Basic HTTPS implementation

Dockerfile

@@ -145,6 +145,7 @@ RUN cd /restreamer && \
     apt autoremove -y
 
 EXPOSE 8080
+EXPOSE 8181
 VOLUME ["/restreamer/db"]
 
 CMD ["./run.sh"]

conf/live.json

@@ -113,6 +113,10 @@
             "-c",
             "/restreamer/conf/nginx.conf"
         ],
+        "args_ssl": [
+            "-c",
+            "/restreamer/conf/nginx_ssl.conf"
+        ],
         "streaming": {
             "ip": "127.0.0.1",
             "rtmp_port": "1935",
@@ -226,6 +230,14 @@
             "defaultValue": "auto",
             "required": false,
             "description": "Audio track handling: auto, none (remove audio), silence (force silence), aac (force AAC), mp3 (force MP3)."
+        },
+        {
+            "name": "RS_HTTPS",
+            "alias": [],
+            "type": "bool",
+            "defaultValue": "false",
+            "required": false,
+            "description": "Enables HTTPS support for admin interface and embeddable player."
         }
     ]
 }

conf/nginx_ssl.conf

@@ -0,0 +1,103 @@
+daemon off;
+
+error_log stderr notice;
+
+worker_processes 1;
+events {
+    worker_connections 1024;
+}
+
+rtmp {
+    server {
+        listen 1935;
+        chunk_size 4000;
+
+        application live {
+            live on;
+            idle_streams off;
+            on_publish http://127.0.0.1:3000/token;
+            notify_method get;
+        }
+
+        application hls {
+            live on;
+            hls on;
+            hls_type live;
+            hls_playlist_length 60s;
+            hls_fragment 2s;
+            hls_sync 1ms;
+            hls_path /tmp/hls;
+            idle_streams off;
+            on_publish http://127.0.0.1:3000/token;
+            notify_method get;
+        }
+    }
+}
+
+http {
+    sendfile off;
+    tcp_nopush on;
+    access_log off;
+    gzip on;
+    gzip_vary on;
+    gzip_min_length 1000;
+    gzip_types text/css application/javascript;
+
+    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
+
+    ssl_session_cache shared:SSL:2m;
+    ssl_session_timeout 10m;
+    ssl_session_tickets off;
+    ssl_ecdh_curve secp384r1;
+
+    ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH:ECDHE-RSA-AES128-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA128:DHE-RSA-AES128-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA128:ECDHE-RSA-AES128-SHA384:ECDHE-RSA-AES128-SHA128:ECDHE-RSA-AES128-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES128-SHA128:DHE-RSA-AES128-SHA128:DHE-RSA-AES128-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA384:AES128-GCM-SHA128:AES128-SHA128:AES128-SHA128:AES128-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4";
+    ssl_prefer_server_ciphers on;
+
+    # openssl dhparam -out dhparam.pem 2048
+    #ssl_dhparam ../certs/dhparam2048.pem;
+
+    #ssl_stapling on;
+    #ssl_stapling_verify on;
+    #resolver 8.8.4.4 8.8.8.8 valid=300s;
+    #resolver_timeout 3s;
+
+    ssl_certificate ../db/restreamer_sslcert.pem;
+    ssl_certificate_key ../db/restreamer_sslkey.pem;
+
+    server {
+        listen 8080;
+        listen 8181 ssl;
+        root /restreamer/src/webserver/public;
+        include /usr/local/nginx/conf/mime.types;
+        location / {
+            try_files $uri @node;
+            add_header Access-Control-Allow-Origin *;
+            add_header Cache-Control no-cache;
+        }
+        location @node {
+            add_header Access-Control-Allow-Origin *;
+            add_header Cache-Control no-cache;
+            proxy_pass http://127.0.0.1:3000;
+            proxy_http_version 1.1;
+            proxy_set_header Upgrade $http_upgrade;
+            proxy_set_header Connection "upgrade";
+            proxy_set_header Host $host;
+        }
+        location /hls {
+            types {
+                application/vnd.apple.mpegurl m3u8;
+                video/mp2t ts;
+            }
+            root /tmp;
+            add_header Cache-Control no-cache;
+            add_header Access-Control-Allow-Origin *;
+        }
+        location /debug {
+            autoindex on;
+        }
+        location = /ping {
+            add_header Content-Type text/plain;
+            return 200 "pong";
+        }
+    }
+}

src/classes/Nginxrtmp.js

@@ -34,12 +34,18 @@ class Nginxrtmp {
      * Start the NGINX server
      * @returns {Promise.<boolean>}
      */
-    async start() {
+    async start(useSSL) {
         this.logger.info('Starting ...');
         let timeout = 250;
         let abort = false;
 
-        this.process = spawn(this.config.nginx.command, this.config.nginx.args);
+        if(useSSL == false) {
+            this.process = spawn(this.config.nginx.command, this.config.nginx.args);
+        }
+        else {
+            this.logger.info('Enabling HTTPS');
+            this.process = spawn(this.config.nginx.command, this.config.nginx.args_ssl);
+        }
 
         this.process.stdout.on('data', (data) => {
             let lines = data.toString().split(/[\r\n]+/);

src/start.js

@@ -51,7 +51,7 @@ if(env.hasErrors()) {
 }
 
 // start the app
-nginxrtmp.start()
+nginxrtmp.start(process.env.RS_HTTPS == "true")
     .then(() => {
         return RestreamerData.checkJSONDb();
     })