From 92dfb9cfec62decc488780fb70e71789594dd9b7 Mon Sep 17 00:00:00 2001 From: n9k Date: Sun, 12 Jun 2022 04:12:29 +0000 Subject: [PATCH] STREAMING.md: way more comprehensive instructions --- STREAMING.md | 203 +++++++++++++++++++++++++++++++++++++++++++-------- 1 file changed, 172 insertions(+), 31 deletions(-) diff --git a/STREAMING.md b/STREAMING.md index f511406..91be24c 100644 --- a/STREAMING.md +++ b/STREAMING.md 
@@ -1,23 +1,140 @@ ### Tor -Install tor and include these lines in your [torrc][torrc]: +Install tor. On Linux you can probably install a package called `tor` and +be done, otherwise [compile it][tor]. On Windows download this binary: +. +Find your [torrc][torrc]. On Linux it is probably at `/etc/tor/torrc`. +On Windows it might be somewhere in `%appdata%\tor` or something. + +#### Background + +A Tor hidden service is a regular TCP service that you talk to via a +6-hop circuit created inside the Tor network. You initiate the creation +of this circuit by providing tor with the service's hostname, which is a +long base32-encoded string ending in ".onion". This hostname is derived +from a pair of cryptographic keys generated by the hidden service +operator. + +A TCP service is a computer program you interact with over the Internet +using TCP. TCP is a low-level networking protocol that sits above IP +and creates a reliable so-called "connection" between two computers. It +handles the reordering and resending of packets that are shuffled or +lost in transit on the Internet, such that the bytes sent from one +computer will match exactly the bytes that arrive at the other computer +(barring active interference (MITM), TCP is not secure). Getting +reliability for free greatly simplifies the creation of network +applications, and for this reason and other historical reasons TCP is +ubiquitous on the Internet to this day. Many applications use TCP, for +example IRC, SSH, RTMP, Minecraft, and HTTP (like us here). + +#### Configuration + +We are now going to create a hidden service. We need to give tor a +directory to store the keys it generates, the location of our existing +TCP service, and a virtual TCP port to listen on. There are two +directives we have to add to our torrc: `HiddenServiceDir` and +`HiddenServicePort`. (There is a commented-out section in the default +torrc for hidden services, you may wish to make these changes there.) 
+ +##### `HiddenServiceDir` + +`HiddenServiceDir` sets the directory for the hidden service's keys and +other data. You could choose any directory, but you should make sure +it's owned by the user the tor daemon runs as, and the directory's +permissions are `0700/drwx------` (`rwx` for user, `---` for group and +everyone else). + +If you configure this in a way tor doesn't like, tor will kill itself +and complain in one of these two ways: +``` +Jun 11 23:21:17.000 [warn] Directory /home/n9k/projects/anonstream/hidden_service cannot be read: Permission denied +``` +``` +Jun 12 02:37:51.036 [warn] Permissions on directory /var/lib/tor/anonstream are too permissive. +``` + +The simplest option is to copy the examples provided in the torrc, on +Linux that would probably be a directory inside `/var/lib/tor`, e.g. +`HiddenServiceDir /var/lib/tor/anonstream`. tor will create this +directory itself with the uid, gid, and permissions that it likes, which +for me are these: +``` +Access: (0700/drwx------) Uid: ( 42/ tor) Gid: ( 42/ tor) +``` + +###### `HiddenServiceDir` troubleshooting + +If you created the directory yourself and gave it the wrong permissions +or uid or gid, delete the directory and let tor create it itself, or do +this: +``` +# chown -R tor:tor /var/lib/tor/anonstream +# chmod 0700 /var/lib/tor/anonstream +# chmod 0600 /var/lib/tor/anonstream/* +# chmod 0700 /var/lib/tor/anonstream/*/ +``` + +If the user and group `tor` do not exist, your tor daemon runs as some +other user. There may be a `User` directive in your torrc or in a file +included by your torrc, for example on Debian it's `User debian-tor`. +This means that a tor process running as root will immediately drop +privileges by switching to the user `debian-tor`. The user's primary +group should have the same name, but you can check as root like this: +`# id debian-tor`. 
+ +On Linux, if tor is already running you can see what user and group it is +running as like this: +``` +$ ps -C tor -o uid,gid,cmd +UID GID CMD + 42 42 tor --quiet --runasdaemon 0 +$ cat /etc/passwd | grep :42: | cut -f 1 -d : # 42 is the UID here +tor +$ cat /etc/group | grep :42: | cut -f 1 -d : # 42 is the GID here +tor +``` + +Alternatively you could specify a directory inside the cloned +repository, e.g. `/home/delphine/Documents/anonstream/hidden_service` +or something like that. This will only work if the tor daemon has `rwx` +permissions on the directory and at least `r-x` permissions on all the +directories above it. This is probably not the case for you since your +home folder might have `0700/drwx------` permissions. If you +installed tor as a package, the daemon probably runs as its own user +(e.g. `debian-tor` on Debian, `tor` on Arch/Gentoo). If you want to +figure this out yourself go ahead. I would advise just using +`/var/lib/tor/anonstream` though. + +##### `HiddenServicePort` + +Include this line verbatim directly below the `HiddenServiceDir` line: ``` -HiddenServiceDir $PROJECT_ROOT/hidden_service HiddenServicePort 80 127.0.0.1:5051 ``` -but replace `$PROJECT_ROOT` with the folder you cloned the git repo -into. -Then reload tor. If everything went well, the directory will have been -created and your onion address will be in -`$PROJECT_ROOT/hidden_service/hostname`. +tor will listen for connections to our onion address at virtual port +80 (this is the conventional HTTP port), and it will forward that +traffic to our TCP service at 127.0.0.1:5051, which is our webserver. + +##### Finish + +Example configuration: +``` +HiddenServiceDir /var/lib/tor/anonstream +HiddenServicePort 80 127.0.0.1:5051 +``` + +Reload tor to make it reread its torrc: `# pkill -HUP tor`. With +systemd you can alternatively do `# systemctl reload tor`. 
If +everything went well, the directory will have been created and your +onion address will be in `$HIDDEN_SERVICE_DIR/hostname`. ### OBS Studio -Install OBS Studio. If the autoconfiguration wizard prompts you to -choose a third-party service, ignore it since we're not gonna be doing -that. +Install OBS Studio. If the autoconfiguration wizard prompts you to +choose a third-party service, ignore it since we're not going to be +using a third-party service. Click `Settings` and set these: 
@@ -26,33 +143,57 @@ Click `Settings` and set these: * Filename Formatting: `stream` * Overwrite if file exists: yes * Video - * Output (Scaled) Resolution: `960x540` or lower + * Output (Scaled) Resolution: `960x540` or lower, or whatever you want * Common FPS Values: any integer framerate (e.g. 30 or 60) * Output * Output Mode: `Advanced` * Recording: - | | | - |----------------------------|------------------------------------------------------------------------------------------------| - | Type | `Custom Output (FFmpeg)` | - | FFmpeg Output Type | `Output to File` | - | File path or URL | same as config.toml: `segments/directory` (but should be an absolute path) | - | Container Format | `hls` | - | Muxer Settings (if any) | `hls_init_time=0 hls_time=2 hls_list_size=120 hls_flags=delete_segments hls_segment_type=fmp4` | - | Video bitrate | `420 Kbps` or lower | - | Keyframe interval (frames) | `framerate*hls_time`, e.g. for 60fps and an `hls_time` of 2 seconds, use 120 | - | Video Encoder | libx264, or an H.264 hardware encoder (e.g. 
`h264_nvenc` for Nvidia, [see here][ffmpeg]) | - | Audio Bitrate | `96 Kbps` | - | Audio Encoder | `aac` | + ``` + +----------------------------+-------------------------------------+ + | Field | Value | + +============================+=====================================+ + | Type | `Custom Output (FFmpeg)` | + +----------------------------+-------------------------------------+ + | FFmpeg Output Type | `Output to File` | + +----------------------------+-------------------------------------+ + | File path or URL | same as the `segments/directory` | + | | option in config.toml, but make it | + | | an absolute path | + +----------------------------+-------------------------------------+ + | Container Format | `hls` | + +----------------------------+-------------------------------------+ + | Muxer Settings (if any) | `hls_init_time=0 hls_time=2 ` | + | | `hls_list_size=120 ` | + | | `hls_flags=delete_segments ` | + | | `hls_segment_type=fmp4` | + +----------------------------+-------------------------------------+ + | Video bitrate | `420 Kbps` or lower, or whatever | + | | you want | + +----------------------------+-------------------------------------+ + | Keyframe interval (frames) | `framerate` * `hls_time`, e.g. for | + | | 60fps and an `hls_time` of 2 | + | | seconds, set this to 120 | + +----------------------------+-------------------------------------+ + | Video Encoder | libx264, or an H.264 hardware | + | | encoder (e.g. `h264_nvenc` for | + | | Nvidia, [see here][ffmpeg]) | + +----------------------------+-------------------------------------+ + | Audio Bitrate | `96 Kbps`, or whatever you want | + +----------------------------+-------------------------------------+ + | Audio Encoder | `aac` | + +----------------------------+-------------------------------------+ + ``` -Then click `OK`. +To start streaming click `Start Recording`. -That's it. To start streaming click `Start Recording`. 
- -Because of the muxer settings we used, segments older than four -minutes will be constantly deleted. When you stop streaming, the last -four minutes worth of segments will remain the segments directory. -You can delete them if you want. When you're not streaming you can -delete everything in the segments directory and it'll be fine. +When it is recording, segments older than four minutes will be regularly +deleted, and when it stops recording the last four minutes worth of +segments will remain the segments directory. (You can change the number +of kept segments by modifying the `hls_list_size` option in the muxer +settings.) When it is not recording, you can delete the files in the +segments directory without consequence. Old segments will never be sent +over the network even if they are not deleted. +[tor]: https://gitlab.torproject.org/tpo/core/tor [torrc]: https://support.torproject.org/#tbb-editing-torrc [ffmpeg]: https://trac.ffmpeg.org/wiki/HWAccelIntro
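Review bot: the Windows install step in the first hunk has a dangling link: `+On Windows download this binary:` is followed by a line containing only `.`, so the download URL never made it into the file and a Windows reader has nowhere to go; add the link (the official Tor Project download page, with a note to verify the signature before running it) or drop the sentence. Three smaller points in the same hunk. In the user/group lookup, `cat /etc/passwd | grep :42:` matches `:42:` in the GID field as well as the UID field (and `/etc/group` has the same problem with its members field), so it can print the wrong name; `getent passwd 42 | cut -d: -f1` and `getent group 42 | cut -d: -f1` look up exactly that id. The TCP paragraph's parenthetical `(barring active interference (MITM), TCP is not secure)` reads as the opposite of what is meant; something like "TCP only protects against accidental loss and reordering; it offers no protection against an attacker on the path" is clearer. And since the section already says the onion hostname is derived from the key pair stored under `HiddenServiceDir`, one sentence stating that the secret key file in that directory is the service's identity (back it up, never copy it to another host) would also explain to the reader why the `0700` permission and the `tor` ownership are not optional.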
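Review bot: wrapping the new OBS settings table in a ``` fence in the second hunk turns it into preformatted text, so the backticks around values such as `Custom Output (FFmpeg)` will show literally and the reference link `[see here][ffmpeg]` will no longer render as a link (the `[ffmpeg]:` definition at the bottom of the file becomes unused); either keep a markdown pipe table as in the previous version and shorten the muxer-settings cell, or move the hardware-encoder link out of the fence into the prose under the table. Also, the new sentence `segments will remain the segments directory` is missing a word and should read `will remain in the segments directory`. Finally, since the four-minute retention figure follows only from the muxer settings, it would help to say explicitly that it is `hls_list_size` (120) times `hls_time` (2 seconds), so a reader who changes one of them knows the retention window and the keyframe interval both depend on `hls_time`.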