Why Icecast2 does not want to give the stream through https?

Alexander picture Alexander · May 14, 2015 · Viewed 10.3k times · Source

On a server with Ubuntu 14.04 LTS installed Icecast2 2.4.1 with SSL support. Also on this server work HTTPS website. I want insert on the page HTML5-player that will also take the stream through the SSL (otherwise - mixed content error). The site has a commercial SSL certificate, Icecast - a self-signed. Icecast config file:

<icecast>
<location>****</location>
<admin>admin@*************</admin>
<limits>
    <clients>1000</clients>
    <sources>2</sources>
    <threadpool>5</threadpool>
    <queue-size>524288</queue-size>
    <source-timeout>10</source-timeout>
    <burst-on-connect>0</burst-on-connect>
    <burst-size>65535</burst-size>
</limits>
<authentication>
    <source-password>*****</source-password>
    <relay-password>*****</relay-password>
    <admin-user>*****</admin-user>
    <admin-password>*****</admin-password>
</authentication>
<hostname>************</hostname> 
<listen-socket>
    <port>8000</port>
    <ssl>1</ssl>
</listen-socket>
<mount>
    <mount-name>/stream</mount-name>
    <charset>utf-8</charset>
</mount>
<mount> 
    <mount-name>/ogg</mount-name>
    <charset>utf-8</charset>
</mount>
<fileserve>1</fileserve>
<paths>
    <basedir>/usr/share/icecast2</basedir>
    <logdir>/var/log/icecast2</logdir>
    <webroot>/usr/share/icecast2/web</webroot>
    <adminroot>/usr/share/icecast2/admin</adminroot>
    <alias source="/" dest="/status.xsl"/>
    <ssl-certificate>/etc/icecast2/icecast2.pem</ssl-certificate>
</paths>
<logging>
    <accesslog>access.log</accesslog>
    <errorlog>error.log</errorlog>
    <loglevel>4</loglevel>
</logging>
<security>
    <chroot>0</chroot>
    <changeowner>
        <user>icecast2</user>
        <group>icecast</group>
    </changeowner>
</security>
</icecast>

Certificate for Icecast (/etc/icecast2/icecast2.pem) generated by:

openssl req -new -newkey rsa:2048 -days 365 -nodes -x509 -keyout icecast2.pem -out icecast2.pem

I expect to get the output stream from the addresses https://domain.name:8000/stream https://domain.name:8000/ogg for insertion into the player via tag audio, but in response - silence. Thus the addresses with a simple http everything works fine. I did not understand what all the same mistake... Thanks in advance for your help!

Answer

Warren Stevens picture Warren Stevens · Jul 17, 2015

I ran into this issue recently and didn't have a lot of time to solve it, nor did I see see much documentation for doing so. I assume it's not the most widely used icecast config, so I just proxied mine with nginx and it works fine.

Here's an example nginx vhost. Be sure to change domain, check your paths and think about the location you want the mount proxied to and how you want to handle ports.

Please note this will make your stream available on port 443 instead of 8000. Certain clients (such as facebookexternalhit/1.1) may try to hang onto the stream as thought it's a https url waiting to connect. This may not be the behavior you expect or desire.

Also, if you want no http available at all, be sure to change bind-address back to the local host. eg:

 <bind-address>127.0.0.1</bind-address>

www.example.com.nginx.conf

server {
  listen 80;
  server_name www.example.com;
  location /listen {
    if ($ssl_protocol = "") {
      rewrite ^   https://$server_name$request_uri? permanent;
    }
  }
}

#### SSL

server {
  ssl on;
  ssl_certificate_key /etc/sslmate/www.example.com.key;
  ssl_certificate /etc/sslmate/www.example.com.chained.crt;

  # Recommended security settings from https://wiki.mozilla.org/Security/Server_Side_TLS
  ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
  ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:
ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA
-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES2
56-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA';
  ssl_prefer_server_ciphers on;
  ssl_dhparam /usr/share/sslmate/dhparams/dh2048-group14.pem;
  ssl_session_timeout 5m;
  ssl_session_cache shared:SSL:5m;

  # Enable this if you want HSTS (recommended)
  add_header Strict-Transport-Security max-age=15768000;
  listen 443 ssl;
  server_name www.example.com;

  location / {
    proxy_pass         http://127.0.0.1:8000/;
    proxy_redirect     off;
    proxy_set_header   Host             $host;
    proxy_set_header   X-Real-IP        $remote_addr;
    proxy_set_header   X-Forwarded-For  $proxy_add_x_forwarded_for;
  }

}