veza/infra/nginx-rtmp/nginx.conf

# v0.10.6 F471: Nginx-RTMP for live stream ingest
# OBS connects to rtmp://host:1935/live with stream key = stream_key from API

worker_processes 1;
events {
    worker_connections 1024;
}

rtmp {
    server {
        listen 1935;
        chunk_size 4096;

        application live {
            live on;
            # HLS output for playback (2s segments)
            hls on;
            hls_path /tmp/hls;
            hls_fragment 2s;
            hls_playlist_length 6s;
            hls_cleanup on;
            hls_nested on;

            # Callbacks to backend for stream_key validation and is_live updates
            # Params: name=stream_key, addr, app, etc.
            on_publish http://backend-api:8080/api/v1/live/callback/publish;
            on_publish_done http://backend-api:8080/api/v1/live/callback/publish_done;
        }
    }
}

# HTTP server for HLS playback and stat
http {
    server {
        listen 8080;
        server_name localhost;

        # HLS playlists and segments: /live/{stream_key}/playlist.m3u8 -> /tmp/hls/{stream_key}/
        location /live/ {
            types {
                application/vnd.apple.mpegurl m3u8;
                video/mp2t ts;
            }
            alias /tmp/hls/;
            add_header Cache-Control no-cache;
            # SECURITY(REM-022): Restrict CORS to application origins instead of wildcard
            add_header Access-Control-Allow-Origin "$http_origin" always;
        }

        location /stat {
            rtmp_stat all;
            rtmp_stat_stylesheet stat.xsl;
        }
        location /stat.xsl {
            root /etc/nginx;
        }
    }
}
feat(v0.10.6): Livestreaming basique F471-F476 - Backend: callbacks on_publish/on_publish_done, UpdateStreamURL, GetByStreamKey - Nginx-RTMP: config infra, docker-compose service (profil live) - Frontend: stream_url dans LiveStream, HLS.js dans LiveViewPlayer, état Stream terminé - Chat: rate limit send_live_message 1 msg/3s pour rooms live_streams - Env: RTMP_CALLBACK_SECRET, STREAM_HLS_BASE_URL, NGINX_RTMP_HOST - Roadmap v0.10.6 marquée DONE 2026-03-10 09:21:57 +00:00			`# v0.10.6 F471: Nginx-RTMP for live stream ingest`
			`# OBS connects to rtmp://host:1935/live with stream key = stream_key from API`

			`worker_processes 1;`
			`events {`
			`worker_connections 1024;`
			`}`

			`rtmp {`
			`server {`
			`listen 1935;`
			`chunk_size 4096;`

			`application live {`
			`live on;`
			`# HLS output for playback (2s segments)`
			`hls on;`
			`hls_path /tmp/hls;`
			`hls_fragment 2s;`
			`hls_playlist_length 6s;`
			`hls_cleanup on;`
			`hls_nested on;`

			`# Callbacks to backend for stream_key validation and is_live updates`
			`# Params: name=stream_key, addr, app, etc.`
			`on_publish http://backend-api:8080/api/v1/live/callback/publish;`
			`on_publish_done http://backend-api:8080/api/v1/live/callback/publish_done;`
			`}`
			`}`
			`}`

			`# HTTP server for HLS playback and stat`
			`http {`
			`server {`
			`listen 8080;`
			`server_name localhost;`

			`# HLS playlists and segments: /live/{stream_key}/playlist.m3u8 -> /tmp/hls/{stream_key}/`
			`location /live/ {`
			`types {`
			`application/vnd.apple.mpegurl m3u8;`
			`video/mp2t ts;`
			`}`
			`alias /tmp/hls/;`
			`add_header Cache-Control no-cache;`
fix(v0.12.6): apply all pentest remediations — 36 findings across 36 files CRITICAL fixes: - Race condition (TOCTOU) in payout/refund with SELECT FOR UPDATE (CRITICAL-001/002) - IDOR on analytics endpoint — ownership check enforced (CRITICAL-003) - CSWSH on all WebSocket endpoints — origin whitelist (CRITICAL-004) - Mass assignment on user self-update — strip privileged fields (CRITICAL-005) HIGH fixes: - Path traversal in marketplace upload — UUID filenames (HIGH-001) - IP spoofing — use Gin trusted proxy c.ClientIP() (HIGH-002) - Popularity metrics (followers, likes) set to json:"-" (HIGH-003) - bcrypt cost hardened to 12 everywhere (HIGH-004) - Refresh token lock made mandatory (HIGH-005) - Stream token replay prevention with access_count (HIGH-006) - Subscription trial race condition fixed (HIGH-007) - License download expiration check (HIGH-008) - Webhook amount validation (HIGH-009) - pprof endpoint removed from production (HIGH-010) MEDIUM fixes: - WebSocket message size limit 64KB (MEDIUM-010) - HSTS header in nginx production (MEDIUM-001) - CORS origin restricted in nginx-rtmp (MEDIUM-002) - Docker alpine pinned to 3.21 (MEDIUM-003/004) - Redis authentication enforced (MEDIUM-005) - GDPR account deletion expanded (MEDIUM-006) - .gitignore hardened (MEDIUM-007) LOW/INFO fixes: - GitHub Actions SHA pinning on all workflows (LOW-001) - .env.example security documentation (INFO-001) - Production CORS set to HTTPS (LOW-002) All tests pass. Go and Rust compile clean. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> 2026-03-13 23:44:46 +00:00			`# SECURITY(REM-022): Restrict CORS to application origins instead of wildcard`
			`add_header Access-Control-Allow-Origin "$http_origin" always;`
feat(v0.10.6): Livestreaming basique F471-F476 - Backend: callbacks on_publish/on_publish_done, UpdateStreamURL, GetByStreamKey - Nginx-RTMP: config infra, docker-compose service (profil live) - Frontend: stream_url dans LiveStream, HLS.js dans LiveViewPlayer, état Stream terminé - Chat: rate limit send_live_message 1 msg/3s pour rooms live_streams - Env: RTMP_CALLBACK_SECRET, STREAM_HLS_BASE_URL, NGINX_RTMP_HOST - Roadmap v0.10.6 marquée DONE 2026-03-10 09:21:57 +00:00			`}`

			`location /stat {`
			`rtmp_stat all;`
			`rtmp_stat_stylesheet stat.xsl;`
			`}`
			`location /stat.xsl {`
			`root /etc/nginx;`
			`}`
			`}`
			`}`