
[solved] Icecast2 and ssl


maxlinux2000


Hello everyone
I have a problem with icecast because I can't get the let's encrypt ssl certificate to work.
I have followed several tutorials online, but in the end they were all the same, so I explain what I am doing, to see if someone tells me where I am wrong.

 

I have created a script to concatenate the certificates and change ownership and permissions, so that I can run it with cron along with the Let's Encrypt certbot. Here is the script:
----------------------
#!/bin/bash

cat /etc/letsencrypt/live/radio.example.org/cert.pem \
/etc/letsencrypt/live/radio.example.org/privkey.pem \
> /usr/share/icecast2/icecast.pem

chown icecast2.icecast /usr/share/icecast2/icecast.pem
chmod go-r /usr/share/icecast2/icecast.pem
----------------------

Then I modified /etc/icecast2/icecast.xml like this:


<icecast>

    <location>Earth</location>
    <admin>icemaster@localhost</admin>
    <limits>
        <clients>100</clients>
        <sources>2</sources>
        <queue-size>524288</queue-size>
        <client-timeout>30</client-timeout>
        <header-timeout>15</header-timeout>
        <source-timeout>10</source-timeout>

        <burst-on-connect>1</burst-on-connect>
        <burst-size>65535</burst-size>
    </limits>

    <authentication>
        <source-password>MySecretPasswd</source-password>
        <relay-password>MySecretPasswd</relay-password>

        <admin-user>admin</admin-user>
        <admin-password>MySecretPasswd</admin-password>
    </authentication>
    <hostname>radio.example.org</hostname>
    <listen-socket>
        <port>8002</port>
        <ssl>1</ssl>
    </listen-socket>

    <http-headers>
        <header name="Access-Control-Allow-Origin" value="*" />
    </http-headers>

    <!-- Normal mounts -->
    <mount type="normal">
        <mount-name>/radio</mount-name>

        <username>source</username>
        <password>MySecretPasswd</password>

        <max-listeners>500</max-listeners>
        <dump-file>/mnt/1TB/podcast/dump-example1.mp3</dump-file>
        <burst-size>65536</burst-size>
        <!--fallback-mount>/example2.ogg</fallback-mount>
        <fallback-override>1</fallback-override>
        <fallback-when-full>1</fallback-when-full>
        <intro>/example_intro.ogg</intro-->
        <hidden>1</hidden>
        <public>1</public>
        <http-headers>
                <header name="Access-Control-Allow-Origin" value="http://webplayer.example.org" />
                <header name="baz" value="quux" />
        </http-headers>
    </mount>
    <fileserve>1</fileserve>

    <paths>
        <basedir>/usr/share/icecast2</basedir>
        <logdir>/var/log/icecast2</logdir>
        <webroot>/usr/share/icecast2/web</webroot>
        <adminroot>/usr/share/icecast2/admin</adminroot>
        <alias source="/" destination="/status.xsl"/>

    </paths>

    <paths>
         <ssl-certificate>/usr/share/icecast2/icecast.pem</ssl-certificate>
    </paths>

    <logging>
        <accesslog>access.log</accesslog>
        <errorlog>error.log</errorlog>
        <!-- <playlistlog>playlist.log</playlistlog> -->
        <loglevel>4</loglevel> <!-- 4 Debug, 3 Info, 2 Warn, 1 Error -->
        <logsize>10000</logsize> <!-- Max size of a logfile -->
    </logging>

    <security>
        <chroot>0</chroot>
    </security>
</icecast>


... but at each restart of the icecast2 service, the log shows me:

"INFO connection/get_ssl_certificate No SSL capability", and of course on port 8002 I can't connect to https

 

 

[2019-08-29  20:25:31] INFO stats/stats_shutdown stats thread finished
[2019-08-29  20:25:31] INFO main/main Icecast 2.4.3 server started
[2019-08-29  20:25:31] DBUG yp/yp_recheck_config Updating YP configuration
[2019-08-29  20:25:31] INFO connection/get_ssl_certificate No SSL capability
[2019-08-29  20:25:31] INFO yp/yp_update_thread YP update thread started
[2019-08-29  20:25:32] DBUG slave/_slave_thread checking master stream list

 

Anyone have any idea where I am wrong?


 


OK I solved the problem by myself. 

 

Solution to the problem of having SSL support in Icecast on Armbian.
Apparently in Ubuntu the icecast2 package is not compiled with ssl support, so we have to recompile it ourselves.


I will share my notes here, for posterity and for my future reference in case I need them.


I will assume that you already have ispConfig installed on your Armbian (OrangePi PC2 in my case), that you have a fixed, public IP (123.123.123.100), and that you have a subdomain assigned at your registrar with an A record, for example like this:

 

radio.example.org -> 123.123.123.100

 

1) Create a website in ispConfig with SSL and Let's Encrypt for the subdomain radio.example.org with IP 123.123.123.100.
Nothing else is needed. This website is not really going to be used, other than for the SSL certificates.

2) Now uninstall any existing installation of icecast2, if you have not done so already

 

# apt remove --purge icecast2

 

3) Let's prepare the compilation environment for icecast:

 

# apt install git gcc build-essential libcurl4-openssl-dev libxslt1-dev libxml2-dev libogg-dev libvorbis-dev libflac-dev libtheora-dev libssl-dev libspeex-dev

 

4) now download the latest available icecast source code

 

# git clone --recursive https://git.xiph.org/icecast-server.git  (it takes a while to show anything... wait)
# cd icecast-server
# ./autogen.sh
# ./configure --with-curl --with-openssl
# make -j4  (if your board has 8 cores, put -j8 ... and if you only want to use 2 cores put -j2)
# make install

 

5) Now you have to create a user for icecast

 

# adduser --disabled-password --gecos "" icecast

 

6) create logs

 

# mkdir -p /var/log/icecast/  
# touch /var/log/icecast/error.log
# touch /var/log/icecast/access.log
# chown -R icecast.icecast /var/log/icecast
# chown -R icecast.icecast /etc/icecast

 

7) now the SSL certificate already created in ispconfig for the radio.example.org website

 

# mkdir /etc/icecast/ssl/
# touch /usr/local/bin/icecastLetEncrypt.sh
# chmod 755 /usr/local/bin/icecastLetEncrypt.sh
# mcedit /usr/local/bin/icecastLetEncrypt.sh

...and write something like this in it:

---------------------------------------------------------------
#!/bin/bash
# Build the combined PEM (certificate + private key) that icecast.xml
# points to with <ssl-certificate>.
cat /etc/letsencrypt/live/radio.example.org/cert.pem \
/etc/letsencrypt/live/radio.example.org/privkey.pem \
> /etc/icecast/ssl/icecast.pem
# The file contains the private key: owned by icecast, no access for group/others.
chown icecast:icecast /etc/icecast/ssl/icecast.pem
chmod go-r /etc/icecast/ssl/icecast.pem
---------------------------------------------------------------


8) Now the icecast settings:

 

---------------------------------------------------------------

<icecast>
    <!-- location and admin are two arbitrary strings that are e.g. visible
         on the server info page of the icecast web interface
         (server_version.xsl). -->
    <location>ESpaña</location>
    <admin>maxlinux2000@gmail.com</admin>

    <!-- IMPORTANT!
         Especially for inexperienced users:
         Start out by ONLY changing all passwords and restarting Icecast.
         For detailed setup instructions please refer to the documentation.
         It's also available here: http://icecast.org/docs/
    -->

    <limits>
        <clients>100</clients>
        <sources>2</sources>
        <queue-size>524288</queue-size>
        <client-timeout>30</client-timeout>
        <header-timeout>15</header-timeout>
        <source-timeout>10</source-timeout>
        <!-- If enabled, this will provide a burst of data when a client 
             first connects, thereby significantly reducing the startup 
             time for listeners that do substantial buffering. However,
             it also significantly increases latency between the source
             client and listening client.  For low-latency setups, you
             might want to disable this. -->
        <burst-on-connect>1</burst-on-connect>
        <!-- same as burst-on-connect, but this allows for being more
             specific on how much to burst. Most people won't need to
             change from the default 64k. Applies to all mountpoints  -->
        <burst-size>65535</burst-size>
    </limits>

    <authentication>
        <!-- Sources log in with username 'source' -->
        <source-password>MySecretPasswd</source-password>
        <!-- Relays log in with username 'relay' -->
        <relay-password>MySecretPasswd</relay-password>

        <!-- Admin logs in with the username given below -->
        <admin-user>admin</admin-user>
        <admin-password>MySecretPasswd</admin-password>
    </authentication>

    <!-- set the mountpoint for a shoutcast source to use, the default if not
         specified is     /stream but you can change it here if an alternative is
         wanted or an extension is required
    <shoutcast-mount>/live.nsv</shoutcast-mount>
    -->

    <!-- Uncomment this if you want directory listings -->
    <!--
    <directory>
        <yp-url-timeout>15</yp-url-timeout>
        <yp-url>http://dir.xiph.org/cgi-bin/yp-cgi</yp-url>
    </directory>
    -->

    <!-- This is the hostname other people will use to connect to your server.
         It affects mainly the urls generated by Icecast for playlists and yp
         listings. You MUST configure it properly for YP listings to work!
    -->
    <hostname>radio.example.org</hostname>

    <!-- You may have multiple <listener> elements -->
    <listen-socket>
        <port>8000</port>
        <!-- <bind-address>127.0.0.1</bind-address> -->
        <!-- <shoutcast-mount>/stream</shoutcast-mount> -->
    </listen-socket>
    <!--
    <listen-socket>
        <port>8080</port>
    </listen-socket>
    -->

    <listen-socket>
        <port>8443</port>
        <ssl>1</ssl>
    </listen-socket>


    <!-- Global header settings 
         Headers defined here will be returned for every HTTP request to Icecast.

         The ACAO header makes Icecast public content/API by default
         This will make streams easier embeddable (some HTML5 functionality needs it).
         Also it allows direct access to e.g. /status-json.xsl from other sites.
         If you don't want this, comment out the following line or read up on CORS. 
    -->
    <http-headers>
        <header name="Access-Control-Allow-Origin" value="*" />
    </http-headers>


    <!-- Relaying
         You don't need this if you only have one server.
         Please refer to the config for a detailed explanation.
    -->
    <!--<master-server>127.0.0.1</master-server>-->
    <!--<master-server-port>8001</master-server-port>-->
    <!--<master-update-interval>120</master-update-interval>-->
    <!--<master-password>hackme</master-password>-->

    <!-- setting this makes all relays on-demand unless overridden, this is
         useful for master relays which do not have <relay> definitions here.
         The default is 0 -->
    <!--<relays-on-demand>1</relays-on-demand>-->

    <!--
    <relay>
        <server>127.0.0.1</server>
        <port>8080</port>
        <mount>/example.ogg</mount>
        <local-mount>/different.ogg</local-mount>
        <on-demand>0</on-demand>

        <relay-shoutcast-metadata>0</relay-shoutcast-metadata>
    </relay>
    -->


    <!-- Mountpoints
         Only define <mount> sections if you want to use advanced options,
         like alternative usernames or passwords
    -->

    <!-- Default settings for all mounts that don't have a specific <mount type="normal">.
    -->
    <!--
    <mount type="default">
        <public>0</public>
        <intro>/server-wide-intro.ogg</intro>
        <max-listener-duration>3600</max-listener-duration>
        <authentication type="url">
                <option name="mount_add" value="http://auth.example.org/stream_start.php"/>
        </authentication>
        <http-headers>
                <header name="foo" value="bar" />
        </http-headers>
    </mount>
    -->

    <!-- Normal mounts -->

    <mount type="normal">
        <mount-name>/stream2.mp3</mount-name>

        <username>Tester</username>
        <password>MySecretPasswd</password>

        <max-listeners>1</max-listeners>
        <!--dump-file>/tmp/dump-example1.ogg</dump-file-->
        <burst-size>65536</burst-size>
        <!--fallback-mount>/example2.ogg</fallback-mount>
        <fallback-override>1</fallback-override>
        <fallback-when-full>1</fallback-when-full>
        <intro>/example_intro.ogg</intro-->
        <hidden>1</hidden>
        <public>1</public>
        <!--authentication type="htpasswd">
                <option name="filename" value="myauth"/>
                <option name="allow_duplicate_users" value="0"/>
        </authentication-->
        <http-headers>
                <header name="Access-Control-Allow-Origin" value="http://webplayer.example.org" />
        </http-headers>
        <!--on-connect>/home/icecast/bin/stream-start</on-connect>
        <on-disconnect>/home/icecast/bin/stream-stop</on-disconnect-->
    </mount>


    <!--
    <mount type="normal">
        <mount-name>/example-complex.ogg</mount-name>

        <username>othersource</username>
        <password>hackmemore</password>

        <max-listeners>1</max-listeners>
        <dump-file>/tmp/dump-example1.ogg</dump-file>
        <burst-size>65536</burst-size>
        <fallback-mount>/example2.ogg</fallback-mount>
        <fallback-override>1</fallback-override>
        <fallback-when-full>1</fallback-when-full>
        <intro>/example_intro.ogg</intro>
        <hidden>1</hidden>
        <public>1</public>
        <authentication type="htpasswd">
                <option name="filename" value="myauth"/>
                <option name="allow_duplicate_users" value="0"/>
        </authentication>
        <http-headers>
                <header name="Access-Control-Allow-Origin" value="http://webplayer.example.org" />
                <header name="baz" value="quux" />
        </http-headers>
        <on-connect>/home/icecast/bin/stream-start</on-connect>
        <on-disconnect>/home/icecast/bin/stream-stop</on-disconnect>
    </mount>
    -->

    <!--
    <mount type="normal">
        <mount-name>/auth_example.ogg</mount-name>
        <authentication type="url">
            <option name="mount_add"       value="http://myauthserver.net/notify_mount.php"/>
            <option name="mount_remove"    value="http://myauthserver.net/notify_mount.php"/>
            <option name="listener_add"    value="http://myauthserver.net/notify_listener.php"/>
            <option name="listener_remove" value="http://myauthserver.net/notify_listener.php"/>
            <option name="headers"         value="x-pragma,x-token"/>
            <option name="header_prefix"   value="ClientHeader."/>
        </authentication>
    </mount>
    -->

    <fileserve>1</fileserve>

    <paths>
        <!-- basedir is only used if chroot is enabled -->
        <basedir>/usr/share/icecast</basedir>

        <!-- Note that if <chroot> is turned on below, these paths must both
             be relative to the new root, not the original root -->
        <logdir>/var/log/icecast</logdir>
        <webroot>/usr/share/icecast/web</webroot>
        <adminroot>/usr/share/icecast/admin</adminroot>
        <!-- <pidfile>/usr/share/icecast/icecast.pid</pidfile> -->

        <!-- Aliases: treat requests for 'source' path as being for 'dest' path
             May be made specific to a port or bound address using the "port"
             and "bind-address" attributes.
          -->
        <!--
        <alias source="/foo" destination="/bar"/>
        -->
        <!-- Aliases: can also be used for simple redirections as well,
             this example will redirect all requests for http://server:port/ to
             the status page
        -->
        <alias source="/" destination="/status.xsl"/>
        <!-- The certificate file needs to contain both public and private part.
             Both should be PEM encoded.
    -->
        <ssl-certificate>/etc/icecast/ssl/icecast.pem</ssl-certificate>
    </paths>

    <logging>
        <accesslog>access.log</accesslog>
        <errorlog>error.log</errorlog>
        <!-- <playlistlog>playlist.log</playlistlog> -->
        <loglevel>3</loglevel> <!-- 4 Debug, 3 Info, 2 Warn, 1 Error -->
        <logsize>10000</logsize> <!-- Max size of a logfile -->
        <!-- If logarchive is enabled (1), then when logsize is reached
             the logfile will be moved to [error|access|playlist].log.DATESTAMP,
             otherwise it will be moved to [error|access|playlist].log.old.
             Default is non-archive mode (i.e. overwrite)
        -->
        <!-- <logarchive>1</logarchive> -->
    </logging>

    <security>
        <chroot>0</chroot>
        <!--
        <changeowner>
            <user>nobody</user>
            <group>nogroup</group>
        </changeowner>
        -->
    </security>
</icecast>

---------------------------------------------------------------

 

9) Now we test if it works with:

 

# sudo -H -u icecast /usr/local/bin/icecast -b -c /etc/icecast/icecast.xml

 

If there are errors, they must be corrected.
The reason for the error appears on the screen.
Normally they are permission problems or you cannot find a file or a folder.


10) creation of a systemd service

 

# mcedit /etc/systemd/system/icecast.service

...and copy/paste on it:

 

----------------------
[Unit]
Description=icecast service
After=multi-user.target

[Service]
Type=forking
Restart=on-failure
User=icecast
ExecStart=/usr/local/bin/icecast -b -c /etc/icecast/icecast.xml
WorkingDirectory=/home/icecast
StandardOutput=syslog
StandardError=syslog

[Install]
WantedBy=multi-user.target

----------------------

 

11) Kill icecast if it happens to be running. To find the PID number, you can run this command:

 

# ps -A | grep icecast 

 

and the console shows something like this:

 

  PID TTY          TIME CMD
22780 pts/0    00:00:04 icecast

 

To kill the process do 

 

# kill -9 22780  (you must use your own PID number)

 

and then:

 

# systemctl daemon-reload
# systemctl enable icecast.service
# systemctl start icecast.service

 

Now you have icecast active and with SSL support!!

 

Go to https://radio.example.org:8443 and you will see that icecast opens with SSL support

 

Notes:
This configuration of icecast.xml, allows 2 simultaneous transmissions at the same time. One at the mount point:
https://radio.example.org:8443/stream (source/MySecretPasswd)
and the other in
https://radio.example.org:8443/stream2.mp3 (Tester/MySecretPasswd)


For the source transmission (Cool Mic on Android, ffmpeg on Linux, or another app that supports icecast), you should enter:


icecast server: radio.example.org
Mount: stream
port: 8000
user: source
passwd: MySecretPasswd


icecast server: radio.example.org
Mount: stream2.mp3
port: 8000
user: Tester
passwd: MySecretPasswd


Second note: the cron rule for the SSL certificate is still missing. I have to write it and add it here.


 

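The second note in the post above leaves the renewal step open. One way to close it, as an added example that is not part of the original post: a certbot deploy hook that rebuilds the combined PEM only when the key matches the certificate, writes it with owner-only permissions from the moment it exists, and then restarts the service. It assumes certbot manages the certificate and that the `openssl` CLI is installed; `build_icecast_pem` is a hypothetical helper name, and it concatenates `fullchain.pem` (as the later reply in this thread does) so the intermediate certificates are served too.

```bash
#!/bin/bash
# Added example, not from the thread. Install as a root-owned executable in
# /etc/letsencrypt/renewal-hooks/deploy/ ; certbot runs deploy hooks after a
# successful renewal with RENEWED_LINEAGE set to the live/<name> directory.

# build_icecast_pem LIVE_DIR DEST [OWNER]   (hypothetical helper name)
build_icecast_pem() {
    local live="$1" dest="$2" owner="${3:-}" tmp cert_pub key_pub

    # Refuse to touch DEST unless both inputs look like PEM files.
    grep -q -- '-----BEGIN CERTIFICATE-----' "$live/fullchain.pem" 2>/dev/null || {
        echo "no certificate in $live/fullchain.pem" >&2; return 1; }
    grep -q -- 'PRIVATE KEY-----' "$live/privkey.pem" 2>/dev/null || {
        echo "no private key in $live/privkey.pem" >&2; return 1; }

    # The leaf certificate's public key must equal the one derived from the key.
    cert_pub=$(openssl x509 -in "$live/fullchain.pem" -noout -pubkey 2>/dev/null) || return 1
    key_pub=$(openssl pkey -in "$live/privkey.pem" -pubout 2>/dev/null) || return 1
    [ "$cert_pub" = "$key_pub" ] || {
        echo "private key does not match certificate" >&2; return 1; }

    # mktemp creates the file mode 0600, so the key is never world-readable.
    # Same directory as DEST, so the final mv is an atomic rename.
    tmp=$(mktemp "$(dirname "$dest")/.icecast.pem.XXXXXX") || return 1
    if cat "$live/fullchain.pem" "$live/privkey.pem" > "$tmp" &&
       { [ -z "$owner" ] || chown "$owner" "$tmp"; } &&
       mv -f "$tmp" "$dest"; then
        return 0
    fi
    rm -f "$tmp"
    return 1
}

# Only act when certbot invoked us for this site's certificate.
case "${RENEWED_LINEAGE:-}" in
    */radio.example.org)
        # Paths, user and unit name are the ones used in the post above.
        build_icecast_pem "$RENEWED_LINEAGE" /etc/icecast/ssl/icecast.pem icecast:icecast &&
            systemctl restart icecast.service   # restart so the new file is read
        ;;
esac
```

Because the old file is replaced only after every check passes, a failed or mismatched renewal leaves the running server's certificate file untouched.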

Below is the Spanish-language translation of the previous post.

Solution to the problem of having SSL support in Icecast on Armbian.
Apparently in Ubuntu the icecast2 package is not compiled with SSL support, so we have to recompile it ourselves.
I am sharing my notes here, for posterity and for my future reference in case I need them.


I am going to assume that you already have ispConfig installed on your Armbian (OrangePi PC2 in my case), that you have a fixed, public IP (123.123.123.100), and that you have a subdomain assigned at your registrar with an A record, for example like this:

radio.example.org -> 123.123.123.100

1) Create a website in ispConfig with SSL and Let's Encrypt for the subdomain radio.example.org with IP 123.123.123.100.
Nothing else is needed. This website is not actually going to be used, other than for the SSL certificates.

2) Now uninstall any existing installations of icecast2, if you have not done so already

# apt remove --purge icecast2

3) Let's prepare the build environment for icecast:

# apt install git gcc build-essential libcurl4-openssl-dev libxslt1-dev libxml2-dev libogg-dev libvorbis-dev libflac-dev libtheora-dev libssl-dev libspeex-dev

4) Now download the latest available icecast source code

# git clone --recursive https://git.xiph.org/icecast-server.git  (it takes a while to show anything... wait)
# cd icecast-server
# ./autogen.sh
# ./configure --with-curl --with-openssl
# make -j4  (if your board has 8 cores, use -j8 ... and if you only want to use 2, use -j2)
# make install

5) Now create a user for icecast

# adduser --disabled-password --gecos "" icecast

6) Create logs

# mkdir -p /var/log/icecast/  
# touch /var/log/icecast/error.log
# touch /var/log/icecast/access.log
# chown -R icecast.icecast /var/log/icecast
# chown -R icecast.icecast /etc/icecast

7) Now the SSL certificate already created in ispconfig for the radio.example.org website

# mkdir /etc/icecast/ssl/
# touch /usr/local/bin/icecastLetEncrypt.sh
# chmod 755 /usr/local/bin/icecastLetEncrypt.sh
# mcedit /usr/local/bin/icecastLetEncrypt.sh

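...and write something like this:
---------------------------------------------------------------
#!/bin/bash
# Build the combined PEM (certificate + private key) that icecast.xml
# points to with <ssl-certificate>.
cat /etc/letsencrypt/live/radio.example.org/cert.pem \
/etc/letsencrypt/live/radio.example.org/privkey.pem \
> /etc/icecast/ssl/icecast.pem
# The file contains the private key: owned by icecast, no access for group/others.
chown icecast:icecast /etc/icecast/ssl/icecast.pem
chmod go-r /etc/icecast/ssl/icecast.pem
---------------------------------------------------------------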

8) Now the icecast configuration:

---------------------------------------------------------------

<icecast>
    <!-- location and admin are two arbitrary strings that are e.g. visible
         on the server info page of the icecast web interface
         (server_version.xsl). -->
    <location>ESpaña</location>
    <admin>maxlinux2000@gmail.com</admin>

    <!-- IMPORTANT!
         Especially for inexperienced users:
         Start out by ONLY changing all passwords and restarting Icecast.
         For detailed setup instructions please refer to the documentation.
         It's also available here: http://icecast.org/docs/
    -->

    <limits>
        <clients>100</clients>
        <sources>2</sources>
        <queue-size>524288</queue-size>
        <client-timeout>30</client-timeout>
        <header-timeout>15</header-timeout>
        <source-timeout>10</source-timeout>
        <!-- If enabled, this will provide a burst of data when a client 
             first connects, thereby significantly reducing the startup 
             time for listeners that do substantial buffering. However,
             it also significantly increases latency between the source
             client and listening client.  For low-latency setups, you
             might want to disable this. -->
        <burst-on-connect>1</burst-on-connect>
        <!-- same as burst-on-connect, but this allows for being more
             specific on how much to burst. Most people won't need to
             change from the default 64k. Applies to all mountpoints  -->
        <burst-size>65535</burst-size>
    </limits>

    <authentication>
        <!-- Sources log in with username 'source' -->
        <source-password>MySecretPasswd</source-password>
        <!-- Relays log in with username 'relay' -->
        <relay-password>MySecretPasswd</relay-password>

        <!-- Admin logs in with the username given below -->
        <admin-user>admin</admin-user>
        <admin-password>MySecretPasswd</admin-password>
    </authentication>

    <!-- set the mountpoint for a shoutcast source to use, the default if not
         specified is     /stream but you can change it here if an alternative is
         wanted or an extension is required
    <shoutcast-mount>/live.nsv</shoutcast-mount>
    -->

    <!-- Uncomment this if you want directory listings -->
    <!--
    <directory>
        <yp-url-timeout>15</yp-url-timeout>
        <yp-url>http://dir.xiph.org/cgi-bin/yp-cgi</yp-url>
    </directory>
    -->

    <!-- This is the hostname other people will use to connect to your server.
         It affects mainly the urls generated by Icecast for playlists and yp
         listings. You MUST configure it properly for YP listings to work!
    -->
    <hostname>radio.example.org</hostname>

    <!-- You may have multiple <listener> elements -->
    <listen-socket>
        <port>8000</port>
        <!-- <bind-address>127.0.0.1</bind-address> -->
        <!-- <shoutcast-mount>/stream</shoutcast-mount> -->
    </listen-socket>
    <!--
    <listen-socket>
        <port>8080</port>
    </listen-socket>
    -->

    <listen-socket>
        <port>8443</port>
        <ssl>1</ssl>
    </listen-socket>


    <!-- Global header settings 
         Headers defined here will be returned for every HTTP request to Icecast.

         The ACAO header makes Icecast public content/API by default
         This will make streams easier embeddable (some HTML5 functionality needs it).
         Also it allows direct access to e.g. /status-json.xsl from other sites.
         If you don't want this, comment out the following line or read up on CORS. 
    -->
    <http-headers>
        <header name="Access-Control-Allow-Origin" value="*" />
    </http-headers>


    <!-- Relaying
         You don't need this if you only have one server.
         Please refer to the config for a detailed explanation.
    -->
    <!--<master-server>127.0.0.1</master-server>-->
    <!--<master-server-port>8001</master-server-port>-->
    <!--<master-update-interval>120</master-update-interval>-->
    <!--<master-password>hackme</master-password>-->

    <!-- setting this makes all relays on-demand unless overridden, this is
         useful for master relays which do not have <relay> definitions here.
         The default is 0 -->
    <!--<relays-on-demand>1</relays-on-demand>-->

    <!--
    <relay>
        <server>127.0.0.1</server>
        <port>8080</port>
        <mount>/example.ogg</mount>
        <local-mount>/different.ogg</local-mount>
        <on-demand>0</on-demand>

        <relay-shoutcast-metadata>0</relay-shoutcast-metadata>
    </relay>
    -->


    <!-- Mountpoints
         Only define <mount> sections if you want to use advanced options,
         like alternative usernames or passwords
    -->

    <!-- Default settings for all mounts that don't have a specific <mount type="normal">.
    -->
    <!--
    <mount type="default">
        <public>0</public>
        <intro>/server-wide-intro.ogg</intro>
        <max-listener-duration>3600</max-listener-duration>
        <authentication type="url">
                <option name="mount_add" value="http://auth.example.org/stream_start.php"/>
        </authentication>
        <http-headers>
                <header name="foo" value="bar" />
        </http-headers>
    </mount>
    -->

    <!-- Normal mounts -->

    <mount type="normal">
        <mount-name>/stream2.mp3</mount-name>

        <username>Tester</username>
        <password>MySecretPasswd</password>

        <max-listeners>1</max-listeners>
        <!--dump-file>/tmp/dump-example1.ogg</dump-file-->
        <burst-size>65536</burst-size>
        <!--fallback-mount>/example2.ogg</fallback-mount>
        <fallback-override>1</fallback-override>
        <fallback-when-full>1</fallback-when-full>
        <intro>/example_intro.ogg</intro-->
        <hidden>1</hidden>
        <public>1</public>
        <!--authentication type="htpasswd">
                <option name="filename" value="myauth"/>
                <option name="allow_duplicate_users" value="0"/>
        </authentication-->
        <http-headers>
                <header name="Access-Control-Allow-Origin" value="http://webplayer.example.org" />
        </http-headers>
        <!--on-connect>/home/icecast/bin/stream-start</on-connect>
        <on-disconnect>/home/icecast/bin/stream-stop</on-disconnect-->
    </mount>


    <!--
    <mount type="normal">
        <mount-name>/example-complex.ogg</mount-name>

        <username>othersource</username>
        <password>hackmemore</password>

        <max-listeners>1</max-listeners>
        <dump-file>/tmp/dump-example1.ogg</dump-file>
        <burst-size>65536</burst-size>
        <fallback-mount>/example2.ogg</fallback-mount>
        <fallback-override>1</fallback-override>
        <fallback-when-full>1</fallback-when-full>
        <intro>/example_intro.ogg</intro>
        <hidden>1</hidden>
        <public>1</public>
        <authentication type="htpasswd">
                <option name="filename" value="myauth"/>
                <option name="allow_duplicate_users" value="0"/>
        </authentication>
        <http-headers>
                <header name="Access-Control-Allow-Origin" value="http://webplayer.example.org" />
                <header name="baz" value="quux" />
        </http-headers>
        <on-connect>/home/icecast/bin/stream-start</on-connect>
        <on-disconnect>/home/icecast/bin/stream-stop</on-disconnect>
    </mount>
    -->

    <!--
    <mount type="normal">
        <mount-name>/auth_example.ogg</mount-name>
        <authentication type="url">
            <option name="mount_add"       value="http://myauthserver.net/notify_mount.php"/>
            <option name="mount_remove"    value="http://myauthserver.net/notify_mount.php"/>
            <option name="listener_add"    value="http://myauthserver.net/notify_listener.php"/>
            <option name="listener_remove" value="http://myauthserver.net/notify_listener.php"/>
            <option name="headers"         value="x-pragma,x-token"/>
            <option name="header_prefix"   value="ClientHeader."/>
        </authentication>
    </mount>
    -->

    <fileserve>1</fileserve>

    <paths>
        <!-- basedir is only used if chroot is enabled -->
        <basedir>/usr/share/icecast</basedir>

        <!-- Note that if <chroot> is turned on below, these paths must both
             be relative to the new root, not the original root -->
        <logdir>/var/log/icecast</logdir>
        <webroot>/usr/share/icecast/web</webroot>
        <adminroot>/usr/share/icecast/admin</adminroot>
        <!-- <pidfile>/usr/share/icecast/icecast.pid</pidfile> -->

        <!-- Aliases: treat requests for 'source' path as being for 'dest' path
             May be made specific to a port or bound address using the "port"
             and "bind-address" attributes.
          -->
        <!--
        <alias source="/foo" destination="/bar"/>
        -->
        <!-- Aliases: can also be used for simple redirections as well,
             this example will redirect all requests for http://server:port/ to
             the status page
        -->
        <alias source="/" destination="/status.xsl"/>
        <!-- The certificate file needs to contain both public and private part.
             Both should be PEM encoded.
    -->
        <ssl-certificate>/etc/icecast/ssl/icecast.pem</ssl-certificate>
    </paths>

    <logging>
        <accesslog>access.log</accesslog>
        <errorlog>error.log</errorlog>
        <!-- <playlistlog>playlist.log</playlistlog> -->
        <loglevel>3</loglevel> <!-- 4 Debug, 3 Info, 2 Warn, 1 Error -->
        <logsize>10000</logsize> <!-- Max size of a logfile -->
        <!-- If logarchive is enabled (1), then when logsize is reached
             the logfile will be moved to [error|access|playlist].log.DATESTAMP,
             otherwise it will be moved to [error|access|playlist].log.old.
             Default is non-archive mode (i.e. overwrite)
        -->
        <!-- <logarchive>1</logarchive> -->
    </logging>

    <security>
        <chroot>0</chroot>
        <!--
        <changeowner>
            <user>nobody</user>
            <group>nogroup</group>
        </changeowner>
        -->
    </security>
</icecast>

---------------------------------------------------------------

9) Now we test whether it works with

# sudo -H -u icecast /usr/local/bin/icecast -b -c /etc/icecast/icecast.xml

If there are errors, they must be corrected.
The reason for the error appears on the screen.
Normally they are permission problems, or a file or a folder cannot be found.


10) Creating a systemd service

# mcedit /etc/systemd/system/icecast.service

and paste into the file:

----------------------
[Unit]
Description=icecast service
After=multi-user.target

[Service]
Type=forking
Restart=on-failure
User=icecast
ExecStart=/usr/local/bin/icecast -b -c /etc/icecast/icecast.xml
WorkingDirectory=/home/icecast
StandardOutput=syslog
StandardError=syslog

[Install]
WantedBy=multi-user.target

----------------------

11) Kill icecast if it happens to be running. To find the PID, you can run this command:

# ps -A | grep icecast 

and you get something like this:

  PID TTY          TIME CMD
22780 pts/0    00:00:04 icecast

To kill icecast, run

# kill -9 22780  (the PID will not be the same)

and then

systemctl daemon-reload
systemctl enable icecast.service
systemctl start icecast.service

Now you have icecast active and with SSL

Go to the page https://radio.example.org:8443 and you will see that icecast opens with SSL support

Notes:
This icecast.xml configuration allows 2 simultaneous transmissions at the same time. One at the mount point:
https://radio.example.org:8443/stream  (source/MySecretPasswd)
and the other at
https://radio.example.org:8443/stream2.mp3 (Tester/MySecretPasswd)


For the source transmission (Cool Mic from Android, ffmpeg from Linux, or another app that supports icecast), you have to enter:


server: radio.example.org
Mount: stream
port: 8000
user: source
password: MySecretPasswd


server: radio.example.org
Mount: stream2.mp3
port: 8000
user: Tester
password: MySecretPasswd


Second note. The cron rule for the SSL certificate is still missing. I will add it later.


 


Hello,

I had problems with the MaxLinux2000 solution but I found an easier one: https://mediarealm.com.au/articles/icecast-https-ssl-setup-lets-encrypt/

 

Installing Icecast with HTTPS Support

On your server, add the Xiph package repository to your apt source list:

sudo sh -c "echo deb http://download.opensuse.org/repositories/multimedia:/xiph/xUbuntu_18.10/ ./ >>/etc/apt/sources.list.d/icecast.list"

Download the signing key and add it to apt:

wget -qO - http://icecast.org/multimedia-obs.key | sudo apt-key add -

Note: at the time of writing, the key supplied in the above command has expired. You can instead use this command to download the newer one from OpenSUSE directly:

wget -qO - https://build.opensuse.org/projects/multimedia:libs/public_key | sudo apt-key add -

Update the packages cache:

apt-get update

Now, you can install or update Icecast:

apt-get install icecast2

You can keep your old  configuration file and make the next steps on it:

 

If you have the ssl files ready:

cat /etc/letsencrypt/live/<YOUR ADDRESS>/fullchain.pem  /etc/letsencrypt/live/<YOUR ADDRESS>/privkey.pem >  /usr/share/icecast2/icecast2.pem

If not: https://tecadmin.net/install-lets-encrypt-create-ssl-ubuntu/

 

Configure Icecast for SSL

We are now ready to finish this off and get Icecast running with our new certificate.

Edit Icecast.xml in a text editor:

nano /etc/icecast2/icecast.xml

Add this line to the <paths></paths> section:

<ssl-certificate>/usr/share/icecast2/icecast2.pem</ssl-certificate>

Now, add this section to the document (in the root XML node):

<listen-socket> <port>443</port> <ssl>1</ssl> </listen-socket>

Quit the text editor, and now restart Icecast:

sudo service icecast2 restart

 

Regards.

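Whichever route is taken in this thread (rebuilding from source or installing the Xiph package), the log line from the first post is the thing to re-check after the restart. The following is an added example, not code from any of the posts: it lists the `<listen-socket>` blocks that ask for `<ssl>1</ssl>` and reports whether the server has logged `No SSL capability` since its most recent start. Function names and the sample config are constructed for illustration; the sample log lines are the ones quoted in the first post.

```bash
#!/bin/bash
# Added example, not from the thread. Line-oriented checks, not a full XML parser.

# Print the ports of uncommented <listen-socket> blocks that set <ssl>1</ssl>.
tls_listener_ports() {
    awk '
    {
        line = $0
        gsub(/<!--.*-->/, "", line)              # drop one-line comments
        if (in_comment) {                        # inside a multi-line comment
            i = index(line, "-->")
            if (!i) next
            line = substr(line, i + 3); in_comment = 0
        }
        i = index(line, "<!--")
        if (i) { line = substr(line, 1, i - 1); in_comment = 1 }
        if (line ~ /<listen-socket>/) { inside = 1; port = ""; ssl = 0 }
        if (inside && match(line, /<port>[0-9]+<\/port>/))
            port = substr(line, RSTART + 6, RLENGTH - 13)
        if (inside && line ~ /<ssl>[ \t]*1[ \t]*<\/ssl>/) ssl = 1
        if (inside && line ~ /<\/listen-socket>/) { if (ssl) print port; inside = 0 }
    }' "$1"
}

# Print only the error.log lines written since the most recent server start.
since_last_start() {
    awk '/ main\/main Icecast .* server started$/ { buf = "" }
         { buf = buf $0 "\n" }
         END { printf "%s", buf }' "$1"
}

# icecast_tls_status CONFIG ERROR_LOG
# Prints: no-tls-listener | no-tls-build <ports> | tls-listener-configured <ports>
icecast_tls_status() {
    local ports
    ports=$(tls_listener_ports "$1" | paste -s -d ' ' -)
    if [ -z "$ports" ]; then
        echo "no-tls-listener"
    elif since_last_start "$2" |
         grep -q 'connection/get_ssl_certificate No SSL capability$'; then
        echo "no-tls-build $ports"     # TLS requested, binary cannot provide it
    else
        echo "tls-listener-configured $ports"
    fi
}

# True when the binary is dynamically linked against OpenSSL's libssl.
links_libssl() { ldd "$1" 2>/dev/null | grep -q 'libssl'; }

# Constructed sample config plus the log lines quoted in the first post.
demo_status() {
    local d out
    d=$(mktemp -d) || return 1
    cat > "$d/icecast.xml" <<'EOF'
<icecast>
    <!--
    <listen-socket>
        <port>8080</port>
        <ssl>1</ssl>
    </listen-socket>
    -->
    <listen-socket>
        <port>8002</port>
        <ssl>1</ssl>
    </listen-socket>
</icecast>
EOF
    cat > "$d/error.log" <<'EOF'
[2019-08-29  20:25:31] INFO stats/stats_shutdown stats thread finished
[2019-08-29  20:25:31] INFO main/main Icecast 2.4.3 server started
[2019-08-29  20:25:31] DBUG yp/yp_recheck_config Updating YP configuration
[2019-08-29  20:25:31] INFO connection/get_ssl_certificate No SSL capability
[2019-08-29  20:25:31] INFO yp/yp_update_thread YP update thread started
EOF
    out=$(icecast_tls_status "$d/icecast.xml" "$d/error.log")
    rm -rf "$d"
    printf '%s\n' "$out"
}

# Usage: script.sh /etc/icecast2/icecast.xml /var/log/icecast2/error.log
if [ "$#" -eq 2 ]; then
    icecast_tls_status "$1" "$2"
    if bin=$(command -v icecast2 || command -v icecast); then
        if links_libssl "$bin"; then echo "$bin links libssl"
        else echo "$bin does not link libssl"; fi
    fi
fi
```

A `no-tls-build` result means the configuration asks for TLS on the listed ports while the running binary reports it cannot provide it, which is the situation the first post describes.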
