Owncast
In this section, we deploy the Owncast application server.
An application server is a different thing from the web server that we set up in the last section. Client users will not access the application server directly, but will instead access the web server which is acting as a proxy.
Prerequisites
First, install dependencies.
$ sudo apt install unzip ffmpeg
By default, Owncast listens on port 8080/tcp. Normally we would not allow traffic into this port, but we need to allow it temporarily so we can verify the application server is installed and running correctly.
$ sudo ufw allow from <your IP address> to any proto tcp port 8080
Installation
Create a system user with a home directory /opt/owncast to run the Owncast server. Switch to the new system user.
💡 Quiz: What does each option in this adduser command do?
$ sudo adduser --system --home /opt/owncast --shell /bin/bash --group --disabled-password owncast
$ sudo su -l owncast
Your working directory should now be the system user's home /opt/owncast. Download the latest release of the Owncast binary from the developer's GitHub repository. I usually unzip it into the directory /opt/owncast/bin, but you can choose another location if you like.
Releases: https://github.com/owncast/owncast/releases
$ wget https://github.com/owncast/owncast/releases/download/v<version>/owncast-<version>-linux-64bit.zip
$ unzip -d /opt/owncast/bin owncast-<version>-linux-64bit.zip
Run the Owncast binary. If the terminal shows you something like this, that means it's working:
$ /opt/owncast/bin/owncast
INFO[YYYY-MM-DDTHH:MM:SSZ] Owncast v0.2.4-linux-64bit (########################################)
INFO[YYYY-MM-DDTHH:MM:SSZ] Initializing ActivityPub outbound worker pool with 10 workers for 0 followers
INFO[YYYY-MM-DDTHH:MM:SSZ] Web server is listening on port 8080.
INFO[YYYY-MM-DDTHH:MM:SSZ] Configure this server by visiting /admin.
In your web browser, access http://your.domain.tld:8080 and verify that the Owncast application is being served. (As before, your browser might complain because we haven't set up TLS yet.)
Stop the owncast program that's running in the foreground of your terminal (usually Ctrl-C).
We're done with the owncast system user for now, so run $ exit to return to the admin user. Much later, you'll need to log back in as the owncast system user when it's time to upgrade your Owncast version.
systemd Service
Instead of manually running the program /opt/owncast/bin/owncast in the foreground of a terminal, we can enable a system service that automatically starts, stops, and restarts the program in the background. Create a service configuration file and open it using nano or another text editor.
$ sudo nano /etc/systemd/system/owncast.service
The Owncast developers publish a sample service configuration file. Here's how I've adapted it for use on my server.
💡 Quiz: What does each setting in this service config file do?
[Unit]
Description=Owncast Service
[Service]
Type=simple
WorkingDirectory=/opt/owncast
ReadWritePaths=/opt/owncast
ExecStart=/opt/owncast/bin/owncast
Restart=always
RestartSec=5
User=owncast
Group=owncast
NoNewPrivileges=true
SecureBits=noroot
ProtectSystem=strict
ProtectHome=read-only
[Install]
WantedBy=multi-user.target
Reload systemd and start the service.
$ sudo systemctl daemon-reload
$ sudo systemctl start owncast
If all goes well, you should be able to access http://your.domain.tld:8080 in your browser like you did before. Enable the system service so that the application server is kept alive automatically.
$ sudo systemctl enable owncast
Finally, close the port that was opened for testing.
$ sudo ufw delete allow from <your IP address> to any proto tcp port 8080
nginx Configuration
As an extra security precaution, before you make any nginx configuration changes, consider setting the firewall to allow web traffic only from your IP address. Later, once you're ready to open your server to the web, set the firewall back to allow all web traffic.
$ sudo ufw delete allow "Nginx Full"
$ sudo ufw allow from <your IP address> to any app "Nginx Full"
In order for Owncast to work, we need to configure nginx to proxy WebSockets, which it does not do by default. An explanation of this is beyond the scope of this document, but more information can be found elsewhere:
- Owncast nginx documentation: https://owncast.online/docs/sslproxies/nginx/
- nginx WebSocket proxying documentation: https://nginx.org/en/docs/http/websocket.html
Create an HTTP configuration file /etc/nginx/conf.d/owncast.conf where we will put the required map block to proxy WebSockets. By default, files like conf.d/*.conf are automatically included in the http block in the nginx.conf file.
# conf.d/owncast.conf
map $http_upgrade $connection_upgrade {
default upgrade;
'' close;
}
Edit the virtual host configuration file /etc/nginx/sites-available/your.domain.tld.conf that you created earlier. Inside the location / block, delete the return 204; and replace it with the proxy settings given in Owncast's documentation.
server {
server_name your.domain.tld;
location / {
proxy_set_header Host $host;
proxy_set_header X-Forwarded-Host $host;
proxy_set_header X-Forwarded-Server $host;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection $connection_upgrade;
proxy_set_header Authorization $http_authorization;
proxy_pass_header Authorization;
proxy_pass http://127.0.0.1:8080;
}
listen 443 ssl; # managed by Certbot
ssl_certificate /etc/letsencrypt/live/your.domain.tld/fullchain.pem; # managed by Certbot
ssl_certificate_key /etc/letsencrypt/live/your.domain.tld/privkey.pem; # managed by Certbot
include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
}
Check that the new configuration is valid. If it looks OK, reload nginx.
$ sudo nginx -t
$ sudo systemctl reload nginx
Finally, after all of this effort, your Owncast server should be available over HTTPS at https://your.domain.tld.
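Keep in mind that $ sudo nginx -t validates syntax only: a virtual host that omits proxy_http_version 1.1 or the Upgrade and Connection headers still passes the test, and Owncast chat (which runs over WebSockets) only fails later at runtime. The script below is an added example, not part of this guide or the Owncast project; it assumes the two file paths used above and checks that the directives Owncast needs are present and not commented out.

```shell
#!/bin/bash
# Added example: semantic check of the Owncast reverse-proxy settings.
# nginx -t only validates syntax, so it does not notice a missing
# proxy_http_version or Upgrade/Connection header; this script does.
# Usage: ./check_owncast_proxy.sh /etc/nginx/sites-available/your.domain.tld.conf \
#                                 /etc/nginx/conf.d/owncast.conf

# Print a config file with comments removed and whitespace normalised,
# so a commented-out directive is not mistaken for an active one.
normalise_conf() {
    sed -e 's/#.*$//' \
        -e 's/[[:space:]]\{1,\}/ /g' \
        -e 's/^ //' -e 's/ $//' "$1"
}

# Exit status 0 if every directive Owncast needs is present, 1 otherwise.
# Each missing directive is reported on stderr with the file to fix.
check_owncast_proxy() {
    local vhost="$1" mapconf="$2" missing=0 directive
    # Directives the Owncast nginx documentation requires in location /.
    while IFS= read -r directive; do
        if ! normalise_conf "$vhost" | grep -qF -- "$directive"; then
            echo "missing in $vhost: $directive" >&2
            missing=1
        fi
    done <<'EOF'
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection $connection_upgrade;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_pass http://127.0.0.1:8080;
EOF
    # The Connection header refers to $connection_upgrade, which only exists
    # if the map block in conf.d defines it (nginx -t rejects an undefined
    # variable too, but this names the file that needs fixing).
    if ! normalise_conf "$mapconf" | grep -qF 'map $http_upgrade $connection_upgrade'; then
        echo "missing in $mapconf: map \$http_upgrade \$connection_upgrade block" >&2
        missing=1
    fi
    return "$missing"
}

# Run the check when invoked with the two file paths; nothing runs otherwise.
if [ "$#" -eq 2 ]; then
    check_owncast_proxy "$1" "$2" && echo "OK: $1 has the Owncast proxy settings"
fi
```

The vhost check is string-based, so it expects the directives written as in the Owncast documentation (one directive per line); it does not parse nested blocks.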
Security
Change the Owncast default admin password and stream key immediately. Access these settings in the Owncast admin panel at https://your.domain.tld/admin/config/server with the default login admin:abc123.
By default, Owncast receives the incoming RTMP stream on port 1935/tcp, so you will also need to allow that port through the firewall. If you only expect to stream from one location (e.g. your home), you can allow RTMP traffic only from your IP address.
$ sudo ufw allow from <your IP address> proto tcp to any port 1935
Owncast Settings
Personalizing your new Owncast server and making it work with your streaming client software (e.g. OBS Studio) is beyond the scope of this document.
See the Owncast documentation here: https://owncast.online/docs/configuration/
Backing Up Application Data
Owncast saves its application data in the directory /opt/owncast/data (or the data subdirectory of whichever working directory you chose). You will want to make backups of this data periodically. How you do it is up to you. Just remember to stop the Owncast service before you interact with the data directory.
Consider the following example shell script. If you run this with superuser privileges, it stops the Owncast service, saves an archive of the data directory in the admin user's home, and restarts the Owncast service. Then you can use SFTP to retrieve the archive from the admin user at your convenience.
💡 Quiz: What system utility would you use to automate running this script on a schedule with superuser privileges?
#!/bin/bash
# Stop Owncast, archive its data directory into the admin user's home,
# then start Owncast again. Run with superuser privileges.
set -euo pipefail
# Get the current timestamp (ISO 8601, to the minute)
TIMESTAMP=$(date -Iminutes)
# Set the archive path and filename
ARCHIVE_DIR=/home/myadmin
ARCHIVE_FILE="owncast.$TIMESTAMP.tar.gz"
ARCHIVE_PATH="$ARCHIVE_DIR/$ARCHIVE_FILE"
# Stop the Owncast service, and make sure it is started again when the
# script exits, even if tar or chown fails part way through
systemctl stop owncast
trap 'systemctl start owncast' EXIT
# Take a snapshot of /opt/owncast/data
cd /opt/owncast
tar -czvf "$ARCHIVE_PATH" data
# Hand the archive to the admin user so it can be fetched over SFTP
chown myadmin:myadmin "$ARCHIVE_PATH"
# The EXIT trap above now starts the Owncast service again