We'll cover a basic install of Owncast, a self-hosted live streaming and chat server. We'll also configure nginx with a free Let's Encrypt certificate.

This article assumes you are running a fresh install of Debian 11, and that you know the basics of the command line. Let's get started!

Before starting, make sure that your domain name is set up correctly, pointing to your server's IP address. Configuring your domain name will depend on the provider you use, so you should check their documentation for instructions.

The first step is to install the packages we'll need to complete this tutorial. These are:

  • wget: Used to download the Owncast release archive.
  • unzip: Used to extract the Owncast release archive.
  • curl: Used to change the stream key from the command line.
  • nginx: Used as a reverse proxy to route traffic from the public domain to the owncast server.
  • certbot and python3-certbot-nginx: Used to get a certificate from Let's Encrypt and configure nginx automatically for TLS (https).
  • ffmpeg: Used by Owncast to receive your stream and send it to your viewers.

To do this, use this command line:

sudo apt install wget unzip curl nginx certbot python3-certbot-nginx ffmpeg

Once that's done, it's time to install Owncast.

Installing Owncast

Let's begin the Owncast installation by downloading the appropriate version for your system from https://github.com/owncast/owncast/releases. You probably want the linux-64bit version. Use wget to download it to your server:

wget https://github.com/owncast/owncast/releases/download/v0.0.13/owncast-0.0.13-linux-64bit.zip

Next, extract the zip file to a 'owncast' directory in your home folder:

unzip owncast-0.0.13-linux-64bit.zip -d $HOME/owncast

The $HOME/owncast directory will be created if it does not exist yet.

That's all that is strictly necessary to install Owncast, but for more reliability you'll also want to set up a service for it. To do this, create the file /etc/systemd/system/owncast.service:

sudo nano /etc/systemd/system/owncast.service

Paste the following content in the file, but make sure you replace /home/myuser/ with the real path of your home folder on the WorkingDir and ExecStart lines!

Description=Owncast Service



To save the file, use CTRL+S, then exit with CTRL+X.

We can now enable the new service and start it:

sudo systemctl daemon-reload
sudo systemctl enable owncast
sudo systemctl start owncast

Having this service in place allows us to use the commands provided by systemd to start and stop the Owncast service, it also allows us to make sure Owncast starts automatically at boot.

Owncast should be up and running now, on port 8080. Open your browser and try visiting http://yourdomain:8080 (not https!). If Owncast is not loading, check the content of the service file we created above, especially the WorkingDir and ExecStart lines. They should look something like this:


Now that Owncast is running, it's a good idea to change your stream key to keep intruders out! You can do it from the admin panel of Owncast, but in this tutorial we'll do it from the server's command line with the commands below. Replace myverysecurestreamkey with a (better) key of your choice! If you're new to this, avoid using simple quotes in the key:

curl -s -u admin:abc123 -X POST -H "Content-Type: application/json" -d "{\"value\": \"${NEW_STREAM_KEY}\"}"

Keep the stream key in your password manager or other trusted store, as you'll need it to login into your admin panel as well as to configure your streaming software!

Configuring a nginx https reverse proxy

We can now configure nginx as a reverse proxy for https. Create the file /etc/nginx/sites-available/owncast-reverse-proxy with the following content (you need root privileges):

map $http_upgrade $connection_upgrade {
        default upgrade;
        ''      close;

server {
    server_name example.com;
    proxy_intercept_errors on;

    location / {
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-Host $host;
        proxy_set_header X-Forwarded-Server $host;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection $connection_upgrade;

On the line which starts with server_name, replace example.com with your domain!

This config is only http, not https. The https config will be added later, when we use certbot to request a certificate.

Enable the new site configuration by creating a link to it in the sites-enableddirectory. This will allow nginx to recognize the configuration and start using it. To do this, run the following command:

sudo ln -s /etc/nginx/sites-available/owncast-reverse-proxy /etc/nginx/sites-enabled/owncast-reverse-proxy

The sites-available directory contains all available configuration files for the websites on your server, while the sites-enabled directory contains symbolic links to the configuration files that are currently active. This allows for easy activation and deactivation of websites: to deactivate a site, remove the link from the sites-enabled directory.

Nginx on Debian ships with a default website enabled. We don't need it, let's remove the link:

sudo rm /etc/nginx/sites-enabled/default

It's a good idea to check the new nginx configuration before going further, to make sure that there are no errors:

sudo nginx -t

If the output tells you about any error, read it carefully to know what you should fix. Maybe there was a copy/paste error?

Lastly, request a certificate from Let's Encrypt, which will enable a secure connection to your domain. Certbot will also configure nginx to use the new certificate. Do this with the command:

sudo certbot --nginx -d example.com

Again, don't forget to replace example.com with your actual domain. Certbot will prompt you for your email address and your agreement to their Terms Of Service (answer 'Y'), as well as an optional request to share your email adress with the Electronic Frontier Foundation (answer 'N' if you'd prefer not to). The EFF is a nonprofit organization dedicated to protecting civil liberties in the digital world. They helped develop Let's Encrypt.

If all went according to plan, Owncast should now be available at your domain with SSL! You can now head over to your Owncast admin panel (at https://yourdomain/admin) and configure your server. To login to your admin panel, use the username "admin" and the stream key you set above as the password.

Have fun!