Reverse Proxy SSL on Owncast Container

How do you like that topic title? Are you scared yet, cause I am.

I have been playing around with streaming options other than Ant Media, and I installed a container in Reclaim Cloud running Owncast using the DockerHub repository, which is pretty slick. The one I installed seems to be the official container Owncast recommends: https://hub.docker.com/r/gabekangas/owncast

That worked swimmingly, and Owncast was up and running at http://cast.bava.tv in seconds. Yeah!

After some minor tweaks, the next step was getting the SSL certificate to work so that I could embed the stream in another webpage, and that is where I have lost several hours now. Booh!

Here is the relevant page at Owncast that recommends several SSL Proxy options:
https://owncast.online/docs/sslproxies/

I played with two of them, Caddy and Nginx, and the larger issue here, most certainly, is I’m out of my depth, but the more focused issue is the Owncast container is an Alpine Linux distro so I’m having difficulties running some of the basic Caddy commands I need to get the reverse proxy set up. For example, when I follow this guide for running Caddy with Owncast, I cannot run the following command because reverse-proxy is not recognized:

caddy reverse-proxy --from cast.bava.tv --to 127.0.0.1:8080

I am also not confident managing permissions and installing various dependencies given the commands for Alpine Linux are a whole different animal. Same thing goes for Docker commands within Linux Alpine:
https://docs.genesys.com/Documentation/System/latest/DDG/InstallationofDockeronAlpineLinux

So, I am throwing up a bit of a Hail Mary here to see if anyone has some advice. I toyed with trying this plugin for a Docker container Caddy proxy which seems that it will automatically configure things based on tags, but after reading through the doc I knew I was out of my depth.

I almost ran the following Docker command successfully (found here) in the container, which was a huge win for me, but not sure it worked, and it gets me no closer to a reverse proxy 🙂

 docker run -d -p 80:80 -p 443:443 \
    -v /site:/srv \
    -v caddy_data:/data \
    -v caddy_config:/config \
    caddy caddy file-server --domain cast.bava.tv

Folks say Caddy is the quickest and simplest way, and they may be right given I got even a bit more confused when trying Nginx.

I figured I would install an Nginx load balancer on top of the Owncast container in Reclaim Cloud. I gave both a public IP address and ran the A record to the Nginx load balancer IP. After following this guide for getting Let’s Encrypt to work with Nginx I was successful at getting an SSL cert for cast.bava.tv, but it would not forward to the container with Owncast, it just threw a 403 error. I figured there might be a way to pass that through, but the Nginx syntax intimidates me, and I found myself going in circles. I may have even been closer with Nginx, but I came up against some hard limits with my understanding of how the conf files work.
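For readers who do end up hand-writing the proxy instead of using the Reclaim Cloud add-on, here is the Nginx equivalent of the Caddy one-liner quoted above. This is an added example, not configuration from the thread or from the Owncast project. It assumes Owncast is listening on 10.0.0.10:8080 (a constructed private address; substitute the container's real internal IP), that certbot issued the certificate into its default /etc/letsencrypt/live/cast.bava.tv/ directory, and that the ACME webroot is /var/www/certbot; all three are assumptions, not values from the page.

```nginx
# Added example, not from the thread or the Owncast project.
# Assumptions: Owncast on 10.0.0.10:8080 (constructed), certbot default cert
# paths, ACME webroot /var/www/certbot. Everything below lives inside http { }.

# Fall back to a plain proxied request when the client is not upgrading to
# WebSocket; Owncast's chat and status updates run over WebSocket at /ws.
map $http_upgrade $connection_upgrade {
    default upgrade;
    ''      close;
}

upstream owncast {
    server 10.0.0.10:8080;   # constructed placeholder for the Owncast container
}

# Plain HTTP: answer the ACME challenge, send everything else to HTTPS.
server {
    listen 80;
    server_name cast.bava.tv;

    location /.well-known/acme-challenge/ {
        root /var/www/certbot;   # assumed webroot used when requesting the cert
    }

    location / {
        return 301 https://$host$request_uri;
    }
}

server {
    listen 443 ssl;
    server_name cast.bava.tv;

    ssl_certificate     /etc/letsencrypt/live/cast.bava.tv/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/cast.bava.tv/privkey.pem;
    ssl_protocols TLSv1.2 TLSv1.3;

    # Keep browsers on HTTPS so an embed on another HTTPS page never mixes content.
    add_header Strict-Transport-Security "max-age=31536000" always;

    location / {
        proxy_pass http://owncast;
        proxy_http_version 1.1;

        # Let Owncast see the real client address and scheme, not the proxy's.
        proxy_set_header Host              $host;
        proxy_set_header X-Real-IP         $remote_addr;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;

        # Pass WebSocket upgrades through; without these the page loads but
        # chat and the viewer count silently fail.
        proxy_set_header Upgrade    $http_upgrade;
        proxy_set_header Connection $connection_upgrade;

        # The /ws connection idles between messages; raise the read timeout
        # above nginx's 60s default so it is not dropped mid-stream.
        proxy_read_timeout 300s;
    }
}
```

Run `nginx -t` before reloading. On the 403 described above: a 403 generated by nginx itself (rather than passed through from Owncast) usually means the request never reached the upstream, for example a server block that matched the hostname but had no proxy_pass and so served nginx's own root; the nginx error log says which side produced it. Note that a Reclaim Cloud (Jelastic) load balancer generates its own configuration, so a standalone block like this is for a self-managed Nginx node.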

Owncast looks pretty sweet! As a test I did the following which seemed to work:

  1. Set up the Docker environment, didn’t do any configuration but just installed it by searching for the Owncast container.
  2. Added Nginx load balancer to environment.
  3. Added public IP and pointed my own domain to the load balancer
  4. Enabled Let’s Encrypt on the load balancer pointing to my domain

Then I loaded my domain over https and it seemed to just work. I didn’t have to configure the load balancer at all or touch anything with ports or config files. I wonder if the issue is your IP being assigned to the Docker container and not the load balancer? I definitely don’t think you should need to touch the nginx config at all since Reclaim Cloud has the Let’s Encrypt addon that does all that work for you.


Easy and amazing, why didn’t I think of that. I spent hours running myself in circles when our infrastructure made it as easy as 1,2,3. Thanks man, you rule, I drool.

https://cast.bava.tv/

YEAH!


Ok, the last question on this is it looks like RTMP may not be connecting in OBS, and I think that might be because the shared load balancer is not rerouting the 1935 port? Does that make sense? I tried allowing 1935 TCP/UDP on the inbound firewall in settings, but did not work, but I think I may be doing something right. Streaming works when I point the domain directly to the Owncast environment public IP, but fails when pointed at the Nginx shared load balancer public IP, any ideas? Is this an endpoint thing?

Yeah I wondered if that might happen and you’re absolutely right about endpoints. When you have a dedicated IP you have access to all ports on the container. Without one everything is routed through the shared load balancer. The SLB does expose some ports by default including port 8080 which is why the web interface works automatically. For other ports like that you’d want to setup an endpoint to that port and use the URL they provide to stream to and I think it should work.

Yeah, Endpoints have me turned around a bit cause Jelastic automatically creates the port and URL once I add my “private port”, which I am not sure is the whole RTMP URL from Owncast? Seems I would really just need Nginx to redirect the request to port 1935 on the Docker container, but not sure if that means linking the container? I tried exposing port 1935 by adding the port to Variables hoping that would work, but no go:

Seems like the load balancer should be smart enough to pass along 1935 traffic to the container, but I guess I am out of my depth. I saw a post about the error I am getting in OBS where they mention port forwarding as the solution:

Just not sure how it works with load balancers.

Also, I just tested port forwarding on the load balancer IP and it is showing the 1935 port as closed despite the fact I have it open in the firewall:

What gives, hippies?

I tested on mine without doing anything to the load balancer (I agree theoretically the load balancer should be able to communicate internally over 1935, but not sure what it would take to configure that piece). When you create the endpoint you have to make sure you’re routing an endpoint directly to the Owncast node (the load balancer you really only care about for SSL for the web interface, so for streaming you can hit the server directly).

Then you take the URL it gives you and put it in like this:

The URL and port will be different from what Owncast says to use but the connection will work.

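The thread settles on a Jelastic endpoint straight to the Owncast node, which is the simpler route. For anyone who does want the Nginx node itself to carry port 1935 to the container (the "just need Nginx to redirect the request to port 1935" idea above, and the "what it would take to configure that piece" question in the last reply), this added example shows the TCP pass-through; it is not configuration from the thread or from Owncast. It assumes the Owncast node is reachable from the load balancer at 10.0.0.10 (a constructed placeholder) and that the nginx binary was built with the stream module, which `nginx -V 2>&1 | grep -o with-stream` will confirm.

```nginx
# Added example, not from the thread or the Owncast project.
# Assumptions: Owncast node at 10.0.0.10 (constructed placeholder) and an
# nginx built with ngx_stream_core_module.
# The stream { } block is a sibling of http { } at the top level of nginx.conf;
# nesting it inside http { } is a configuration error, not a silent no-op.

stream {
    upstream owncast_rtmp {
        server 10.0.0.10:1935;   # constructed placeholder for the Owncast node
    }

    server {
        listen 1935;                 # the node's firewall must also admit 1935/tcp
        proxy_pass owncast_rtmp;
        proxy_connect_timeout 5s;    # fail fast when the container is down
        proxy_timeout 1h;            # a live broadcast holds one TCP session open for hours
    }
}
```

RTMP is TCP only, so the UDP half of the "1935 TCP/UDP" firewall rule mentioned earlier does nothing; the TCP rule is what matters. Either way, plain RTMP carries the stream key unencrypted on the hop from OBS to whichever address it is pointed at, so the key should be treated as a credential and rotated from the Owncast admin page if it is ever shared or exposed.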