: if sstp.example.com and example.com are both pointing to the public IP of the host nginx proxy manager is running on, then both sstp.example.com:5000 and example.com:5000 would work. Here's an example of what my streams config looks like for owncast (rtmps://owncast.example.com:1936/live) and minecraft (minecraft.example.com:19132 or minecraft.example.com:19133):
Support for SSL for streams with TCP forwarding enabled. Uses the same web interface as creating a new Proxy Host for adding SSL.
Details
An Nginx stream config created with this SSL feature looks like this:
Nginx doesn't allow `stream` and `http` blocks to share an SSL cache, so all streams have a separate SSL cache defined in `ssl-cache-stream.conf`: `ssl_session_cache shared:SSL_stream:50m;`
"Use a DNS Challenge" is forced, as streams cannot perform HTTP authentication for issuing certificates.
Streams do not have domain names associated with them in the database or displayed in the UI, as streams are not proxied by hostname but exclusively by port.
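As an added illustration (not the config generated by this PR or shipped by NPM), this is the shape of an nginx stream configuration that wraps plain TCP forwarding in TLS as discussed in the thread; the MQTT ports, destination address and certificate paths are constructed placeholders:

```nginx
# Only the TLS-relevant parts are shown; a full nginx.conf also needs events {}.

http {
    # The http context keeps its own session cache. nginx refuses to start if
    # a stream block reuses this shared-zone name, hence the separate one below.
    ssl_session_cache shared:SSL:50m;
    # ... proxy hosts ...
}

stream {
    # Separate cache for all streams (contents of ssl-cache-stream.conf).
    ssl_session_cache shared:SSL_stream:50m;
    ssl_session_timeout 10m;

    server {
        # Incoming port (constructed: MQTT over TLS). 443 stays reserved for
        # the HTTPS proxy hosts, so a stream must use a different port.
        listen 8883 ssl;

        # Certificate issued via DNS challenge: a raw TCP stream cannot
        # answer an HTTP-01 challenge. Paths are placeholders.
        ssl_certificate     /path/to/fullchain.pem;
        ssl_certificate_key /path/to/privkey.pem;
        ssl_protocols       TLSv1.2 TLSv1.3;

        # TLS is terminated here; the decrypted TCP stream is forwarded
        # unchanged. Routing is by port only, there is no hostname involved.
        proxy_pass 192.168.0.60:1883;   # constructed: plain MQTT broker
    }
}
```

Clients then connect to the host's public address on port 8883 with TLS, while the broker behind NPM still only sees plain TCP on 1883.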