Mise en place d’un relais icecast
Mis en place pour faire relais de Radio Klaxon de la ZAD de NDDL, qui ne tenait apparemment plus la charge, et pour un peu de chiffrement et d’anonymat. À noter : le TLS ne couvre que le tronçon auditeur ↔ ce relais (le relais lui-même tire les flux de radio.antirep.net en HTTP clair), et avec les réglages par défaut nginx et icecast journalisent toujours les IP des auditeurs. Ci-dessous, la config icecast, puis la config nginx.
Config pour icecast:
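<icecast>
    <!-- Connection limits for this relay. -->
    <limits>
        <clients>500</clients>
        <sources>2</sources>
        <queue-size>524288</queue-size>
        <client-timeout>30</client-timeout>
        <header-timeout>15</header-timeout>
        <source-timeout>10</source-timeout>
        <burst-on-connect>1</burst-on-connect>
        <burst-size>65535</burst-size>
    </limits>

    <hostname>pouet.hacktivis.me</hostname>

    <!-- NOTE(review): the <authentication> block (source-password, relay-password,
         admin-user/admin-password) is not part of this listing. It must be present
         in the deployed file and kept out of any published copy. -->

    <!-- Bind to loopback only: nginx terminates TLS and proxies to localhost:8000.
         With the bind-address left out (as in the original, where it was commented
         out) icecast listens on every interface, which exposes the plaintext stream
         and the /admin/ interface on port 8000 and bypasses the TLS front-end; it
         also collides with any nginx listener on the same port on this host. -->
    <listen-socket>
        <port>8000</port>
        <bind-address>127.0.0.1</bind-address>
    </listen-socket>

    <!-- Upstream relays. These are pulled over plain HTTP (icecast relays carry no
         TLS setting here), so the hop relay <- radio.antirep.net is unencrypted;
         only the listener <- relay hop is protected by nginx. on-demand=0 keeps the
         relay connected even with no listeners, so failures show up in error.log
         rather than at the first client connection. -->
    <relay>
        <server>radio.antirep.net</server>
        <port>8000</port>
        <mount>/RadioKlaxon</mount>
        <local-mount>/RadioKlaxon</local-mount>
        <on-demand>0</on-demand>
        <relay-shoutcast-metadata>1</relay-shoutcast-metadata>
    </relay>
    <relay>
        <server>radio.antirep.net</server>
        <port>8000</port>
        <mount>/RadioKlaxonOff</mount>
        <local-mount>/RadioKlaxonOff</local-mount>
        <on-demand>0</on-demand>
        <relay-shoutcast-metadata>1</relay-shoutcast-metadata>
    </relay>

    <!-- Serve static files from <webroot> for paths that are not mounts.
         <webroot> is the same directory nginx uses as its root, so nginx's
         try_files answers those requests first; icecast only sees what falls
         through. -->
    <fileserve>1</fileserve>
    <paths>
        <basedir>/usr/share/icecast</basedir>
        <logdir>/var/log/icecast</logdir>
        <webroot>/srv/web/pouet.hacktivis.me</webroot>
        <adminroot>/usr/share/icecast/admin</adminroot>
        <!-- "/" shows the public status page instead of a directory listing. -->
        <alias source="/" dest="/status.xsl"/>
    </paths>

    <logging>
        <errorlog>error.log</errorlog>
        <loglevel>2</loglevel> <!-- 4 Debug, 3 Info, 2 Warn, 1 Error -->
        <logsize>10000</logsize> <!-- Max size of a logfile -->
        <!-- NOTE(review): no <accesslog> is set, so icecast writes its default
             access log (client IPs included). Relevant to the anonymity goal:
             either accept it, or set a short retention / disable it. -->
    </logging>

    <security>
        <!-- chroot is off; privileges are dropped to icecast:nogroup after the
             sockets are bound. -->
        <chroot>0</chroot>
        <changeowner>
            <user>icecast</user>
            <group>nogroup</group>
        </changeowner>
    </security>
</icecast>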
Config pour nginx:
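# Plaintext front: every HTTP request is redirected to HTTPS.
server {
    listen 80;
    listen [::]:80;
    # The original also had "listen 8000;" / "listen [::]:8000;" here. Icecast itself
    # listens on port 8000 on this host (proxy_pass http://localhost:8000 in the TLS
    # server below), so a wildcard nginx listener on the same port collides with it
    # and one of the two daemons fails to bind. If a plaintext :8000 redirect is still
    # wanted for old listener URLs, bind nginx to the public address only
    # ("listen <public-ip>:8000;") and keep icecast on 127.0.0.1:8000.
    server_name pouet.hacktivis.me;

    location / {
        # $server_name rather than $host, so a forged Host header cannot steer
        # the redirect to another origin.
        return 301 https://$server_name$request_uri;
    }
}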
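# TLS front-end: serves static files from the webroot and proxies everything
# else to the local icecast on 127.0.0.1:8000.
server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name pouet.hacktivis.me;

    # Icecast/shoutcast clients can send long headers (e.g. Icy-MetaData + UA).
    large_client_header_buffers 4 16k;

    root /srv/web/pouet.hacktivis.me/;

    ssl_certificate certificates/pouet.hacktivis.me.pem;
    ssl_certificate_key certificates/pouet.hacktivis.me.key;

    # Ephemeral ECDH only, AEAD only. The alternative below admits DHE and
    # non-AEAD (+SHA) suites for older clients: EECDH+CHACHA20:EECDH+AES:DHE+CHACHA20:DHE+AES:+SHA
    ssl_ciphers 'EECDH+CHACHA20:EECDH+AESGCM';
    ssl_prefer_server_ciphers on; # clients' TLS preferences are often poor; impose ours

    # TLS 1.2 only. SSLv3 is what POODLE broke; TLS 1.0/1.1 are excluded because
    # they are deprecated (RFC 8996) and cannot negotiate the AEAD suites above.
    # TLSv1.3 can be appended once the nginx/OpenSSL build supports it.
    ssl_protocols TLSv1.2;

    # sect571r1 (a binary curve) was dropped from the original list: browsers do
    # not offer it and TLS 1.3 removed binary curves, so it was never negotiated.
    ssl_ecdh_curve X25519:secp521r1:secp384r1;

    # NOTE(review): stapling needs a "resolver" directive to fetch OCSP responses,
    # and ssl_stapling_verify needs the issuer chain (ssl_trusted_certificate or a
    # full-chain .pem). Neither is visible in this listing — confirm, or the staple
    # is silently not served.
    ssl_stapling on;
    ssl_stapling_verify on;

    ssl_session_cache shared:SSL:10m;
    ssl_session_timeout 10m;

    # HSTS for one year (31536000 s), covering subdomains. "preload" is a
    # long-term commitment: once submitted to the browser preload lists every
    # subdomain must stay HTTPS-only.
    add_header Strict-Transport-Security 'max-age=31536000; includeSubDomains; preload';
    # HPKP is deprecated and removed from browsers; left disabled on purpose.
    #add_header Public-Key-Pins 'pin-sha256="nL2KrUGakuCVVOeO152WRynVeJs+clhS+02EiIbDrPQ="; pin-sha256="9kgt0my3CzTv4sK5TsYJmEw5FzYLLUrFJr86Vmhbb4k="; max-age=5184000';
    add_header X-Frame-Options "DENY"; # deny framing
    add_header X-Content-Type-Options "nosniff";
    # Legacy header; current guidance is "0" plus a CSP, since the auditor it
    # enables was itself a cross-site leak. Kept as-is pending a CSP.
    add_header X-XSS-Protection "1; mode=block";
    #add_header Content-Security-Policy "default-src 'none'; script-src 'none'; style-src 'self'; img-src 'self'; media-src 'self';";
    add_header Referrer-Policy "no-referrer";
    add_header X-Clacks-Overhead "GNU Rémi Fraisse";
    # The add_header lines above also apply to proxied icecast responses, because
    # location @icecast2 declares no add_header of its own (nginx inherits the
    # set only when the location defines none).

    # Named location reached via try_files: stream requests go to icecast.
    location @icecast2 {
        # No buffering: this is a live audio stream, bytes must flow as they arrive.
        proxy_buffering off;
        proxy_ignore_client_abort off;
        proxy_intercept_errors on;
        proxy_next_upstream error timeout invalid_header;
        proxy_redirect off;
        proxy_set_header X-Host $http_host;
        # $remote_addr, not $proxy_add_x_forwarded_for: nginx is the edge here, so
        # a client-supplied X-Forwarded-For chain must not be forwarded as truth.
        proxy_set_header X-Forwarded-For $remote_addr;
        proxy_connect_timeout 60;
        # Six hours: listeners stay connected for a long time on a live stream.
        proxy_send_timeout 21600;
        proxy_read_timeout 21600;
        proxy_pass http://localhost:8000;
    }

    # NOTE(review): icecast's /admin/ is reachable through this proxy, protected
    # only by icecast's admin password over Basic auth (TLS-wrapped here). If admin
    # access is only ever local, add a "location /admin/ { allow 127.0.0.1; deny all; }"
    # in front of the catch-all below.
    location / {
        # Static file if it exists under root, otherwise hand over to icecast.
        # "/" is a directory, so "$uri" does not match it and icecast's
        # "/" -> /status.xsl alias answers.
        try_files $uri @icecast2;
    }
}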