Why does Icecast2 not want to give the stream through https?

情歌与酒 2021-02-04 14:51

On a server with Ubuntu 14.04 LTS, Icecast2 2.4.1 is installed with SSL support. An HTTPS website also runs on this server. I want to insert into the page an HTML5 player that will also take

3 answers
  • 2021-02-04 15:12

    I ran into this issue recently and didn't have a lot of time to solve it, nor did I see much documentation for doing so. I assume it's not the most widely used icecast config, so I just proxied mine with nginx and it works fine.

    Here's an example nginx vhost. Be sure to change domain, check your paths and think about the location you want the mount proxied to and how you want to handle ports.

    Please note this will make your stream available on port 443 instead of 8000. Certain clients (such as facebookexternalhit/1.1) may try to hang onto the stream as though it's an https url waiting to connect. This may not be the behavior you expect or desire.

    Also, if you want no http available at all, be sure to change bind-address back to the local host, e.g.:

     <bind-address>127.0.0.1</bind-address>
    

    www.example.com.nginx.conf

    server {
      listen 80;
      server_name www.example.com;
      location /listen {
        if ($ssl_protocol = "") {
          rewrite ^   https://$server_name$request_uri? permanent;
        }
      }
    }
    
    #### SSL
    
    server {
      # TLS is enabled by "listen 443 ssl" below; the separate "ssl on;" directive is deprecated.
      ssl_certificate_key /etc/sslmate/www.example.com.key;
      ssl_certificate /etc/sslmate/www.example.com.chained.crt;
    
      # Recommended security settings from https://wiki.mozilla.org/Security/Server_Side_TLS
      ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
      ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA';
      ssl_prefer_server_ciphers on;
      ssl_dhparam /usr/share/sslmate/dhparams/dh2048-group14.pem;
      ssl_session_timeout 5m;
      ssl_session_cache shared:SSL:5m;
    
      # Enable this if you want HSTS (recommended)
      add_header Strict-Transport-Security max-age=15768000;
      listen 443 ssl;
      server_name www.example.com;
    
      location / {
        proxy_pass         http://127.0.0.1:8000/;
        proxy_redirect     off;
        proxy_set_header   Host             $host;
        proxy_set_header   X-Real-IP        $remote_addr;
        proxy_set_header   X-Forwarded-For  $proxy_add_x_forwarded_for;
      }
    
    }
    
  • 2021-02-04 15:22

    icecast as provided for Debian-based versions doesn't provide https support, since it is supported by openssl libraries that have licensing difficulties with GPL.

    To know if it was compiled with openssl:

    ldd /usr/bin/icecast2 | grep ssl

    If it is compiled with it, then a line like this one should be displayed:

    libssl.so.1.1 => /usr/lib/x86_64-linux-gnu/libssl.so.1.1 (0x00007ff5248a4000)

    Else nothing...

    To get the correct version, those should be obtained from xiph.org directly: https://wiki.xiph.org/Icecast_Server/Installing_latest_version_(official_Xiph_repositories)

  • 2021-02-04 15:24

    In your icecast2.xml file

    If set to 1 will enable HTTPS on this listen-socket. Icecast must have been compiled against OpenSSL to be able to do so.

    <paths>
        <basedir>./</basedir>
        <logdir>./logs</logdir>
        <pidfile>./icecast.pid</pidfile>
        <webroot>./web</webroot>
        <adminroot>./admin</adminroot>
        <allow-ip>/path/to/ip_allowlist</allow-ip>
        <deny-ip>/path_to_ip_denylist</deny-ip>
        <tls-certificate>/path/to/certificate.pem</tls-certificate>
        <ssl-allowed-ciphers>ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS</ssl-allowed-ciphers>
        <alias source="/foo" dest="/bar"/>
    </paths>
    
    <listen-socket>
        <port>8000</port>
        <bind-address>127.0.0.1</bind-address>
    </listen-socket>
    
    <listen-socket>
        <port>8443</port>
        <tls>1</tls>
    </listen-socket>
    
    <listen-socket>
        <port>8004</port>
        <shoutcast-mount>/live.mp3</shoutcast-mount>
    </listen-socket>
    
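An added example (not part of any answer above, and not Icecast project code) that audits an icecast.xml for the two points the answers raise: whether a TLS listen-socket has a certificate configured, and whether any plaintext listener is still reachable off the loopback address. The function name `audit_listeners` and the sample config are constructed for illustration; the `ssl` / `ssl-certificate` element names are the Icecast 2.4.x spellings and do not appear on this page.

```python
import xml.etree.ElementTree as ET

LOOPBACK = {"127.0.0.1", "::1", "localhost"}

# Constructed sample modelled on the listen-socket layout in the last answer.
SAMPLE = """<icecast>
  <paths>
    <tls-certificate>/path/to/certificate.pem</tls-certificate>
  </paths>
  <listen-socket><port>8000</port><bind-address>127.0.0.1</bind-address></listen-socket>
  <listen-socket><port>8443</port><tls>1</tls></listen-socket>
  <listen-socket><port>8004</port><shoutcast-mount>/live.mp3</shoutcast-mount></listen-socket>
</icecast>"""


def audit_listeners(xml_text):
    """Return (port, severity, message) findings for an icecast.xml document."""
    root = ET.fromstring(xml_text)
    # <tls>/<tls-certificate> as on this page; <ssl>/<ssl-certificate> are the
    # Icecast 2.4.x spellings (not shown on the page).
    cert = root.findtext("paths/tls-certificate") or root.findtext("paths/ssl-certificate")
    findings, tls_ports = [], []
    for sock in root.iter("listen-socket"):
        port = int((sock.findtext("port") or "0").strip())
        bind = (sock.findtext("bind-address") or "").strip()
        tls = (sock.findtext("tls") or sock.findtext("ssl") or "0").strip() == "1"
        if tls:
            tls_ports.append(port)
            if not (cert and cert.strip()):
                findings.append((port, "error", "TLS enabled but no certificate path in <paths>"))
        elif bind not in LOOPBACK:
            # No bind-address means the socket listens on every interface.
            where = bind or "all interfaces"
            findings.append((port, "warn", f"plaintext HTTP listener reachable on {where}"))
    if not tls_ports:
        findings.append((None, "warn", "no TLS listen-socket configured"))
    return findings


if __name__ == "__main__":
    for port, severity, message in audit_listeners(SAMPLE):
        print(f"{severity:5} port={port} {message}")
```

On the sample, the only finding is port 8004: it has neither a loopback bind-address nor TLS, so it serves plaintext on every interface.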