Go
Streaming & Messaging Azure

go2rtc on Ubuntu 24.04 on Azure User Guide

| Product: go2rtc 1.9.14 on Ubuntu 24.04 LTS on Azure

Overview

go2rtc is an ultra low latency camera streaming application and restreaming gateway. It connects to your cameras and video sources over the protocols they speak, RTSP, ONVIF, RTMP, HTTP and USB, and republishes each stream over whatever protocol the viewer needs: WebRTC for sub second latency in a browser, Media Source Extensions, HLS, MJPEG and RTSP. It is a single self contained Go binary with no database, driven by one readable configuration file, so a working streaming gateway is answering within minutes of launch.

The cloudimg image installs go2rtc 1.9.14 and puts it behind an nginx TLS reverse proxy that binds go2rtc to loopback. The appliance is secure by default. Upstream go2rtc ships with its web interface and API completely open, which is unsafe on any network, so this image closes that gap. go2rtc binds only to the local host, sits behind nginx on port 443, and its api.local_auth setting forces HTTP Basic authentication on every request, including the loopback requests the proxy makes. There is no default or shared login. On first boot go2rtc-firstboot.service generates a unique username and password, renders them into the configuration, writes the plaintext once to a root only file at /root/go2rtc-credentials.txt, and regenerates a per VM self signed TLS certificate. Nothing is baked into the image.

To show the pipeline working on first boot, the image ships a demonstration stream: a self contained ffmpeg test pattern that needs no camera hardware, transcoded to H.264 so it plays over WebRTC, MSE and HLS and yields JPEG snapshots the moment you sign in. This is demo data only, and Step 10 and Step 11 show you how to add your own cameras.

What is included:

  • go2rtc 1.9.14 single Go binary (/opt/go2rtc/go2rtc)
  • One readable configuration file (/etc/go2rtc/go2rtc.yaml), no database to maintain
  • go2rtc.service running as the unprivileged go2rtc user, with the web UI and API bound to loopback 127.0.0.1:1984
  • The RTSP restream server on TCP 8554 and WebRTC media on 8555 (with automatic public address discovery via STUN)
  • nginx.service reverse proxy terminating TLS on 443, with the whole UI and API behind HTTP Basic auth, a WebSocket upgrade for browser playback, an unauthenticated /healthz endpoint, and a 301 redirect from port 80
  • A self contained demonstration stream so the dashboard is populated on first boot (demo data only)
  • go2rtc-firstboot.service generating a per VM UI/API credential and TLS certificate on first boot
  • Ubuntu 24.04 LTS base, latest patches, unattended security upgrades enabled
  • 24/7 cloudimg support, 24h response SLA

Prerequisites

An active Azure subscription, an SSH key, and a VNet with a subnet. Recommended VM size: Standard_B2s (2 vCPU, 4 GB RAM). go2rtc is light; larger sizes only help when you transcode many simultaneous high resolution streams.

Step 1: Deploy from the Azure Portal

Search the Azure Marketplace for go2rtc, choose the plan, and create the VM. In the networking step attach an NSG that allows inbound TCP 22 (SSH) and TCP 443 (the web UI and API) from your client networks only, plus TCP/UDP 8555 (WebRTC) and TCP 8554 (RTSP) if you want low latency browser playback and RTSP restreaming from outside the VM. The go2rtc API on port 1984 is bound to loopback and is never exposed directly.

Step 2: Deploy from the Azure CLI

RG="go2rtc-prod"; LOCATION="eastus"; VM_NAME="go2rtc-01"
GALLERY_IMAGE_ID="/subscriptions/<sub-id>/resourceGroups/azure-cloudimg/providers/Microsoft.Compute/galleries/cloudimgGallery/images/go2rtc-ubuntu-24-04/versions/<version>"
SSH_KEY="$(cat ~/.ssh/id_rsa.pub)"
az group create --name "$RG" --location "$LOCATION"
az network vnet create -g "$RG" --name g2-vnet --address-prefix 10.120.0.0/16 --subnet-name g2-subnet --subnet-prefix 10.120.1.0/24
az network nsg create -g "$RG" --name g2-nsg
az network nsg rule create -g "$RG" --nsg-name g2-nsg --name allow-ssh --priority 100 \
  --source-address-prefixes "<your-mgmt-cidr>" --destination-port-ranges 22 --access Allow --protocol Tcp
az network nsg rule create -g "$RG" --nsg-name g2-nsg --name allow-https --priority 110 \
  --source-address-prefixes "<your-mgmt-cidr>" --destination-port-ranges 443 --access Allow --protocol Tcp
az network nsg rule create -g "$RG" --nsg-name g2-nsg --name allow-webrtc --priority 120 \
  --source-address-prefixes "<your-mgmt-cidr>" --destination-port-ranges 8555 --access Allow --protocol '*'
az vm create -g "$RG" --name "$VM_NAME" --image "$GALLERY_IMAGE_ID" \
  --size Standard_B2s --storage-sku StandardSSD_LRS \
  --admin-username azureuser --ssh-key-values "$SSH_KEY" \
  --vnet-name g2-vnet --subnet g2-subnet --nsg g2-nsg --public-ip-sku Standard

Step 3: Connect via SSH

ssh azureuser@<vm-ip>

go2rtc.service, nginx.service and go2rtc-firstboot.service all start automatically on first boot.

Step 4: Verify the Service

sudo systemctl is-active go2rtc nginx go2rtc-firstboot
sudo test -f /var/lib/cloudimg/go2rtc-firstboot.done && echo FIRSTBOOT_DONE
sudo ss -tlnp | grep -E ':443 |:1984 |:8554 |:8555 '

Expected output — the services are active, nginx is bound to the public port 443, go2rtc's API is bound to loopback 127.0.0.1:1984 only, and the RTSP and WebRTC ports are listening:

active
active
active
FIRSTBOOT_DONE
LISTEN 0 4096 127.0.0.1:1984 0.0.0.0:*  users:...
LISTEN 0 511  0.0.0.0:443    0.0.0.0:*  users:...
LISTEN 0 4096 *:8555         *:*        users:...
LISTEN 0 4096 *:8554         *:*        users:...

go2rtc, nginx and the firstboot service all active, with nginx bound to public port 443, the go2rtc API bound to loopback 127.0.0.1:1984 only, and the RTSP 8554 and WebRTC 8555 ports listening

Step 5: Get Your UI Credentials

go2rtc has no default login. On first boot a unique username and password are generated, rendered into the configuration and written to a root only note, so there is no usable credential baked into the image:

sudo cat /root/go2rtc-credentials.txt

The note contains the username, password and URL, unique to this machine:

GO2RTC_URL=https://<vm-ip>/
go2rtc.username=admin_<random>
go2rtc.password=<go2rtc-password>
go2rtc.host=<vm-ip>

The per VM credentials note, mode 0600 root only with the password redacted, and the go2rtc configuration showing the API bound to loopback with local_auth true so Basic auth is forced on every request

Step 6: Verify the Auth Round-Trip

The /healthz endpoint is public for liveness checks, but the web UI and the entire API require the per VM credential, even over loopback. Prove it end to end over TLS without ever printing your password:

UN=$(sudo grep '^go2rtc.username=' /root/go2rtc-credentials.txt | cut -d= -f2-)
PW=$(sudo grep '^go2rtc.password=' /root/go2rtc-credentials.txt | cut -d= -f2-)
curl -sk -o /dev/null -w 'GET /healthz            -> HTTP %{http_code}\n' https://127.0.0.1/healthz
curl -sk -o /dev/null -w 'GET /api (no creds)     -> HTTP %{http_code}\n' https://127.0.0.1/api
curl -sk -o /dev/null -w 'GET /api (per-VM creds) -> HTTP %{http_code}\n' -u "$UN:$PW" https://127.0.0.1/api

The health endpoint answers 200, the API is refused without credentials, and the per VM credential signs you in:

GET /healthz            -> HTTP 200
GET /api (no creds)     -> HTTP 401
GET /api (per-VM creds) -> HTTP 200

The auth round-trip over TLS: the health endpoint returns 200, the API returns 401 without credentials and 200 with the per VM credentials, and a JPEG snapshot is retrieved from the demo stream

Step 7: Open the Stream Dashboard

Open the web UI in a browser and sign in with the username and password from Step 5 (your browser shows a certificate warning the first time because the certificate is self signed and unique to this VM; accept it, or add a real certificate in Step 16). The dashboard lists every configured stream, its online state and one click links to view it, copy its protocol URLs, or inspect it:

open https://<vm-ip>/

The go2rtc web dashboard signed in, listing the demo stream with its online state and stream, links and delete actions, and the WebRTC, MSE, HLS and MJPEG mode toggles

Step 8: Watch the Live Stream

Click stream next to the demo stream to open the player. go2rtc negotiates the lowest latency protocol the browser supports, WebRTC first, then Media Source Extensions, so the demonstration test pattern plays live in the browser:

The go2rtc live viewer playing the demonstration test pattern stream in the browser over Media Source Extensions

Step 9: Copy the Stream Links

Click links next to a stream to see every way to consume it: WebRTC and MSE for browsers, HLS for Apple devices, MJPEG and a frame.jpeg snapshot, an stream.mp4 recording URL, and the raw rtsp:// restream address with a ready to paste ffplay command. This is how you embed a stream in your own page or wire it into another tool:

The go2rtc stream links page listing every protocol URL for the demo stream: WebRTC and MSE via stream.html, HLS via stream.m3u8, MJPEG, a frame.jpeg snapshot, and the raw RTSP restream address with an ffplay command

Step 10: Add a Camera in the Web UI

Click add in the top navigation to open the add source page. go2rtc can ingest a wide range of cameras and platforms, RTSP and ONVIF network cameras, USB and V4L2 devices, and integrations such as Apple HomeKit, Google Nest, Ring, Tuya and Home Assistant. Pick your source type and follow the prompts, and go2rtc writes the new stream into /etc/go2rtc/go2rtc.yaml for you:

The go2rtc add source page listing the supported camera and platform integrations including RTSP, ONVIF, FFmpeg devices, Apple HomeKit, Google Nest, GoPro, Home Assistant, Ring and Tuya

Step 11: Add a Camera in the Config File

You can also edit the configuration directly. Each entry under streams is a name mapped to one or more sources. Add your camera's RTSP URL (most IP cameras expose one) alongside the demo stream:

streams:
  demo: "ffmpeg:virtual?video&size=1280x720#video=h264"
  front_door: rtsp://<camera-username>:<camera-password>@<camera-ip>:554/stream1

Then apply the change and reload the dashboard in your browser:

# After editing /etc/go2rtc/go2rtc.yaml, apply the change and reload https://<vm-ip>/
sudo systemctl restart go2rtc.service

go2rtc connects to the camera on demand when a viewer opens the stream, and republishes it over WebRTC, MSE, HLS, MJPEG and RTSP without you touching the camera again.

Step 12: Server Components

Component Path
go2rtc binary /opt/go2rtc/go2rtc
Configuration /etc/go2rtc/go2rtc.yaml
Configuration template (for firstboot) /etc/go2rtc/go2rtc.yaml.template
Systemd unit /etc/systemd/system/go2rtc.service
Firstboot script /usr/local/sbin/go2rtc-firstboot.sh
nginx TLS reverse proxy /etc/nginx/sites-available/cloudimg-go2rtc
Self signed TLS certificate /etc/nginx/tls/go2rtc.crt
Per VM credentials note /root/go2rtc-credentials.txt (mode 0600)
Sentinel /var/lib/cloudimg/go2rtc-firstboot.done
/opt/go2rtc/go2rtc --version
ls /opt/go2rtc/go2rtc /etc/go2rtc/go2rtc.yaml /etc/systemd/system/go2rtc.service
UN=$(sudo grep '^go2rtc.username=' /root/go2rtc-credentials.txt | cut -d= -f2-)
PW=$(sudo grep '^go2rtc.password=' /root/go2rtc-credentials.txt | cut -d= -f2-)
curl -sk -u "$UN:$PW" https://127.0.0.1/api/streams | jq 'keys'

go2rtc reports version 1.9.14, the component paths exist, and the API lists the configured streams:

go2rtc version 1.9.14 (b5948cf) linux/amd64
/opt/go2rtc/go2rtc /etc/go2rtc/go2rtc.yaml /etc/systemd/system/go2rtc.service
[
  "demo"
]

go2rtc reporting version 1.9.14, the installed component paths, and the API listing the configured demo stream

Step 13: Managing the Service

sudo systemctl restart go2rtc.service
sudo journalctl -u go2rtc.service --no-pager -n 20

go2rtc restarts in well under a second because it is a single binary with no database. The service is hardened with NoNewPrivileges, ProtectSystem=full, ProtectHome and PrivateTmp, and is only granted write access to its own configuration directory so the web UI can persist streams you add.

Step 14: Configuration

go2rtc is configured entirely through /etc/go2rtc/go2rtc.yaml. The key sections set by this image:

Section Meaning Image default
api.listen Web UI and API bind address 127.0.0.1:1984 (loopback)
api.local_auth Force Basic auth on every request true
api.username / api.password Per VM credential (generated at first boot) unique per VM
rtsp.listen RTSP restream server :8554
webrtc.listen WebRTC media :8555
webrtc.candidates Public address discovery stun:8555
streams Named streams and their sources the demo stream

After editing the file, apply changes with sudo systemctl restart go2rtc.service. nginx is the sole public listener and terminates TLS; go2rtc never binds a public port for its UI.

Step 15: Change the UI Password

The credential is generated per VM at first boot. To set your own, edit api.username and api.password in the configuration and restart go2rtc (replace <new-password>):

sudo sed -i 's/^  password:.*/  password: "<new-password>"/' /etc/go2rtc/go2rtc.yaml
sudo systemctl restart go2rtc.service

Update /root/go2rtc-credentials.txt to match so your note stays accurate, and keep that file readable only by root.

Step 16: Add a Real TLS Certificate (Optional)

The image ships a per VM self signed certificate so the UI is encrypted out of the box. For production, point a DNS record at the VM and install a certificate from Let's Encrypt so browsers trust it without a warning:

sudo apt-get install -y certbot
sudo certbot certonly --standalone -d <your-domain>
sudo sed -i 's#/etc/nginx/tls/go2rtc.crt#/etc/letsencrypt/live/<your-domain>/fullchain.pem#; s#/etc/nginx/tls/go2rtc.key#/etc/letsencrypt/live/<your-domain>/privkey.pem#' /etc/nginx/sites-available/cloudimg-go2rtc
sudo systemctl reload nginx

certbot obtains the certificate and sets up automatic renewal, so your credentials and streams travel over a trusted TLS connection.

Step 17: Security Recommendations

  • Restrict the NSG so ports 443, 22 and the streaming ports only reach trusted networks.
  • Keep the API on loopback: the image binds go2rtc to 127.0.0.1 behind nginx. Do not expose port 1984 directly.
  • Change the credential (Step 15) and keep the note /root/go2rtc-credentials.txt readable only by root.
  • Use a real certificate (Step 16) so the per VM credential and your camera streams travel over trusted TLS.
  • Secure your cameras too: give each camera its own account, and restrict which networks can reach the RTSP and WebRTC ports.
  • Patch the OS monthly with sudo apt-get update && sudo apt-get upgrade; unattended security upgrades are already enabled.

Step 18: Support and Licensing

go2rtc is MIT licensed — no per CPU or per user fee. cloudimg provides commercial support separately.

  • Email: support@cloudimg.co.uk
  • Website: www.cloudimg.co.uk
  • Support hours: 24/7, 24h response SLA

Deploy on Azure

Launch go2rtc on Ubuntu 24.04 with 24/7 support from cloudimg.

View on Marketplace

Need Help?

Our support team is available 24/7. support@cloudimg.co.uk