From afddf90fa0a06aefe3dc9e51e8deeba7744a3e0e Mon Sep 17 00:00:00 2001
From: Anton Khirnov
Date: Sat, 14 Dec 2019 22:09:58 +0100
Subject: nginx_config: use separate server blocks for ingesting and serving media
---
 nginx_config | 59 +++++++++++++++++++++++++++++++++++++++--------------------
 1 file changed, 39 insertions(+), 20 deletions(-)
(limited to 'nginx_config')
diff --git a/nginx_config b/nginx_config
index 8c1f13e..6e30ad4 100644
--- a/nginx_config
+++ b/nginx_config
@@ -5,30 +5,54 @@ upstream dash_server_py {
 server [::1]:8000;
 }
+# this server handles media ingest
+# authentication is handled throught TLS client certificates
+server {
+ # network config
+ listen [::]:8001 ssl default_server;
+ server_name ;
+
+ # server's TLS cert+key
+ ssl_certificate ;
+ ssl_certificate_key ;
+ #ssl_dhparam ;
+
+ # source authentication with TLS client certificates
+ ssl_client_certificate ;
+ ssl_verify_client on;
+
+ # only allow upload requests
+ # TODO: handle DELETE
+ if ($request_method !~ ^(POST|PUT)$) {
+ return 405; # Method Not Allowed
+ }
+
+ root ;
+
+ # define parameters for communicating with dash_server.py
+ # enable chunked transfers
+ proxy_http_version 1.1;
+ proxy_buffering off;
+ proxy_request_buffering off;
+ # finish the upload even if the client does not bother waiting for our
+ # response
+ proxy_ignore_client_abort on;
+
+ location /live/ {
+ proxy_pass http://dash_server_py;
+ }
+}
+
 server {
 # network config
 listen [::]:80 default_server;
+ server_name ;
 # tweak to your site and uncomment for TLS
 #listen [::]:443 ssl;
 #ssl_certificate ;
 #ssl_certificate_key ;
- #ssl_ciphers 'EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH';
 #ssl_dhparam ;
- # optional, verify the client certificate for authenticated uploading
- #ssl_verify_client optional;
- #ssl_client_certificate ;
- #if ($request_method ~ ^(POST|PUT)$) {
- # set $reject "1";
- #}
- #if ($ssl_client_verify = "SUCCESS") {
- # set $reject "0";
- #}
- #if ($reject = "1") {
- # return 403;
- #}
-
- server_name dash;
 root ;
@@ -50,11 +74,6 @@ server {
 }
 location /live/ {
-
- limit_except GET {
- proxy_pass http://dash_server_py;
- }
-
 try_files $uri @dash_server;
 }
--
cgit v1.2.3
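Review bot: The serving `server` block (`listen [::]:80`) in the first hunk gets no method restriction to mirror the ingest block's `if ($request_method !~ ^(POST|PUT)$)`, so the split enforces client-certificate authentication only if nothing on port 80 forwards uploads. Its `/live/` location still ends in `try_files $uri @dash_server;`, and `@dash_server` is defined outside the visible hunks; if it proxies to `dash_server_py`, an unauthenticated POST or PUT would presumably still reach the backend. Consider adding `if ($request_method !~ ^(GET|HEAD)$) { return 405; }` to the serving block. On the ingest side, a comment above `ssl_client_certificate` such as `# CA file must contain only the private CA issuing ingest-source certs; any cert it signs may upload` would make the trust boundary explicit, since `ssl_verify_client on` accepts every certificate that chains to that file.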