Soutenons La Quadrature Du Net

Mise en place d’un relai icecast

Mis en place pour faire relai de radio klaxon de la ZAD de NDDL qui ne tenait apparement plus la charge, et pour un peu de crypto+annonymat. Ci-dessous, la config icecast, puis la config nginx.

Config pour icecast:


<icecast>
    <limits>
        <clients>500</clients>
        <sources>2</sources>
        <queue-size>524288</queue-size>
        <client-timeout>30</client-timeout>
        <header-timeout>15</header-timeout>
        <source-timeout>10</source-timeout>
        <burst-on-connect>1</burst-on-connect>
        <burst-size>65535</burst-size>
    </limits>
    <hostname>pouet.hacktivis.me</hostname>
    <listen-socket>
        <port>8000</port>
        <!-- <bind-address>127.0.0.1</bind-address> -->
    </listen-socket>
    <relay>
        <server>radio.antirep.net</server>
        <port>8000</port>
        <mount>/RadioKlaxon</mount>
        <local-mount>/RadioKlaxon</local-mount>
        <on-demand>0</on-demand>

        <relay-shoutcast-metadata>1</relay-shoutcast-metadata>
    </relay>
    <relay>
        <server>radio.antirep.net</server>
        <port>8000</port>
        <mount>/RadioKlaxonOff</mount>
        <local-mount>/RadioKlaxonOff</local-mount>
        <on-demand>0</on-demand>

        <relay-shoutcast-metadata>1</relay-shoutcast-metadata>
    </relay>
    <fileserve>1</fileserve>
    <paths>
        <basedir>/usr/share/icecast</basedir>
        <logdir>/var/log/icecast</logdir>
        <webroot>/srv/web/pouet.hacktivis.me</webroot>
        <adminroot>/usr/share/icecast/admin</adminroot>
        <alias source="/" dest="/status.xsl"/>
    </paths>

    <logging>
        <errorlog>error.log</errorlog>
        <loglevel>2</loglevel> <!-- 4 Debug, 3 Info, 2 Warn, 1 Error -->
        <logsize>10000</logsize> <!-- Max size of a logfile -->
    </logging>

    <security>
        <chroot>0</chroot>
        <changeowner>
            <user>icecast</user>
            <group>nogroup</group>
        </changeowner>
    </security>
</icecast>

Config pour nginx:


server {
        listen 80;
        listen [::]:80;
        listen 8000;
        listen [::]:8000;

        server_name pouet.hacktivis.me;

        location / {
                return 301 https://$server_name$request_uri;
        }
}
server {
        listen 443 ssl http2;
        listen [::]:443 ssl http2;

        server_name pouet.hacktivis.me;
        large_client_header_buffers 4 16k;

        root /srv/web/pouet.hacktivis.me/;

        ssl_certificate     certificates/pouet.hacktivis.me.pem;
        ssl_certificate_key certificates/pouet.hacktivis.me.key;

        ssl_ciphers 'EECDH+CHACHA20:EECDH+AESGCM'; # or EECDH+CHACHA20:EECDH+AES:DHE+CHACHA20:DHE+AES:+SHA
        ssl_prefer_server_ciphers on; # Parceque les clients on une config TLS toute pouritte
        ssl_protocols TLSv1.2; # POODLE sur ≤TLS1.1
        ssl_ecdh_curve X25519:sect571r1:secp521r1:secp384r1;
        ssl_stapling on;
        ssl_stapling_verify on;
        ssl_session_cache   shared:SSL:10m;
        ssl_session_timeout 10m;

        add_header Strict-Transport-Security 'max-age=31536000; includeSubDomains; preload'; # Garder l’https pendant 6 mois et inclure les sous-domaines
        #add_header Public-Key-Pins           'pin-sha256="nL2KrUGakuCVVOeO152WRynVeJs+clhS+02EiIbDrPQ="; pin-sha256="9kgt0my3CzTv4sK5TsYJmEw5FzYLLUrFJr86Vmhbb4k="; max-age=5184000';
        add_header X-Frame-Options           "DENY"; # Deny framing
        add_header X-Content-Type-Options    "nosniff";
        add_header X-XSS-Protection          "1; mode=block";
        #add_header Content-Security-Policy   "default-src 'none'; script-src 'none'; style-src 'self'; img-src 'self'; media-src 'self';";
        add_header Referrer-Policy           "no-referrer";
        add_header X-Clacks-Overhead         "GNU Rémi Fraisse";

        location @icecast2 {
                proxy_buffering           off;
                proxy_ignore_client_abort off;
                proxy_intercept_errors    on;
                proxy_next_upstream       error timeout invalid_header;
                proxy_redirect            off;
                proxy_set_header          X-Host $http_host;
                proxy_set_header          X-Forwarded-For $remote_addr;
                proxy_connect_timeout     60;
                proxy_send_timeout        21600;
                proxy_read_timeout        21600;
                proxy_pass http://localhost:8000;
        }
        location / {
                try_files $uri @icecast2;
        }
}
article seul(HTML-brut)