TiTopStreamer does not implement SSL/TLS itself; it provides it indirectly through Nginx.
The reasoning is simple: Nginx is already a widely adopted front-end proxy, its SSL/TLS support is mature and complete, and its performance is excellent. There is therefore no need to build a TLS stack into TiTopStreamer; install Nginx and let it terminate TLS in front of TiTopStreamer.
In this article we explain how to generate or obtain an SSL certificate, how to install and configure Nginx with SSL support, and how to set up a reverse proxy from Nginx to TiTopStreamer.
1. Generate or obtain an SSL certificate:
Before asking how to obtain a certificate, be clear about where it will be used:
1) In a public network environment, serving browsers of public users.
2) In an internal network or within one system, for encrypted communication between servers.
These are two completely different scenarios.
For the first scenario you need a certificate issued by a publicly trusted certificate authority (CA): public users' browsers must be able to trust your organization and your service, and a self-signed certificate will only produce a browser warning. The certificate is bound to your domain name. Commercial certificates are easy to buy nowadays, for example from Alibaba Cloud or Tencent Cloud; prices range from one or two thousand to tens of thousands.
We suggest buying a certificate for a wildcard domain, for example *.ttstream.com, so that one certificate covers all of your streaming hosts.
Providers usually deliver the certificate in several formats. Nginx needs PEM: the certificate (with its intermediate chain) and the private key as separate PEM files, so prepare PEM files.
If you received another format (PFX/PKCS#12, DER, JKS), ask the provider for PEM or convert it; many online articles explain conversion between certificate formats.
For the second scenario the goal is only encrypted communication between your own servers, so you can generate the certificate yourself; this is called a "self-signed SSL certificate". Note that self-signed certificates are trusted by nobody by default: each client must be configured to trust (or pin) exactly this certificate, otherwise it gets encryption without authentication and an attacker in the path can present its own self-signed certificate instead.
Since Nginx uses PEM certificate files, the rest of this section shows how to generate such a PEM certificate with the OpenSSL tool on a Linux server.
1. First step: create the private key.
    openssl genrsa -out your_private.key 2048
2. Second step: create the certificate signing request (CSR).
    openssl req -new -key your_private.key -out csr.csr
During this process OpenSSL prompts for some organizational information. Here is an example:
    Country Name (2 letter code) [XX]:CN
    State or Province Name (full name) []:Beijing
    Locality Name (eg, city) [Default City]:Beijing
    Organization Name (eg, company) [Default Company Ltd]:Beijing TiLiu Technology Co.,Ltd.
    Organizational Unit Name (eg, section) []:Beijing TiLiu Technology Co.,Ltd.
    Common Name (eg, your name or your server's hostname) []:TiTopStreamer
    Email Address []:streaming@ttstream.com
    Please enter the following 'extra' attributes to be sent with your certificate request
    A challenge password []:1234567890
    An optional company name []:TTStream
Note: Common Name should be the hostname that clients will connect to, not a product name. Modern browsers and most TLS libraries ignore the Common Name entirely and require a subjectAltName extension, which this prompt-driven procedure does not add; a CN-only certificate such as the one above works for server-to-server use where the peer pins the certificate, but not for browsers. The challenge password is not used by the self-signing step below and can be left empty.
We suggest preparing the values in a text file first and pasting them when prompted; working them out while typing easily leads to errors.
3. Third step: create the certificate file.
    openssl x509 -req -in csr.csr -signkey your_private.key -out your_ssl_certification.pem -days 3650
Note: -days is the validity period; 3650 means 10 years.
At this point you have generated the self-signed certificate file.
We suggest placing the private key file ("your_private.key" above) and the certificate file ("your_ssl_certification.pem" above) together in one directory, for example /usr/local/nginx/conf/cert, and restricting the private key to the user Nginx runs as (mode 0600; it must not be world-readable).
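The three steps above produce a CN-only certificate. The script below is an added example, not part of the TiTopStreamer documentation, that does the same job in a single openssl invocation, adds the subjectAltName that browsers and TLS libraries require, creates the key file non-world-readable, and then checks the result the way you would before handing the files to Nginx: that the SAN is present, that the certificate really belongs to the key file next to it, and that it does not expire soon. It assumes OpenSSL 1.1.1 or newer (for -addext); the hostname, directory and organization values are placeholders.

```sh
#!/bin/sh
# Added example, not TiTopStreamer's own code. Assumes OpenSSL >= 1.1.1
# (for the -addext option). Hostname, directory and organization are placeholders.

# gen_selfsigned_cert DIR HOSTNAME [DAYS]
# Writes DIR/your_private.key and DIR/your_ssl_certification.pem (the file
# names used elsewhere in this guide) in one step, with a DNS SAN for HOSTNAME.
gen_selfsigned_cert() {
    dir=$1; host=$2; days=${3:-3650}
    mkdir -p "$dir" || return 1
    # umask 077 in a subshell: the key file is created mode 0600, never world-readable
    (
        umask 077
        openssl req -x509 -newkey rsa:2048 -sha256 -nodes -days "$days" \
            -keyout "$dir/your_private.key" \
            -out "$dir/your_ssl_certification.pem" \
            -subj "/C=CN/ST=Beijing/L=Beijing/O=Example Org/CN=$host" \
            -addext "subjectAltName=DNS:$host" >/dev/null 2>&1
    )
}

# cert_has_san CERT HOSTNAME: true if CERT lists HOSTNAME as a DNS subjectAltName
cert_has_san() {
    openssl x509 -in "$1" -noout -text | grep -q "DNS:$2"
}

# cert_matches_key CERT KEY: true if the public key inside CERT is the one derived
# from KEY (catches the classic mistake of pairing a certificate with the wrong key file)
cert_matches_key() {
    c=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null)
    k=$(openssl pkey -in "$2" -pubout 2>/dev/null)
    [ -n "$c" ] && [ "$c" = "$k" ]
}

# cert_valid_for_days CERT DAYS: true if CERT will not expire within DAYS days
cert_valid_for_days() {
    openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null
}

# Example usage (placeholder paths and hostname):
#   gen_selfsigned_cert /usr/local/nginx/conf/cert streaming.ttstream.com 3650
#   cert_has_san /usr/local/nginx/conf/cert/your_ssl_certification.pem streaming.ttstream.com && echo "SAN ok"
#   cert_matches_key /usr/local/nginx/conf/cert/your_ssl_certification.pem /usr/local/nginx/conf/cert/your_private.key && echo "key ok"
```

The same three checks are worth running on a purchased certificate as well: a mismatched key file is the most common reason Nginx refuses to start after a certificate renewal, and cert_valid_for_days is a cheap cron-friendly expiry alarm.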
2. Install Nginx:
There are two ways to install Nginx:
1. With a package manager, such as yum on CentOS or apt on Debian. In this case the server must be able to reach the external network.
2. From source code, i.e. compiling and installing it yourself. This does not require the server to be online: even if the server cannot reach the external network, you can download the Nginx source locally and upload it to the server. If the server is online, you can download the source directly with wget.
If it were only a matter of installing Nginx, both methods are very simple and you could choose either.
The catch is that this is not only about Nginx: it also needs OpenSSL, PCRE and zlib and their development libraries. All of these are required, and installing them without a package manager (yum or apt) is troublesome.
For that reason we suggest that the server be able to reach the external network at least while these packages are being installed, so that the process stays simple.
The following steps assume the server is online and use CentOS as the example:
1. Check whether "pcre" and "pcre-devel" are installed; if not, install them:
    rpm -qi pcre
    yum -y install pcre
    rpm -qi pcre-devel
    yum -y install pcre-devel
2. Check whether "zlib" and "zlib-devel" are installed; if not, install them:
    rpm -qi zlib
    yum -y install zlib
    rpm -qi zlib-devel
    yum -y install zlib-devel
3. Check whether "openssl" and "openssl-devel" are installed; if not, install them:
    rpm -qi openssl
    yum -y install openssl
    rpm -qi openssl-devel
    yum -y install openssl-devel
The actual Nginx installation follows; both methods are listed. Source installation is the more flexible of the two.
4.1 Install Nginx from source (version 1.25.1 is used as the example; substitute the version number for other releases)
    wget https://nginx.org/download/nginx-1.25.1.tar.gz
    tar xzvf nginx-1.25.1.tar.gz
    cd nginx-1.25.1
    ./configure --prefix=/usr/local/nginx --with-http_ssl_module --with-stream --with-stream_ssl_module
    make
    make install
Note: download over HTTPS and verify the tarball against the PGP signature (.asc file) that nginx.org publishes next to each release before building it; you are about to run this code as the TLS front door of your service. When running configure, the modules listed above are the ones this guide requires (--with-stream_ssl_module depends on --with-stream); add any other optional modules your project needs. This is what "source installation is more flexible" means.
4.2 Install Nginx with the yum package manager
    yum install -y nginx
Note: choose one of the two methods. We usually prefer source installation, which is more transparent and flexible. If you use the package, check that the binary was built with the stream and SSL modules (nginx -V lists the configure arguments); some distributions ship the stream module as a separate dynamic-module package that must be installed and loaded with a load_module directive.
At this point Nginx is installed.
3. Configure Nginx:
Nginx configuration is very flexible. Below we recommend only the simplest and easiest-to-maintain layout:
1. Create a subdirectory under the conf directory to hold our configuration files:
    cd /usr/local/nginx/conf
    mkdir tcp.d
    cd tcp.d
Note: the subdirectory name "tcp.d" is only an example; any name works. We chose it because we are configuring a TCP reverse proxy.
In this directory create a text file named test.conf (the file name is up to you, but the extension must be .conf so that the include directive picks it up) with the following content:
    stream {
        upstream nginx_proxy {
            hash $remote_addr consistent;
            server 127.0.0.1:8080;
        }
        server {
            listen 443 ssl;
            ssl_certificate     /usr/local/nginx/conf/cert/xxxYour_Certification_File.pem;
            ssl_certificate_key /usr/local/nginx/conf/cert/xxxYour_Private_Key_File.key;
            ssl_protocols TLSv1.2 TLSv1.3;
            ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305;
            ssl_session_cache shared:SSL:10m;
            ssl_session_timeout 10m;
            proxy_connect_timeout 10s;
            proxy_timeout 30s;
            proxy_pass nginx_proxy;
        }
    }
The key parts of this configuration, briefly explained:
1) upstream nginx_proxy: upstream defines the group of backend servers for the TCP reverse proxy; nginx_proxy is the name of that group and can be anything you like.
2) server 127.0.0.1:8080: the HTTP streaming service of TiTopStreamer. TiTopStreamer runs on the same host, hence 127.0.0.1; set the port to match your TiTopStreamer configuration. In short, it points at one TiTopStreamer service. Because this is a stream (TCP-level) proxy, TiTopStreamer sees every connection as coming from 127.0.0.1 and the original client address is not passed through. Also make sure port 8080 is not reachable from the outside (firewall it); otherwise clients can simply bypass TLS.
3) listen 443 ssl: the port on which TLS is offered to the outside world, normally 443, which is also the browser's default HTTPS port.
4) ssl_certificate: the full path to the certificate file. For a CA-issued certificate this file should contain the server certificate followed by the intermediate chain.
5) ssl_certificate_key: the private key belonging to that certificate.
6) ssl_protocols / ssl_ciphers: allow only TLS 1.2 and 1.3 and AEAD suites with forward secrecy. Do not enable TLSv1 or TLSv1.1, nor suites based on RC4, 3DES (DES-CBC3) or MD5; they are broken, deprecated, and rejected by modern clients, so enabling them only weakens the server without making it reachable by anyone extra.
7) proxy_pass nginx_proxy: the target of the TCP reverse proxy, i.e. the "upstream nginx_proxy" group defined above.
For the remaining directives, see the documentation at nginx.org.
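As an added example (not from the TiTopStreamer documentation or the Nginx project), the following shell lint reads an Nginx configuration and flags the deprecated protocol versions and broken cipher suites discussed in point 6, before you run nginx -t. It needs only POSIX grep, sed and tr; the two configuration blocks embedded at the bottom are constructed samples, one in the old style (TLSv1/1.1, RC4, 3DES, MD5) and one hardened.

```sh
#!/bin/sh
# Added example, not part of the TiTopStreamer documentation: a small lint for the
# TLS directives in an Nginx stream/http config. Only POSIX grep/sed/tr are used.

# directive_values NAME: reads a config on stdin and prints the arguments of every
# NAME directive, one token per line. Cipher lists are split on ':' and "!EXCLUDED"
# tokens are dropped, since they disable a suite rather than enable it.
directive_values() {
    grep -E "^[[:space:]]*$1[[:space:]]" \
    | sed -e "s/^[[:space:]]*$1//" -e 's/#.*$//' -e 's/;.*$//' \
    | tr ':' ' ' | tr -s ' \t' '\n\n' \
    | grep -v '^$' | grep -v '^!'
}

# check_tls_settings: reads a config on stdin, prints one line per finding,
# returns 1 if any weak setting is present and 0 otherwise.
check_tls_settings() {
    conf=$(cat)
    rc=0
    # SSLv3, TLS 1.0 and TLS 1.1 are deprecated (RFC 8996). Exact-token match, so TLSv1.2 is not flagged.
    if printf '%s\n' "$conf" | directive_values ssl_protocols | grep -Exq 'SSLv2|SSLv3|TLSv1|TLSv1\.1'; then
        echo "weak: ssl_protocols enables SSLv3/TLSv1/TLSv1.1"
        rc=1
    fi
    # RC4, 3DES (DES-CBC3), MD5 MACs, NULL and EXPORT suites are broken or rejected by modern clients.
    if printf '%s\n' "$conf" | directive_values ssl_ciphers | grep -Eq 'RC4|DES|MD5|NULL|EXPORT'; then
        echo "weak: ssl_ciphers includes RC4/3DES/MD5/NULL/EXPORT suites"
        rc=1
    fi
    # Not a security flaw, but a timeout of 0 disables session resumption and forces a full handshake per connection.
    if printf '%s\n' "$conf" | directive_values ssl_session_timeout | grep -Exq '0[smhd]?'; then
        echo "note: ssl_session_timeout 0 disables TLS session reuse"
    fi
    return $rc
}

# weak_sample: constructed sample in the style of older copy-pasted configs
weak_sample() {
    cat <<'EOF'
server {
    listen 443 ssl;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers AES128-SHA:AES256-SHA:RC4-SHA:DES-CBC3-SHA:RC4-MD5;
    ssl_session_timeout 0m;
}
EOF
}

# hardened_sample: constructed sample restricted to TLS 1.2/1.3 and AEAD suites with forward secrecy
hardened_sample() {
    cat <<'EOF'
server {
    listen 443 ssl;
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305;
    ssl_session_timeout 10m;
}
EOF
}

# Usage against a real file (path is the one used in this guide):
#   check_tls_settings < /usr/local/nginx/conf/tcp.d/test.conf || echo "fix the TLS settings before reloading Nginx"
```

The check is deliberately token-based rather than a substring search: a naive grep for "TLSv1" would also match "TLSv1.2" and flag a correct configuration, which is exactly the kind of false positive that gets a lint disabled.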
2. Configure nginx.conf
    cd /usr/local/nginx/conf
    vi nginx.conf
Add the following line at the bottom (last line) of the nginx.conf file:
    include tcp.d/*.conf;
Note: this include must sit at the top level of nginx.conf, outside the http { } block, because stream { } is a top-level context and cannot be nested inside http.
Note: the default nginx.conf also opens port 80. You can close it if it is not needed. It is, however, useful for verifying that Nginx is installed correctly (opening it in a browser shows the Nginx welcome page); once you have confirmed that, just close it.
At this point the Nginx configuration is complete.
4. Start and stop the Nginx service:
Before starting, validate the configuration with ./nginx -t from the sbin directory; it reports syntax errors and unreadable certificate or key files without touching the running service. After editing configuration files, ./nginx -s reload applies them without dropping existing connections.
1. Start the Nginx service
    cd /usr/local/nginx/sbin
    ./nginx
2. Stop the Nginx service
    cd /usr/local/nginx/sbin
    ./nginx -s stop