Ajitabh Pandey's Soul & Syntax

Exploring systems, souls, and stories – one post at a time

Author: Ajitabh

  • Who Holds the Plough and the Vision? Inside Dayalbagh’s Spiritual Ecology

    When people see photos of Dayalbagh’s lush fields, dairy, and tree‑lined roads, one question often follows: who actually runs all this? It is one thing to talk about ecotheology and community farming in theory; it is another to keep a whole settlement living that way, every single day, across generations.

    In an earlier post, I wrote about how farming in Dayalbagh can feel like stepping into an open‑air temple, where soil, seed, and sweat become part of a daily act of worship.

    In this post, I want to stay with that “who” and “how”: how a living spiritual centre, shared values, and a distinctive education system shape the way work, conflicts, and change are handled in Radhasoami Faith Dayalbagh.

    A Living Centre: Sant Satguru and the Shared Vision

    Dayalbagh is not simply an eco‑village that later added a religious identity; it is a faith‑based community that has grown its ecological and social practices around a spiritual centre. The overall direction of community life is shaped by the Radhasoami Satsang Sabha, the central body of the faith community, under the guidance of a living Sant Satguru.

    At present, Revered Prof. P. S. Satsangi is the Sant Satguru of the Radhasoami (Ra Dha Sva Aa Mi) Faith. He also serves as Chairman of the Advisory Committee on Education (ACE), which guides the educational policy of Dayalbagh Educational Institute. This dual role is important: it means that spiritual guidance and educational vision are not two parallel tracks but deeply intertwined.

    In Radhasoami (Ra Dha Sva Aa Mi) faith, understanding, bhakti (devotion) and prem (love) for the present and past Satgurus are not just private emotions; they are the inner source of discipline, commitment, and a willingness to work together for the common good. When people share the same spiritual focus, the “big picture” becomes more than a management chart—it becomes a lived aspiration.

    Dayalbagh Educational Institute: Where Vision Meets Research and Training

    Within Dayalbagh, the Dayalbagh Educational Institute (DEI) is a “deemed to be university” that functions as both an academic institution and a practical laboratory for the community’s way of life. Its education policy, originally framed in 1975, explicitly aims at “integral education” — spiritual, moral, intellectual, and vocational — rooted in the values of the Radhasoami (Ra Dha Sva Aa Mi) Faith and the everyday practices of Dayalbagh.

    DEI’s programmes range from pre‑nursery to doctoral levels and cover fields such as agriculture, dairy technology, renewable energy, management, social sciences, and education, with a strong emphasis on skill development and social service. Many faculty members serve in honorary or partly honorary capacities, reflecting the ethic of seva (selfless service) rather than purely transactional employment.

    In practical terms, DEI acts as the research and training “engine room” for Dayalbagh’s ecological projects:

    • developing agroecological methods for the community’s Agroecology‑cum‑Precision Farm,
    • studying water, soil, and air quality,
    • designing nano‑enterprises in dairy and food processing,
    • and taking these models to rural and tribal areas through outreach centres.

    So while the Sant Satguru and RSS hold the spiritual and overall vision, DEI operationalizes it in education, research, and training.

    From Vision to Daily Seva

    If you walk through Dayalbagh early in the morning, you will see that the vision is not only in policy papers; it is in the mud on people’s hands. Residents – young and old, men and women – go to the fields and Gaushala (Cowshed) in organized shifts, working voluntarily in ploughing, weeding, harvesting, fodder cutting, milking, composting, and related tasks.

    In Dayalbagh, all volunteers below the age of seventy are affectionately referred to as “Young Men” and “Women,” and everyone is encouraged to offer seva within the limits of their physical capacity. The emphasis is not on how much one can do, but on participating joyfully in a shared act of service.

    This is very much a “practice what you preach” culture. The present Sant Satguru himself, Revered Prof. P. S. Satsangi, continues to go to the agricultural fields to perform seva even at the age of eighty‑nine, setting a living example of humility and devotion for the entire community. In many ways, his quiet, steady fieldwork echoes the spirit of Srimadbhagavadgita (2.47) “कर्मण्येवाधिकारस्ते”कर्मणि (in action), एव (only), अधिकारः (your rightful responsibility), ते (yours): a reminder that one’s place is in doing the work, not grasping at its results.

    These daily rhythms are not enforced by salaries or fear of penalties. They are carried by shared values:

    • seva (selfless service) as an expression of bhakti (devotion),
    • dignity of labour,
    • simplicity of lifestyle,
    • and a commitment to the “Fatherhood of God and Brotherhood of Man,” which extends to care for land, water, animals, and neighbours.

    Because people see tangible fruits – cleaner surroundings, affordable food, strong community bonds, and a sense of participation in something larger than themselves – the model continues to attract participation without constant persuasion campaigns.

    A Values‑Driven Way of Handling Difficulty

    From outside, we rarely get access to the internal details of how interpersonal conflicts are handled, and it would not be honest to speculate. What we can see clearly, though, is how Dayalbagh responds to practical challenges and potential “failures” in its ecological and social experiments.

    Over the past decades, community members have:

    • transformed once sandy, ravine‑ridden land into fertile, organically managed fields;
    • addressed water scarcity by combining rainwater harvesting, treated wastewater reuse, and drip irrigation, reducing water use and production costs;
    • introduced sensor‑based monitoring and cooling systems in the Gaushala to protect animals from heat stress;
    • and responded to air pollution and the COVID‑19 pandemic by using open‑air spaces, restricting vehicles, and relying on biodiversity buffers and local food systems.

    In each of these cases, the community did not simply endure problems; it experimented, adjusted, and learned. DEI’s education policy speaks of fostering “frugal innovation” and “learning by doing,” and the institute’s entrepreneurial labs and nano‑enterprises embody a culture where trying, failing, troubleshooting, and trying again are normal parts of growth.

    Taken together, this suggests that Dayalbagh’s way of handling difficulty is less about hiding failure and more about treating it as a shared problem to be addressed in a spirit of seva and experiment. The system is deliberately values‑driven, experimental, and adaptive in the face of environmental and practical challenges.

    From a spiritual perspective, the presence of a living Sant Satguru and the community’s prem (love and affection) for the Satgurus of the past and present provide the inner orientation needed to resolve problems when they arise.

    Growing Up in the Middle of It: Children and Youth

    What does all this look like for children and Gen Z? In Dayalbagh, young people are not only observers of the system; they are formed by it from the earliest years.

    • Early childhood: Even very young children are exposed to field environments and values education in natural surroundings, through schemes that emphasize discipline, cooperation, and selfless service in age‑appropriate ways.
    • School and college: At DEI, courses in agriculture, environmental studies, social service, and rural development are built into the curriculum. Students regularly participate in field seva, Yamuna river clean‑up efforts, and social‑service camps, often working alongside older community members and teachers.
    • Higher education and skills: Programmes like B.Voc and M.Voc in Dairy Technology, Food Processing, Apparel, and Renewable Energy are tied to real units – mini dairy plants, garment workshops, and food‑processing labs – where students learn to run small enterprises in a value‑based way.

    Special initiatives such as ATMA (Apparel and Toy Making Association), ADyNam (Agricultural and Dairy Nano‑processing of Multi‑products), and AAM (Automotive and Multi‑skill Karkhana) train youth and women in practical skills, both within Dayalbagh and in outreach locations like the tribal cluster of Rajaborari.

    In this way, the younger generation does not have to be “convinced” of the model after the fact; they grow up inside it.

    Beyond Dayalbagh: Sharing the Model

    Though Dayalbagh has a strong internal identity, it is not inward‑looking. DEI and the community have taken their integrated model of faith, ecology, and education to other regions, especially rural and tribal areas.

    In Rajaborari (Madhya Pradesh), for example, DEI and Dayalbagh have helped establish a “Forest of the Merciful” cluster of villages where education from pre‑nursery to higher levels is provided through ICT (Information Communication and Technology) centres and EDUSAT, and where local people are trained in skills such as garment making, food processing, and automotive services under initiatives like ATMA, ADyNam, and AAM.

    Internationally, Dayalbagh’s approach has been showcased in policy forums (such as the G20/T20 process) as a community‑based path toward achieving the UN Sustainable Development Goals, and linked institutions like the International Centre for Agroecology (ICA) in New Jersey and the International Centre for Applied Systems and Sustainable Development (ICASSSD) in Toronto help carry its insights to other contexts.

    Here too, the sharing is not only technical; it is ethical and spiritual. The insistence on honesty, simplicity, non‑violence, and service shapes how training is offered and how partnerships are conceived.

    Organization as a Form of Bhakti

    Seen from a distance, Dayalbagh’s organization can look very intricate: spiritual leadership, Radhasoami Satsang Sabha, DEI, agroecology, precision farming, nano‑enterprises, outreach centres. But looked at from within, there is a simpler thread holding it together: bhakti and prem for the Satguru, expressed through values‑driven work in every domain of life.

    In that sense, the question “who sees the big picture?” has a layered answer. Yes, there are committees, frameworks, and institutional roles. But beneath them is a shared spiritual orientation that treats organizing, teaching, farming, and problem – solving themselves as forms of devotion.

    For those of us looking in from outside, Dayalbagh offers not a ready‑made blueprint, but a living example: when spiritual guidance, ethical values, research, and daily labour are all allowed to pull in the same direction, it becomes possible – not easy, but possible – to sustain a community that cares for its land and its people over the long haul.

  • Why Is My Computer Asking to “Find Devices” on My Network? (Should I Say Yes?)

    If you’ve opened Chrome, a coding app, or even some basic software lately, you might have seen a message like:

    “Allow this app to find and connect to devices on your local network?”

    That can sound a bit unsettling. It almost feels like your computer wants to look around your house. So what’s really going on?

    Think of It Like Your Home

    Imagine your Wi-Fi as a hallway inside your house.

    • Your laptop is in one room
    • Your TV is in another
    • Your printer is somewhere else

    Normally, these devices stay in their own spaces. When an app asks for “local network access,” it’s basically asking:

    “Can I walk into the hallway and see what other devices are nearby?”

    It’s not breaking in – it’s just asking permission to look around.

    Why Apps Ask for This

    Most of the time, apps aren’t trying to spy on you. They’re just trying to do useful things.

    Here are a few common situations:

    • Watching something and casting it to your TV
      Your browser needs to find your TV on the same Wi-Fi. Without permission, it simply can’t see it.
    • Printing a document
      Your laptop needs to locate your printer and send the file to it.
    • Setting up smart devices
      If you buy a smart bulb or camera, the setup app needs to find that device to connect it to your Wi-Fi.

    What About AI or Coding Apps?

    You might also see this with tools like Codex or Cursor or other AI apps.

    Even if you’re not a programmer, here’s why:

    • Some apps sync files between your devices over your home Wi-Fi
    • Some AI tools connect to local services or devices instead of using the internet

    So the request is still about devices talking to each other inside your home network.

    So… Should You Allow It?

    Here’s a simple way to decide:

    • Browsers (Chrome, Safari):
      Start with “No.” You don’t need it for normal browsing. If you try to cast something later, it’ll ask again.
    • Setting up a new device:
      Say “Yes.” It won’t work otherwise.
    • Coding or AI tools:
      Usually “No,” unless you know you need it.
    • Music or smart speaker apps (Spotify):
      Say “Yes” if you want to control devices around your house.

    Is There Any Privacy Risk?

    A little, yes.

    When you allow access, the app can see what devices are connected to your Wi-Fi. That might include things like your TV, speakers, or other gadgets.

    It’s not stealing anything, but it can build a picture of your setup. Companies might use that kind of information to better target ads or understand your habits.

    The Simple Rule

    If you’re unsure, just tap “Don’t Allow.”

    Nothing breaks permanently. If something stops working (like casting or printing), you can always go into your settings later and turn it on.

    Think of it this way: keep the doors closed until you actually need to open them.

  • Blocking Metadata Access: A Simple SSRF Hardening Win

    Blocking Metadata Access: A Simple SSRF Hardening Win

    If you’re running infrastructure on cloud platforms, there’s a quiet but powerful security control you can apply with almost no downside: block access to the instance metadata service (IMDS) from your workloads.

    I recently applied this on a couple of authoritative DNS nodes running on DigitalOcean, and it’s one of those rare changes that’s both low-risk and high-value.

    This blog post explains what is it and how to go about it.

    What is Instance Metadata?

    Most cloud providers expose a metadata service to instances (VMs). This is a local HTTP endpoint that lets the VM retrieve information about itself, such as:

    • Instance ID, hostname
    • Network configuration
    • SSH keys (sometimes)
    • IAM credentials (on some platforms)

    This service is not on the public internet. Instead, it’s exposed via a link-local IP address, meaning it’s only reachable from within the instance.

    The most commonly used metadata IP:

    169.254.169.254

    This address is part of the link-local range (169.254.0.0/16) and is widely adopted across cloud providers.

    Why is Metadata Access Dangerous?

    By itself, metadata access is not inherently bad, it’s useful for bootstrapping.

    The problem arises when you combine it with SSRF (Server-Side Request Forgery) vulnerabilities.

    The Risk Scenario

    If an attacker can trick your application into making HTTP requests (e.g., via SSRF), they may be able to:

    1. Access http://169.254.169.254
    2. Query metadata endpoints
    3. Extract sensitive data like:
      • Temporary credentials (e.g., IAM roles on Amazon Web Services)
      • Internal configuration

    This has been the root cause of several real-world breaches.

    • The Capital One data breach is the canonical example: an SSRF vulnerability was used to access the AWS Instance Metadata Service and extract credentials, ultimately exposing data of over 100 million customers
    • Security research consistently shows that IMDS (especially IMDSv1) can act as a “skeleton key,” allowing attackers to pivot from a simple SSRF bug to full cloud account compromise
    • A 2025 large-scale campaign specifically targeted EC2 instances by abusing metadata endpoints to steal credentials via SSRF
    • More recent vulnerabilities (e.g., CVE-2026-39361) explicitly note that attackers can retrieve IAM credentials from AWS, GCP, or Azure metadata services once SSRF is achieved
    • Industry threat reports confirm this is ongoing: attackers have been observed systematically exploiting metadata services at scale to steal credentials

    So, the metadata endpoints turn a “minor” SSRF bug into credential theft, privilege escalation, and full infrastructure compromise.

    Why Blocking It Makes Sense

    For many workloads, especially dedicated infrastructure nodes like:

    • Authoritative DNS servers
    • Reverse proxies
    • Stateless services

    there is no legitimate need to access metadata after provisioning.

    So blocking it gives you:

    • SSRF blast-radius reduction
    • Defense-in-depth
    • Zero operational impact (in most cases)

    How to Block Metadata Access (iptables)

    The simplest approach: deny outbound traffic to 169.254.169.254

    Basic Rule

    iptables -A OUTPUT -d 169.254.169.254 -j DROP

    With Logging (Optional)

    iptables -A OUTPUT -d 169.254.169.254 -j LOG --log-prefix "IMDS BLOCK: "
iptables -A OUTPUT -d 169.254.169.254 -j DROP

    If You Use Default-Deny Outbound (Recommended)

    If you already enforce a strict outbound policy:

    # Ensure metadata is explicitly blocked
iptables -A OUTPUT -d 169.254.169.254 -j REJECT

    nftables Equivalent

    nft add rule inet filter output ip daddr 169.254.169.254 drop

    Common Metadata IPs Across Cloud Providers

    While my own usage is mostly limited to DigitalOcean and Amazon Web Services Lightsail, a quick survey of other major platforms shows a consistent design choice: the same metadata endpoint (169.254.169.254) is used across Amazon Web Services, Google Cloud Platform, Microsoft Azure, DigitalOcean, and Oracle Cloud Infrastructure.

    NOTE – Blocking this single IP covers almost all major platforms.

    When Not to Block It

    There are a few scenarios where you should be careful:

    • Instances relying on dynamic IAM credentials (common in Amazon Web Services)
    • Auto-scaling systems fetching config at runtime
    • Agents that depend on metadata (monitoring, provisioning)

    If unsure, monitor before blocking:

    iptables -A OUTPUT -d 169.254.169.254 -j LOG

    Then review logs for a few days.

    A Practical Rule of Thumb

    • Infra nodes (DNS, proxies, load balancers): Block it
    • App servers with IAM roles: Evaluate carefully
    • Minimal/static workloads: Block it

    Final Thoughts

    Blocking metadata access is one of those rare controls that:

    • Takes minutes to implement
    • Requires no architectural change
    • Meaningfully reduces risk

    If you’re already running a default-deny outbound firewall, this should be part of your baseline.

    If not, this is a great place to start.

  • When Farming Becomes Prayer: Ecotheology and Everyday Life in Dayalbagh

    The agricultural fields of Dayalbagh, Agra do not feel like conventional farms. When you enter them, it can seem as though you have stepped into an open-air temple where soil, seed, and sweat are all part of an unbroken act of worship.

    During my master’s studies in theology at Dayalbagh Educational Institute, I wrote a short paper as part of a self-study project. This blog grows out of that work, exploring how a Radhasoami (Ra Dha Sva Aa Mi) faith-based community in Dayalbagh, Agra, approaches agriculture as a form of daily spiritual practice, and what this perspective might contribute to contemporary ecotheology.

    What Ecotheology Looks Like on the Ground

    Ecotheology is often defined in abstract terms: a branch of theology that reflects on the relationship between God, humans, and the natural world. But at its heart, ecotheology is simply a way of asking: if we truly believe the world is sacred, how should that change the way we live on the land, grow food, and treat other beings?

    Radhasoami (Ra Dha Sva Aa Mi) community at Dayalbagh offers a rare, concrete answer to that question. Rather than treating religion as something that happens only in a temple or during a weekly service, this community integrates spiritual practice into every layer of daily life – education, transport, healthcare, and crucially, agriculture. Here farming is not just an economic activity, it is a primary arena in which spiritual ideals like selfless service, quality, and stewardship are lived out.

    Dayalbagh: A Living Eco-Village

    Dayalbagh is often described as an eco‑village or eco‑city: a consciously designed community that strives to be socially, economically, and ecologically sustainable. With a few thousand permanent residents and many more pilgrims visiting during major festivals, it functions as a small town whose way of life influences neighboring communities as well.

    Agriculture and dairying are central pillars of this model. Over the last century, residents have transformed what was once difficult terrain into a largely self‑sufficient, green landscape that produces food, fodder, fruits, and herbs for residents, pilgrims, and associated institutions like the Dayalbagh Educational Institute.

    Dayalbagh today is characterized by organic fields, tree‑lined roads, rainwater harvesting structures, and a Gaushala (cowshed) that is fully integrated into the local food and energy system.

    Seva in the Fields: When Work Becomes Worship

    One of the most striking features of Dayalbagh’s agriculture is that most of the work is done as seva – voluntary, selfless service. Hundreds of residents, irrespective of age, caste, income, or occupation, gather in the fields morning and evening to weed, transplant, irrigate, and harvest, not for wages but as an expression of devotion.

    This is not romanticized rhetoric: fieldwork is recognized as physically demanding, and yet it is embraced as a spiritual discipline that cultivates humility, shared responsibility, and a direct connection with the land.
    The Dayalbagh model explicitly frames agriculture as an “opportunity to do selfless service,” a way of participating in the upliftment of all rather than merely securing one’s own livelihood.

    From an ecotheological perspective, this is profound. It means that environmental stewardship is not an optional “add‑on” to spiritual life, it is one of the main ways people actually practice their faith.

    Organic Farming as an Ethical Commitment

    Dayalbagh’s farm is officially described as an “Agroecology‑cum‑Precision Farm,” and one of its foundational commitments is to organic cultivation. Agriculture there “mostly follows the concept of zero chemical fertilizers and pesticides,” relying instead on compost, vermicompost, biofertilizers, and organic manure from the dairy.

    Cow dung and urine from the Gaushala are recycled as fertilizer and as inputs for biogas, creating a near closed‑loop system where waste becomes resource. This reduces dependence on external chemical inputs, protects soil and water quality, and aligns with the Radhasoami emphasis on ahimsa (non‑harm) and reverence for life, not only human life, but also plant, animal, and microbial life.

    Author, using organic manure in the Dayalbagh fields

    In a world where industrial agriculture often treats soil as an inert medium and animals as production units, Dayalbagh’s organic practices embody a different ethic: one of care, reciprocity, and restraint.

    Ecology, Community, and Consciousness

    Ecotheology is not only about “nature”, it is also about community. Dayalbagh’s agricultural system is deeply communal, involving residents, students, and visiting satsangis in everything from sowing to harvesting.
    Agricultural work is woven into the education system of the Dayalbagh Educational Institute, so that students learn not only theories in classrooms but also values like dignity of labour, cooperation, and environmental responsibility through hands‑on fieldwork.

    At the same time, the community’s broader philosophy – often captured in phrases like “better worldliness” and the “Dayalbagh Way of Life” – insists that spiritual growth and social responsibility cannot be separated. Living a good life means living in a way that reduces one’s footprint, shares resources fairly, and consciously aligns everyday practices with the welfare of all beings.

    This is why Dayalbagh’s way of life is frequently cited as a practical model for implementing all 17 UN Sustainable Development Goals: sustainability is not pursued through policy documents alone, but through daily habits in housing, food, energy, education, and transport.

    A Different Imagination of Progress

    Spending time with Dayalbagh’s fields invites us to rethink what “progress” means. Here, success is not measured only by yield per acre or income per capita, but by the quality of relationships – between people and land, humans and animals, elders and children, contemplation and work.

    The community does not reject technology; on the contrary, it uses innovations like drip irrigation, rainwater harvesting, and recycled wastewater to reduce resource use and environmental impact. Yet these tools are always subordinated to deeper values: selfless service, moderation, and a commitment to the upliftment of all rather than the enrichment of a few.

    For ecotheology, this is a crucial lesson. The question is not simply whether we use technology, but what spiritual and ethical frameworks guide that use.
    Dayalbagh suggests that when technology is harnessed in the spirit of seva and stewardship, it can support rather than undermine our sacred relationship with the earth.

    What We Can Learn Wherever We Are

    Most of us do not live in intentional eco‑villages, and we may not have access to community farms or Gaushalas. But we can still draw inspiration from the way Radhasoami (Ra Dha Sva Aa Mi) Faith at Dayalbagh turns farming into a daily liturgy of care: buying food more consciously, growing a few herbs or vegetables, reducing waste, and treating our local environments as sanctuaries rather than as commodities.

    For me, as a theology student, Dayalbagh has been a living commentary on ecotheology, one written not in academic prose, but in compost piles, irrigation channels, and tired yet joyful hands returning from the fields. It reminds us that the most compelling religious environmental ethics may not be found in books alone, but in communities where farming itself has become a form of prayer.

  • Lessons from Running a Live Streaming Setup for More than 7 Years

    After seven years of managing high-traffic live streams, you learn that the biggest challenges aren’t usually the video codecs—they are the “invisible” layers: filesystem synchronization, HTTP header inheritance, and metadata consistency.

    When you scale from a single server to a cluster of distribution nodes behind a Load Balancer (LB), the margin for error disappears. Here are the core lessons learned from troubleshooting a production-scale HLS environment.

    1. The “Last-Modified” Lie and LB Skew

    In a multi-server setup (we use 5 distribution nodes), your player is constantly rotating between different IPs. If you use lsyncd or rsync to push files from a source to these nodes, you will encounter Sync Skew.

    Even with a 0-second delay, one server might receive the latest .m3u8 playlist 500ms before another. If a player hits Server A and then Server B, and Server B is slightly behind, the player sees a Last-Modified timestamp that is “older” than the previous one. This triggers Stall Detection in the player (often seen as manifestAgeMs jumping between 20s and 70s), even if the stream is technically healthy.

    The Lesson: Don’t let the player rely on the file’s “birth certificate.” Force the player to judge the stream by its actual content (the Media Sequence) by suppressing metadata headers and using aggressive cache control.

    location /livestream/ {
        alias /var/www/liveout/;
        
        # HLS Playlists must never be cached by the LB or the Player
        add_header Cache-Control "no-cache, no-store, must-revalidate, max-age=0" always;
        expires -1;
        
        # Kill the headers that cause false "Stall" detections
        add_header Last-Modified "";
        add_header ETag "";
        if_modified_since off;

        open_file_cache off;
        include cors_support;
    }

    2. The Nginx Inheritance Trap (CORS)

    This is a silent killer. In Nginx, if you define an add_header directive in a parent location and then define any add_header in a nested child location, the child does not inherit the parent’s headers.

    If you optimize your .ts segments for caching but forget to re-include your CORS headers inside that specific block, your player will fetch the playlist successfully but then fail to download the actual media segments due to a CORS error.

    The Lesson: Always re-include your cors_support and use the always flag. The always flag ensures that even if a segment is briefly missing (404), the CORS headers are sent, allowing the player to see the 404 instead of throwing a confusing “CORS blocked” error.

    location ~* \.ts$ {
        # Re-include CORS because we are adding Cache-Control headers here
        include cors_support;
        
        # Segments are immutable; cache them forever
        add_header Cache-Control "max-age=31536000, public, immutable" always;
        expires 1y;
        
        # File handle caching is safe for segments
        open_file_cache max=1000 inactive=20s;
    }

    3. The “Two Masters” Conflict in rtmp.conf

    A common mistake is trying to “help” Nginx-RTMP by giving it an application block for every stream type. In our setup, we found that we have an application app_audio block with hls on; while a separate FFmpeg script was writing audio HLS directly to the same disk. This was causing random failures in generating the audio segments.

    Nginx-RTMP has a built-in “Garbage Collector” (hls_cleanup). If it sees files in its hls_path that it didn’t specifically create (because FFmpeg wrote them directly), it will delete them. To the admin, it looks like files are vanishing into thin air.

    The Lesson: If your FFmpeg script is handling the HLS generation (which is often necessary to satisfy strict Apple AVPlayer requirements for audio-only streams), remove the application block from Nginx-RTMP entirely.

    Correct Lean rtmp.conf Logic:

    • Application Ingest: Receives the stream and triggers the script.
    • Application Video: Receives the transcoded RTMP push for video HLS.
    • Audio: No application block. Let FFmpeg own the directory and the filesystem.

    4. The rsync Trap: --size-only

    When syncing HLS manifests to distribution nodes, it is tempting to use --size-only to speed up transfers. Do not do this. An HLS manifest often retains the same file size even when the content changes (e.g., by swapping one 12-second segment URL for another). rsync with --size-only will detect identical byte counts and skip the sync, leaving your distribution nodes with stale playlists.

    The Lesson: Stick to the default mtime (modification time) checks. On a high-performance instance like a DigitalOcean C4 Droplet, the overhead is negligible, but reliability is everything.

    Summary: The Good, the Bad, and the Buffering

    1. Split your caching: Playlists get max-age=0; Segments get immutable.
    2. Explicit CORS: Nginx inheritance is not your friend. Re-include headers in nested blocks.
    3. One Master per Folder: If FFmpeg writes the HLS, Nginx-RTMP should stay out of the way.
    4. Atomic Sync: Use lsyncd with delay = 0 and compress = false for the lowest possible latency across your Load Balancer.

    By following these principles, you ensure that strict players – especially Apple’s AVPlayer – receive a stream that is consistent, fresh, and compliant with the HLS spec.