How to Secure NGINX/RTMP stream to Facebook using Stunnel


M1GC

Unfortunately, the NGINX module nginx-rtmp-module doesn't support RTMPS out of the box.
The nginx-rtmp-module also doesn't support pushing to an rtmps:// address...
and I don't think the feature will be added in any upcoming release, as it is simple to achieve this another way and the module hasn't been updated in years...

An easy way to add RTMPS to this module is to use
stunnel, a popular application that provides a universal TLS/SSL tunneling service.

How to secure an RTMPS push / RTMPS stream to Facebook
I'll assume you already have a version of Nginx installed with the RTMP module, plus ffmpeg (optional).

Using NGINX on Windows
For this setup, I'm using nginx 1.17.0.1 Crow (download here) on Windows 10.
The subscription version for Windows contains the RTMP module.

(Read here to view the free / commercial Nginx modules included.)
Purchase your subscription here.
NOTE: purchase at your own risk, as M1GC is not affiliated with this website.

Or try to find a version of nginx for Windows that is available for free.

PLEASE NOTE: NGINX AND THE RTMP STREAMING SERVER MODULE MUST BE CONFIGURED FOR WINDOWS STREAMING BEFORE USING STUNNEL

Stunnel for Windows (Download)
After you have installed stunnel, you need to edit stunnel.conf, which is located in
C:\Users\YourUsername\AppData\Local\stunnel\config\stunnel.conf

Stunnel uses SSL certificates to secure its connections. You can create them easily with the OpenSSL package or Certbot, or use the certificate stunnel generates for itself:

On Windows

On Windows, during stunnel's install / start-up,
you will create a default certificate for your server, which can be used to secure your server from man-in-the-middle attacks...

Your config will look like this; it verifies Facebook's certificate during your live streams:

[fb-live]
client = yes
accept = 127.0.0.1:19350
connect = live-api-s.facebook.com:443
verifyChain = yes
CAfile = C:\Program Files (x86)\stunnel\config\ca-certs.pem
checkHost = live-api-s.facebook.com
OCSPaia = yes

This creates a tunnel: NGINX sends the stream to the local stunnel listener via plain RTMP, and stunnel then forwards the stream to Facebook via RTMPS.

 ____________        ____________        ____________        ____________  
| Streaming  |      |            |      |            |      |  Facebook  | 
|   Source   | ---> |   NGINX    | ---> |   stunnel  | ---> |    Live    | 
|____________|      |____________|      |____________|      |____________|
Now modify nginx.conf and replace the old Facebook push directive (if you had one there before) with the following line:
push rtmp://127.0.0.1:19350/rtmp/<your_facebook_stream_key>;

Save those two files, start stunnel via the command line or the GUI application, and then start nginx.
Test your live stream with OBS or ffmpeg.

That's all there is to it!

On LINUX

Create a LetsEncrypt Signed Certificate

Install Certbot
Run this command on the machine's command line to install Certbot.

snap install --classic certbot

Create a Standalone Certificate

Prepare the Certbot command
Run the following on the machine's command line so that the certbot command can be found in your PATH.

ln -s /snap/bin/certbot /usr/bin/certbot

Choose how you'd like to run Certbot (Standalone / Domain or DNS)

Creating a Standalone Domain Certificate

certbot certonly -d yourdomain.com -d www.yourdomain.com --standalone

For a DNS / wildcard certificate, click here.

DOWNLOAD the Mozilla CA certificate store certificate:

wget https://curl.se/ca/cacert.pem

(M1GC's Mozilla CA certificate Store Certificate) (MIRROR)

wget https://m1-gamingz.com/stunnel/cacert.pem

Make a directory for your certs, in case you create more configs later (recommended):

mkdir /etc/stunnel/certs/

COPY the cert to your new directory (the downloaded file is named cacert.pem):

cp cacert.pem /etc/stunnel/certs/ca-certs.pem

Update fb.conf (/etc/stunnel/conf.d/fb.conf) with the new certificate location if you chose to save your cert in a new directory.

nano /etc/stunnel/conf.d/fb.conf

EXAMPLE OF fb.conf with LetsEncrypt Signed Certificate:

[fb-live]
client = yes
accept = 127.0.0.1:19350
connect = live-api-s.facebook.com:443
cert = /etc/letsencrypt/live/YOURDOMAIN/fullchain.pem
key = /etc/letsencrypt/live/YOURDOMAIN/privkey.pem
verifyChain = yes
CAfile = /etc/stunnel/certs/ca-certs.pem
checkHost = live-api-s.facebook.com
OCSPaia = yes
sslVersion = TLSv1.3
options = NO_SSLv2
options = NO_SSLv3

You can reference Certbot's fullchain.pem as the cert in your fb.conf; it combines your certificate (cert.pem) and the CA chain (chain.pem) into one file, while your private key stays in privkey.pem and is referenced separately with the key option, as in the example above.

BELOW ARE MORE EXAMPLES OF USING DIFFERENT CERTIFICATES WITH STUNNEL.
Create a Self-Signed Certificate for Stunnel (OpenSSL)
Stunnel uses SSL certificates to secure its connections, which you can easily create using the OpenSSL package:

Using stunnel in client mode (i.e., stunnel is not acting as an SSL server) means you (the client) probably don't need to present a certificate to the server.

SINCE WE'RE CONNECTING REMOTELY IN CLIENT MODE,
WE CAN USE MOZILLA'S CA CERTIFICATE STORE AS THE CERTIFICATE AUTHORITY.
The cacert file is a collection of trusted certificate authority (CA) certificates.

Make a directory for your certs, in case you create more configs later (recommended):

mkdir /etc/stunnel/certs/

Now let's create a self-signed certificate and a private key:

openssl genrsa -out key.pem 2048
openssl req -new -x509 -key key.pem -out cert.pem -days 1095
cat key.pem cert.pem > combined-cert.pem
  • The commands above create a private key,
  • create an x509 certificate from that private key that expires after 1095 days,
  • and combine the two into one file named "combined-cert.pem" to use with Stunnel.

Note: when creating the certificate you will be asked for some information such as country and state,
which you can fill in however you like, but when asked for "Common Name" you must enter the correct host name, DNS name, or IP address of your server.

Copy the certs to your new Directory

cp key.pem combined-cert.pem /etc/stunnel/certs/

DOWNLOAD the Mozilla CA certificate store certificate:

wget https://curl.se/ca/cacert.pem

(M1GC Mozilla CA certificate store certificate MIRROR)

wget https://m1-gamingz.com/stunnel/cacert.pem

COPY the cert to your new directory (the downloaded file is named cacert.pem):

cp cacert.pem /etc/stunnel/certs/ca-certs.pem

Make sure to update fb.conf (/etc/stunnel/conf.d/fb.conf) with the new certificate location if you chose to save your cert in a new directory.

nano /etc/stunnel/conf.d/fb.conf

EXAMPLE OF fb.conf with Self Signed Certificate:

[fb-live]
client = yes
accept = 127.0.0.1:19350
connect = live-api-s.facebook.com:443
cert = /etc/stunnel/certs/combined-cert.pem
key = /etc/stunnel/certs/key.pem
verifyChain = yes
CAfile = /etc/stunnel/certs/ca-certs.pem
checkHost = live-api-s.facebook.com
OCSPaia = yes
sslVersion = TLSv1.3
options = NO_SSLv2
options = NO_SSLv3

USING MOZILLA'S CA CERTIFICATE STORE ONLY IN STUNNEL (STUNNEL CLIENT MODE ONLY)
CERTIFICATE AUTHORITY FOR STUNNEL (Mozilla CA Certificate Store)

Stunnel uses SSL certificates to secure its connections; in client mode you can simply use the CA certificate bundle provided by Mozilla (cacert.pem) rather than creating a certificate of your own:

Using stunnel in client mode (i.e., stunnel is not acting as an SSL server) means you (the client) probably don't need to present a certificate to the server.

SINCE WE'RE CONNECTING REMOTELY IN CLIENT MODE,
WE CAN USE MOZILLA'S CA CERTIFICATE STORE AS THE CERTIFICATE AUTHORITY.
The cacert file is a collection of trusted certificate authority (CA) certificates; stunnel uses it (CAfile) to verify the certificate Facebook presents.

You can also make a directory for your certs, in case you create more configs later (recommended):

mkdir /etc/stunnel/certs/

DOWNLOAD The Mozilla CA certificate store certificate:

wget https://curl.se/ca/cacert.pem

(M1GC Mozilla CA certificate store certificate MIRROR)

wget https://m1-gamingz.com/stunnel/cacert.pem

COPY the cert to your new directory (the downloaded file is named cacert.pem):

cp cacert.pem /etc/stunnel/certs/ca-certs.pem

Make sure to update fb.conf (/etc/stunnel/conf.d/fb.conf) with the new certificate location if you chose to save your cert in a new directory.

nano /etc/stunnel/conf.d/fb.conf

EXAMPLE OF fb.conf with Mozilla's CA Certificate:

[fb-live]
client = yes
accept = 127.0.0.1:19350
connect = live-api-s.facebook.com:443
verifyChain = yes
CAfile = /etc/stunnel/certs/ca-certs.pem
checkHost = live-api-s.facebook.com
OCSPaia = yes
sslVersion = TLSv1.3
options = NO_SSLv2
options = NO_SSLv3
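Before starting stunnel, it is worth checking that fb.conf still contains the settings that actually provide the man-in-the-middle protection: a loopback accept, verifyChain = yes, a checkHost matching the connect host, a CAfile, and a modern sslVersion. The following sh script is an added example, not code from the original post or from stunnel itself; the check_fbconf and write_sample_conf functions and the sample configs they write are constructed for illustration, and it assumes one [section] per file, as in fb.conf.

```shell
#!/bin/sh
# Added example: lint an stunnel client-mode config such as fb.conf before
# starting stunnel. Each check mirrors what the config relies on for MITM
# protection. Assumes one [section] per file (constructed helper, not stunnel's).

conf_get() {   # conf_get FILE KEY -> value of the first "KEY = value" line
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | head -n 1 | sed 's/[[:space:]]*$//'
}

check_fbconf() {   # check_fbconf FILE -> exit 0 if every check passes
    f=$1; rc=0
    # accept must stay on loopback: this leg is plaintext RTMP, so any other
    # bind address would expose an unauthenticated relay to the network.
    case "$(conf_get "$f" accept)" in
        127.0.0.1:*|localhost:*|::1:*) ;;
        *) echo "FAIL: accept is not loopback, plaintext RTMP would be reachable from the network"; rc=1 ;;
    esac
    [ "$(conf_get "$f" verifyChain)" = "yes" ] || { echo "FAIL: verifyChain must be yes, otherwise the server certificate is never validated"; rc=1; }
    # checkHost must equal the host in connect (port stripped) or the name is not pinned.
    host=$(conf_get "$f" connect | sed 's/:[0-9]*$//')
    chk=$(conf_get "$f" checkHost)
    [ -n "$chk" ] && [ "$chk" = "$host" ] || { echo "FAIL: checkHost '$chk' must equal the connect host '$host'"; rc=1; }
    [ -n "$(conf_get "$f" CAfile)" ] || { echo "FAIL: CAfile missing, verifyChain has no trust anchors"; rc=1; }
    case "$(conf_get "$f" sslVersion)" in
        ""|TLSv1.2|TLSv1.3) ;;
        *) echo "FAIL: sslVersion pins an obsolete protocol"; rc=1 ;;
    esac
    return $rc
}

# Constructed sample input: write an fb.conf-style file with the given values.
write_sample_conf() {   # write_sample_conf FILE ACCEPT VERIFYCHAIN CHECKHOST
    printf '[fb-live]\nclient = yes\naccept = %s\nconnect = live-api-s.facebook.com:443\nverifyChain = %s\nCAfile = /etc/stunnel/certs/ca-certs.pem\ncheckHost = %s\nOCSPaia = yes\nsslVersion = TLSv1.3\n' "$2" "$3" "$4" > "$1"
}

# Demo: the config from the post passes; a loosened copy fails three checks.
good=$(mktemp); bad=$(mktemp)
write_sample_conf "$good" 127.0.0.1:19350 yes live-api-s.facebook.com
write_sample_conf "$bad"  0.0.0.0:19350   no  facebook.com
check_fbconf "$good" && echo "good config: OK"
check_fbconf "$bad"  || echo "bad config: rejected"
rm -f "$good" "$bad"
```

Run it as `sh check-fbconf.sh`, or source it and call `check_fbconf /etc/stunnel/conf.d/fb.conf` against your real file.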

THAT'S IT.

NOW LET'S RUN / START STUNNEL...

Start Stunnel

systemctl restart stunnel4 && systemctl status stunnel4
or
service stunnel4 restart && service stunnel4 status

OUTPUT

● stunnel4.service - LSB: Start or stop stunnel 4.x (TLS tunnel for network daemons)
     Loaded: loaded (/etc/init.d/stunnel4; generated)
     Active: active (running) since Thu 2021-07-01 13:54:20 UTC; 29ms ago
       Docs: man:systemd-sysv-generator(8)
    Process: 1270 ExecStart=/etc/init.d/stunnel4 start (code=exited, status=0/SUCCESS)
      Tasks: 2 (limit: 4615)
     Memory: 7.0M
     CGroup: /system.slice/stunnel4.service
             └─1299 /usr/bin/stunnel4 /etc/stunnel/stunnel.conf

Jul 01 13:54:20 stunnel stunnel[1295]: LOG5[ui]: Reading configuration from file /etc/stunnel/stunnel.conf
Jul 01 13:54:20 stunnel stunnel[1295]: LOG5[ui]: UTF-8 byte order mark not detected
Jul 01 13:54:20 stunnel stunnel[1295]: LOG5[ui]: Reading configuration from file /etc/stunnel/conf.d/fb.conf
Jul 01 13:54:20 stunnel stunnel[1295]: LOG5[ui]: UTF-8 byte order mark not detected
Jul 01 13:54:20 stunnel stunnel[1295]: LOG5[ui]: FIPS mode disabled
Jul 01 13:54:20 stunnel stunnel[1295]: LOG5[ui]: Configuration successful
Jul 01 13:54:20 stunnel stunnel4[1270]: Starting TLS tunnels: /etc/stunnel/stunnel.conf: started
Jul 01 13:54:20 stunnel systemd[1]: Started LSB: Start or stop stunnel 4.x (TLS tunnel for network daemons).

STUNNEL IS NOW UP AND RUNNING

Assuming FFmpeg is installed,

we can run an ffmpeg command to test pushing a stream, targeting the local stunnel port 19350:
ffmpeg -re -i rtmp://127.0.0.1/live/yourstreamkeyinobs -c:v libx264 -c:a aac -f flv rtmp://127.0.0.1:19350/rtmp/<facebook-live-stream-key>

If your stream goes live on Facebook, stunnel is ready to work!

Now we just need to replace the push URL in the NGINX RTMP config with the local stunnel port.

Change this line in your nginx config
(streaming to Facebook insecurely, plain RTMP on port 80):
push rtmp://live-api-s.facebook.com:80/rtmp/<facebook-live-stream-key>;
to (streaming to Facebook securely, via stunnel):
push rtmp://127.0.0.1:19350/rtmp/<facebook-live-stream-key>;

All done!

Again, from a high level:
  • Your Streaming Source (OBS/XSplit/Wirecast/etc)
  • NGINX
  • Stunnel
  • Facebook

Your stream should now operate like so:
 ____________        ____________        ____________        ____________  
| Streaming  |      |            |      |            |      |  Facebook  | 
|   Source   | ---> |   NGINX    | ---> |   stunnel  | ---> |    Live    | 
|____________|      |____________|      |____________|      |____________|
That's all there is to it.
Hope this helps with pushing your streams securely to RTMPS servers.
  • M1GC changed the title to How to Secure / Prevent Man-In-The-Middle-Attacks on your NGINX/RTMP stream to Facebook using Stunnel