senke/veza
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
veza/infra/nginx-rtmp/nginx.conf
senke 249fd99730 fix(v0.12.6): apply all pentest remediations — 36 findings across 36 files 
CRITICAL fixes:
- Race condition (TOCTOU) in payout/refund with SELECT FOR UPDATE (CRITICAL-001/002)
- IDOR on analytics endpoint — ownership check enforced (CRITICAL-003)
- CSWSH on all WebSocket endpoints — origin whitelist (CRITICAL-004)
- Mass assignment on user self-update — strip privileged fields (CRITICAL-005)

HIGH fixes:
- Path traversal in marketplace upload — UUID filenames (HIGH-001)
- IP spoofing — use Gin trusted proxy c.ClientIP() (HIGH-002)
- Popularity metrics (followers, likes) set to json:"-" (HIGH-003)
- bcrypt cost hardened to 12 everywhere (HIGH-004)
- Refresh token lock made mandatory (HIGH-005)
- Stream token replay prevention with access_count (HIGH-006)
- Subscription trial race condition fixed (HIGH-007)
- License download expiration check (HIGH-008)
- Webhook amount validation (HIGH-009)
- pprof endpoint removed from production (HIGH-010)

MEDIUM fixes:
- WebSocket message size limit 64KB (MEDIUM-010)
- HSTS header in nginx production (MEDIUM-001)
- CORS origin restricted in nginx-rtmp (MEDIUM-002)
- Docker alpine pinned to 3.21 (MEDIUM-003/004)
- Redis authentication enforced (MEDIUM-005)
- GDPR account deletion expanded (MEDIUM-006)
- .gitignore hardened (MEDIUM-007)

LOW/INFO fixes:
- GitHub Actions SHA pinning on all workflows (LOW-001)
- .env.example security documentation (INFO-001)
- Production CORS set to HTTPS (LOW-002)

All tests pass. Go and Rust compile clean.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-03-14 00:44:46 +01:00

58 lines
1.6 KiB
Nginx Configuration File
Raw Blame History

# v0.10.6 F471: Nginx-RTMP for live stream ingest
# OBS connects to rtmp://host:1935/live with stream key = stream_key from API
worker_processes 1;
events {
worker_connections 1024;
}
rtmp {
server {
listen 1935;
chunk_size 4096;
application live {
live on;
# HLS output for playback (2s segments)
hls on;
hls_path /tmp/hls;
hls_fragment 2s;
hls_playlist_length 6s;
hls_cleanup on;
hls_nested on;
# Callbacks to backend for stream_key validation and is_live updates
# Params: name=stream_key, addr, app, etc.
on_publish http://backend-api:8080/api/v1/live/callback/publish;
on_publish_done http://backend-api:8080/api/v1/live/callback/publish_done;
}
}
}
# HTTP server for HLS playback and stat
http {
server {
listen 8080;
server_name localhost;
# HLS playlists and segments: /live/{stream_key}/playlist.m3u8 -> /tmp/hls/{stream_key}/
location /live/ {
types {
application/vnd.apple.mpegurl m3u8;
video/mp2t ts;
}
alias /tmp/hls/;
add_header Cache-Control no-cache;
# SECURITY(REM-022): Restrict CORS to application origins instead of wildcard
add_header Access-Control-Allow-Origin "$http_origin" always;
}
location /stat {
rtmp_stat all;
rtmp_stat_stylesheet stat.xsl;
}
location /stat.xsl {
root /etc/nginx;
}
}
}
Reference in a new issue View git blame Copy permalink