Streaming Service with Icecast: Difference between revisions

From Run Your Own
Jump to navigation Jump to search
Line 111: Line 111:
=== NGINX Reverse Proxy ===
=== NGINX Reverse Proxy ===


=== TLS/SSL Support ===
It's possible to use existing X.509 certificates to provide HTTPS access to both listeners and sources. For this to work the server and intermediate certificates with the private key.
* merge <code>fullchain.pem<code> with <code>privkey.pem</code> (example with Let's Encrypt certs)
cat /etc/letsencrypt/live/domain.tld/fullchain.pem > /usr/local/share/icecast/icecast.pem
cat /etc/letsencrypt/live/domain.tld/privkey.pem >> /usr/local/share/icecast/icecast.pem
* Adjust <code>icecast.xml<code> config file with <code><ssl-certificate></code> and <code><ssl-allowed-ciphers></code>:
<pre>
      <paths>
          <basedir>/usr/local/share/icecast</basedir>
          <logdir>/log</logdir>
          <webroot>/web</webroot>
          <adminroot>/admin</adminroot>
          <ssl-certificate>/usr/local/share/icecast/icecast.pem</ssl-certificate>
          <ssl-allowed-ciphers>ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:  RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS</ssl-allowed-ciphers>
          <alias source="/" dest="/index.html"/>
      </paths>
</pre>
=== Relaying an External Stream ===
=== Relaying an External Stream ===




[[Category: Streaming]]
[[Category: Streaming]]

Revision as of 13:28, 17 December 2019

Note: we will be using the icecast-kh fork that contains some extra stuff and features/fixes/improvements that may eventually land in vanilla icecast.

Installation for a Simple Setup

Software

Note: At time of writing, icecast-kh suffers from a small compilation problem with OpenSSL.

  • Install dependencies (Debian)
apt install libxslt1-dev libogg-dev libvorbis-dev libtheora-dev libcurl4-openssl-dev
  • Get the sources
cd /usr/src
git clone https://github.com/karlheyes/icecast-kh
  • Compile and install
cd icecast-kh
./configure --with-openssl
make
make install

Firewall

  • Make sure you listen on 8000, adjust your iptables:
-A INPUT -p tcp -m tcp --dport 8000 -j ACCEPT

You can adjust to your liking, 8000 is the default for Icecast.

Basic Configuration

Simple setup with icecast accepting 4 sources, changing process ownership to nobody:nogroup, and running in a chroot.

  • log files in chroot:
mkdir /usr/local/share/icecast/log
chown nobody:nogroup /usr/local/share/icecast/log
  • /usr/local/etc/icecast.xml:
  <icecast>
      <location>𓅣</location>
      <admin>top.cool@c_est.super.deluxe</admin>
  
      <limits>
          <clients>64</clients>
          <sources>4</sources>
          <queue-size>524288</queue-size>
          <client-timeout>30</client-timeout>
          <header-timeout>15</header-timeout>
          <source-timeout>10</source-timeout>
          <burst-size>65535</burst-size>
      </limits>
  
      <authentication>
          <source-password>hackme</source-password>
          <relay-password>hackme</relay-password>
          <admin-user>admin</admin-user>
          <admin-password>hackme</admin-password>
      </authentication>
  
      <hostname>echo.lurk.org</hostname>
  
      <listen-socket>
          <port>8000</port>
      </listen-socket>
  
      <fileserve>1</fileserve>
  
      <paths>
          <basedir>/usr/local/share/icecast</basedir>
          <logdir>/log</logdir>
          <webroot>/web</webroot>
          <adminroot>/admin</adminroot>
          <alias source="/" dest="/index.html"/>
      </paths>
  
      <logging>
          <accesslog>access.log</accesslog>
          <errorlog>error.log</errorlog>
          <loglevel>1</loglevel> <!-- 4 Debug, 3 Info, 2 Warn, 1 Error -->
          <logsize>10000</logsize> <!-- Max size of a logfile -->
       </logging>
  
      <security>
          <chroot>1</chroot>
          <changeowner>
              <user>nobody</user>
              <group>nogroup</group>
          </changeowner>
      </security>
  </icecast>

Service file and autostart (systemd)

  • Create a /etc/systemd/system/icecast.service unit file:
[Unit]
Description=Icecast
After=network.target

[Service]
Type=simple
ExecStart=/usr/local/bin/icecast -c /usr/local/etc/icecast.xml
ExecReload=/usr/bin/kill -HUP $MAINPID

[Install]
WantedBy=multi-user.target
  • Enable the service on boot:
systemctl enable icecast
  • Manage the service with
service icecast start
service icecast status
service icecast stop

MOAR Configuration

With the previous section you will get something up and running, stable and all. It's a good starting point to tweak things further.

NGINX Reverse Proxy

TLS/SSL Support

It's possible to use existing X.509 certificates to provide HTTPS access to both listeners and sources. For this to work the server and intermediate certificates with the private key.

  • merge fullchain.pem with privkey.pem (example with Let's Encrypt certs)
cat /etc/letsencrypt/live/domain.tld/fullchain.pem > /usr/local/share/icecast/icecast.pem
cat /etc/letsencrypt/live/domain.tld/privkey.pem >> /usr/local/share/icecast/icecast.pem
  • Adjust icecast.xml config file with <ssl-certificate> and <ssl-allowed-ciphers>:
      <paths>
          <basedir>/usr/local/share/icecast</basedir>
          <logdir>/log</logdir>
          <webroot>/web</webroot>
          <adminroot>/admin</adminroot>
          <ssl-certificate>/usr/local/share/icecast/icecast.pem</ssl-certificate>
          <ssl-allowed-ciphers>ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:  RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS</ssl-allowed-ciphers>
          <alias source="/" dest="/index.html"/>
      </paths>

Relaying an External Stream

Retrieved from "https://things.bleu255.com/runyourown/index.php?title=Streaming_Service_with_Icecast&oldid=404"