Why doesn't Icecast2 want to stream over https?

Icecast2 2.4.1 with SSL support is installed on a server running Ubuntu 14.04 LTS. There is also an HTTPS site running on this server. I want to embed an HTML5 player into the page that will also take the stream over SSL (otherwise there is a mixed-content error). The site has a commercial SSL certificate; Icecast is self-signed. Icecast config file:

<icecast>
<location>****</location>
<admin>admin@*************</admin>
<limits>
    <clients>1000</clients>
    <sources>2</sources>
    <threadpool>5</threadpool>
    <queue-size>524288</queue-size>
    <source-timeout>10</source-timeout>
    <burst-on-connect>0</burst-on-connect>
    <burst-size>65535</burst-size>
</limits>
<authentication>
    <source-password>*****</source-password>
    <relay-password>*****</relay-password>
    <admin-user>*****</admin-user>
    <admin-password>*****</admin-password>
</authentication>
<hostname>************</hostname> 
<listen-socket>
    <port>8000</port>
    <ssl>1</ssl>
</listen-socket>
<mount>
    <mount-name>/stream</mount-name>
    <charset>utf-8</charset>
</mount>
<mount> 
    <mount-name>/ogg</mount-name>
    <charset>utf-8</charset>
</mount>
<fileserve>1</fileserve>
<paths>
    <basedir>/usr/share/icecast2</basedir>
    <logdir>/var/log/icecast2</logdir>
    <webroot>/usr/share/icecast2/web</webroot>
    <adminroot>/usr/share/icecast2/admin</adminroot>
    <alias source="/" dest="/status.xsl"/>
    <ssl-certificate>/etc/icecast2/icecast2.pem</ssl-certificate>
</paths>
<logging>
    <accesslog>access.log</accesslog>
    <errorlog>error.log</errorlog>
    <loglevel>4</loglevel>
</logging>
<security>
    <chroot>0</chroot>
    <changeowner>
        <user>icecast2</user>
        <group>icecast</group>
    </changeowner>
</security>
</icecast>


Certificate for Icecast (/etc/icecast2/icecast2.pem) generated by:

openssl req -new -newkey rsa:2048 -days 365 -nodes -x509 -keyout icecast2.pem -out icecast2.pem

I expect to get an output stream from the addresses https://domain.name:8000/stream and https://domain.name:8000/ogg for insertion into the player via the audio tag, but the response is silence. Plain http addresses, on the other hand, all work fine. I still haven't figured out what the error is ... Thanks in advance for your help!



1 answer


I recently ran into this problem and didn't have much time to solve it, and didn't see a lot of documentation for it. I am guessing this is not the most widely used icecast config, so I just proxied it through nginx and it works fine.

Here is an example nginx vhost. Make sure to change the domain, check your paths, and think about the location you want the proxy to connect to and how you want to handle the ports.

Note that this will make your stream available on port 443 instead of 8000. Some clients (e.g. facebookexternalhit/1.1) may try to hang on the stream because they think the https URL is waiting for a connection. This may not be the behavior you expect or desire.

Also, if you don't want HTTP to be available at all, be sure to change the bind address to localhost, e.g.:

 <!-- inside <listen-socket>, alongside <port> -->
 <bind-address>127.0.0.1</bind-address>

www.example.com.nginx.conf

##### NO SSL REDIRECT #########################################

server
  {
  listen 80;
  server_name www.example.com;
  location /listen
    {
    if ($ssl_protocol = "")
        {
         rewrite ^   https://$server_name$request_uri? permanent;
        }

    }

  }

#### SSL ######################################################

server
 {
 ssl on;
 ssl_certificate_key /etc/sslmate/www.example.com.key;
 ssl_certificate /etc/sslmate/www.example.com.chained.crt;
 # Recommended security settings from https://wiki.mozilla.org/Security/Server_Side_TLS
 ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
 ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA';
 ssl_prefer_server_ciphers on;
 ssl_dhparam /usr/share/sslmate/dhparams/dh2048-group14.pem;
 ssl_session_timeout 5m;
 ssl_session_cache shared:SSL:5m;
 # Enable this if you want HSTS (recommended)
 add_header Strict-Transport-Security max-age=15768000;
 listen 443 ssl;
 server_name www.example.com;

 location /
  {
  proxy_pass         http://127.0.0.1:8000/;
  proxy_redirect     off;
  proxy_set_header   Host             $host;
  proxy_set_header   X-Real-IP        $remote_addr;
  proxy_set_header   X-Forwarded-For  $proxy_add_x_forwarded_for;
  }

  } 

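Added example, not code from the question or the answer: a small POSIX shell diagnostic that covers both set-ups on this page, Icecast 2.4 terminating TLS itself on port 8000 (the question) and nginx terminating TLS in front of a loopback-only Icecast (the answer). The fact behind the first check is that Icecast 2.4 wraps an `<ssl>1</ssl>` listen-socket in TLS only when the binary was built with OpenSSL and the file named in `<ssl-certificate>` loaded at start-up with both key and certificate; if either condition fails, that socket keeps serving plain HTTP and error.log (loglevel 4 is enough) records why. That is the first thing to suspect when https on 8000 yields nothing while http on the same port works. The host names (domain.name, www.example.com), the PEM path and the ports are assumptions taken from the page's placeholders.

```shell
#!/bin/sh
# Added diagnostic script (not from the question or the answer). Checks an
# Icecast 2.4 TLS deployment in both shapes discussed on this page:
#   direct:  <listen-socket><port>8000</port><ssl>1</ssl></listen-socket>
#   proxied: nginx on 443 -> Icecast on 127.0.0.1:8000 (plain HTTP)
# Host names, paths and ports below are assumptions; adjust to your setup.

# 1. The file named in <ssl-certificate> must hold both the private key and
#    the certificate. A single -keyout/-out target, as in the question, does
#    that; a file with only one of them makes Icecast skip TLS at start-up.
pem_has_key_and_cert() {  # usage: pem_has_key_and_cert FILE
    grep -q -E '^-----BEGIN (RSA |EC )?PRIVATE KEY-----' "$1" || return 1
    grep -q -E '^-----BEGIN CERTIFICATE-----' "$1" || return 1
}

# 2. Does the port really speak TLS? Icecast 2.4 applies TLS to an <ssl>1</ssl>
#    socket only if the certificate loaded (and OpenSSL is compiled in);
#    otherwise the same socket serves plain HTTP, which matches the question's
#    symptom: https returns nothing, http works. Prints the negotiated
#    protocol, or "no-tls" if no handshake completed.
tls_probe() {  # usage: tls_probe HOST PORT
    out=$(printf '' | openssl s_client -connect "$1:$2" -servername "$1" 2>/dev/null)
    proto=$(printf '%s\n' "$out" | sed -n 's/^ *Protocol *: *//p' | head -n 1)
    if [ -n "$proto" ] && printf '%s\n' "$out" | grep -q 'BEGIN CERTIFICATE'; then
        printf '%s\n' "$proto"
    else
        printf 'no-tls\n'
    fi
}

# 3. Response headers of a mount. A live mount answers "200 OK" with an
#    audio/* Content-Type. -k accepts the self-signed Icecast certificate;
#    drop it when probing the nginx front-end, whose certificate should
#    validate. --max-time stops curl because the stream body never ends.
stream_headers() {  # usage: stream_headers URL [extra curl options]
    url=$1; shift
    curl -sS -k -D - -o /dev/null --max-time 5 "$@" "$url" 2>/dev/null || true
}

# 4. Behind nginx, Icecast should be reachable only on the loopback address
#    (<bind-address>127.0.0.1</bind-address> in <listen-socket>). Reads the
#    output of `ss -ltn` or `netstat -ltn` on stdin and succeeds only if every
#    listener on PORT is bound to 127.0.0.1 or ::1.
port_loopback_only() {  # usage: ss -ltn | port_loopback_only PORT
    awk -v p="$1" '
        $4 ~ (":" p "$") {
            addr = substr($4, 1, length($4) - length(p) - 1)
            if (addr != "127.0.0.1" && addr != "[::1]" && addr != "::1")
                exposed = 1
        }
        END { exit exposed ? 1 : 0 }'
}

# Example run against the assumed hosts: direct Icecast, then the nginx
# front-end. Invoke as: sh icecast-tls-check.sh run
if [ "${1:-}" = "run" ]; then
    pem_has_key_and_cert /etc/icecast2/icecast2.pem \
        && echo "PEM: key and certificate present" \
        || echo "PEM: key or certificate missing"
    echo "icecast:8000 -> $(tls_probe domain.name 8000)"
    stream_headers https://domain.name:8000/stream | head -n 12
    echo "nginx:443 -> $(tls_probe www.example.com 443)"
    stream_headers https://www.example.com/stream | head -n 12
    ss -ltn | port_loopback_only 8000 \
        && echo "8000 bound to loopback only" \
        || echo "WARNING: 8000 reachable on a non-loopback address"
fi
```

If `tls_probe` reports `no-tls` for port 8000 while the config has `<ssl>1</ssl>`, read error.log for the certificate or OpenSSL message before touching the player; a working certificate answers with the protocol name and `stream_headers` shows the audio Content-Type. Two things to carry over to the answer's nginx configuration: put `proxy_buffering off;` in the proxy location so nginx passes audio through as it arrives instead of holding it in proxy buffers and temp files, and prefer `ssl_protocols TLSv1.2 TLSv1.3;` over the TLSv1/TLSv1.1 list in the answer, which reflects the Mozilla guidance of its time rather than current practice.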