Chapter 1: A benign installation that couldn’t have any issues.
This blog started with an attempt to install owncast, which I intended to use for group movie viewing with friends. Owncast has a docker build, which is where I decided to start. I modified the command to docker run -v ./data:/app/data --network owncast -p 127.0.0.1:8081:8080 -p 1935:1935 -it owncast/owncast:latest. The change from pwd to ./ is purely an aesthetic choice, --network owncast is for security (a user-defined network rather than the default bridge shared with every other container), and -p 127.0.0.1:8081:8080 makes the http interface available only on the loopback, so that it can't be accessed without the reverse proxy I would later set up. I had to create the owncast network manually with docker network create owncast, a step that I seem to have forgotten when documenting my work with vaultwarden. Once that was done, creating an nginx config as described here worked fine (a surprise) for getting the web portal accessible.
Once I could see the site, I logged into the admin panel, changed the credentials from the default, then tried to set up a test stream. Surprisingly, everything worked out of the box with OBS on the first try, so no problem.
After that, I found a ffmpeg command that I could run from my seedbox to stream to owncast from here:
ffmpeg -i file.mp4 -c:v libx264 -c:a aac -b:v 512K -maxrate 512K -bufsize 1M -f flv 'rtmp://owncast.gooberweb.xyz:1935/live/zS$&rXoNjzaEEsjLg1w1Avx8LaAdac'
With that working, I decided to stress test the instance and quickly found that it would not scale on the shit ass VPS that I use, which caused a dramatic shift to chapter two of this project: fixing Jason's hosting stuff so we can use his less underpowered server.
Chapter 2: Fixing Jason's hosting stuff so we can use his less underpowered server.
The problem with Jason's server was, thankfully, not that bad. He had nginx working for static html hosting and an installation of nextcloud which was disabled because it would fight with nginx for ports. The nextcloud install was a whole set of docker containers set up by a script we had found quite some time ago, so we decided to attempt to migrate to the official docker container. We moved the nextcloud datadir away from the existing install, purged it and all of the relevant docker containers, then began to set up nextcloud AIO using docker. The docker run command that we created was:
sudo docker run \
--sig-proxy=false \
--name nextcloud-aio-mastercontainer \
--restart always \
--publish 8080:8080 \
--env APACHE_PORT=11000 \
--env APACHE_IP_BINDING=127.0.0.1 \
--volume nextcloud_aio_mastercontainer:/mnt/docker-aio-config \
--volume /var/run/docker.sock:/var/run/docker.sock:ro \
--env NEXTCLOUD_DATADIR="/opt/nextcloud/datadir/" \
nextcloud/all-in-one:latest
The only changes from the default are the NEXTCLOUD_DATADIR env, so that we could move the existing data files into the new install, and binding apache to the loopback address, because we were using nginx as a reverse proxy.
Note: It might still be wise to change --publish 8080:8080 \ to --publish 127.0.0.1:8080:8080 \ so that the AIO interface is only reachable on the loopback, like the apache one.
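The -p 127.0.0.1:8081:8080 and --publish 127.0.0.1:8080:8080 choices above both come down to one question: which published ports are reachable from outside the host rather than only through the reverse proxy. The following shell function is an added example (not from this post or from owncast/nextcloud) that answers it from the output of docker ps --format '{{.Names}}\t{{.Ports}}'. The sample output is constructed to mirror the two containers described here: nextcloud with 8080 on all interfaces, owncast with 8081 on loopback and 1935 public. Port 1935 is passed as an intentionally public port, since RTMP ingest has to be reachable for streaming to work.

```shell
#!/usr/bin/env bash
# Audit published container ports and flag anything not bound to loopback.
# Constructed sample of `docker ps --format '{{.Names}}\t{{.Ports}}'` output
# (assumption: the two containers from the post).
SAMPLE_PS=$'nextcloud-aio-mastercontainer\t0.0.0.0:8080->8080/tcp, :::8080->8080/tcp\nowncast\t127.0.0.1:8081->8080/tcp, 0.0.0.0:1935->1935/tcp, :::1935->1935/tcp'

# exposed_bindings [ALLOWED_PORTS]
# Reads "name<TAB>ports" lines on stdin and prints "name host_ip:port" for every
# published port whose host side is not loopback. ALLOWED_PORTS is a
# space-separated list of host ports that are meant to be public (e.g. "1935").
exposed_bindings() {
  allow=" ${1:-} "
  while IFS=$'\t' read -r name ports; do
    # one mapping per line: "0.0.0.0:8080->8080/tcp"
    printf '%s\n' "$ports" | tr ',' '\n' | sed 's/^ *//' | while read -r mapping; do
      [ -n "$mapping" ] || continue
      host=${mapping%%->*}          # host side, e.g. 0.0.0.0:8080 or [::1]:8080
      port=${host##*:}              # host port number
      case "$host" in
        127.*|'[::1]:'*) continue ;;  # loopback only: reachable just via the reverse proxy
      esac
      case "$allow" in
        *" $port "*) continue ;;      # intentionally public
      esac
      printf '%s %s\n' "$name" "$host"
    done
  done
}

# Stand-alone demo on the constructed sample; for a live host replace the printf with:
#   docker ps --format '{{.Names}}\t{{.Ports}}' | exposed_bindings 1935
printf '%s\n' "$SAMPLE_PS" | exposed_bindings 1935
```

On the sample this reports only the nextcloud 8080 bindings (IPv4 and IPv6), which is exactly what the note above suggests fixing; after changing the --publish line they disappear from the report while 1935 stays allowed.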
The two major challenges we faced were:
The given nginx configuration for using a reverse proxy does not make the AIO interface accessible at the same time as the apache interface on port 11000 on the loopback network. This wouldn’t be a problem, except for the fact that the AIO interface on port 8080 wants to be https. The solution we found was to remove the existing proxy pass and replace it with this block:
#proxy_pass https://127.0.0.1:8080$request_uri; # uncomment for AIO
proxy_pass http://127.0.0.1:11000$request_uri; #uncomment for regular use
Where one of the two lines is uncommented at any given time. This is inconvenient during setup because it involves a lot of nginx restarts, but it works and becomes much less annoying during regular use.
From what I can tell, this issue doesn't exist if you are using Caddy as your reverse proxy, as there is a special step at the above link that has a configuration for enabling https for AIO on Caddy.
The format for storing files in a user's directory had changed between the latest version of docker AIO and the version which Jason had previously used, which made the process of migrating a headache. If you know the difference, it's fairly easy: the contents of oldNextcloud/data/user/ get moved into newNextcloud/data/user/files, but that isn't documented (probably because it's only a problem when migrating mismatched versions). You need to get this bit right for everything to scan and get added to the database using the migration instructions, so it took us quite a while.
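Added example, not part of the original writeup: a shell function that performs the directory move described above (contents of the old data/<user>/ into the new data/<user>/files/) for every user at once, skipping the non-user directories Nextcloud keeps at the top of its data dir. The directory names, the skip list and the sample tree are assumptions for illustration; the occ files:scan step from the migration instructions still has to be run afterwards so the moved files get picked up by the database.

```shell
#!/usr/bin/env bash
# migrate_user_dirs OLD_DATA NEW_DATA
# For every user directory under OLD_DATA, move its contents into
# NEW_DATA/<user>/files/, creating that directory if it does not exist yet.
# Top-level directories that are Nextcloud's own (not users) are skipped
# (assumed list; extend it if your old install has others).
migrate_user_dirs() {
  old=$1
  new=$2
  migrated=0
  for userdir in "$old"/*/; do
    [ -d "$userdir" ] || continue            # glob did not match anything
    user=$(basename "$userdir")
    case "$user" in
      appdata_*|files_external|__groupfolders|updater-*) continue ;;
    esac
    mkdir -p "$new/$user/files"
    for entry in "$userdir"*; do
      [ -e "$entry" ] || continue            # empty user directory
      mv "$entry" "$new/$user/files/"
    done
    migrated=$((migrated + 1))
    echo "moved $user -> $new/$user/files/"
  done
  echo "$migrated user directories migrated"
  # Next step (from the migration instructions): rescan so the database sees the files,
  # e.g. `php occ files:scan --all` run inside the nextcloud container as the web user.
}

# Stand-alone demo on a constructed throwaway tree (assumption: one user plus one
# appdata_* dir that must be left alone).
demo_tree=$(mktemp -d)
mkdir -p "$demo_tree/old/alice/movies" "$demo_tree/old/appdata_demo" "$demo_tree/new"
echo "sample" > "$demo_tree/old/alice/movies/night.mp4"
migrate_user_dirs "$demo_tree/old" "$demo_tree/new"
ls -R "$demo_tree/new"
rm -rf "$demo_tree"
```

The function moves rather than copies, so point OLD_DATA at the datadir copy you set aside earlier and keep a backup of it; the mismatch the text describes is in the layout only, not in the file contents, so nothing else needs rewriting before the scan.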
After all that was dealt with, we had a working nextcloud config. And then Jason broke it within a few hours, while I slept.
Luckily, I was able to identify the directory where all the uploads were and delete the videos, and then nextcloud proceeded to operate as normal.
Chapter 3: Doing Chapter 1 again, but this time on Jason's server.
Installing owncast from here was fairly simple and just involved redoing the setup that I had done on my own server, although I took out the --network option, as I believe it might have been unnecessary, and I added -d for detached running, for a final command of docker run -v ./data:/app/data -p 127.0.0.1:8081:8080 -p 1935:1935 -it -d owncast/owncast:latest. The nginx config given worked out of the box (well, it took changing the port to 8081 from 8080) again too, so that was nice.
With owncast installed on Jason's superior server, all that was left for me to do was uninstall it from mine. A few docker rm's, one rm /etc/nginx/sites-enabled/owncast, and after making sure to remove the custom configuration that owncast's nginx page calls for in /etc/nginx/nginx.conf, I was finished.
Addendums:
- The docker container was not relaunching upon server reboot. docker update --restart=always [CONTAINER ID] should have fixed it but has not yet been tested.
- We decided to password protect the main page, which is usually a pretty easy process in nginx, but caused problems when combined with the password protected admin page. I'll skip the details and just post the nginx config that I cooked up to get things working. (The $connection_upgrade variable it uses comes from the map block that owncast's nginx page has you add to /etc/nginx/nginx.conf, so that part still has to be in place.)
server {
    server_name example.domain;
    listen 443 ssl;

    location / {
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-Host $host;
        proxy_set_header X-Forwarded-Server $host;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection $connection_upgrade;
        proxy_pass http://127.0.0.1:8081;
        auth_basic "Login Prompt";
        auth_basic_user_file /etc/nginx/conf.d/.owncast.htpasswd; # generated following https://docs.nginx.com/nginx/admin-guide/security-controls/configuring-http-basic-authentication/
    }

    location /admin/ {
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-Host $host;
        proxy_set_header X-Forwarded-Server $host;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection $connection_upgrade;
        proxy_pass http://127.0.0.1:8081/admin/;
        auth_basic off;
    }

    #ssl_certificate # managed by Certbot
    #ssl_certificate_key # managed by Certbot
}
Comments
iason
i still need help attaching my extra volume to nextcloud
i do not understand the syntax
by iason
Jason you need to ask me to help you when we are both in near proximity and I am not on a substance.
by Fawkes
i agree. i just need to remember to do that haha
by iason
scientist_axolotl
Tech blog
Mech frog
by Fawkes
Deck dog
by scientist_axolotl
Spec hog
by Fawkes
updog
by scientist_axolotl
What's updog?
by Fawkes
nothing much whats up with u
by scientist_axolotl
https://media.tenor.com/yPTb4CQcumsAAAAC/xd-meme.gif
by scientist_axolotl
charli
did you go to school for this kinda stuff or did you figure this out yourself? either way it's hella impressive dude
I'm in school for CS, which helps, but I've mostly just picked stuff up over time by fucking about and learning from my mistakes.
by Fawkes
lmao, truly the greatest way to learn!!
by charli
Slimey
this is cool. this is just like in the movies where the hacker's screen is covered in lime green 1's and 0's.
I am neo the matrix
by Fawkes
lem.iso
ah yes
iason
i am honestly impressed on how i have managed to break the thing TWICE in two nights.
for the outsiders: this second time last night was because nextcloud has a widget for taking notes. clicking the "create new note" button just completely crashed the server, for some reason, and so i rebooted it.
from there, nginx would fail starting up, so i had to "killall apache2" and then restart nginx, as apparently there was conflicting port fighting or something like that.
the main static site and nextcloud now worked, but owncast was still down - giving a 502 bad gateway. i searched high and low for the log files and docker wasn't showing owncast. eventually i realized it is 5am again so i went to sleep.
this morning i awoke to fawkes having noticed and gone in to fix it. apparently, when you ask docker to show you containers, you may want to add in "-a" so that it shows all of them, hence why i couldn't find them (yes i am oblivious).
also, owncast wasn't set to autostart, hence why it wasn't doing the thing.
all sorted now, thanks to the techman himself (at least i helped this second time!! haha)