[Icecast] icecast and proxy

"Thomas B. Rücker" thomas at ruecker.fi
Wed Feb 25 11:50:26 UTC 2015


On 02/25/2015 11:28 AM, Rafael Gomes wrote:
> OK!
>
> I made this solution because it is not suitable
> to run as root applications that use ports below 1000

Did you read my statement?
I address exactly this misconception.

As this seems to mostly happen to people who run Debian or its
derivatives, here are the #exactsteps to make Icecast listen to port 80
and as a bonus advertise this properly on YP without breaking:

* edit two lines in /etc/default/icecast2:
USERID=root
GROUPID=root
* edit the following lines in /etc/icecast2/icecast.xml:
 - this must be the *first* <listen-socket> entry:
    <listen-socket>
        <port>80</port>
    </listen-socket>
 - in the security section:
        <changeowner>
            <user>icecast2</user>
            <group>icecast</group>
        </changeowner>
 - for yp listings, make sure <hostname> resolves to your Icecast server
(not your homepage!) and remove the <!-- --> around the <directory> section.
* start Icecast through its init script / systemd

What this does:
Instead of changing the user in the init script, it gets changed during
start-up. At no point will Icecast actually keep running as root, it
only uses this to bind to privileged ports, <1024.
It _starts_ as "root", but _runs_ as "icecast2", just as *every* other
service binding to a port below 1024 does too, e.g. Apache HTTPD or NginX.
Security wise this is almost identical, BUT it enables Icecast to bind
to port 80 (and 443 too if you'd enable SSL support, but on debian that
would mean recompiling Icecast).

What this avoids:
We see hundreds of servers trying to list on YP that claim to be
"localhost" or to be listening on port 8000 while they are only
reachable on port 80 or some other port. All these radio streams are
automatically rejected from the YP directory at http://dir.xiph.org as
unreachable.
Also there are some other cases where Icecast will either use the first
listener port or the hostname and this will break a port redirect or a
reverse proxy setup.

Cheers

Thomas
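As an added illustration (not part of Thomas' message and not code from the Icecast project), the recipe above turned into a checker script for a Debian box. It verifies that /etc/default/icecast2 starts the daemon as root, that the first <listen-socket> in icecast.xml is port 80, that <changeowner> drops to an unprivileged user, that <hostname> is not "localhost" and that the <directory> section is no longer commented out; a second function checks the running process really ended up as icecast2 while owning the port-80 listener. The file contents embedded below are constructed samples and the paths and the `icecast2` process name are assumptions taken from the Debian packaging described in the post.

```shell
#!/bin/sh
# Added example, not code from the post or from the Icecast project.
# Checks a Debian Icecast setup against the recipe: start as root via
# /etc/default/icecast2, drop to icecast2 via <changeowner>, first
# <listen-socket> on port 80, sane YP settings. Paths are assumptions.

# Constructed sample of /etc/default/icecast2 after the edit.
sample_defaults() {
cat <<'EOF'
ENABLE=true
USERID=root
GROUPID=root
EOF
}

# Constructed, abridged sample of /etc/icecast2/icecast.xml after the edit.
sample_xml() {
cat <<'EOF'
<icecast>
    <hostname>radio.example.org</hostname>
    <listen-socket>
        <port>80</port>
    </listen-socket>
    <listen-socket>
        <port>8000</port>
    </listen-socket>
    <directory>
        <yp-url-timeout>15</yp-url-timeout>
        <yp-url>http://dir.xiph.org/cgi-bin/yp-cgi</yp-url>
    </directory>
    <security>
        <changeowner>
            <user>icecast2</user>
            <group>icecast</group>
        </changeowner>
    </security>
</icecast>
EOF
}

# Text of the first <tag>...</tag> found after the first <ctx> opener.
# $1 = file, $2 = tag, $3 = context tag ("" = anywhere in the file).
xml_first() {
    awk -v tag="$2" -v ctx="$3" '
        ctx != "" && index($0, "<" ctx ">") { in_ctx = 1 }
        (ctx == "" || in_ctx) && index($0, "<" tag ">") {
            sub(".*<" tag ">", ""); sub("</" tag ">.*", ""); print; exit
        }' "$1"
}
first_listen_port() { xml_first "$1" port listen-socket; }   # what YP advertises
changeowner_user()  { xml_first "$1" user changeowner; }
icecast_hostname()  { xml_first "$1" hostname ""; }

# True if a <directory> opener exists outside an XML comment.
yp_directory_enabled() {
    awk '
        !c && /<directory>/ && !/<!--/ { found = 1 }
        /<!--/ { c = 1 }
        /-->/  { c = 0 }
        END { exit !found }' "$1"
}

# $1 = /etc/default/icecast2, $2 = icecast.xml. Prints each problem, returns 1 on any.
check_config() {
    rc=0
    grep -q '^USERID=root$' "$1" && grep -q '^GROUPID=root$' "$1" ||
        { echo "defaults: USERID/GROUPID must be root so Icecast can bind <1024"; rc=1; }
    [ "$(first_listen_port "$2")" = 80 ] ||
        { echo "icecast.xml: first <listen-socket> must be port 80"; rc=1; }
    owner=$(changeowner_user "$2")
    [ -n "$owner" ] && [ "$owner" != root ] ||
        { echo "icecast.xml: <changeowner> must drop to an unprivileged user"; rc=1; }
    case "$(icecast_hostname "$2")" in
        ''|localhost|127.0.0.1) echo "icecast.xml: <hostname> must be the public name"; rc=1 ;;
    esac
    yp_directory_enabled "$2" || { echo "icecast.xml: <directory> still commented out"; rc=1; }
    return $rc
}

# After starting the service: process must run as icecast2 (never root) yet
# own the port-80 listener. Needs a live daemon; not used in the demo below.
runtime_check() {
    pid=$(pidof icecast2) || { echo "icecast2 not running"; return 1; }
    [ "$(ps -o user= -p "$pid" | tr -d ' ')" = icecast2 ] ||
        { echo "icecast2 (pid $pid) is not running as user icecast2"; return 1; }
    ss -ltnp 2>/dev/null | grep -q ':80 .*icecast' ||
        { echo "no icecast listener on port 80"; return 1; }
}

# Offline demo on the constructed samples.
demo_dir=$(mktemp -d)
sample_defaults > "$demo_dir/icecast2"
sample_xml      > "$demo_dir/icecast.xml"
check_config "$demo_dir/icecast2" "$demo_dir/icecast.xml" && echo "config OK"
rm -rf "$demo_dir"
```

On a real host run `check_config /etc/default/icecast2 /etc/icecast2/icecast.xml` before starting the service and `runtime_check` afterwards; the second is what proves the point of the post, namely that only the bind happens as root and the process you are left with is icecast2.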