sendnrw/nginx-stream-server
2
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

staging
Some checks failed
release-tag / release-image (push) Failing after 1m2s
Details

Browse Source
This commit is contained in:
jbergner
2025-09-21 14:58:13 +02:00
parent 536dd3d416
commit 42e484c47c
12 changed files with 566 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files

51
.gitea/workflows/registry.yml Normal file
View File

@@ -0,0 +1,51 @@
name: release-tag
on:
push:
branches:
- 'main'
jobs:
release-image:
runs-on: ubuntu-fast
env:
DOCKER_ORG: ${{ vars.DOCKER_ORG }}
DOCKER_LATEST: latest
RUNNER_TOOL_CACHE: /toolcache
steps:
- name: Checkout
uses: actions/checkout@v3
- name: Set up QEMU
uses: docker/setup-qemu-action@v2
- name: Set up Docker BuildX
uses: docker/setup-buildx-action@v2
with: # replace it with your local IP
config-inline: |
[registry."${{ vars.DOCKER_REGISTRY }}"]
http = true
insecure = true
- name: Login to DockerHub
uses: docker/login-action@v2
with:
registry: ${{ vars.DOCKER_REGISTRY }} # replace it with your local IP
username: ${{ secrets.DOCKER_USERNAME }}
password: ${{ secrets.DOCKER_PASSWORD }}
- name: Get Meta
id: meta
run: |
echo REPO_NAME=$(echo ${GITHUB_REPOSITORY} | awk -F"/" '{print $2}') >> $GITHUB_OUTPUT
echo REPO_VERSION=$(git describe --tags --always | sed 's/^v//') >> $GITHUB_OUTPUT
- name: Build and push
uses: docker/build-push-action@v4
with:
context: .
file: ./Dockerfile
platforms: |
linux/amd64
push: true
tags: | # replace it with your local IP and tags
${{ vars.DOCKER_REGISTRY }}/${{ env.DOCKER_ORG }}/${{ steps.meta.outputs.REPO_NAME }}:${{ steps.meta.outputs.REPO_VERSION }}
${{ vars.DOCKER_REGISTRY }}/${{ env.DOCKER_ORG }}/${{ steps.meta.outputs.REPO_NAME }}:${{ env.DOCKER_LATEST }}

34
Dockerfile Normal file
View File

@@ -0,0 +1,34 @@
# ---------- Build Stage ----------
FROM golang:1.22-alpine AS build
WORKDIR /src
# SystemDeps nur für Build
RUN apk add --no-cache git ca-certificates tzdata && update-ca-certificates
# Module separat cachen
COPY go.mod go.sum ./
RUN go mod download
# Quellcode
COPY . .
# statisch bauen (kein CGO), mit kleinen Binaries
ENV CGO_ENABLED=0
RUN --mount=type=cache,target=/root/.cache/go-build \
go build -trimpath -ldflags="-s -w" -o /out/dashboard ./cmd/dashboard
# ---------- Runtime Stage ----------
# Distroless ist sehr klein/sicher; enthält CAZertifikate für HTTPSCalls
FROM gcr.io/distroless/base-debian12:nonroot
WORKDIR /app
# Expose Port
EXPOSE 8080
# Copy Binary + benötigte Zeitzonen/Certs sind in Distroless bereits enthalten
COPY --from=build /out/dashboard /app/dashboard
# Security: läuft als nonroot User (Distroless nonroot UID 65532)
USER nonroot:nonroot
# Healthcheck via Startkommando ist nicht möglich in Distroless per Compose lösen
ENTRYPOINT ["/app/dashboard"]

1
README.md
View File

@@ -1,2 +1 @@
# nginx-stream-server # nginx-stream-server

174
cmd/dashboard/main.go Normal file
View File

@@ -0,0 +1,174 @@
package main
import (
"context"
"fmt"
"html/template"
"log"
"net/http"
"net/http/httputil"
"net/url"
"os"
"strings"
"time"
"github.com/go-chi/chi/v5"
"github.com/go-chi/httprate"
"github.com/goccy/go-json"
"git.send.nrw/sendnrw/nginx-stream-server/internal/mtx"
"git.send.nrw/sendnrw/nginx-stream-server/internal/ui"
)
var (
listen = env("LISTEN", ":8080")
mtxAPI = env("MTX_API", "http://127.0.0.1:9997")
mtxHLS = env("MTX_HLS", "http://127.0.0.1:8888")
streamsCSV = os.Getenv("STREAMS")
basicUser = os.Getenv("BASIC_AUTH_USER")
basicPass = os.Getenv("BASIC_AUTH_PASS")
)
func env(k, def string) string {
if v := os.Getenv(k); v != "" {
return v
}
return def
}
func main() {
log.SetFlags(log.LstdFlags | log.Lshortfile)
r := chi.NewRouter()
r.Use(func(next http.Handler) http.Handler {
return http.HandlerFunc(func(w http.ResponseWriter, req *http.Request) {
w.Header().Set("X-Content-Type-Options", "nosniff")
w.Header().Set("X-Frame-Options", "SAMEORIGIN")
w.Header().Set("Referrer-Policy", "no-referrer")
w.Header().Set("Content-Security-Policy", "default-src 'self'; img-src 'self' data:; style-src 'self' https://fonts.googleapis.com 'unsafe-inline'; font-src https://fonts.gstatic.com; script-src 'self' https://cdn.jsdelivr.net")
next.ServeHTTP(w, req)
})
})
r.Group(func(r chi.Router) {
r.Use(httprate.LimitByIP(30, time.Minute))
r.Get("/api/streams", apiStreams)
})
if basicUser != "" {
creds := basicUser + ":" + basicPass
r.Group(func(p chi.Router) {
p.Use(func(next http.Handler) http.Handler {
return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
a := strings.SplitN(r.Header.Get("Authorization"), " ", 2)
if len(a) == 2 && a[0] == "Basic" && a[1] == basic(creds) {
next.ServeHTTP(w, r)
return
}
w.Header().Set("WWW-Authenticate", "Basic realm=Restricted")
http.Error(w, "auth required", http.StatusUnauthorized)
})
})
p.Get("/", pageIndex)
p.Get("/{name}", pageStream)
})
} else {
r.Get("/", pageIndex)
r.Get("/{name}", pageStream)
}
up, _ := url.Parse(mtxHLS)
proxy := httputil.NewSingleHostReverseProxy(up)
proxy.ErrorHandler = func(w http.ResponseWriter, r *http.Request, e error) {
http.Error(w, "upstream error", http.StatusBadGateway)
}
r.Handle("/hls/*", http.StripPrefix("/hls", http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
if strings.Contains(r.URL.Path, "..") {
http.NotFound(w, r)
return
}
proxy.ServeHTTP(w, r)
})))
r.Get("/health", func(w http.ResponseWriter, r *http.Request) { w.Write([]byte("ok")) })
log.Printf("Dashboard listening on %s (API=%s HLS=%s)\n", listen, mtxAPI, mtxHLS)
if err := http.ListenAndServe(listen, r); err != nil {
log.Fatal(err)
}
}
func apiStreams(w http.ResponseWriter, r *http.Request) {
ctx, cancel := context.WithTimeout(r.Context(), 3*time.Second)
defer cancel()
c := &mtx.Client{BaseURL: mtxAPI, User: os.Getenv("MTX_API_USER"), Pass: os.Getenv("MTX_API_PASS")}
pl, err := c.Paths(ctx)
if err != nil {
http.Error(w, err.Error(), http.StatusBadGateway)
return
}
allowed := map[string]bool{}
if streamsCSV != "" {
for _, s := range strings.Split(streamsCSV, ",") {
allowed[strings.TrimSpace(s)] = true
}
}
type item struct {
Name string `json:"name"`
Live bool `json:"live"`
Viewers int `json:"viewers"`
}
out := struct {
Items []item `json:"items"`
}{}
for _, p := range pl.Items {
if len(allowed) > 0 && !allowed[p.Name] {
continue
}
out.Items = append(out.Items, item{Name: p.Name, Live: p.Live(), Viewers: p.Viewers()})
}
w.Header().Set("Content-Type", "application/json")
json.NewEncoder(w).Encode(out)
}
func pageIndex(w http.ResponseWriter, r *http.Request) {
b, _ := ui.FS.ReadFile("index.html")
w.Header().Set("Content-Type", "text/html; charset=utf-8")
w.Write(b)
}
func pageStream(w http.ResponseWriter, r *http.Request) {
name := chi.URLParam(r, "name")
tpl, err := template.ParseFS(ui.FS, "stream.html")
if err != nil {
http.Error(w, err.Error(), 500)
return
}
w.Header().Set("Content-Type", "text/html; charset=utf-8")
tpl.Execute(w, map[string]any{"Name": name, "JSONName": fmt.Sprintf("%q", name)})
}
func basic(creds string) string {
const tbl = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"
b := []byte(creds)
var out []byte
for i := 0; i < len(b); i += 3 {
var v uint32
n := 0
for j := 0; j < 3; j++ {
v <<= 8
if i+j < len(b) {
v |= uint32(b[i+j])
n++
}
}
for j := 0; j < 4; j++ {
if j <= n {
out = append(out, tbl[(v>>(18-6*uint(j)))&0x3f])
} else {
out = append(out, '=')
}
}
}
return string(out)
}

45
compose.yml Normal file
View File

@@ -0,0 +1,45 @@
version: "3.9"
services:
mediamtx:
image: bluenviron/mediamtx:1.9.2
container_name: mediamtx
restart: unless-stopped
ports:
- "1935:1935" # RTMP ingest
- "8888:8888" # HLS/HTTP (optional extern, Dashboard proxyt ohnehin)
volumes:
- ./mediamtx.yml:/mediamtx.yml:ro
command: ["/mediamtx", "/mediamtx.yml"]
dashboard:
build:
context: .
dockerfile: Dockerfile
container_name: go-stream-dashboard
restart: unless-stopped
environment:
# Dashboard
- LISTEN=:8080
- BASIC_AUTH_USER=${BASIC_AUTH_USER:-}
- BASIC_AUTH_PASS=${BASIC_AUTH_PASS:-}
- STREAMS=${STREAMS:-}
# MediaMTX Endpunkte (im ComposeNetzwerk erreichbar)
- MTX_API=http://mediamtx:9997
- MTX_HLS=http://mediamtx:8888
- MTX_API_USER=${MTX_API_USER:-admin}
- MTX_API_PASS=${MTX_API_PASS:-starkes-passwort}
ports:
- "8080:8080"
depends_on:
- mediamtx
healthcheck:
test: ["CMD", "/app/dashboard", "-healthcheck"] # optionaler Schalter, siehe unten
interval: 15s
timeout: 3s
retries: 5
security_opt:
- no-new-privileges:true
read_only: true
tmpfs:
- /tmp

15
go.mod Normal file
View File

@@ -0,0 +1,15 @@
module git.send.nrw/sendnrw/nginx-stream-server
go 1.24.4
require (
github.com/go-chi/chi/v5 v5.2.3
github.com/go-chi/httprate v0.15.0
github.com/goccy/go-json v0.10.5
)
require (
github.com/klauspost/cpuid/v2 v2.2.10 // indirect
github.com/zeebo/xxh3 v1.0.2 // indirect
golang.org/x/sys v0.30.0 // indirect
)

12
go.sum Normal file
View File

@@ -0,0 +1,12 @@
github.com/go-chi/chi/v5 v5.2.3 h1:WQIt9uxdsAbgIYgid+BpYc+liqQZGMHRaUwp0JUcvdE=
github.com/go-chi/chi/v5 v5.2.3/go.mod h1:L2yAIGWB3H+phAw1NxKwWM+7eUH/lU8pOMm5hHcoops=
github.com/go-chi/httprate v0.15.0 h1:j54xcWV9KGmPf/X4H32/aTH+wBlrvxL7P+SdnRqxh5g=
github.com/go-chi/httprate v0.15.0/go.mod h1:rzGHhVrsBn3IMLYDOZQsSU4fJNWcjui4fWKJcCId1R4=
github.com/goccy/go-json v0.10.5 h1:Fq85nIqj+gXn/S5ahsiTlK3TmC85qgirsdTP/+DeaC4=
github.com/goccy/go-json v0.10.5/go.mod h1:oq7eo15ShAhp70Anwd5lgX2pLfOS3QCiwU/PULtXL6M=
github.com/klauspost/cpuid/v2 v2.2.10 h1:tBs3QSyvjDyFTq3uoc/9xFpCuOsJQFNPiAhYdw2skhE=
github.com/klauspost/cpuid/v2 v2.2.10/go.mod h1:hqwkgyIinND0mEev00jJYCxPNVRVXFQeu1XKlok6oO0=
github.com/zeebo/xxh3 v1.0.2 h1:xZmwmqxHZA8AI603jOQ0tMqmBr9lPeFwGg6d+xy9DC0=
github.com/zeebo/xxh3 v1.0.2/go.mod h1:5NWz9Sef7zIDm2JHfFlcQvNekmcEl9ekUZQQKCYaDcA=
golang.org/x/sys v0.30.0 h1:QjkSwP/36a20jFYWkSue1YwXzLmsV5Gfq7Eiy72C1uc=
golang.org/x/sys v0.30.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=

81
internal/mtx/mtx.go Normal file
View File

@@ -0,0 +1,81 @@
package mtx
import (
"context"
"fmt"
"io"
"net/http"
"time"
"github.com/goccy/go-json"
)
// Minimaler Client für MediaMTX Control API v3
// Standard-Ports: API :9997, HLS :8888, RTMP :1935
type Client struct {
BaseURL string // z.B. http://127.0.0.1:9997
HTTP *http.Client
User string
Pass string
}
type PathsList struct {
Items []PathItem `json:"items"`
}
type PathItem struct {
Name string `json:"name"`
// publisher kann nil sein, wenn keiner sendet
Publisher *SessionRef `json:"publisher"`
// readSessions sind aktive Zuschauer
ReadSessions []SessionRef `json:"readSessions"`
// BytesIn/Out können je nach Version fehlen deshalb optional halten
BytesReceived *int64 `json:"bytesReceived,omitempty"`
BytesSent *int64 `json:"bytesSent,omitempty"`
}
type SessionRef struct {
ID string `json:"id"`
// Bitrate und weitere Felder variieren je nach Version, wir zeigen defensiv nur das Nötigste an
}
func (c *Client) do(ctx context.Context, method, path string, out any) error {
if c.HTTP == nil {
c.HTTP = &http.Client{Timeout: 5 * time.Second}
}
req, err := http.NewRequestWithContext(ctx, method, c.BaseURL+path, nil)
if err != nil {
return err
}
if c.User != "" || c.Pass != "" {
req.SetBasicAuth(c.User, c.Pass)
}
resp, err := c.HTTP.Do(req)
if err != nil {
return err
}
defer resp.Body.Close()
if resp.StatusCode != 200 {
b, _ := io.ReadAll(resp.Body)
return fmt.Errorf("mtx api %s: %s", resp.Status, string(b))
}
return json.NewDecoder(resp.Body).Decode(out)
}
func (c *Client) Paths(ctx context.Context) (*PathsList, error) {
var out PathsList
err := c.do(ctx, http.MethodGet, "/v3/paths/list", &out)
if err != nil {
return nil, err
}
return &out, nil
}
func (p PathItem) Live() bool { return p.Publisher != nil }
func (p PathItem) Viewers() int { return len(p.ReadSessions) }
// HLS-URL Form: http://<host>:8888/<path> (Playlist wird automatisch geliefert)
func HLSURL(publicHost, path string) string {
return fmt.Sprintf("%s/%s", publicHost, path)
}

63
internal/ui/index.html Normal file
View File

@@ -0,0 +1,63 @@
<!doctype html>
<html lang="de">
<head>
<meta charset="utf-8"/>
<meta name="viewport" content="width=device-width, initial-scale=1"/>
<title>Streams</title>
<link rel="preconnect" href="https://fonts.googleapis.com">
<link rel="preconnect" href="https://fonts.gstatic.com" crossorigin>
<link href="https://fonts.googleapis.com/css2?family=Inter:wght@400;600;800&display=swap" rel="stylesheet">
<style>
:root { --bg:#0b1020; --card:#121a33; --muted:#9fb0d8; --ok:#22c55e; --danger:#ef4444; }
*{box-sizing:border-box} body{margin:0;font-family:Inter,system-ui,sans-serif;background:var(--bg);color:#e6eaf2}
.wrap{max-width:1100px;margin:0 auto;padding:24px}
.grid{display:grid;grid-template-columns:repeat(auto-fill,minmax(260px,1fr));gap:16px}
.card{background:var(--card);border-radius:18px;padding:16px;box-shadow:0 10px 30px rgba(0,0,0,.25)}
.row{display:flex;align-items:center;gap:8px}
a{color:#90cdf4;text-decoration:none}
.pill{font-size:.85rem;border-radius:999px;padding:4px 10px;background:#0f1530;border:1px solid #36446c}
.live{background:#142e1e;border-color:#1f6e42;color:#96f7b2}
.off{background:#2a1420;border-color:#6b1f3a;color:#f7a6be}
input{width:220px;padding:8px 10px;border-radius:10px;border:1px solid #36446c;background:#0f1530;color:#e6eaf2}
.title{display:flex;align-items:center;justify-content:space-between}
</style>
</head>
<body>
<div class="wrap">
<div class="title">
<h1 style="margin:0">🎬 Streams</h1>
<div class="row">
<input id="filter" placeholder="Filter (z.B. stream1)">
<a href="/refresh" class="pill">Neu laden</a>
</div>
</div>
<p style="opacity:.8">RTMP Ingest: <code>rtmp://HOST/&lt;name&gt;</code> · HLS: <code>http(s)://HOST/hls/&lt;name&gt;</code></p>
<div id="list" class="grid"></div>
</div>
<script>
async function load(){
const res = await fetch('/api/streams');
const data = await res.json();
const q = (document.getElementById('filter').value||'').toLowerCase();
const list = document.getElementById('list');
list.innerHTML = '';
data.items.filter(it => !q || it.name.toLowerCase().includes(q)).forEach(it => {
const a = document.createElement('a');
a.href = '/' + encodeURIComponent(it.name);
a.className = 'card';
a.innerHTML = `
<div class="row" style="justify-content:space-between">
<div>
<div style="font-weight:800;font-size:1.1rem">${it.name}</div>
<div style="opacity:.8;font-size:.9rem">Zuschauer: ${it.viewers}</div>
</div>
<div class="pill ${it.live ? 'live':'off'}">${it.live ? 'LIVE' : 'Offline'}</div>
</div>`;
list.appendChild(a);
})
}
document.getElementById('filter').addEventListener('input', load);
load(); setInterval(load, 3000);
</script>
</body>
</html>

56
internal/ui/stream.html Normal file
View File

@@ -0,0 +1,56 @@
<!doctype html>
<html lang="de">
<head>
<meta charset="utf-8"/>
<meta name="viewport" content="width=device-width, initial-scale=1"/>
<title>{{.Name}}</title>
<link href="https://fonts.googleapis.com/css2?family=Inter:wght@400;600;800&display=swap" rel="stylesheet">
<style>
:root { --bg:#0b1020; --card:#121a33; --muted:#9fb0d8; --ok:#22c55e; --danger:#ef4444; }
*{box-sizing:border-box} body{margin:0;font-family:Inter,system-ui,sans-serif;background:var(--bg);color:#e6eaf2}
.wrap{max-width:1000px;margin:0 auto;padding:24px}
.card{background:var(--card);border-radius:18px;padding:16px;box-shadow:0 10px 30px rgba(0,0,0,.25)}
a{color:#90cdf4;text-decoration:none}
.pill{font-size:.85rem;border-radius:999px;padding:4px 10px;background:#0f1530;border:1px solid #36446c}
.live{background:#142e1e;border-color:#1f6e42;color:#96f7b2}
.off{background:#2a1420;border-color:#6b1f3a;color:#f7a6be}
video{width:100%;border-radius:12px;background:#000}
</style>
</head>
<body>
<div class="wrap">
<a href="/">← Zurück</a>
<h1 style="margin:8px 0">{{.Name}} <span id="live" class="pill off">Offline</span></h1>
<div class="card">
<video id="v" controls playsinline></video>
<div style="margin-top:10px;display:flex;gap:10px;align-items:center">
<code id="hlssrc"></code>
<span id="viewers" class="pill">Zuschauer: 0</span>
</div>
</div>
</div>
<script src="https://cdn.jsdelivr.net/npm/hls.js@1"></script>
<script>
const name = {{.JSONName}};
async function refresh(){
const r = await fetch('/api/streams');
const d = await r.json();
const it = d.items.find(x=>x.name===name);
const live = !!(it && it.live);
document.getElementById('live').className = 'pill ' + (live ? 'live' : 'off');
document.getElementById('live').textContent = live ? 'LIVE' : 'Offline';
document.getElementById('viewers').textContent = 'Zuschauer: ' + (it? it.viewers:0);
if(live){
const src = '/hls/'+encodeURIComponent(name);
document.getElementById('hlssrc').textContent = src;
const v = document.getElementById('v');
if(Hls.isSupported()){
if(!window._hls){ window._hls = new Hls(); window._hls.attachMedia(v); }
window._hls.loadSource(src);
} else if(v.canPlayType('application/vnd.apple.mpegurl')){ v.src = src; }
}
}
refresh(); setInterval(refresh, 2500);
</script>
</body>
</html>

6
internal/ui/templates.go Normal file
View File

@@ -0,0 +1,6 @@
package ui
import "embed"
//go:embed *.html
var FS embed.FS

29
mediamtx.yml Normal file
View File

@@ -0,0 +1,29 @@
# lauscht auf den Standard-Ports
rtmp: yes
hls: yes
# optional: enable ll-hls: yes
httpAddress: :8888
rtmpAddress: :1935
# Control API (für DashboardStatus)
api: yes
apiAddress: :9997
# Auth für API empfehlenswert
apiUser: admin
apiPass: starkes-passwort
# Metriken (optional)
metrics: yes
metricsAddress: :9998
# Allgemeine Pfadeinstellungen (alle Streams)
paths:
stream1:
publishUser: ingest1
publishPass: supersecret1
stream2:
publishUser: ingest2
publishPass: supersecret2