Ich zeige euch hier, wie ihr einen Live-Streaming-Server Owncast in wenigen Minuten mit Docker realisiert. Traefik dient uns hier als Reverse Proxy.
0. Grundvoraussetzungen
- Docker & Docker Compose v2 (Debian / Ubuntu)
- Traefik ab v3.6 mit CrowdSec installieren und konfigurieren
1. Ordner anlegen
mkdir -p /opt/containers/owncast
2. Docker Compose anlegen
Hier die Original-Anleitung (LINK). Musste natürlich einiges angepasst werden.
CODE 1: Befehl | CODE 2: docker-compose.yml
nano /opt/containers/owncast/docker-compose.yml
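services:
  owncast:
    image: owncast/owncast:latest  # NOTE(review): floating tag; pin a tested release tag or digest
    restart: unless-stopped
    labels:
      traefik.docker.network: proxy
      traefik.enable: "true"
      traefik.http.routers.owncast.entrypoints: websecure
      traefik.http.routers.owncast.rule: Host(`stream.euredomain.de`)
      # The HTTPS router above serves the player, the chat and the /admin
      # interface alike, so /admin is reachable from the internet as soon as
      # the container is up.
      traefik.http.routers.owncast.service: owncast
      traefik.http.routers.owncast.tls: "true"
      traefik.http.routers.owncast.tls.certresolver: tls_resolver
      traefik.http.services.owncast.loadbalancer.server.port: "8080"
      # RTMP ingest router. Plain RTMP has no TLS handshake and therefore no
      # SNI to match on, so HostSNI(`*`) accepts every connection that reaches
      # the "rtmp" entrypoint. HTTP middlewares do not apply to TCP routers:
      # the stream key is what protects ingest, and it is sent unencrypted.
      traefik.tcp.routers.owncast-rtmp.entrypoints: rtmp
      traefik.tcp.routers.owncast-rtmp.rule: HostSNI(`*`)
      traefik.tcp.services.owncast-rtmp.loadbalancer.server.port: "1935"
    networks:
      default: null
      proxy: null
    volumes:
      # Persistent Owncast data lives on the host next to this file; keep the
      # directory out of world-readable locations and include it in backups.
      - ./data:/app/data
networks:
  proxy:
    external: true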
Host entsprechend anpassen (Zeile 9): stream.euredomain.de
3. Traefik anpassen
3.1. Traefik Compose anpassen
nano /opt/containers/traefik-crowdsec-stack/compose/traefik.yml
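# Owncast RTMP ingest: plain TCP published directly on the host. If you only
# broadcast from known addresses, limit port 1935 to them in the host firewall.
- mode: host  # owncast
  target: 1935
  published: "1935"
  protocol: tcp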
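services:
  traefik:
    container_name: ${SERVICES_TRAEFIK_CONTAINER_NAME:-traefik}
    # Traefik starts only after CrowdSec and the Docker socket proxy report
    # healthy.
    depends_on:
      crowdsec:
        condition: service_healthy
      socket-proxy:
        condition: service_healthy
    env_file: ${ABSOLUTE_PATH}/data/traefik/.env
    hostname: ${SERVICES_TRAEFIK_HOSTNAME:-traefik}
    healthcheck:
      test: ["CMD", "traefik", "healthcheck", "--ping"]
      timeout: 1s
      interval: 10s
      retries: 3
      start_period: 10s
    image: ${SERVICES_TRAEFIK_IMAGE:-traefik}:${SERVICES_TRAEFIK_IMAGE_VERSION:-3.6}
    networks:
      crowdsec:
        ipv4_address: ${SERVICES_TRAEFIK_NETWORKS_CROWDSEC_IPV4:-172.31.127.253}
        ipv6_address: ${SERVICES_TRAEFIK_NETWORKS_CROWDSEC_IPV6:-fd00:1:be:a:7001:0:3e:6ffe}
      proxy:
        ipv4_address: ${SERVICES_TRAEFIK_NETWORKS_PROXY_IPV4:-172.31.191.254}
        ipv6_address: ${SERVICES_TRAEFIK_NETWORKS_PROXY_IPV6:-fd00:1:be:a:7001:0:3e:7fff}
      socket_proxy:
        ipv4_address: ${SERVICES_TRAEFIK_NETWORKS_SOCKET_PROXY_IPV4:-172.31.255.253}
        ipv6_address: ${SERVICES_TRAEFIK_NETWORKS_SOCKET_PROXY_IPV6:-fd00:1:be:a:7001:0:3e:8ffe}
    ports:
      - mode: host
        target: 80
        published: "80"
        protocol: tcp
      - mode: host
        target: 443
        published: "443"
        protocol: tcp
      - mode: host
        target: 443
        published: "443"
        protocol: udp
      # Owncast RTMP ingest. Unlike 80/443 this port carries an unencrypted
      # protocol, and the crowdsec@file middleware in traefik.yml is attached
      # to the "websecure" entrypoint only, so it does not cover this traffic.
      # Restrict the port in the host firewall if the broadcast sources are
      # known.
      - mode: host  # owncast
        target: 1935
        published: "1935"
        protocol: tcp
    restart: unless-stopped
    security_opt:
      - no-new-privileges:true
    volumes:
      - /etc/localtime:/etc/localtime:ro
      # NOTE(review): traefik.yml and .htpasswd are mounted read-write here;
      # Traefik presumably only reads them, so ":ro" would be tighter. Confirm
      # before changing.
      - ${ABSOLUTE_PATH}/data/traefik/traefik.yml:/etc/traefik/traefik.yml
      - ${ABSOLUTE_PATH}/data/traefik/.htpasswd:/etc/traefik/.htpasswd
      # The ACME stores hold certificate private keys and must stay writable
      # for Traefik; keep them readable by the owner only on the host.
      - ${ABSOLUTE_PATH}/data/traefik/certs/acme_letsencrypt.json:/etc/traefik/acme_letsencrypt.json
      - ${ABSOLUTE_PATH}/data/traefik/certs/tls_letsencrypt.json:/etc/traefik/tls_letsencrypt.json
      - ${ABSOLUTE_PATH}/data/traefik/dynamic_conf:/etc/traefik/dynamic_conf:ro
      - /var/log/traefik/:/var/log/traefik/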
3.2. Traefik EntryPoint ergänzen
nano /opt/containers/traefik-crowdsec-stack/data/traefik/traefik.yml
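# Plain TCP entrypoint for Owncast RTMP ingest: no TLS and no HTTP middlewares.
rtmp:  # owncast
  address: ':1935'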
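# NOTE(review): the dashboard is enabled, but the router that exposes it is not
# shown on this page. Confirm it sits behind authentication.
api:
  dashboard: true
metrics:
  prometheus:
    addRoutersLabels: true
certificatesResolvers:
  http_resolver:
    acme:
      email: "deine@email.de"
      storage: "/etc/traefik/acme_letsencrypt.json"
      httpChallenge:
        entryPoint: web
  tls_resolver:
    acme:
      email: "deine@email.de"
      storage: "/etc/traefik/tls_letsencrypt.json"
      tlsChallenge: {}
entryPoints:
  ping:
    address: ':88'
  web:
    address: ':80'
    http:
      redirections:
        entryPoint:
          to: websecure
          scheme: https
  websecure:
    address: ':443'
    http3: {}
    http:
      middlewares:
        - crowdsec@file
        - default@file
  # Plain TCP entrypoint for Owncast RTMP ingest. The two middlewares above
  # are attached to "websecure" only, so connections arriving here are not
  # filtered by the CrowdSec bouncer and are not TLS-protected.
  rtmp:  # owncast
    address: ':1935'
ping:
  entryPoint: "ping"
global:
  checknewversion: true
  sendanonymoususage: false
providers:
  docker:
    # The Docker API is reached through the socket-proxy container over
    # unencrypted TCP; the network carrying it should stay internal.
    endpoint: "tcp://socket-proxy:2375"
    # Containers are routed only when they opt in with traefik.enable.
    exposedByDefault: false
    network: "proxy"
  file:
    directory: "/etc/traefik/dynamic_conf"
    watch: true
  providersThrottleDuration: 10s
log:
  level: WARN
  filePath: "/var/log/traefik/traefik.log"
  format: json
  maxSize: 10
  maxBackups: 10
  maxAge: 14
accessLog:
  format: json
  filePath: "/var/log/traefik/access.log"
  fields:
    defaultMode: keep
    names:
      ClientUsername: drop
    headers:
      defaultMode: keep
      names:
        # Kept because they are needed for security analysis:
        User-Agent: keep
        X-Forwarded-For: keep
        X-Real-IP: keep
        CF-Connecting-IP: keep
        Referer: keep
        Content-Type: keep
        Accept: keep
        # Important: redact instead of drop, so the log still shows that a
        # credential header was present without storing its value.
        Authorization: redact  # logged as "REDACTED" when the header is present
        Cookie: redact  # logged as "REDACTED" when a cookie is present
        Set-Cookie: redact
experimental:
  plugins:
    bouncer:
      moduleName: github.com/maxlerebourg/crowdsec-bouncer-traefik-plugin
      version: v1.4.6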
3.3. Traefik neu starten
cd /opt/containers/traefik-crowdsec-stack/
docker compose up -d --force-recreate
4. Owncast starten und einrichten
cd /opt/containers/owncast/
docker compose up -d
- Auf deiner Seite anmelden: https://stream.euredomain.de/admin/
- » Benutzername: admin
- » Passwort: abc123
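- Passwort direkt nach dem ersten Start ändern – die Admin-Oberfläche ist ab dem Start des Containers öffentlich erreichbar und das Standardpasswort ist allgemein bekannt: https://stream.euredomain.de/admin/config/server/ » Server Config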
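- Streamschlüssel ändern (er ist der einzige Schutz des RTMP-Eingangs auf Port 1935 und wird bei RTMP unverschlüsselt übertragen; daher einen langen Zufallswert wählen und nirgends sonst verwenden): https://stream.euredomain.de/admin/config/server/ » Stream Keys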
- Broadcasting Software einrichten: z.B.: OBS
- Einstellungen » Stream
- Plattform: Benutzerdefiniert
- Server: rtmp://stream.euredomain.de/live
- Streamschlüssel eintragen
- Einstellungen » Stream
- Zusätzliche Infos
