[Icecast] Icecast and HTTPS

Wang Wang at pc-factory.at
Wed Jan 6 12:59:55 UTC 2021


Right now I have the server running on port 8000 (http) and port 8443
(https). Is it possible to have it running only on port 8000, but with
https? I tried, but it did not work.

> That is also the reason I did it.
> You can even use port 80 and 443 if those are not in use on the server.
> Only thing to do this is start icecast2 as root user and group in /etc/init.d/icecast2 or /etc/default/icecast2 and use the <changeowner> section in icecast2.xml:
> 
>     <security>
>         <chroot>0</chroot>
>         <changeowner>
>             <user>icecast2</user>
>             <group>icecast</group>
>         </changeowner>
>     </security>
> 
> Glad I could help to make it work.
> 
> Paul
> -----Oorspronkelijk bericht-----
> Van: Icecast <icecast-bounces at xiph.org> Namens Wang
> Verzonden: Tuesday, 5 January 2021 16:14
> Aan: Icecast streaming server user discussions <icecast at xiph.org>
> Onderwerp: Re: [Icecast] Icecast and HTTPS
> 
> Thank you all for your answers, especially this one here!
> 
> Thank you, Paul, for the many good advices.
> 
> I actually got it working! In pretty much the same way you described it. ()
> 
> As players I tried with success: mpv, mplayer, vlc, cvlc (Linux).
> Also inside an <audio> tag in a https page, it worked!
> This was the reason I wanted to use https, because I wanted to embed the stream in an https site; if icecast runs only with http, chromium complains; in Firefox it worked well.
> 
> _zer0_ gravity <zer0___ at hotmail.com> schrieb am 04.01.2021 20:56:
> > There are some things to consider if you want Icecast to serve https:
> > 
> > The ssl certificate file needs BOTH the private key AND the chain into one file. The order did not make a difference in my setups.
> > The <ssl-private-key> is not needed, only the <ssl-certificate>
> > 
> > Make sure that the icecast2 user is the owner of the certificate:
> > chown icecast2:icecast /usr/share/icecast2/icecast.pem
> > 
> > Make sure NOT to put it in the "web" directory, the pem file should NOT be publicly accessible.
> > I have used both /etc/icecast2/ and /usr/share/icecast2/ directories successfully.
> > 
> > I am using letsencrypt and have use a post-hook script so that it only updates after a new certificate has been deployed:
> > #!/bin/bash
> > /bin/cat /etc/letsencrypt/live/YOURDOMAIN/privkey.pem 
> > /etc/letsencrypt/live/ YOURDOMAIN/fullchain.pem > 
> > /usr/share/icecast2/icecast.pem && /usr/bin/systemctl restart icecast2
> > 
> > Make sure you are NOT using the version from the Debian repositories, as they are compiled without SSL support.
> > Instead use the repositories described here: 
> > https://wiki.xiph.org/Icecast_Server/Installing_latest_version_(offici
> > al_Xiph_repositories)
> > 
> > I also had to add a priority file to make sure apt grabs the right one, as the version number on both repositories is the same, but only the version on the official Xiph repo has SSL support.
> > After adding the official xiph repository add a file /etc/apt/preferences.d/icecast with the following:
> > 
> > Package: icecast2
> > Pin: origin "download.opensuse.org"
> > Pin-Priority: 999
> > 
> > Then do a reinstall with:
> > 
> > apt update
> > apt reinstall icecast2
> > 
> > This are the relevant parts of my icecast2.xml:
> > 
> >     <listen-socket>
> >         <port>8443</port>
> >         <ssl>1</ssl>
> >     </listen-socket>
> > 
> >     <ssl-certificate>/usr/share/icecast2/icecast.pem</ssl-certificate>
> > 
> > Of course restart icecast2 after updating the ssl-certificate as it is only read during startup, that is also why I do a restart (and not a reload) in the certbot post-hook:
> > Systemctl restart icecast2
> > Also close and reopen your browser to test so that you are sure the certificate is not being cached locally.
> > 
> > Worked for me with Debian 9 and 10.
> > 
> > Regards, Paul
> > 
> > 
> > -----Oorspronkelijk bericht-----
> > Van: Icecast <icecast-bounces at xiph.org> Namens Marvin Scholz
> > Verzonden: Monday, 4 January 2021 20:59
> > Aan: Icecast streaming server user discussions <icecast at xiph.org>
> > Onderwerp: Re: [Icecast] Icecast and HTTPS
> > 
> > Icecast does support TLS and nearly all modern players do support streams over HTTPS too.
> > 
> > On 4 Jan 2021, at 20:56, Norbert Deleutre wrote:
> > 
> > > With a free player ?  Which one ?
> > >
> > > —-
> > > N.D
> > > LMGC
> > >
> > >
> > >> Le 4 janv. 2021 à 20:34, John McHarry <jmcharry at gmx.net> a écrit :
> > >>
> > >> It does. https://audio-mp3.ibiblio.org/whqr_hd1 is served from an
> > >> icecast2 server. Check http://audio-mp3.ibiblio.org:8000
> > >>
> > >>
> > >> On Mon, 2021-01-04 at 20:14 +0100, Norbert Deleutre wrote:
> > >>> I had made the same resquest in septembre 2020.
> > >>> And my conclusion is that icecast doesn’t Work with ssl-
> > >>>
> > >>> —-
> > >>> N.D
> > >>> LMGC
> > >>>
> > >>>
> > >>>> Le 4 janv. 2021 à 19:06, Wangr <Wang at pc-factory.at> a écrit :
> > >>>>
> > >>>> Hello to all!
> > >>>>
> > >>>> I have tried for days now to use icecast2 (version 2.4.99.2) with 
> > >>>> HTTPS. Been through so many manuals and howtos, but nothing works.
> > >>>>
> > >>>> I have used the Debian version, as well as compiled from source.
> > >>>>
> > >>>> Ports 8000 and 8443 are open on the firewall.
> > >>>>
> > >>>>
> > >>>> Here is some relevant info:
> > >>>>
> > >>>> /etc/icecast2/icecast.xml:
> > >>>>
> > >>>> <listen-socket>
> > >>>> <port>8000</port>
> > >>>> </listen-socket>
> > >>>> <listen-socket>
> > >>>> <port>8443</port>
> > >>>> <ssl>1</ssl>
> > >>>> </listen-socket>
> > >>>>
> > >>>> <http-headers>
> > >>>> <header name="Access-Control-Allow-Origin" value="*" /> 
> > >>>> </http-headers>
> > >>>>
> > >>>> <paths>
> > >>>> <basedir>/usr/share/icecast2</basedir>
> > >>>> <logdir>/var/log/icecast2</logdir>
> > >>>> <webroot>/usr/share/icecast2/web</webroot>
> > >>>> <adminroot>/usr/share/icecast2/admin</adminroot>
> > >>>> <alias source="/" destination="/status.xsl"/>
> > >>>> <ssl-certificate>/usr/share/icecast2/web/bundle.pem</ssl-
> > >>>> certificate>
> > >>>> <ssl-private-key>/usr/share/icecast2/web/bundle.pem</ssl-private-
> > >>>> key>
> > >>>> </paths>
> > >>>>
> > >>>> The bundle.pem file contains the privkey.pem and fullchain.pem 
> > >>>> files of the dehydrated (let's encrypt) certificates, in this 
> > >>>> order.
> > >>>>
> > >>>>
> > >>>> ices2 config file:
> > >>>>
> > >>>> <instance>
> > >>>> <port>8443</port>
> > >>>> </instance>
> > >>>>
> > >>>> with <port>8000</port> (HTTP) it works, not with 8443 (HTTPS).
> > >>>>
> > >>>>
> > >>>> I am thankful for any help!
> > >>>> _______________________________________________
> > >>>> Icecast mailing list
> > >>>> Icecast at xiph.org
> > >>>> http://lists.xiph.org/mailman/listinfo/icecast
> > >>> _______________________________________________
> > >>> Icecast mailing list
> > >>> Icecast at xiph.org
> > >>> http://lists.xiph.org/mailman/listinfo/icecast
> > >>
> > >> _______________________________________________
> > >> Icecast mailing list
> > >> Icecast at xiph.org
> > >> http://lists.xiph.org/mailman/listinfo/icecast
> > > _______________________________________________
> > > Icecast mailing list
> > > Icecast at xiph.org
> > > http://lists.xiph.org/mailman/listinfo/icecast
> > _______________________________________________
> > Icecast mailing list
> > Icecast at xiph.org
> > http://lists.xiph.org/mailman/listinfo/icecast
> > _______________________________________________
> > Icecast mailing list
> > Icecast at xiph.org
> > http://lists.xiph.org/mailman/listinfo/icecast
> 
> --
> Das School Community System
> https://pc-factory.at/school
> _______________________________________________
> Icecast mailing list
> Icecast at xiph.org
> http://lists.xiph.org/mailman/listinfo/icecast
> _______________________________________________
> Icecast mailing list
> Icecast at xiph.org
> http://lists.xiph.org/mailman/listinfo/icecast

-- 
Das School Community System
https://pc-factory.at/school


More information about the Icecast mailing list