10

On a server with Ubuntu 14.04 LTS I installed Icecast2 2.4.1 with SSL support. An HTTPS website also runs on this server. I want to embed an HTML5 player on the page that will also take the stream through SSL (otherwise there is a mixed content error). The site has a commercial SSL certificate, Icecast a self-signed one. Icecast config file:

<icecast>
<location>****</location>
<admin>admin@*************</admin>
<limits>
    <clients>1000</clients>
    <sources>2</sources>
    <threadpool>5</threadpool>
    <queue-size>524288</queue-size>
    <source-timeout>10</source-timeout>
    <burst-on-connect>0</burst-on-connect>
    <burst-size>65535</burst-size>
</limits>
<authentication>
    <source-password>*****</source-password>
    <relay-password>*****</relay-password>
    <admin-user>*****</admin-user>
    <admin-password>*****</admin-password>
</authentication>
<hostname>************</hostname> 
<listen-socket>
    <port>8000</port>
    <ssl>1</ssl>
</listen-socket>
<mount>
    <mount-name>/stream</mount-name>
    <charset>utf-8</charset>
</mount>
<mount> 
    <mount-name>/ogg</mount-name>
    <charset>utf-8</charset>
</mount>
<fileserve>1</fileserve>
<paths>
    <basedir>/usr/share/icecast2</basedir>
    <logdir>/var/log/icecast2</logdir>
    <webroot>/usr/share/icecast2/web</webroot>
    <adminroot>/usr/share/icecast2/admin</adminroot>
    <alias source="/" dest="/status.xsl"/>
    <ssl-certificate>/etc/icecast2/icecast2.pem</ssl-certificate>
</paths>
<logging>
    <accesslog>access.log</accesslog>
    <errorlog>error.log</errorlog>
    <loglevel>4</loglevel>
</logging>
<security>
    <chroot>0</chroot>
    <changeowner>
        <user>icecast2</user>
        <group>icecast</group>
    </changeowner>
</security>
</icecast>

Certificate for Icecast (/etc/icecast2/icecast2.pem) generated by:

openssl req -new -newkey rsa:2048 -days 365 -nodes -x509 -keyout icecast2.pem -out icecast2.pem

I expect to get the output stream from the addresses https://domain.name:8000/stream and https://domain.name:8000/ogg for insertion into the player via the audio tag, but the response is silence. With the plain http addresses everything works fine. I cannot understand what the mistake is... Thanks in advance for your help!

Alexander

4 Answers

8

I ran into this issue recently and didn't have a lot of time to solve it, nor did I see much documentation for doing so. I assume it's not the most widely used Icecast config, so I just proxied mine with nginx and it works fine.

Here's an example nginx vhost. Be sure to change domain, check your paths and think about the location you want the mount proxied to and how you want to handle ports.

Please note this will make your stream available on port 443 instead of 8000. Certain clients (such as facebookexternalhit/1.1) may try to hang onto the stream as though it's an https URL waiting to connect. This may not be the behavior you expect or desire.

Also, if you want no http available at all, be sure to change bind-address back to the local host, e.g.:

 <bind-address>127.0.0.1</bind-address>

www.example.com.nginx.conf

server {
  listen 80;
  server_name www.example.com;
  location /listen {
    if ($ssl_protocol = "") {
      rewrite ^   https://$server_name$request_uri? permanent;
    }
  }
}

#### SSL

server {
  ssl on;
  ssl_certificate_key /etc/sslmate/www.example.com.key;
  ssl_certificate /etc/sslmate/www.example.com.chained.crt;

  # Recommended security settings from https://wiki.mozilla.org/Security/Server_Side_TLS
  ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
  ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA';
  ssl_prefer_server_ciphers on;
  ssl_dhparam /usr/share/sslmate/dhparams/dh2048-group14.pem;
  ssl_session_timeout 5m;
  ssl_session_cache shared:SSL:5m;

  # Enable this if you want HSTS (recommended)
  add_header Strict-Transport-Security max-age=15768000;
  listen 443 ssl;
  server_name www.example.com;

  location / {
    proxy_pass         http://127.0.0.1:8000/;
    proxy_redirect     off;
    proxy_set_header   Host             $host;
    proxy_set_header   X-Real-IP        $remote_addr;
    proxy_set_header   X-Forwarded-For  $proxy_add_x_forwarded_for;
  }

}
Warren Stevens
  • This worked for me after struggling to find an icecast solution for too many hours. Thanks Warren! I used a slightly modified location block from https://www.digitalocean.com/community/tutorials/how-to-configure-nginx-with-ssl-as-a-reverse-proxy-for-jenkins – ryanrain Jun 26 '17 at 18:36
  • So far, this is the best solution I could find to enable SSL in Icecast 2. I used the certbot-nginx package to generate the certificate. Then, I just had to modify the location block in nginx config to enable the proxy. Thanks. – Mateng May 12 '20 at 23:11
3

The icecast2 package provided for Debian-based versions doesn't provide SSL support (so it has no https:// support), since that is supported by the OpenSSL libraries, which have licensing difficulties with the GNU GPL.

To know if icecast2 was compiled with openssl support, run this:

ldd /usr/bin/icecast2 | grep ssl

If it's compiled with it, then a line like this one should be displayed:

libssl.so.1.1 => /usr/lib/x86_64-linux-gnu/libssl.so.1.1 (0x00007ff5248a4000)

If instead you see nothing, you have no support for it.

To get the correct version you may want to obtain it from xiph.org directly:

https://wiki.xiph.org/Icecast_Server/Installing_latest_version_(official_Xiph_repositories)

philippe lhardy
1

Guys, the issue is related to the certificate file. First of all, you need to have, for example,

<paths>
     <ssl-certificate>/usr/share/icecast2/icecast.pem</ssl-certificate>
</paths>

and

<listen-socket>
     <port>8443</port>
     <ssl>1</ssl>
</listen-socket>

in your configuration. But that is not everything you need!

If you get your certificate, for example, from Let's Encrypt or sslforfree, you will have a certificate file and a private key file. But for Icecast, you need both files together. What you should do:
1- Open the private key and copy the content of this file.
2- Open the certificate file, paste the content of the private key that you copied at the end of this file, and save it as icecast.pem.

Then use this file and you should be fine.

Thanks to the person who introduced it here: Icecast 2 and SSL

Abbas
0

In your icecast2.xml file:

If set to 1, this will enable HTTPS on this listen-socket. Icecast must have been compiled against OpenSSL to be able to do so.

<paths>
    <basedir>./</basedir>
    <logdir>./logs</logdir>
    <pidfile>./icecast.pid</pidfile>
    <webroot>./web</webroot>
    <adminroot>./admin</adminroot>
    <allow-ip>/path/to/ip_allowlist</allow-ip>
    <deny-ip>/path_to_ip_denylist</deny-ip>
    <tls-certificate>/path/to/certificate.pem</tls-certificate>
    <ssl-allowed-ciphers>ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS</ssl-allowed-ciphers>
    <alias source="/foo" dest="/bar"/>
</paths>

<listen-socket>
    <port>8000</port>
    <bind-address>127.0.0.1</bind-address>
</listen-socket>

<listen-socket>
    <port>8443</port>
    <tls>1</tls>
</listen-socket>

<listen-socket>
    <port>8004</port>
    <shoutcast-mount>/live.mp3</shoutcast-mount>
</listen-socket>
TheBetterJORT