commit: ee89576a16a739a9e4f4bd7130a624a43493a8f9 parent ea88369831476ffe1c2f682c0b65ca2d9cec2c2c Author: Haelwenn (lanodan) Monnier <contact@hacktivis.me> Date: Tue, 10 Apr 2018 22:54:06 +0200 [articles] Mise en place d’un relai icecastDiffstat:
M | articles/J’ai changé de clé OpenPGP.shtml | 1 | + |
A | articles/Mise en place d’un relai icecast.html | 124 | +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ |
A | articles/Mise en place d’un relai icecast.shtml | 17 | +++++++++++++++++ |
3 files changed, 142 insertions(+), 0 deletions(-)
diff --git a/articles/J’ai changé de clé OpenPGP.shtml b/articles/J’ai changé de clé OpenPGP.shtml
@@ -5,6 +5,7 @@
 <title>J’ai changé de clé OpenPGP — Cyber-habitat de lanodan</title>
 <link type="application/rss+xml" href="/rss" title="flux RSS" rel="alternate">
 <link rel="prev" href="/articles/All%20Communities%20Are%20Broken">
+ <link rel="next" href="/articles/Mise%20en%20place%20d%E2%80%99un%20relai%20icecast">
 </head>
 <body>
 <!--#set var="transPageUrl" value='/articles/I%20changed%20my%20OpenPGP%20keys' --><!--#include file="/templates/fr/nav.shtml" -->
diff --git a/articles/Mise en place d’un relai icecast.html b/articles/Mise en place d’un relai icecast.html
@@ -0,0 +1,124 @@
+<h1><a href="/articles/Mise%20en%20place%20d%E2%80%99un%20relai%20icecast">Mise en place d’un relai icecast</a></h1>
+<p>Mis en place pour faire relai de <a href="http://zad.nadir.org/spip.php?rubrique71">radio klaxon</a> de la <abbr title="Zone À Défendre">ZAD</abbr> de <abbr title="Notre Dame Des Landes">NDDL</a> qui ne tenait apparement plus la charge, et pour un peu de crypto+annonymat. Ci-dessous, la config icecast, puis la config nginx.</p>
+<p>Config pour icecast:</p>
+<pre><code>
+<icecast>
+ <limits>
+ <clients>500</clients>
+ <sources>2</sources>
+ <queue-size>524288</queue-size>
+ <client-timeout>30</client-timeout>
+ <header-timeout>15</header-timeout>
+ <source-timeout>10</source-timeout>
+ <burst-on-connect>1</burst-on-connect>
+ <burst-size>65535</burst-size>
+ </limits>
+ <hostname>pouet.hacktivis.me</hostname>
+ <listen-socket>
+ <port>8000</port>
+ <!-- <bind-address>127.0.0.1</bind-address> -->
+ </listen-socket>
+ <relay>
+ <server>radio.antirep.net</server>
+ <port>8000</port>
+ <mount>/RadioKlaxon</mount>
+ <local-mount>/RadioKlaxon</local-mount>
+ <on-demand>0</on-demand>
+
+ <relay-shoutcast-metadata>1</relay-shoutcast-metadata>
+ </relay>
+ <relay>
+ <server>radio.antirep.net</server>
+ <port>8000</port>
+ <mount>/RadioKlaxonOff</mount>
+ <local-mount>/RadioKlaxonOff</local-mount>
+ <on-demand>0</on-demand>
+
+ <relay-shoutcast-metadata>1</relay-shoutcast-metadata>
+ </relay>
+ <fileserve>1</fileserve>
+ <paths>
+ <basedir>/usr/share/icecast</basedir>
+ <logdir>/var/log/icecast</logdir>
+ <webroot>/srv/web/pouet.hacktivis.me</webroot>
+ <adminroot>/usr/share/icecast/admin</adminroot>
+ <alias source="/" dest="/status.xsl"/>
+ </paths>
+
+ <logging>
+ <errorlog>error.log</errorlog>
+ <loglevel>2</loglevel> <!-- 4 Debug, 3 Info, 2 Warn, 1 Error -->
+ <logsize>10000</logsize> <!-- Max size of a logfile -->
+ </logging>
+
+ <security>
+ <chroot>0</chroot>
+ <changeowner>
+ <user>icecast</user>
+ <group>nogroup</group>
+ </changeowner>
+ </security>
+</icecast>
+</code></pre>
+<p>Config pour nginx:</p>
+<pre><code>
+server {
+ listen 80;
+ listen [::]:80;
+ listen 8000;
+ listen [::]:8000;
+
+ server_name pouet.hacktivis.me;
+
+ location / {
+ return 301 https://$server_name$request_uri;
+ }
+}
+server {
+ listen 443 ssl http2;
+ listen [::]:443 ssl http2;
+
+ server_name pouet.hacktivis.me;
+ large_client_header_buffers 4 16k;
+
+ root /srv/web/pouet.hacktivis.me/;
+
+ ssl_certificate certificates/pouet.hacktivis.me.pem;
+ ssl_certificate_key certificates/pouet.hacktivis.me.key;
+
+ ssl_ciphers 'EECDH+CHACHA20:EECDH+AESGCM'; # or EECDH+CHACHA20:EECDH+AES:DHE+CHACHA20:DHE+AES:+SHA
+ ssl_prefer_server_ciphers on; # Parceque les clients on une config TLS toute pouritte
+ ssl_protocols TLSv1.2; # POODLE sur ≤TLS1.1
+ ssl_ecdh_curve X25519:sect571r1:secp521r1:secp384r1;
+ ssl_stapling on;
+ ssl_stapling_verify on;
+ ssl_session_cache shared:SSL:10m;
+ ssl_session_timeout 10m;
+
+ add_header Strict-Transport-Security 'max-age=31536000; includeSubDomains; preload'; # Garder l’https pendant 6 mois et inclure les sous-domaines
+ #add_header Public-Key-Pins 'pin-sha256="nL2KrUGakuCVVOeO152WRynVeJs+clhS+02EiIbDrPQ="; pin-sha256="9kgt0my3CzTv4sK5TsYJmEw5FzYLLUrFJr86Vmhbb4k="; max-age=5184000';
+ add_header X-Frame-Options "DENY"; # Deny framing
+ add_header X-Content-Type-Options "nosniff";
+ add_header X-XSS-Protection "1; mode=block";
+ #add_header Content-Security-Policy "default-src 'none'; script-src 'none'; style-src 'self'; img-src 'self'; media-src 'self';";
+ add_header Referrer-Policy "no-referrer";
+ add_header X-Clacks-Overhead "GNU Rémi Fraisse";
+
+ location @icecast2 {
+ proxy_buffering off;
+ proxy_ignore_client_abort off;
+ proxy_intercept_errors on;
+ proxy_next_upstream error timeout invalid_header;
+ proxy_redirect off;
+ proxy_set_header X-Host $http_host;
+ proxy_set_header X-Forwarded-For $remote_addr;
+ proxy_connect_timeout 60;
+ proxy_send_timeout 21600;
+ proxy_read_timeout 21600;
+ proxy_pass http://localhost:8000;
+ }
+ location / {
+ try_files $uri @icecast2;
+ }
+}
+</code></pre>
diff --git a/articles/Mise en place d’un relai icecast.shtml b/articles/Mise en place d’un relai icecast.shtml
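Review bot: In the icecast listing `<bind-address>127.0.0.1</bind-address>` is left commented out while the nginx block both listens on port 8000 and proxies to `http://localhost:8000`, so as published the two daemons appear to be configured for the same wildcard port; a reader copying this would get either a redirect loop through the port-8000 server block or an icecast that is reachable in cleartext around the TLS front end. Un-commenting the bind-address line, and having nginx listen on the public address only for port 8000, would make the example match the article's stated aim. The HSTS comment says six months but `max-age=31536000` is one year; `# Garder l’https pendant 1 an et inclure les sous-domaines` would match the value. In the intro paragraph `<abbr title="Notre Dame Des Landes">NDDL</a>` closes with the wrong tag and should end with `</abbr>`. If the file really holds raw `<icecast>` tags inside `<pre><code>` rather than `&lt;` entities (it looks that way here, though the page rendering may have decoded them), browsers will drop the tags and show only the values.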
@@ -0,0 +1,17 @@
+<!DOCTYPE html>
+<html lang="fr">
+ <head>
+<!--#include file="/templates/head.shtml" -->
+ <title>Mise en place d’un relai icecast — Cyber-habitat de lanodan</title>
+ <link type="application/rss+xml" href="/rss" title="flux RSS" rel="alternate">
+ <link rel="prev" href="/articles/J%E2%80%99ai%20chang%C3%A9%20de%20cl%C3%A9%20OpenPGP">
+ </head>
+ <body>
+<!--#include file="/templates/fr/nav.shtml" -->
+ <article>
+<!--#include file="/articles/Mise en place d’un relai icecast.html"-->
+ </article>
+ <a href="/articles/Mise%20en%20place%20d%E2%80%99un%20relai%20icecast">article seul(HTML-brut)</a>
+<!--#include file="/templates/fr/footer.html" -->
+ </body>
+</html>