Why Icecast2 does not want to give the stream through https?

9
votes

On a server with Ubuntu 14.04 LTS installed Icecast2 2.4.1 with SSL support. Also on this server work HTTPS website. I want insert on the page HTML5-player that will also take the stream through the SSL (otherwise - mixed content error). The site has a commercial SSL certificate, Icecast - a self-signed. Icecast config file:

<icecast>
<location>****</location>
<admin>admin@*************</admin>
<limits>
    <clients>1000</clients>
    <sources>2</sources>
    <threadpool>5</threadpool>
    <queue-size>524288</queue-size>
    <source-timeout>10</source-timeout>
    <burst-on-connect>0</burst-on-connect>
    <burst-size>65535</burst-size>
</limits>
<authentication>
    <source-password>*****</source-password>
    <relay-password>*****</relay-password>
    <admin-user>*****</admin-user>
    <admin-password>*****</admin-password>
</authentication>
<hostname>************</hostname> 
<listen-socket>
    <port>8000</port>
    <ssl>1</ssl>
</listen-socket>
<mount>
    <mount-name>/stream</mount-name>
    <charset>utf-8</charset>
</mount>
<mount> 
    <mount-name>/ogg</mount-name>
    <charset>utf-8</charset>
</mount>
<fileserve>1</fileserve>
<paths>
    <basedir>/usr/share/icecast2</basedir>
    <logdir>/var/log/icecast2</logdir>
    <webroot>/usr/share/icecast2/web</webroot>
    <adminroot>/usr/share/icecast2/admin</adminroot>
    <alias source="/" dest="/status.xsl"/>
    <ssl-certificate>/etc/icecast2/icecast2.pem</ssl-certificate>
</paths>
<logging>
    <accesslog>access.log</accesslog>
    <errorlog>error.log</errorlog>
    <loglevel>4</loglevel>
</logging>
<security>
    <chroot>0</chroot>
    <changeowner>
        <user>icecast2</user>
        <group>icecast</group>
    </changeowner>
</security>
</icecast>

Certificate for Icecast (/etc/icecast2/icecast2.pem) generated by:

openssl req -new -newkey rsa:2048 -days 365 -nodes -x509 -keyout icecast2.pem -out icecast2.pem

I expect to get the output stream from the addresses https://domain.name:8000/stream https://domain.name:8000/ogg for insertion into the player via tag audio, but in response - silence. Thus the addresses with a simple http everything works fine. I did not understand what all the same mistake... Thanks in advance for your help!

4
sslstreamingubuntu-14.04audio-streamingicecast
did you concatenate the cert && key? - austin

4 Answers

8
votes

I ran into this issue recently and didn't have a lot of time to solve it, nor did I see see much documentation for doing so. I assume it's not the most widely used icecast config, so I just proxied mine with nginx and it works fine.

Here's an example nginx vhost. Be sure to change domain, check your paths and think about the location you want the mount proxied to and how you want to handle ports.

Please note this will make your stream available on port 443 instead of 8000. Certain clients (such as facebookexternalhit/1.1) may try to hang onto the stream as thought it's a https url waiting to connect. This may not be the behavior you expect or desire.

Also, if you want no http available at all, be sure to change bind-address back to the local host. eg:

 <bind-address>127.0.0.1</bind-address>

www.example.com.nginx.conf

server {
  listen 80;
  server_name www.example.com;
  location /listen {
    if ($ssl_protocol = "") {
      rewrite ^   https://$server_name$request_uri? permanent;
    }
  }
}

#### SSL

server {
  ssl on;
  ssl_certificate_key /etc/sslmate/www.example.com.key;
  ssl_certificate /etc/sslmate/www.example.com.chained.crt;

  # Recommended security settings from https://wiki.mozilla.org/Security/Server_Side_TLS
  ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
  ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:
ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA
-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES2
56-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA';
  ssl_prefer_server_ciphers on;
  ssl_dhparam /usr/share/sslmate/dhparams/dh2048-group14.pem;
  ssl_session_timeout 5m;
  ssl_session_cache shared:SSL:5m;

  # Enable this if you want HSTS (recommended)
  add_header Strict-Transport-Security max-age=15768000;
  listen 443 ssl;
  server_name www.example.com;

  location / {
    proxy_pass         http://127.0.0.1:8000/;
    proxy_redirect     off;
    proxy_set_header   Host             $host;
    proxy_set_header   X-Real-IP        $remote_addr;
    proxy_set_header   X-Forwarded-For  $proxy_add_x_forwarded_for;
  }

}
2
votes

icecast provided for debian based versions don't provide https support since it is supported by openssl libraries that have licensing difficulties with GPL.

to know if openssl was compiled with :

ldd /usr/bin/icecast2 | grep ssl

if is compiled with then a line like this one should de displayed :

libssl.so.1.1 => /usr/lib/x86_64-linux-gnu/libssl.so.1.1 (0x00007ff5248a4000)

else nothing...

to get correct version those should be obtained from xiph.org directly : https://wiki.xiph.org/Icecast_Server/Installing_latest_version_(official_Xiph_repositories)

0
votes

In your icecast2.xml file

If set to 1 will enable HTTPS on this listen-socket. Icecast must have been compiled against OpenSSL to be able to do so.

<paths>
    <basedir>./</basedir>
    <logdir>./logs</logdir>
    <pidfile>./icecast.pid</pidfile>
    <webroot>./web</webroot>
    <adminroot>./admin</adminroot>
    <allow-ip>/path/to/ip_allowlist</allow-ip>
    <deny-ip>/path_to_ip_denylist</deny-ip>
    <tls-certificate>/path/to/certificate.pem</tls-certificate>
    <ssl-allowed-ciphers>ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS</ssl-allowed-ciphers>
    <alias source="/foo" dest="/bar"/>
</paths>

<listen-socket>
    <port>8000</port>
    <bind-address>127.0.0.1</bind-address> </listen-socket>

<listen-socket>
    <port>8443</port>
    <tls>1</tls> </listen-socket>

<listen-socket>
    <port>8004</port>
    <shoutcast-mount>/live.mp3</shoutcast-mount> </listen-socket>
0
votes

Guys the issue is related to the certificate file. First of all, you need to have for example

<paths>
     <ssl-certificate>/usr/share/icecast2/icecast.pem</ssl-certificate>
</paths>

and

<listen-socket>
     <port>8443</port>
     <ssl>1</ssl>
</listen-socket>

in your configuration. But that is not everything you need!

If you get your certificate for example from let's encrypt or sslforfree, you will have a certificate file and a private key file. But for Icecast, you need both files together. What you should do: 1- Open the private key and copy the content of this file 2- Open the certificate file and paste the content of your private key that you copied, at the end of this file and save it as icecast.pem.

Then use this file and you should be fine.

Thanks to the person who introduces it here: Icecast 2 and SSL