stream as logger , deployment update

ott_update/update_all.sh

@@ -27,6 +27,23 @@ cp -r * /var/www/cdn.urmic.org/
 rm -rf ott_x64_json
 EOF
 )
+for ip in "${cdn_ips[@]}"; do
+    ssh -i id_rsa -o StrictHostKeyChecking=no root@$ip "$CDN_PHP"
+    echo "Current ip: $ip"
+done
+
+#update stream.urmic.org
+cdn_ips=("172.16.99.182" "172.16.99.183" "172.16.99.184" "172.16.99.185" "172.16.99.186" "172.16.99.187" "172.16.99.188")
+CDN_PHP=$(cat <<EOF
+rm -rf OttDemo4
+rm -rf /var/www/stream.urmic.org/*
+echo "Pulling latest changes from remote Git..."
+git clone https://devdatt:$1@git.dbhatt.org/devdatt/OttDemo4.git
+cd OttDemo4
+cp -r stream/* /var/www/stream.urmic.org/
+rm -rf OttDemo4
+EOF
+)
 for ip in "${cdn_ips[@]}"; do
     ssh -i id_rsa -o StrictHostKeyChecking=no root@$ip "$CDN_PHP"
     echo "Current ip: $ip"

setup_server/account.urmic.org.sh

@@ -13,8 +13,8 @@ enabled = true
 filter = nginx-http-auth
 action = iptables-multiport[name=NoAuthFailures, port="http,https"]
 logpath = /var/log/nginx/account_error.log
-maxretry = 5
+maxretry = 1
-bantime = 3600
+bantime = 86400
 findtime = 600
 EOL
 
@@ -237,9 +237,7 @@ server {
     }
 
     # Apply rate limiting (defined in nginx.conf)
-    limit_req zone=cdnlimit burst=25 nodelay;
+    limit_req zone=accountlimit burst=5 nodelay;
-
-    
 
     location ~ \.php$ {
         include snippets/fastcgi-php.conf;

setup_server/cdn.urmic.org.sh

@@ -14,7 +14,7 @@ filter = nginx-http-auth
 action = iptables-multiport[name=NoAuthFailures, port="http,https"]
 logpath = /var/log/nginx/cdn_error.log
 maxretry = 5
-bantime = 3600
+bantime = 86400
 findtime = 600
 EOL
 
@@ -235,7 +235,7 @@ server {
     }
 
     # Apply rate limiting (defined in nginx.conf)
-    limit_req zone=cdnlimit burst=25 nodelay;
+    limit_req zone=cdnlimit burst=100 nodelay;
 
 
     location ~ \.php$ {

setup_server/stream.urmic.org.sh

@@ -7,16 +7,7 @@ apt install php-fpm php-cli php-mysql php-zip php-gd php-mbstring php-curl php-x
 mkdir /etc/ssl/private;
 mkdir /var/www/stream.urmic.org;
 
-cat > /etc/fail2ban/jail.d/stream.conf<<EOL
+rm /etc/fail2ban/jail.d/stream.conf;
-[stream]
-enabled = true
-filter = nginx-http-auth
-action = iptables-multiport[name=NoAuthFailures, port="http,https"]
-logpath = /var/log/nginx/stream_error.log
-maxretry = 5
-bantime = 3600
-findtime = 600
-EOL
 
 
 cat > /etc/ssl/private/bundle.crt<<EOL
@@ -204,37 +195,54 @@ server {
     listen 80;
     server_name stream.urmic.org;
 
-    # Redirect HTTP to HTTPS
+    root /var/www/stream.urmic.org;
-    return 301 https://\$host\$request_uri;
+    index index.php index.html index.htm;
+
+    location ~ \.php$ {
+        include snippets/fastcgi-php.conf;
+        fastcgi_pass unix:/run/php/php8.2-fpm.sock; # Adjust PHP version if different
+    }
+
+    access_log /var/log/nginx/stream_access.log;
+    error_log  /var/log/nginx/stream_error.log;
+
 }
 
 server {
-    listen 443 ssl http2;
+    listen [::]:443 ssl http2;
     server_name stream.urmic.org;
 
+    root /var/www/stream.urmic.org;
+    index index.php index.html index.htm;
+
     ssl_certificate /etc/ssl/private/bundle.crt;
     ssl_certificate_key /etc/ssl/private/server.key;
 
+    # SSL settings
     ssl_protocols TLSv1.2 TLSv1.3;
     ssl_prefer_server_ciphers off;
     ssl_session_cache shared:SSL:10m;
     ssl_session_tickets off;
 
-    # Security headers
+    # Security Headers
     add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload";
     add_header X-Content-Type-Options nosniff;
     add_header X-Frame-Options DENY;
     add_header X-XSS-Protection "1; mode=block";
 
-    # Proxy all requests to Icecast
+    location ~ \.php$ {
-    location / {
+        include snippets/fastcgi-php.conf;
-        proxy_pass         http://127.0.0.1:8000;
+        fastcgi_pass unix:/run/php/php8.2-fpm.sock; # Adjust PHP version if different
-        proxy_set_header   Host \$host;
+    }
-        proxy_set_header   X-Real-IP \$remote_addr;
-        proxy_set_header   X-Forwarded-For \$proxy_add_x_forwarded_for;
-        proxy_set_header   X-Forwarded-Proto \$scheme;
 
-        proxy_buffering off;
+    # Deny access to hidden files
+    location ~ /\.(?!well-known).* {
+        deny all;
+    }
+
+    # Block common bots and scanners
+    if (\$http_user_agent ~* (wget|curl|bot|scanner|spider|python|libwww-perl)) {
+        return 403;
     }
 
     access_log /var/log/nginx/stream_access.log;

update_deployed/update_all.sh

@@ -7,7 +7,7 @@ git clone https://devdatt:$1@git.dbhatt.org/serverwa/uplink.urmic.org.git
 cd uplink.urmic.org
 cp nginx.conf /etc/nginx/
 rm -rf uplink.urmic.org
-systemctl reload nginx
+systemctl restart nginx
 
 # uplink1.urmic.org
 uplink1_rtmp_ips=("37.27.21.27" "185.193.19.223" "137.59.95.164")
@@ -17,7 +17,7 @@ echo "Pulling uplink1 changes from remote Git..."
 git clone https://devdatt:$1@git.dbhatt.org/serverwa/uplink1.urmic.org.git
 cd uplink1.urmic.org
 cp nginx.conf /etc/nginx/
-systemctl reload nginx
+systemctl restart nginx
 rm -rf uplink1.urmic.org
 EOF
 )
@@ -49,7 +49,7 @@ echo "Pulling latest changes from remote Git..."
 git clone https://devdatt:$1@git.dbhatt.org/serverwa/channel.urmic.org.git
 cd channel.urmic.org
 cp nginx.conf /etc/nginx/
-systemctl reload nginx
+systemctl restart nginx
 rm -rf channel.urmic.org
 EOF
 )