Mis en place pour faire relais de Radio Klaxon (la radio de la ZAD de NDDL), qui apparemment ne tenait plus la charge, et pour apporter un peu de chiffrement et d'anonymat côté auditeurs. Ci-dessous, la config icecast, puis la config nginx.
Config pour icecast:
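<icecast>
    <!-- Relay of Radio Klaxon (radio.antirep.net). The public only reaches this
         instance through the nginx reverse proxy that terminates TLS; icecast itself
         must therefore not be reachable directly (see listen-socket below). -->
    <limits>
        <clients>500</clients>
        <!-- Exactly the two relays configured below. With both source slots taken,
             no further source client can push a stream, even with the source
             password. Raise this only if another mount is really wanted. -->
        <sources>2</sources>
        <queue-size>524288</queue-size>
        <client-timeout>30</client-timeout>
        <header-timeout>15</header-timeout>
        <source-timeout>10</source-timeout>
        <burst-on-connect>1</burst-on-connect>
        <burst-size>65535</burst-size>
    </limits>
    <hostname>pouet.hacktivis.me</hostname>
    <listen-socket>
        <port>8000</port>
        <!-- Loopback only: nginx proxies to this socket. Without a bind-address
             icecast listens on every interface, so the plaintext stream and the
             /admin/ interface would be reachable directly on :8000, bypassing TLS
             and the headers nginx adds. The nginx server that redirects :8000 to
             HTTPS must then bind explicit public addresses (listen A.B.C.D:8000)
             rather than the wildcard, otherwise the two daemons fight over the port. -->
        <bind-address>127.0.0.1</bind-address>
    </listen-socket>
    <!-- Both relays pull from the upstream over plain HTTP (port 8000, no TLS),
         so the encryption added by nginx covers the listener side only. -->
    <relay>
        <server>radio.antirep.net</server>
        <port>8000</port>
        <mount>/RadioKlaxon</mount>
        <local-mount>/RadioKlaxon</local-mount>
        <on-demand>0</on-demand>
        <relay-shoutcast-metadata>1</relay-shoutcast-metadata>
    </relay>
    <relay>
        <server>radio.antirep.net</server>
        <port>8000</port>
        <mount>/RadioKlaxonOff</mount>
        <local-mount>/RadioKlaxonOff</local-mount>
        <on-demand>0</on-demand>
        <relay-shoutcast-metadata>1</relay-shoutcast-metadata>
    </relay>
    <!-- NOTE(review): this listing has no <authentication> block (source-password,
         relay-password, admin-user, admin-password). Icecast falls back to its
         well-known shipped defaults when it is absent, and /admin/ is reachable
         through the proxy, so the deployed file must carry that block with
         non-default values. -->
    <fileserve>1</fileserve>
    <paths>
        <basedir>/usr/share/icecast</basedir>
        <logdir>/var/log/icecast</logdir>
        <!-- Same directory nginx uses as its root: files that exist there are served
             by nginx before the request ever reaches icecast. -->
        <webroot>/srv/web/pouet.hacktivis.me</webroot>
        <adminroot>/usr/share/icecast/admin</adminroot>
        <alias source="/" dest="/status.xsl"/>
    </paths>
    <logging>
        <errorlog>error.log</errorlog>
        <!-- No <accesslog> given, so icecast's default access log stays enabled.
             Behind the proxy it records 127.0.0.1 as the peer, not the listener. -->
        <loglevel>2</loglevel> <!-- 4 Debug, 3 Info, 2 Warn, 1 Error -->
        <logsize>10000</logsize> <!-- Max size of a logfile, in kilobytes, before rotation -->
    </logging>
    <security>
        <chroot>0</chroot>
        <!-- Drop root after binding the port. -->
        <changeowner>
            <user>icecast</user>
            <group>nogroup</group>
        </changeowner>
    </security>
</icecast>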
Config pour nginx (le premier bloc redirige tout le clair vers HTTPS, le second termine le TLS et fait proxy vers icecast) :
# Plain-HTTP front: anything arriving on :80 or on icecast's usual :8000 is
# redirected to HTTPS; nothing is served in clear.
server {
listen 80;
listen [::]:80;
# NOTE(review): these are wildcard binds on the same port icecast listens on
# (nginx proxies to localhost:8000 below). Two daemons cannot both own
# 0.0.0.0:8000, and on Linux a wildcard bind also conflicts with a loopback
# bind. Put icecast on 127.0.0.1 and name the public addresses here explicitly
# (listen <public-ip>:8000; listen [<public-ip6>]:8000;).
listen 8000;
listen [::]:8000;
server_name pouet.hacktivis.me;
location / {
return 301 https://$server_name$request_uri;
}
}
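# TLS terminator and reverse proxy in front of icecast (127.0.0.1:8000).
server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name pouet.hacktivis.me;
    large_client_header_buffers 4 16k;

    # Same directory as icecast's <webroot>: a path that exists here is served by
    # nginx directly (try_files below) and never reaches icecast. NOTE(review):
    # if status.xsl is present on disk, nginx would return the raw XSLT instead of
    # letting icecast render it; check what the directory actually contains.
    root /srv/web/pouet.hacktivis.me/;

    ssl_certificate certificates/pouet.hacktivis.me.pem;
    ssl_certificate_key certificates/pouet.hacktivis.me.key;
    # Ephemeral ECDH only (no DHE suites, so no ssl_dhparam is needed) and AEAD
    # ciphers only.
    ssl_ciphers 'EECDH+CHACHA20:EECDH+AESGCM'; # wider alternative: EECDH+CHACHA20:EECDH+AES:DHE+CHACHA20:DHE+AES:+SHA
    ssl_prefer_server_ciphers on; # clients commonly ship a poor cipher order
    # TLS 1.0/1.1 are off because they are deprecated (RFC 8996: BEAST, SHA-1
    # based MACs), not because of POODLE, which is an SSLv3 flaw. Add TLSv1.3
    # once the nginx/OpenSSL build in use supports it.
    ssl_protocols TLSv1.2;
    # X25519 first. NOTE(review): secp256r1 is not listed, so a client that only
    # supports P-256 cannot complete the handshake; sect571r1 is a binary curve
    # almost no client offers and it does not exist in TLS 1.3.
    ssl_ecdh_curve X25519:sect571r1:secp521r1:secp384r1;
    # NOTE(review): stapling needs a "resolver" directive to look up the OCSP
    # responder, and ssl_stapling_verify needs ssl_trusted_certificate (the
    # issuer chain); neither is in this listing, so check error.log for
    # "ssl_stapling ignored" / verification warnings.
    ssl_stapling on;
    ssl_stapling_verify on;
    ssl_session_cache shared:SSL:10m;
    ssl_session_timeout 10m;
    # Session tickets remain enabled (nginx default); the ticket key is random
    # per start and otherwise never rotated. Consider ssl_session_tickets off.

    # "always" so the headers are also sent on error responses (404 from icecast,
    # 401 on /admin/), which add_header skips by default.
    # max-age 31536000 is one year (not six months), the minimum the HSTS preload
    # list accepts; "preload" has no effect until the domain is submitted to it.
    add_header Strict-Transport-Security 'max-age=31536000; includeSubDomains; preload' always;
    # HPKP is deprecated and a self-inflicted denial of service risk; keep it off.
    #add_header Public-Key-Pins 'pin-sha256="nL2KrUGakuCVVOeO152WRynVeJs+clhS+02EiIbDrPQ="; pin-sha256="9kgt0my3CzTv4sK5TsYJmEw5FzYLLUrFJr86Vmhbb4k="; max-age=5184000';
    add_header X-Frame-Options "DENY" always; # deny framing
    add_header X-Content-Type-Options "nosniff" always;
    # Legacy XSS-auditor switch: current browsers ignore it and present guidance
    # is to send "0" or drop it; kept as-is pending that decision.
    add_header X-XSS-Protection "1; mode=block" always;
    #add_header Content-Security-Policy "default-src 'none'; script-src 'none'; style-src 'self'; img-src 'self'; media-src 'self';";
    add_header Referrer-Policy "no-referrer" always;
    add_header X-Clacks-Overhead "GNU Rémi Fraisse";

    # Everything not found on disk goes to icecast, including /admin/ (basic auth
    # over TLS). NOTE(review): restrict /admin/ with allow/deny or a separate
    # location if remote administration is not needed.
    location @icecast2 {
        proxy_buffering off; # stream straight through, never buffer to disk
        proxy_ignore_client_abort off;
        proxy_intercept_errors on;
        proxy_next_upstream error timeout invalid_header;
        proxy_redirect off;
        proxy_set_header X-Host $http_host;
        # NOTE(review): icecast 2.4 does not honour X-Forwarded-For; it only ever
        # sees 127.0.0.1. If listener anonymity is the goal, consider dropping
        # this header and turning access_log off in this server, which is
        # otherwise the one place the real client address is recorded.
        proxy_set_header X-Forwarded-For $remote_addr;
        proxy_connect_timeout 60;
        # Long-lived audio streams: six hours before an idle upstream is dropped.
        proxy_send_timeout 21600;
        proxy_read_timeout 21600;
        # Explicit loopback address rather than "localhost", which may also
        # resolve to ::1 and make nginx try (and log) a failing upstream when
        # icecast is bound to 127.0.0.1 only.
        proxy_pass http://127.0.0.1:8000;
    }
    location / {
        try_files $uri @icecast2;
    }
}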