
blog

My little blog can’t be this cute!
commit: ee89576a16a739a9e4f4bd7130a624a43493a8f9
parent: ea88369831476ffe1c2f682c0b65ca2d9cec2c2c
Author: Haelwenn (lanodan) Monnier <contact@hacktivis.me>
Date:   Tue, 10 Apr 2018 22:54:06 +0200

[articles] Mise en place d’un relai icecast

Diffstat:

Marticles/J’ai changé de clé OpenPGP.shtml1+
Aarticles/Mise en place d’un relai icecast.html124+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Aarticles/Mise en place d’un relai icecast.shtml17+++++++++++++++++
3 files changed, 142 insertions(+), 0 deletions(-)

diff --git a/articles/J’ai changé de clé OpenPGP.shtml b/articles/J’ai changé de clé OpenPGP.shtml
@@ -5,6 +5,7 @@
 <title>J’ai changé de clé OpenPGP — Cyber-habitat de lanodan</title>
 <link type="application/rss+xml" href="/rss" title="flux RSS" rel="alternate">
 <link rel="prev" href="/articles/All%20Communities%20Are%20Broken">
+ <link rel="next" href="/articles/Mise%20en%20place%20d%E2%80%99un%20relai%20icecast">
 </head>
 <body>
 <!--#set var="transPageUrl" value='/articles/I%20changed%20my%20OpenPGP%20keys' --><!--#include file="/templates/fr/nav.shtml" -->
diff --git a/articles/Mise en place d’un relai icecast.html b/articles/Mise en place d’un relai icecast.html
@@ -0,0 +1,124 @@
+<h1><a href="/articles/Mise%20en%20place%20d%E2%80%99un%20relai%20icecast">Mise en place d’un relai icecast</a></h1>
+<p>Mis en place pour faire relai de <a href="http://zad.nadir.org/spip.php?rubrique71">radio klaxon</a> de la <abbr title="Zone À Défendre">ZAD</abbr> de <abbr title="Notre Dame Des Landes">NDDL</a> qui ne tenait apparement plus la charge, et pour un peu de crypto+annonymat. Ci-dessous, la config icecast, puis la config nginx.</p>
+<p>Config pour icecast:</p>
+<pre><code>
+&lt;icecast&gt;
+ &lt;limits&gt;
+ &lt;clients&gt;500&lt;/clients&gt;
+ &lt;sources&gt;2&lt;/sources&gt;
+ &lt;queue-size&gt;524288&lt;/queue-size&gt;
+ &lt;client-timeout&gt;30&lt;/client-timeout&gt;
+ &lt;header-timeout&gt;15&lt;/header-timeout&gt;
+ &lt;source-timeout&gt;10&lt;/source-timeout&gt;
+ &lt;burst-on-connect&gt;1&lt;/burst-on-connect&gt;
+ &lt;burst-size&gt;65535&lt;/burst-size&gt;
+ &lt;/limits&gt;
+ &lt;hostname&gt;pouet.hacktivis.me&lt;/hostname&gt;
+ &lt;listen-socket&gt;
+ &lt;port&gt;8000&lt;/port&gt;
+ &lt;!-- &lt;bind-address&gt;127.0.0.1&lt;/bind-address&gt; --&gt;
+ &lt;/listen-socket&gt;
+ &lt;relay&gt;
+ &lt;server&gt;radio.antirep.net&lt;/server&gt;
+ &lt;port&gt;8000&lt;/port&gt;
+ &lt;mount&gt;/RadioKlaxon&lt;/mount&gt;
+ &lt;local-mount&gt;/RadioKlaxon&lt;/local-mount&gt;
+ &lt;on-demand&gt;0&lt;/on-demand&gt;
+
+ &lt;relay-shoutcast-metadata&gt;1&lt;/relay-shoutcast-metadata&gt;
+ &lt;/relay&gt;
+ &lt;relay&gt;
+ &lt;server&gt;radio.antirep.net&lt;/server&gt;
+ &lt;port&gt;8000&lt;/port&gt;
+ &lt;mount&gt;/RadioKlaxonOff&lt;/mount&gt;
+ &lt;local-mount&gt;/RadioKlaxonOff&lt;/local-mount&gt;
+ &lt;on-demand&gt;0&lt;/on-demand&gt;
+
+ &lt;relay-shoutcast-metadata&gt;1&lt;/relay-shoutcast-metadata&gt;
+ &lt;/relay&gt;
+ &lt;fileserve&gt;1&lt;/fileserve&gt;
+ &lt;paths&gt;
+ &lt;basedir&gt;/usr/share/icecast&lt;/basedir&gt;
+ &lt;logdir&gt;/var/log/icecast&lt;/logdir&gt;
+ &lt;webroot&gt;/srv/web/pouet.hacktivis.me&lt;/webroot&gt;
+ &lt;adminroot&gt;/usr/share/icecast/admin&lt;/adminroot&gt;
+ &lt;alias source="/" dest="/status.xsl"/&gt;
+ &lt;/paths&gt;
+
+ &lt;logging&gt;
+ &lt;errorlog&gt;error.log&lt;/errorlog&gt;
+ &lt;loglevel&gt;2&lt;/loglevel&gt; &lt;!-- 4 Debug, 3 Info, 2 Warn, 1 Error --&gt;
+ &lt;logsize&gt;10000&lt;/logsize&gt; &lt;!-- Max size of a logfile --&gt;
+ &lt;/logging&gt;
+
+ &lt;security&gt;
+ &lt;chroot&gt;0&lt;/chroot&gt;
+ &lt;changeowner&gt;
+ &lt;user&gt;icecast&lt;/user&gt;
+ &lt;group&gt;nogroup&lt;/group&gt;
+ &lt;/changeowner&gt;
+ &lt;/security&gt;
+&lt;/icecast&gt;
+</code></pre>
+<p>Config pour nginx:</p>
+<pre><code>
+server {
+ listen 80;
+ listen [::]:80;
+ listen 8000;
+ listen [::]:8000;
+
+ server_name pouet.hacktivis.me;
+
+ location / {
+ return 301 https://$server_name$request_uri;
+ }
+}
+server {
+ listen 443 ssl http2;
+ listen [::]:443 ssl http2;
+
+ server_name pouet.hacktivis.me;
+ large_client_header_buffers 4 16k;
+
+ root /srv/web/pouet.hacktivis.me/;
+
+ ssl_certificate certificates/pouet.hacktivis.me.pem;
+ ssl_certificate_key certificates/pouet.hacktivis.me.key;
+
+ ssl_ciphers 'EECDH+CHACHA20:EECDH+AESGCM'; # or EECDH+CHACHA20:EECDH+AES:DHE+CHACHA20:DHE+AES:+SHA
+ ssl_prefer_server_ciphers on; # Parceque les clients on une config TLS toute pouritte
+ ssl_protocols TLSv1.2; # POODLE sur ≤TLS1.1
+ ssl_ecdh_curve X25519:sect571r1:secp521r1:secp384r1;
+ ssl_stapling on;
+ ssl_stapling_verify on;
+ ssl_session_cache shared:SSL:10m;
+ ssl_session_timeout 10m;
+
+ add_header Strict-Transport-Security 'max-age=31536000; includeSubDomains; preload'; # Garder l’https pendant 6 mois et inclure les sous-domaines
+ #add_header Public-Key-Pins 'pin-sha256="nL2KrUGakuCVVOeO152WRynVeJs+clhS+02EiIbDrPQ="; pin-sha256="9kgt0my3CzTv4sK5TsYJmEw5FzYLLUrFJr86Vmhbb4k="; max-age=5184000';
+ add_header X-Frame-Options "DENY"; # Deny framing
+ add_header X-Content-Type-Options "nosniff";
+ add_header X-XSS-Protection "1; mode=block";
+ #add_header Content-Security-Policy "default-src 'none'; script-src 'none'; style-src 'self'; img-src 'self'; media-src 'self';";
+ add_header Referrer-Policy "no-referrer";
+ add_header X-Clacks-Overhead "GNU Rémi Fraisse";
+
+ location @icecast2 {
+ proxy_buffering off;
+ proxy_ignore_client_abort off;
+ proxy_intercept_errors on;
+ proxy_next_upstream error timeout invalid_header;
+ proxy_redirect off;
+ proxy_set_header X-Host $http_host;
+ proxy_set_header X-Forwarded-For $remote_addr;
+ proxy_connect_timeout 60;
+ proxy_send_timeout 21600;
+ proxy_read_timeout 21600;
+ proxy_pass http://localhost:8000;
+ }
+ location / {
+ try_files $uri @icecast2;
+ }
+}
+</code></pre>
diff --git a/articles/Mise en place d’un relai icecast.shtml b/articles/Mise en place d’un relai icecast.shtml
@@ -0,0 +1,17 @@
+<!DOCTYPE html>
+<html lang="fr">
+ <head>
+<!--#include file="/templates/head.shtml" -->
+ <title>Mise en place d’un relai icecast — Cyber-habitat de lanodan</title>
+ <link type="application/rss+xml" href="/rss" title="flux RSS" rel="alternate">
+ <link rel="prev" href="/articles/J%E2%80%99ai%20chang%C3%A9%20de%20cl%C3%A9%20OpenPGP">
+ </head>
+ <body>
+<!--#include file="/templates/fr/nav.shtml" -->
+ <article>
+<!--#include file="/articles/Mise en place d’un relai icecast.html"-->
+ </article>
+ <a href="/articles/Mise%20en%20place%20d%E2%80%99un%20relai%20icecast">article seul(HTML-brut)</a>
+<!--#include file="/templates/fr/footer.html" -->
+ </body>
+</html>
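Review bot: In `articles/Mise en place d’un relai icecast.html`, the published icecast `<listen-socket>` leaves `<bind-address>127.0.0.1</bind-address>` commented out while the nginx redirect server also has `listen 8000;`. As written, the two daemons either compete for the same port or, if icecast gets the bind, the relay is reachable in cleartext on every interface, bypassing the TLS settings and response headers configured in the 443 server. Binding the backend to loopback on its own port keeps the proxy as the only entry point: `<bind-address>127.0.0.1</bind-address>`, `<port>8001</port>` and `proxy_pass http://127.0.0.1:8001;` (the port number is only an example). The comment on the `Strict-Transport-Security` line says six months, but `max-age=31536000` is one year and is sent with `includeSubDomains; preload`, so it should read `# Garder l’https pendant 1 an et inclure les sous-domaines`. Separately, in the introductory paragraph `<abbr title="Notre Dame Des Landes">NDDL</a>` is closed with `</a>` instead of `</abbr>`.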