Nginx Basic Auth for web,server and addons
- Added some possible solutions one might use to secure stremio server, stremio web and addons with a basic auth
Zaarrg committed Aug 26, 2024
1 parent 4bc1190 commit 39cf5b5
Showing 4 changed files with 254 additions and 211 deletions.
266 changes: 55 additions & 211 deletions README.md
@@ -4,241 +4,85 @@
- This is a fork of the original [stremio-docker rep](https://github.com/tsaridas/stremio-docker)
- This fork modifes the server.js and adds the ability to define a prefix
- This Prefix can be added with the env URL_PREFIX
- This solution will probably not work.
- Recommended is trying [nginx conf](https://github.com/Zaarrg/stremio-docker-prefix#nginx-setup) first.

| Env | Default | Example | Description |
| - | - |-------------------|----------------------------------|
| `URL_PREFIX` | - | `/stremio-server` | Sets a url prefix for the server |


## Introduction
## Nginx Setup

There are two ways to setup nginx. Everything here was setup using the [stremio-docker](https://github.com/tsaridas/stremio-docker) image.

[Stremio](https://www.stremio.com/) is a free application which lets you stream your favorite shows and movies.

The Docker images in this repository bundle stremio-server, ffmpeg and web player for you, ready to use in a small Alpine image.
#### 1. Using a prefix

My motivation for doing this is having it running on my RPi5 and couldn't find something that has both player and server but also the official image seemed too big but also lacks the Web Player and doesn't work out of the box if no HTTPS is configured.
```nginx configuration
# Stremio-specific route
location /stremio-server/ {
# Strip stremio-server
rewrite ^/stremio-server/(.*) /$1 break;
## Features
Idea here is to have both Stremio web player and server run on the same container and if IPADDRESS env variable is setup generate a certificate and use it for both.

The Web player runs on port 8080 and server runs on both ports 11470 ( plain http ) and 12470 (https).

-----

1) If you exposed the ports 8080, 11470 for HTTP just point your streaming server (http://{LAN IP}:8080/) in settings to the lan ip address and set the server to be http://{LAN IP}:11470/ and enjoy. Make sure you set NO_CORS=1 with this option.

This is the easy option since there is **no need to setup dns or have an external ip. Do not set the IPADDRESS env variable** if you just want HTTP. You do not need to expose port 12470 with this option but you will only be able to use the webplayer with HTTP.

-----

2) If you set your public IP address for the `IPADDRESS` environment variable, then the Stremio server should automatically set the certificate to the wildcard `*.519b6502d940.stremio.rocks` and should generate an A record for your public IP address. You should then expose ports 8080 and 12470 to your servers and then setup port forwarding to your router to point these two ports to your server. Once this is done you can point the WebPlayer to your streaming server on port 12470.

To find the FQDN that the certificate is pointing to, look at the folder you mounted for a file with a `.pem` extension. The filename is the domain you need to add your your hosts in case of local ip address.

-----

3) If you set IPADDRESS to your private ip address then the server should still set the certificate to the wildcard *.519b6502d940.stremio.rocks and have the subdomain set as 192-168-1-10 assuming your private is 192.168.1.10. Full domain should look like 192-168-1-10.519b6502d940.stremio.rocks. You can then setup your /etc/hosts in Linux or c:\Windows\System32\Drivers\etc\hosts in windows to point that host to your lan address like :

```bash
192.168.1.10 192-168-1-10.519b6502d940.stremio.rocks # this is an example. set your own ip and fqnd here.
proxy_pass http://stremio-container:11470;
}
```
- The **Streaming Server URL** would be https://stremio.mydomain.com/stremio-server/
- If this does not work and videos for example dont play then you can try by explicitly allowing all routes the server might call.
- You can also find all routes in [server-routes.md](https://github.com/Zaarrg/stremio-docker-prefix/blob/main/server-routes.md)
- You can find a example.conf [here](https://github.com/Zaarrg/stremio-docker-prefix/blob/main/nginx-prefix.conf)

Then you can point your browser to https://192-168-1-10.519b6502d940.stremio.rocks:8080 and setup Streaming server to https://192-168-1-10.519b6502d940.stremio.rocks:12470 .
#### 2. Explicitly allowing (Recommended)

```nginx configuration
# Stremio-specific routes
location ~ ^/(hlsv2|casting|local-addon|proxy|rar|zip|settings|create|removeAll|samples|probe|subtitlesTracks|opensubHash|subtitles|network-info|device-info|get-https|hwaccel-profiler|status|exec|stream) {
proxy_pass http://stremio-container:11470;
}
To find the FQDN that the certificate is pointing to, look at the folder you mounted for a file with a `.pem` extension. The filename is the domain you need to add your your hosts in case of local ip address.
location ~ ^/([^/]+)/(stats\.json|create|remove|destroy) {
proxy_pass http://stremio-container:11470;
}
-----
location ~ ^/([^/]+)/([^/]+)/(stats\.json|hls\.m3u8|master\.m3u8|stream\.m3u8|dlna|thumb\.jpg) {
proxy_pass http://stremio-container:11470;
}
## Thoughts
location ~ ^/([^/]+)/([^/]+)/(stream-q-[^/]+\.m3u8|stream-[^/]+\.m3u8|subs-[^/]+\.m3u8) {
proxy_pass http://stremio-container:11470;
}
You don't need to have both Stremio Server and Web Player running. One could use the Stremio web player ([https://app.strem.io/#/](https://app.strem.io/#/)). Stremio's web player should also work for options 2 and 3 above because the web player requires that the server's URL is in HTTPS.
location ~ ^/([^/]+)/([^/]+)/(stream-q-[^/]+|stream-[^/]+)/[^/]+\.(ts|mp4) {
proxy_pass http://stremio-container:11470;
}
You can also use the native clients for options 2-3 since they use https but those clients also run a server so there is no point doing this.
location ~ ^/yt/([^/]+)(\.json)? {
proxy_pass http://stremio-container:11470;
}
Another option is to use an External Media player like VLC or any other supported by stremio to avoid transcoding on the docker container. This would help if you don't have GPU transcoding or some other good CPU.

## Shell

I added stremio shell html files under http(s)://{Your stremio url}:{port}/shell/ . One should be able to get the old online stremio version of the files that are in app.stremio.io. Defaults to the normal webplayer on the root "/". I have had issues playing youtube videos with these files though and I assume so will you.

## Requirements

* A host with Docker installed.

## Installation

### 1. Install Docker

If you haven't installed Docker yet, install it by running:

```bash
$ curl -sSL https://get.docker.com | sh
$ sudo usermod -aG docker $(whoami)
$ exit
location = /(thumb\.jpg|stats\.json) {
proxy_pass http://stremio-container:11470;
}
```
- The **Streaming Server URL** would be https://stremio.mydomain.com/
- This solution should always work.
- You can find a example.conf [here](https://github.com/Zaarrg/stremio-docker-prefix/blob/main/nginx-example.conf)
- This also allows for the **Stremio Web URL** and **Streaming Server URL** to be the same:
- **Stremio Web URL** accessible at: https://stremio.mydomain.com/
- **Streaming Server URL**: https://stremio.mydomain.com/

And log in again.

### 2. Run Stremio Web + Server

To automatically run stremio web player and server in http, simply run:

<pre>
$ docker run -d \
--name=stremio-docker \
-e NO_CORS=1 \
-v ~/.stremio-server:/root/.stremio-server \
-p 8080:8080/tcp \
-p 11470:11470/tcp \
--restart unless-stopped \
tsaridas/stremio-docker:latest
</pre>
## Basic Auth
- With those solutions basic auth is as easy as adding it for the base domain https://stremio.mydomain.com/
- Stremio Web, Stremio Server and any addons are on the same base url and will be therefor protected!
- With basic auth simply visit Stremio Web login with basic auth and you are good to go!


The Web UI will now be available on `http://`YOUR_SERVER_IP`:8080`. Set streaming server to `http://`YOUR_SERVER_IP`:11470` add your add ons and start watching your favourite movie.

> 💡 Your configuration files and cache will be saved in `~/.stremio-server`
## Options

These options can be configured by setting environment variables using `-e KEY="VALUE"` in the `docker run` command.

| Env | Default | Example | Description |
| - | - | - | - |
| `IPADDRESS` | - | `192.168.1.10` | Set this to enable https |
| `NO_CORS` | - | `1` | Set to disable server's cors |
| `CASTING_DISABLED` | - | `1` | Set to disable casting |
| `WEBUI_LOCATION` | - | `http://192.168.1.10:8080` | Sets the redirect page for web player and automatically sets up streaming server for you when one tries to access server at port 11470 or 12470. Default is https://app.strem.io/shell-v4.4/ |
| `FFMPEG_BIN` | - | `/usr/bin/` | Set for custom ffmpeg bin path |
| `FFPROBE_BIN` | - | `/usr/bin/` | Set for custom ffprobe bin path |
| `APP_PATH` | - | `/srv/stremio-path/` | Set for custom path for stremio server. Server will always save cache to /root/.stremio-server though so its only for its config files. |


There are multiple other options defined but probably best not settings any.

## Updating

To update to the latest version, simply run:

```bash
docker stop stremio-docker
docker rm stremio-docker
docker pull tsaridas/stremio-docker:latest
```

And then run the `docker run -d \ ...` command above again.

## FFMPEG

We build our own ffmpeg from jellyfin repo with version 4.4.1-4 This plays well and its what stremio officially supports.

### FFMPEG add configure options
You could build your own image with extra ffmpeg configure options. Your new option will probably require that you have the -dev libraries installed for alpine.

If you cannot find the -dev libraries in the alpine repo then you might need to compile them as well.

```bash
xvidcore-dev \
fdk-aac-dev \
libva-dev \
git \
x264 `ADD-DEV-PACKAGE-HERE` && \
```

Add your extra options at the end line before the && :

```bash
--prefix=/usr/lib/jellyfin-ffmpeg --extra-version=Jellyfin --disable-doc --disable-ffplay --disable-shared --disable-libxcb --disable-sdl2 --disable-xlib --enable-lto --enable-gpl --enable-version3 --enable-gmp --enable-gnutls --enable-libdrm --enable-libass --enable-libfreetype --enable-libfribidi --enable-libfontconfig --enable-libbluray --enable-libmp3lame --enable-libopus --enable-libtheora --enable-libvorbis --enable-libdav1d --enable-libwebp --enable-libvpx --enable-libx264 --enable-libx265 --enable-libzimg --enable-small --enable-nonfree --enable-libxvid --enable-libaom --enable-libfdk_aac --enable-vaapi --enable-hwaccel=h264_vaapi --toolchain=hardened `ADD-OPTION-HERE` &&
```

You also add the dev libraries to the above line from configure where you see lots of -dev packages installed. Those packages are purged later so you will also need to install the normal library (not the headers) in the end.

```bash
apk add --no-cache libwebp libvorbis x265-libs x264-libs libass opus libgmpxx lame-libs gnutls libvpx libtheora libdrm libbluray zimg libdav1d aom-libs xvidcore fdk-aac curl libva `ADD-NON-DEV-PACKAGE-HERE` && \
```

The lines shown above might have changed so just try to use common sense on where to add your package. If you want hardware acceleration you might need to compile it with the driver for your hardware. The version of ffmpeg that we compile comes with (VA-API)[https://en.wikipedia.org/wiki/Video_Acceleration_API]. You will probably need to expose your hardware device inside the container in order to make it work. Server tries to see if it can use any devices on first start. You can see those log messages to see if it worked for you.

### Add support for Intel CPU Transcoding
If you have an Intel CPU and you are running Linux you can expose the devices :

```
/dev/dri/card0
/dev/dri/renderD128
```
Make sure the drivers are added to the docker image

```
apk add --no-cache intel-media-driver
```
**Releases later than 1.1.9 should have the drivers installed and one just needs to expose the devices mentioned.**

docker compose :

```
devices:
- "/dev/dri/card0:/dev/dri/card0"
- "/dev/dri/renderD128:/dev/dri/renderD128"
```

cli :

```
--device /dev/dri/renderD128:/dev/dri/renderD12 --device /dev/dri/card0:/dev/dri/card0
```

## Builds

Builds are setup to make images for the below archs :

* linux/arm/v6
* linux/amd64
* linux/arm64/v8
* linux/arm/v7

I can add more build archs if you require them and you can ask but I doubt anybody ever will need to install these containers in anything else.

### Build tags

* latest -> Builds automatically when new version of server or WebPlayer is released. Builds WebPlayer only from release tags.
* nightly -> Builds automatically daily from development branch of web player and gets latest version of server.
* release version (example v1.0.0) -> to have old releases available in case there is something wrong with new release.

Images saved in [Docker Hub](https://hub.docker.com/r/tsaridas/stremio-docker)

### Build your own

You can build your own image by running the below command. By default it will build from development branch of web player and latest version of the server. If you want to build from latest release of web please you can add --build-arg BRANCH=release or the branch that you want.

```bash
docker build -t stremio:myserver .
```

## Common Use Cases

* [Using HTTP](https://github.com/tsaridas/stremio-docker/wiki/Using-Stremio-Server-HTTP)
* [Using HTTPS Local IP](https://github.com/tsaridas/stremio-docker/wiki/Using-Stremio-Server-with-Private-IP)
* [Using HTTPS Public IP](https://github.com/tsaridas/stremio-docker/wiki/Using-Stremio-Server-with-Public-IP)

## Useful links

[Stremio addons](https://stremio-addons.netlify.app/)

## Suggestions

I recommend setting up dnsmasq or similar to cache your dns queries since Stremio seems to be spamming with requests to trackers.

The config option you need with dnsmasq is :

```bash
cache-size=10000
```
## Thoughts

then you set your dns server to the ip address of your dns caching server and you are set.
As of my knowledge for now these are the best solutions to achive basic auth by having Stremio Web, Stremio Server and any addons on one url.

## Last words
I personally recommend the second nginx setup as this allows for the server url to be the same as the web url and therefor begin a quite smooth solution. Even tho this might have the drawback when the Stremio Server gets updated it might block new endpoints.

I don't intend to spend much time on this and tried to automate as much as I had time to.
PRs and Issues are welcome.
You can also fork and do as you like with the code but if you find some issue please do let me know.
Thank you for reading and have a wonderful time <3
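Review bot: the new "Basic Auth" section says authentication is "as easy as adding it for the base domain", but neither nginx snippet in this README contains an auth directive, so a reader who copies the "Explicitly allowing" block proxies `exec`, `proxy`, `settings` and `removeAll` to port 11470 with no authentication at all. Show the two directives in that section, at `server` level so every `location` inherits them, for example `auth_basic "Stremio";` and `auth_basic_user_file <path to htpasswd file>;` (placeholder path). Also, `location = /(thumb\.jpg|stats\.json)` is an exact-match location, so the pattern is compared as a literal string and will not match `/thumb.jpg` or `/stats.json`; `location ~ ^/(thumb\.jpg|stats\.json)$` looks like what was intended.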
77 changes: 77 additions & 0 deletions nginx-example.conf
@@ -0,0 +1,77 @@
# stremio.mydomain.com
# ------------------------------------------------------------
map $scheme $hsts_header {
https "max-age=63072000; preload";
}

server {
set $forward_scheme http;
set $server "stremio-container";
set $port 8080;

listen 80;
listen [::]:80;
listen 443 ssl;
listen [::]:443 ssl;

server_name stremio.mydomain.com;

# Let's Encrypt SSL
include conf.d/include/letsencrypt-acme-challenge.conf;
include conf.d/include/ssl-ciphers.conf;
ssl_certificate /etc/letsencrypt/live/npm-4/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/npm-4/privkey.pem;

access_log /data/logs/proxy-host-11_access.log proxy;
error_log /data/logs/proxy-host-11_error.log warn;

# Common proxy headers
proxy_set_header Host $host;
proxy_set_header X-Forwarded-Scheme $scheme;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Forwarded-For $remote_addr;
proxy_set_header X-Real-IP $remote_addr;

# Stremio-specific routes
location ~ ^/(hlsv2|casting|local-addon|proxy|rar|zip|settings|create|removeAll|samples|probe|subtitlesTracks|opensubHash|subtitles|network-info|device-info|get-https|hwaccel-profiler|status|exec|stream) {
proxy_pass http://stremio-container:11470;
}

location ~ ^/([^/]+)/(stats\.json|create|remove|destroy) {
proxy_pass http://stremio-container:11470;
}

location ~ ^/([^/]+)/([^/]+)/(stats\.json|hls\.m3u8|master\.m3u8|stream\.m3u8|dlna|thumb\.jpg) {
proxy_pass http://stremio-container:11470;
}

location ~ ^/([^/]+)/([^/]+)/(stream-q-[^/]+\.m3u8|stream-[^/]+\.m3u8|subs-[^/]+\.m3u8) {
proxy_pass http://stremio-container:11470;
}

location ~ ^/([^/]+)/([^/]+)/(stream-q-[^/]+|stream-[^/]+)/[^/]+\.(ts|mp4) {
proxy_pass http://stremio-container:11470;
}

location ~ ^/yt/([^/]+)(\.json)? {
proxy_pass http://stremio-container:11470;
}

location = /(thumb\.jpg|stats\.json) {
proxy_pass http://stremio-container:11470;
}

# Self hosted addons, in this case comet. Depends on the plugin if it supports a url prefix
location /comet {
proxy_pass http://stremio-comet:8111;
}

# Stremio web ui
location / {
# Proxy!
include conf.d/include/proxy.conf;
}

# Custom
include /data/nginx/custom/server_proxy[.]conf;
}
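Review bot: this file is added under a commit titled "Nginx Basic Auth", yet the `server` block has no `auth_basic` or `auth_basic_user_file` in the visible lines, and it serves the same locations on `listen 80` as on `listen 443 ssl` with no redirect, so once Basic auth is enabled the credentials can travel in cleartext over port 80. Add the auth directives at `server` level and either drop the port 80 listeners or answer them with a redirect to https, unless one of the `include`d files already does this, in which case a comment saying so would help. The `$hsts_header` map is defined but never referenced in this file, and the first regex location (`hlsv2|casting|…|exec|stream`) has no trailing anchor, so it also matches any path that merely starts with one of those words; consider anchoring it after checking the patterns against server-routes.md.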