Merge branch 'AirenSoft:master' into chore/ffmpeg7

README.md

@@ -59,7 +59,8 @@ Although we have tested OvenMediaEngine on the platforms listed below, it may wo
 
 * [Docker](https://hub.docker.com/r/airensoft/ovenmediaengine)
 * Ubuntu 18+
-* ~~CentOS 7+~~ Rocky 9+ will be supported
+* Rocky Linux 9+
+* AlmaLinux 9+
 * Fedora 28+
 
 ## Quick Start

docs/README.md

@@ -54,7 +54,8 @@ We have tested OvenMediaEngine on platforms, listed below. However, we think it
 
 * Docker ([https://hub.docker.com/r/airensoft/ovenmediaengine](https://hub.docker.com/r/airensoft/ovenmediaengine))
 * Ubuntu 18+
-* ~~CentOS 7+~~ (Rocky 9+ will be supported)
+* Rocky Linux 9+
+* AlmaLinux 9+
 * Fedora 28+
 
 ## Getting Started

docs/access-control/admission-webhooks.md

@@ -50,6 +50,7 @@ X-OME-Signature: f871jd991jj1929jsjd91pqa0amm1
   {
     "address": "211.233.58.86",
     "port": 29291,
+    "real_ip": "192.0.2.43",
     "user_agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/110.0.0.0 Safari/537.36"
   },
   "request":
@@ -68,19 +69,15 @@ The message is sent in POST method and the payload is in application/json format
 
 Here is a detailed explanation of each element of Json payload:
 
-| Element | Sub-Element                     | Description                                                                                                 |
-| ------- | ------------------------------- | ----------------------------------------------------------------------------------------------------------- |
-| client  |                                 | Information of the client who requested the connection.                                                     |
-|         | address                         | Client's IP address                                                                                         |
-|         | port                            | Client's Port number                                                                                        |
-|         | <p>user_agent<br>(optional)</p> | Client's User_Agent                                                                                         |
-| request |                                 | Information about the client's request                                                                      |
-|         | direction                       | <p>incoming : A client requests to publish a stream</p><p>outgoing : A client requests to play a stream</p> |
-|         | protocol                        | webrtc, srt, rtmp, llhls, thumbnail                                                                         |
-|         | status                          | <p>opening : A client requests to open a stream</p><p>closing : A client closed the stream</p>              |
-|         | url                             | url requested by the client                                                                                 |
-|         | <p>new_url<br>(optional)</p>    | url redirected from user's control server (status "closing" only)                                           |
-|         | time                            | time requested by the client (ISO8601 format)                                                               |
+<table><thead><tr><th width="138">Element</th><th width="162">Sub-Element</th><th>Description</th></tr></thead><tbody><tr><td>client</td><td></td><td>Information of the client who requested the connection.</td></tr><tr><td></td><td>address</td><td>IP address of the client connected to the server</td></tr><tr><td></td><td>port</td><td>Port number of the client connected to the server</td></tr><tr><td></td><td>real_ip</td><td>IP address of the client forwarded by the proxy server</td></tr><tr><td></td><td>user_agent<br>(optional)</td><td>Client's User_Agent</td></tr><tr><td>request</td><td></td><td>Information about the client's request</td></tr><tr><td></td><td>direction</td><td><p>incoming : A client requests to publish a stream</p><p>outgoing : A client requests to play a stream</p></td></tr><tr><td></td><td>protocol</td><td>webrtc, srt, rtmp, llhls, thumbnail</td></tr><tr><td></td><td>status</td><td><p>opening : A client requests to open a stream</p><p>closing : A client closed the stream</p></td></tr><tr><td></td><td>url</td><td>url requested by the client</td></tr><tr><td></td><td>new_url<br>(optional)</td><td>url redirected from user's control server (status "closing" only)</td></tr><tr><td></td><td>time</td><td>time requested by the client (ISO8601 format)</td></tr></tbody></table>
+
+{% hint style="info" %}
+OME searches for and sets the values ​​in real\_ip in the following order:
+
+1. The value of the X-REAL-IP header&#x20;
+2. The value of the first item of X-FORWARDED-FOR&#x20;
+3. The IP of the client that is actually connected
+{% endhint %}
 
 ### Security
 
@@ -129,12 +126,12 @@ Connection: Closed
 }
 ```
 
-| Element                | Description                                                                                                                                                                                                                                             |
-| ---------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
-| allowed **(required)** | <p>true or false</p><p>Allows or rejects the client's request.</p>                                                                                                                                                                                      |
-| new\_url (optional)    | Redirects the client to a new url. However, the `scheme`, `port`, and `file` cannot be different from the request. Only host, app, and stream can be changed. The host can only be changed to another virtual host on the same server.                  |
+| Element                | Description                                                                                                                                                                                                                               |
+| ---------------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
+| allowed **(required)** | <p>true or false</p><p>Allows or rejects the client's request.</p>                                                                                                                                                                        |
+| new\_url (optional)    | Redirects the client to a new url. However, the `scheme`, `port`, and `file` cannot be different from the request. Only host, app, and stream can be changed. The host can only be changed to another virtual host on the same server.    |
 | lifetime (optional)    | <p>The amount of time (in milliseconds) that a client can maintain a connection (Publishing or Playback)</p><ul><li>0 means infinity</li></ul><p>HTTP based streaming (HLS) does not keep a connection, so this value does not apply.</p> |
-| reason (optional)      | If allowed is false, it will be output to the log.                                                                                                                                                                                                      |
+| reason (optional)      | If allowed is false, it will be output to the log.                                                                                                                                                                                        |
 
 ### User authentication and control
 

docs/access-control/signedpolicy.md

@@ -19,21 +19,25 @@ Policy is in json format and provides the following properties.
     "url_activate":1399711581,                                    
     "url_expire":1399721581,                                    
     "stream_expire":1399821581,                                    
-    "allow_ip":"192.168.100.5/32"
+    "allow_ip":"192.168.100.5/32",
+    "real_ip":"111.111.111.111/32"
 }
 ```
 
-| Key                                                    | Value                                   | Description                                                                                |
-| ------------------------------------------------------ | --------------------------------------- | ------------------------------------------------------------------------------------------ |
-| <p>url_expire</p><p><strong>(Required)</strong></p>    | \<Number> Milliseconds since unix epoch | <p>The time the URL expires<br>Reject on request after the expiration</p>                  |
-| <p>url_activate</p><p><strong>(Optional)</strong></p>  | \<Number> Milliseconds since unix epoch | <p>The time the URL activates<br>Reject on request before activation</p>                   |
-| <p>stream_expire</p><p><strong>(Optional)</strong></p> | \<Number> Milliseconds since unix epoch | <p>The time the Stream expires<br>Transmission and playback stop when the time expires</p> |
-| <p>allow_ip</p><p><strong>(Optional)</strong></p>      | \<String> IPv4 CIDR                     | Allowed IP address range, 192.168.0.0/24                                                   |
+<table><thead><tr><th width="156.33333333333331">Key</th><th width="162">Value</th><th>Description</th></tr></thead><tbody><tr><td><p>url_expire</p><p><strong>(Required)</strong></p></td><td>&#x3C;Number> Milliseconds since unix epoch</td><td><strong>The time the URL expires</strong><br>Reject on request after the expiration</td></tr><tr><td><p>url_activate</p><p><strong>(Optional)</strong></p></td><td>&#x3C;Number> Milliseconds since unix epoch</td><td><strong>The time the URL activates</strong><br>Reject on request before activation</td></tr><tr><td><p>stream_expire</p><p><strong>(Optional)</strong></p></td><td>&#x3C;Number> Milliseconds since unix epoch</td><td><strong>The time the Stream expires</strong><br>Transmission and playback stop when the time expires</td></tr><tr><td><p>allow_ip</p><p><strong>(Optional)</strong></p></td><td>&#x3C;String> IPv4 CIDR</td><td><p><strong>Allowed IP Address Range</strong></p><p>Check the IP address of the client connected to the server</p></td></tr><tr><td>real_ip<br><strong>(Optional)</strong></td><td>&#x3C;String> IPv4 CIDR</td><td><p><strong>Allowed IP Address Range</strong></p><p>Check the IP address of the client forwarded by the proxy server</p></td></tr></tbody></table>
 
 {% hint style="info" %}
 **url\_expire** means the time the URL is valid, so if you connect before the URL expires, you can continue to use it, and sessions that have already been connected will not be deleted even if the time expires. However, **stream\_expire** forcibly terminates the session when the time expires even if it is already playing.
 {% endhint %}
 
+{% hint style="info" %}
+If `real_ip` is in the policy, OME searches for and checks the values ​​in the following order.
+
+1. The value of the **X-REAL-IP** header&#x20;
+2. The value of the first item of **X-FORWARDED-FOR**&#x20;
+3. The IP of the client that actually connected
+{% endhint %}
+
 ### Signature
 
 Signature is generated by HMAC-SHA1 encoding all URLs except signature query string. The generated Signature is encoded using [Base64URL](https://tools.ietf.org/html/rfc4648#section-5) and included as a query string of the existing URL.

docs/getting-started/README.md

@@ -8,7 +8,7 @@ OvenMediaEngine provides Docker images from AirenSoft's Docker Hub (airensoft/ov
 
 ### Installing dependencies
 
-OvenMediaEngine can work with a variety of open-sources and libraries. First, install them on your clean Linux machine as described below. We think that OME can support most Linux packages, but the tested platforms we use are Ubuntu 18+, Fedora 28+, and CentOS 7+.
+OvenMediaEngine can work with a variety of open-sources and libraries. First, install them on your clean Linux machine as described below. We think that OME can support most Linux packages, but the tested platforms we use are Ubuntu 18+, Fedora 28+, Rocky Linux 9+, and AlmaLinux 9+.
 
 ```bash
 curl -LOJ https://github.com/AirenSoft/OvenMediaEngine/archive/master.tar.gz && \
@@ -49,10 +49,9 @@ systemctl enable ovenmediaengine.service
 ```
 {% endtab %}
 
-{% tab title="CentOS 7" %}
+{% tab title="Rocky Linux 9" %}
 ```bash
-sudo yum update
-source scl_source enable devtoolset-7
+sudo dnf update
 cd OvenMediaEngine-master/src
 make release
 sudo make install
@@ -61,11 +60,19 @@ systemctl start ovenmediaengine
 systemctl enable ovenmediaengine.service
 ```
 
-In addition, we recommend that you permanently set environment variables as follows.
+{% endtab %}
 
+{% tab title="AlmaLinux 9" %}
 ```bash
-$ echo 'source scl_source enable devtoolset-7' >> ~/.bashrc 
+sudo dnf update
+cd OvenMediaEngine-master/src
+make release
+sudo make install
+systemctl start ovenmediaengine
+# If you want automatically start on boot
+systemctl enable ovenmediaengine.service
 ```
+
 {% endtab %}
 {% endtabs %}
 

docs/troubleshooting.md

@@ -25,13 +25,10 @@ sudo yum install -y gcc-c++ make nasm autoconf libtool zlib-devel tcl cmake
 ```
 {% endtab %}
 
-{% tab title="CentOS 7" %}
+{% tab title="Rocky Linux/AlmaLinux 9" %}
 ```bash
-# for downloading latest version of nasm (x264 needs nasm 2.13+ but centos provides 2.10 )
-sudo curl -so /etc/yum.repos.d/nasm.repo https://www.nasm.us/nasm.repo
-sudo yum install centos-release-scl
-sudo yum install -y bc gcc-c++ cmake nasm autoconf libtool glibc-static tcl bzip2 zlib-devel devtoolset-7
-source scl_source enable devtoolset-7
+sudo dnf install -y bc gcc-c++ autoconf libtool tcl bzip2 zlib-devel cmake libuuid-devel
+sudo dnf install -y perl-IPC-Cmd perl-FindBin
 ```
 {% endtab %}
 {% endtabs %}