[Icecast] add user failed check log

Philipp Schafft phschafft at de.loewenfelsen.net
Tue Feb 28 11:28:08 UTC 2023


Good morning,

On Tue, 2023-02-28 at 01:07 +0000, Coolvibes Reloaded wrote:
> I'm trying to configure the user authentication
> but when I go to add myself in the admin part
> I get "add user failed check log"?
> 
> so i did and i'm getting this
> [...]
> [2023-02-28  00:46:16] EROR auth_htpasswd/auth_htpasswd.c No filename
> given in options for authenticator.
> [...]

There is no filename given for the htpasswd auth, will comment below.



> [2023-02-28  00:44:26] WARN auth/auth.c unknown auth setting (auth)
> [2023-02-28  00:44:26] WARN auth/auth.c unknown auth setting
> (comment)
> [2023-02-28  00:44:26] EROR auth_htpasswd/auth_htpasswd.c No filename
> given in options for authenticator.
> [2023-02-28  00:44:26] EROR connection/connection.c Could not create
> listener socket on port 8080 bind my ip
> [2023-02-28  00:44:26] EROR connection/connection.c Could not create
> listener socket on port 8081 bind my ip

Another set of warnings. Looking at the config below you seem to have
fallen into the over configuration trap. Plus I'm not sure where some
of that came from. Maybe you want to comment on that so we can improve
docs/default configs.


What is also missing is which exact version of Icecast you are running.
The below seems to be a mix of 2.4.x and 2.5.x. I will try to answer in
a generic way for both.

I would also suggest that you run xmllint every time you change the
config as it checks the syntax. Helps to spot problems early. It also
provides a way to autoformat (with the --format option) the file. Which
is very nice.

Another general note here: Everyone using 2.5.x is recommended to have
a look at the dashboard. Icecast reports many common problems there. It
is much easier to spot things very early there.


> now my config file is 
> 
> <icecast>
>   <!-- location and admin are two arbitrary strings that are e.g.
> visible
>          on the server info page of the icecast web interface
>          (server_version.xsl). -->
>   <location>United Kingdom</location>
>   <admin>someemail at example.com</admin>
> 
>   <!-- This is the hostname other people will use to connect to your
> server.
>          It affects mainly the urls generated by Icecast for
> playlists and yp
>          listings. You MUST configure it properly for YP listings to
> work!
>     -->
>   <hostname>yourip/url</hostname>

This is not for an IP address or a URL. It is for the hostname of the
server. ;)


>   <!-- IMPORTANT!
>          Especially for inexperienced users:
>          Start out by ONLY changing all passwords and restarting
> Icecast.
>          For detailed setup instructions please refer to the
> documentation.
>          It's also available here: http://icecast.org/docs/
>     -->
> 
>   <limits>
>     <clients>9000</clients>
>     <sources>2</sources>
>     <queue-size>524288</queue-size>
>     <client-timeout>30</client-timeout>
>     <header-timeout>15</header-timeout>
>     <source-timeout>10</source-timeout>
>     <!-- If enabled, this will provide a burst of data when a client 
>              first connects, thereby significantly reducing the
> startup 
>              time for listeners that do substantial buffering.
> However,
>              it also significantly increases latency between the
> source
>              client and listening client.  For low-latency setups,
> you
>              might want to disable this. -->
>     <burst-on-connect>1</burst-on-connect>
>     <!-- same as burst-on-connect, but this allows for being more
>              specific on how much to burst. Most people won't need to
>              change from the default 64k. Applies to all mountpoints
>  -->
>     <burst-size>65535</burst-size>
>   </limits>
> 
>   <authentication>
>     <!-- Sources log in with username 'source' -->
>     <source-password>somepass</source-password>
>     <!-- Relays log in with username 'relay' -->
>     <relay-password>somepass</relay-password>
> 
>     <!-- Admin logs in with the username given below -->
>     <admin-user>admin</admin-user>
>     <admin-password>somepass</admin-password>
>   </authentication>
>   
> 
>   <!-- set the mountpoint for a shoutcast source to use, the default
> if not -->
>   <!-- specified is /stream but you can change it here if an
> alternative is -->
>   <!-- wanted or an extension is required -->
>   <shoutcast-mount>/stream</shoutcast-mount>


>   <directory>
>     <yp-url-timeout>15</yp-url-timeout>
>     <yp-url>http://dir.xiph.org/cgi-bin/yp-cgi</yp-url>
>   </directory>
> 
>   <!-- You may have multiple <listener> elements -->
>   <listen-socket>
>     <port>someport</port>
>     <bind-address>someip</bind-address>
> <shoutcast-mount>/stream</shoutcast-mount>
>     <tls>1</tls>
> <ssl>1</ssl>
>   </listen-socket>
> 
>   <listen-socket>
>     <port>8080</port>
>     <tls>1</tls>
>   </listen-socket>
> 
>   <listen-socket>
>     <port>8080</port>
>     <tls>1</tls>
>   </listen-socket>
> 
>   <listen-socket>
>     <port>8080</port>
>     <shoutcast-mount>/stream</shoutcast-mount>
>   </listen-socket>
> 
>   <listen-socket>
>     <port>8080</port>
>   </listen-socket>
> 
>   <listen-socket>
>     <port>8080</port>
>   </listen-socket>
> 
>   <listen-socket>
>     <port>8080</port>
>     <ssl>1</ssl>
>   </listen-socket>

You repeat yourself a lot here. Clearly you can only bind once to each
port and address pair. (If no bind address is given, the wildcard
address is assumed.)

As for the TLS settings: in 2.4.x it is <ssl>1</ssl> and in 2.5.x it is
<tls>true</tls> (which is the same as setting it to "rfc2818"). However,
for 2.5.x I would recommend setting this to <tls>auto</tls> (which
allows any mode, including non-TLS) or <tls>auto_no_plain</tls>, which
allows any mode but non-TLS.

More details can be found e.g. here:
https://wiki.xiph.org/Icecast_Server/known_https_restrictions#Icecast2_2.5.x_.28branch_.22master.22.29

If there is general interest in this I can talk a little bit about this
on Friday as well.


>   <!-- Global header settings 
>          Headers defined here will be returned for every HTTP request
> to Icecast.
> 
>          The ACAO header makes Icecast public content/API by default
>          This will make streams easier embeddable (some HTML5
> functionality needs it).
>          Also it allows direct access to e.g. /status-json.xsl from
> other sites.
>          If you don't want this, comment out the following line or
> read up on CORS. 
>     -->
>   <http-headers>
>     <header name="Access-Control-Allow-Origin" value="*" />
>     <header name="X-Robots-Tag" value="index, noarchive" status="200"
> />
>   </http-headers>
> 
>   <!-- Relaying
>          You don't need this if you only have one server.
>          Please refer to the config for a detailed explanation.
>     -->
>   <!--<master-server>127.0.0.1</master-server>-->
>   <!--<master-server-port>8001</master-server-port>-->
>   <!--<master-update-interval>120</master-update-interval>-->
>   <!--<master-password>hackme</master-password>-->
> 
>   <!-- setting this makes all relays on-demand unless overridden,
> this is
>          useful for master relays which do not have <relay>
> definitions here.
>          The default is 0 -->
>   <!--<relays-on-demand>1</relays-on-demand>-->
> 
>   <relay>
>     <server>someip</server>
>     <port>someport</port>
>     <mount>/coolvibes.ogg</mount>
>     <local-mount>/strawbs.ogg</local-mount>
>     <on-demand>0</on-demand>
> 
>     <relay-shoutcast-metadata>0</relay-shoutcast-metadata>
>   </relay>

If you're using recent 2.5.x you can also use
<url>http://example.org/blubb</url> here for the upstream address.


>   <!-- Mountpoints
>          Only define <mount> sections if you want to use advanced
> options,
>          like alternative usernames or passwords
>     -->
> 
>   <!-- Default settings for all mounts that don't have a specific -->
> 
>   <mount type="normal">
>     <mount-name>/live.mp3</mount-name>

In this block you set a really huge number of options. I guess most of
them can go. Some are set to the default value (e.g. you set
<burst-size> to the same value as the global default). Some should be
avoided unless there is a real requirement (e.g. <*type*>, <*metadata*>,
<*header*>, <bitrate>, ...). And for some I'm not sure if you actually
use them (<on-*>, <fallback*>, <intro>).

Generally speaking, use as few options as possible.


>     <username>someusername</username>
>     <password>someexamplepass</password>
>     <max-listeners>900</max-listeners>
>     <max-listener-duration>3600</max-listener-duration>
>     <dump-file>/tmp/dump-example1.ogg</dump-file>
>     <intro>/intro.ogg</intro>
>     <fallback-mount>/stream.ogg</fallback-mount>
>     <fallback-override>1</fallback-override>
>     <fallback-when-full>1</fallback-when-full>
>     <charset>ISO8859-1</charset>
>     <public>1</public>
>     <stream-name>somestream</stream-name>
>     <stream-description>'hello'</stream-description>
>     <stream-url>someurl</stream-url>
>     <genre>World</genre>
>     <bitrate>160</bitrate>
>     <type>application/mp3</type>
>     <subtype>mp3</subtype>
>     <hidden>1</hidden>
>     <burst-size>65536</burst-size>
>     <mp3-metadata-interval>4096</mp3-metadata-interval>

>     <authentication type="htpasswd">
>       <auth name="stream_auth" value="#" />
>  <option name="allow_duplicate_users" value="1"/>
>       <!-- See authentication documentation -->
>     </authentication>

Not sure where you got this block from.
Generally the htpasswd type takes an option with the filename. From the
2.4.4 example:
        <authentication type="htpasswd">
                <option name="filename" value="myauth"/>
        </authentication>

The filename is relative to Icecast's cwd (after chroot if any). So
depending on your setup you might want to set it absolute.



>     <http-headers>
>       <header name="Access-Control-Allow-Origin" value="*" />
>       <header name="X-Robots-Tag" value="index, noarchive" />
>       <header name="foo" value="bar" status="200" />
>       <header name="Nelson" value="Ha-Ha!" status="404" />
>     </http-headers>
>     <on-connect>/home/icecast/bin/source-start</on-connect>
>     <on-disconnect>/home/icecast/bin/source-end</on-disconnect>
>   </mount>


The rest below is 2.4.x style config. Nothing wrong with it even for
2.5.x. But it might be a bit nicer to read/work with in 2.5.x style.

>   <fileserve>1</fileserve>
> 
>     <paths>
>         <logdir>./log</logdir>
>         <webroot>./web</webroot>
>         <adminroot>./admin</adminroot>

Relative paths here look a bit like you try to run it not as a service.
I would avoid this outside of testing.


> 
>         <!-- Aliases: treat requests for 'source' path as being for
> 'dest' path
>              May be made specific to a port or bound address using
> the "port"
>              and "bind-address" attributes.
>           -->
>         <!--
>         <alias source="/foo" destination="/bar"/>
>         -->
>         <!-- Aliases: can also be used for simple redirections as
> well,
>              this example will redirect all requests for 
> http://server:port/ to
>              the status page
>         -->
>         <alias source="/" destination="/status.xsl"/>
>         <!-- The certificate file needs to contain both public and
> private part.
>              Both should be PEM encoded.
>         <ssl-certificate>./icecast.pem</ssl-certificate>
>         -->
>     </paths>
> 
> <security>
>         <chroot>0</chroot>
> 
>         <changeowner>

Having changeowner active is not the nicest thing. Unless you need the
extra permissions for e.g. binding to a privileged port I would suggest
not using this. If running as a service it is best to let the
operating system change to the correct user before starting Icecast. If
running in a more test-like setup, sudo/doas -u works very nicely to
switch to the target user.


>             <user>user</user>
>             <group>users</group>
>         </changeowner>
> 
>     </security>
> 
>   <logging>
>         <accesslog>access.log</accesslog>
>         <errorlog>error.log</errorlog>
>         <!-- <playlistlog>playlist.log</playlistlog> -->
>         <loglevel>4</loglevel> <!-- 4 Debug, 3 Info, 2 Warn, 1 Error
> -->
>         <logsize>10000</logsize> <!-- Max size of a logfile -->
>         <!-- If logarchive is enabled (1), then when logsize is
> reached
>              the logfile will be moved to
> [error|access|playlist].log.DATESTAMP,
>              otherwise it will be moved to
> [error|access|playlist].log.old.
>              Default is non-archive mode (i.e. overwrite)
>         -->
>         <!-- <logarchive>1</logarchive> -->
>     </logging>
> </icecast>


With best regards,

-- 
Philipp Schafft (CEO/Geschäftsführer)
Telephone:           +49.3535 490 17 92
Website:             https://www.loewenfelsen.net/
Follow us:           https://www.linkedin.com/company/loewenfelsen/
Geschäftsführer/CEO: Philipp Schafft

Löwenfelsen UG (haftungsbeschränkt)     Registration number:
Bickinger Straße 21                     HRB 12308 CB
04916 Herzberg (Elster)                 VATIN/USt-ID:
Germany                                 DE305133015
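
Added example (not part of the original message and not code from the
Icecast project): a small Python check for the problems pointed out in
the reply above, namely duplicate listen-socket address/port pairs,
<ssl> and <tls> mixed in one file, and a 2.4.x-style htpasswd block
without a filename option. The sample config, the address 192.0.2.10 and
the function name lint_icecast_config are constructed for illustration.

```python
import xml.etree.ElementTree as ET
from collections import Counter

# Constructed sample reproducing the problems discussed in the message above.
SAMPLE = """<icecast>
  <listen-socket><port>8080</port><tls>1</tls></listen-socket>
  <listen-socket><port>8080</port><ssl>1</ssl></listen-socket>
  <listen-socket><port>8081</port><bind-address>192.0.2.10</bind-address></listen-socket>
  <mount type="normal">
    <mount-name>/live.mp3</mount-name>
    <authentication type="htpasswd">
      <auth name="stream_auth" value="#"/>
      <option name="allow_duplicate_users" value="1"/>
    </authentication>
  </mount>
</icecast>"""

def lint_icecast_config(xml_text):
    """Return a list of findings; an empty list means none of the checks fired."""
    try:
        root = ET.fromstring(xml_text)  # syntax (well-formedness) check first
    except ET.ParseError as exc:
        return [f"not well-formed XML: {exc}"]
    findings = []
    # Each (bind-address, port) pair can be bound once; no bind-address means wildcard.
    pairs = Counter(
        ((s.findtext("bind-address") or "*").strip(), (s.findtext("port") or "").strip())
        for s in root.iter("listen-socket"))
    for (addr, port), n in sorted(pairs.items()):
        if n > 1:
            findings.append(f"listen-socket {addr}:{port} defined {n} times")
    # <ssl> is the 2.4.x spelling, <tls> the 2.5.x one; using both mixes versions.
    kinds = {c.tag for s in root.iter("listen-socket") for c in s} & {"ssl", "tls"}
    if len(kinds) == 2:
        findings.append("listen-sockets mix <ssl> (2.4.x) and <tls> (2.5.x)")
    # Assumption: only the 2.4.x-style <authentication type="htpasswd"> block is checked.
    for auth in root.iter("authentication"):
        if auth.get("type") != "htpasswd":
            continue
        options = {o.get("name"): o.get("value") for o in auth.findall("option")}
        if not options.get("filename"):
            findings.append("htpasswd authentication has no 'filename' option")
        for child in auth:  # the log above warned about an unknown <auth> setting
            if child.tag != "option":
                findings.append(f"unexpected <{child.tag}> inside htpasswd authentication")
    return findings

if __name__ == "__main__":
    print("\n".join(lint_icecast_config(SAMPLE)))
```

Run it against the real file by passing its contents instead of SAMPLE;
it complements xmllint, which only checks the XML syntax.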