Nimble installation steps on CentOS
Prep the server
Lock down SSH (key-based logon only, password logon disabled): https://www.liberiangeek.net/2014/07/enable-ssh-key-logon-disable-password-password-less-logon-centos/
Optionally also install port knocking: https://www.cipherdyne.org/fwknop/
Remove unnecessary services
Update packages
vi /etc/ssh/sshd_config
yum install tcpdump lsof iftop
lsof -i -n
yum whatprovides /usr/libexec/postfix/master
yum remove postfix rpcbind
yum update
shutdown -r now; logout
Install Nginx
yum install epel-release
yum install nginx
systemctl start nginx
#First determine whether the host runs firewalld or plain iptables (e.g. `systemctl is-active firewalld`), then use only the matching section below:
#Add nginx to firewalld
firewall-cmd --permanent --zone=public --add-service=http
firewall-cmd --permanent --zone=public --add-service=https
firewall-cmd --reload
#or add nginx to iptables (note: this opens only 443, not 80; -A appends, so check with the -L below that the rule lands before any final REJECT/DROP rule)
iptables -A INPUT -p tcp --dport 443 -j ACCEPT
/sbin/service iptables save
iptables -L -v
systemctl enable nginx
cp /etc/nginx/nginx.conf /etc/nginx/nginx.conf.orig
vi /etc/nginx/nginx.conf
SSL Certs
vi /usr/share/nginx/html/sldp-embed.html
#if you want to create a free FQDN:
#1. register one with: https://www.dynu.com/en-US/
#2. install and use certbot: https://certbot.eff.org/lets-encrypt/centosrhel7-nginx
yum install certbot python2-certbot-nginx
certbot --nginx
#make a reminder about SSL cert renewals
#confirm the cert is correctly installed: https://www.ssllabs.com/ssltest/analyze.html?d=<FQDN>&hideResults=on
#change nginx.conf to remove the port 80 listener so only TLS is served
#Otherwise, to manually create a cert and use the customer's FQDN:
#Have the customer create a DNS A record for the FQDN
#and create an SSL Certificate Signing Request (CSR)
cd /etc/pki/tls/certs
#Create the openssl conf file:
vi cert.conf
# OpenSSL request config (cert.conf). Replace every FQDN with the real host name;
# the key file name, CN and DNS.1 must all agree. Used via: openssl req -new ... -config <this file>
[ req ]
default_bits = 2048
# the private key is written here when openssl req generates it; encrypt_key = no
# stores it unencrypted, so keep the file readable by root only
default_keyfile = FQDN.key
encrypt_key = no
# take all subject fields from this file instead of prompting interactively
prompt = no
distinguished_name = req_distinguished_name
# include the SAN extension section below in the CSR
req_extensions = req_ext
[ req_distinguished_name ]
C = US
ST = New York
L = New York
O = Organization Name (eg, company)
OU = Dept
CN = FQDN
emailAddress = email@example.org
[ req_ext ]
subjectAltName = @alt_names
[alt_names]
# browsers match the host name against the SAN, not the CN, so this must be the served name
DNS.1 = FQDN
openssl req -new -out FQDN.csr -config cert.conf
#Verify the CSR:
openssl req -noout -text -in FQDN.csr
openssl dhparam -out /etc/ssl/certs/ssl-dhparam.pem 4096
#Send the CSR.
#Once the signed certificate is received, install it on the Nimble server:
vi /etc/nginx/conf.d/ssl.conf
#Add:
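# HTTPS-only virtual host for the SLDP embed page.
# Certificate and key are the ones produced by the CSR steps above
# (cd /etc/pki/tls/certs; openssl req writes the key as FQDN.key).
# Replace FQDN with the real host name, exactly as in cert.conf.
server {
    listen 443 http2 ssl;
    listen [::]:443 http2 ssl;
    # must be the name in the certificate (CN / DNS.1 = FQDN), not the bare IP address
    server_name FQDN;
    # signed certificate returned for the CSR (with its intermediate chain appended);
    # FQDN.crt is a placeholder for whatever name the signed cert was saved under
    ssl_certificate /etc/pki/tls/certs/FQDN.crt;
    ssl_certificate_key /etc/pki/tls/certs/FQDN.key;
    # same file the 'openssl dhparam' step writes (the earlier dhparam.pem path was never created)
    ssl_dhparam /etc/ssl/certs/ssl-dhparam.pem;
    # TLS 1.0/1.1 are deprecated (RFC 8996) and SSLv3 is out (POODLE);
    # add TLSv1.3 once the nginx/OpenSSL build on this host supports it
    ssl_protocols TLSv1.2;
    ssl_session_cache shared:SSL:10m;
    ssl_session_timeout 10m;
    ssl_prefer_server_ciphers on;
    # ECDHE/AEAD suites first; the trailing CBC/SHA1 suites only serve old clients and can be pruned
    ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK';
    # port 80 is being removed from nginx.conf, so tell browsers to stay on HTTPS
    add_header Strict-Transport-Security "max-age=31536000";
}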
#Check syntax errors:
nginx -t
#confirm the cert is correctly installed: https://www.ssllabs.com/ssltest/analyze.html?d=<FQDN>&hideResults=on
yum install nginx
systemctl start nginx
#First determine whether the host runs firewalld or plain iptables (e.g. `systemctl is-active firewalld`), then use only the matching section below:
#Add nginx to firewalld
firewall-cmd --permanent --zone=public --add-service=http
firewall-cmd --permanent --zone=public --add-service=https
firewall-cmd --reload
#or add nginx to iptables (note: this opens only 443, not 80; -A appends, so check with the -L below that the rule lands before any final REJECT/DROP rule)
iptables -A INPUT -p tcp --dport 443 -j ACCEPT
/sbin/service iptables save
iptables -L -v
systemctl enable nginx
cp /etc/nginx/nginx.conf /etc/nginx/nginx.conf.orig
vi /etc/nginx/nginx.conf
SSL Certs
vi /usr/share/nginx/html/sldp-embed.html
#if you want to create a free FQDN:
#1. register one with: https://www.dynu.com/en-US/
#2. install and use certbot: https://certbot.eff.org/lets-encrypt/centosrhel7-nginx
yum install certbot python2-certbot-nginx
certbot --nginx
#make a reminder about SSL cert renewals
#confirm the cert is correctly installed: https://www.ssllabs.com/ssltest/analyze.html?d=<FQDN>&hideResults=on
#change nginx.conf to remove the port 80 listener so only TLS is served
#Otherwise, to manually create a cert and use the customer's FQDN:
#Have the customer create a DNS A record for the FQDN
#and create an SSL Certificate Signing Request (CSR)
cd /etc/pki/tls/certs
#Create the openssl conf file:
vi cert.conf
# OpenSSL request config (cert.conf). Replace every FQDN with the real host name;
# the key file name, CN and DNS.1 must all agree. Used via: openssl req -new ... -config <this file>
[ req ]
default_bits = 2048
# the private key is written here when openssl req generates it; encrypt_key = no
# stores it unencrypted, so keep the file readable by root only
default_keyfile = FQDN.key
encrypt_key = no
# take all subject fields from this file instead of prompting interactively
prompt = no
distinguished_name = req_distinguished_name
# include the SAN extension section below in the CSR
req_extensions = req_ext
[ req_distinguished_name ]
C = US
ST = New York
L = New York
O = Organization Name (eg, company)
OU = Dept
CN = FQDN
emailAddress = email@example.org
[ req_ext ]
subjectAltName = @alt_names
[alt_names]
# browsers match the host name against the SAN, not the CN, so this must be the served name
DNS.1 = FQDN
openssl req -new -out FQDN.csr -config cert.conf
#Verify the CSR:
openssl req -noout -text -in FQDN.csr
openssl dhparam -out /etc/ssl/certs/ssl-dhparam.pem 4096
#Send the CSR.
#Once the signed certificate is received, install it on the Nimble server:
vi /etc/nginx/conf.d/ssl.conf
#Add:
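# HTTPS-only virtual host for the SLDP embed page.
# Certificate and key are the ones produced by the CSR steps above
# (cd /etc/pki/tls/certs; openssl req writes the key as FQDN.key).
# Replace FQDN with the real host name, exactly as in cert.conf.
server {
    listen 443 http2 ssl;
    listen [::]:443 http2 ssl;
    # must be the name in the certificate (CN / DNS.1 = FQDN), not the bare IP address
    server_name FQDN;
    # signed certificate returned for the CSR (with its intermediate chain appended);
    # FQDN.crt is a placeholder for whatever name the signed cert was saved under
    ssl_certificate /etc/pki/tls/certs/FQDN.crt;
    ssl_certificate_key /etc/pki/tls/certs/FQDN.key;
    # same file the 'openssl dhparam' step writes (the earlier dhparam.pem path was never created)
    ssl_dhparam /etc/ssl/certs/ssl-dhparam.pem;
    # TLS 1.0/1.1 are deprecated (RFC 8996) and SSLv3 is out (POODLE);
    # add TLSv1.3 once the nginx/OpenSSL build on this host supports it
    ssl_protocols TLSv1.2;
    ssl_session_cache shared:SSL:10m;
    ssl_session_timeout 10m;
    ssl_prefer_server_ciphers on;
    # ECDHE/AEAD suites first; the trailing CBC/SHA1 suites only serve old clients and can be pruned
    ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK';
    # port 80 is being removed from nginx.conf, so tell browsers to stay on HTTPS
    add_header Strict-Transport-Security "max-age=31536000";
}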
#Check syntax errors:
nginx -t
#confirm the cert is correctly installed: https://www.ssllabs.com/ssltest/analyze.html?d=<FQDN>&hideResults=on
Install Nimble
vi /etc/yum.repos.d/nimble.repo
# Vendor repository for Nimble Streamer (used by the yum install that follows).
[nimble]
name=Nimble Streamer repository
baseurl=http://nimblestreamer.com/centos/7/$basearch
enabled=1
# package signatures are verified against gpgkey, which covers packages fetched over plain http ...
gpgcheck=1
# ... but the key itself is also fetched over plain http on first use. NOTE(review): verify its
# fingerprint with the vendor out of band, or use https here if the vendor serves it.
gpgkey=http://nimblestreamer.com/gpg.key
yum makecache
yum install nimble nimble-srt
/usr/bin/nimble_regutil -u test@yourcompany.com -p mypassword --run-as-normal-user
#TODO: figure out why it can't run as a normal user. Note the password above is passed on the command line, so it is recorded in shell history and visible in the process list while the command runs.
vi /etc/nimble/nimble.conf
# Nimble listener settings (fragment for /etc/nimble/nimble.conf).
# port = 0 presumably disables the plain (non-TLS) listener so only ssl_port is served — confirm against the Nimble docs
port = 0
# NOTE(review): TLS 1.0/1.1 are deprecated (RFC 8996); confirm Nimble accepts "TLSv1.2" alone before narrowing this
ssl_protocols = TLSv1 TLSv1.1 TLSv1.2
ssl_port = 41443
# the /conf/cert paths look like placeholders; point them at the real certificate and key (the nginx ones live under /etc/pki/tls/certs)
ssl_certificate = /conf/cert/default.crt
ssl_certificate_key = /conf/cert/default.key
service nimble start
#Get the latest version of the SLDP player and save it in the nginx document root next to sldp-embed.html, which loads it by relative path: https://softvelum.com/player/web/
curl -o sldp-v2.13.3.min.js https://softvelum.com/player/releases/sldp-v2.13.3.min.js
vi /usr/share/nginx/html/sldp-embed.html
<!DOCTYPE html>
<html>
<head>
<!-- SLDP player library, loaded by relative path: it must sit in the same directory as this page -->
<script src="sldp-v2.13.3.min.js"></script>
</head>
<body style="margin: 0; padding: 0; height: 100%; position: absolute; width: 100%;">
<div id="player-wrp" style="width: 100%; height: 100%;"></div>
<script type="text/javascript">
// The stream source is taken from this page's own query string (?stream=<url>); empty when absent.
var curURL = new URL(window.location.href);
var streamUrl = curURL.searchParams.get("stream") || '';
// NOTE(review): the value is handed to the player verbatim, so anyone who links to this page
// can choose what the player connects to. Consider checking it against the expected
// Nimble host and port before passing it to SLDP.init.
var sldpPlayer = SLDP.init({
container: 'player-wrp',
stream_url: streamUrl,
autoplay: true,
pause_timeout: 0,
buffering: 100,
width: 'parent',
height: 'parent'
});
</script>
</body> </html>
Configure Nimble via WMSPanel
https://wmspanel.com/ > Nimble Streamer > Live Stream Settings > Global
Disable HLS and DASH
Only enable SLDP
Add MPEGTS In and out
Set SRT custom parameters (encryption on the SRT leg):
passphrase (the shared secret; pick a strong one and hand it to the sender out of band)
pbkeylen (key length that goes with the passphrase)