blog

Mise en place d’un relai icecast.xhtml (5545B)

<!--
Copyright © 2014 Haelwenn (lanodan) Monnier
SPDX-License-Identifier: LAL-1.3
-->
<article lang="fr" class="h-entry">
<h1 class="p-name"><a class="u-url" href="/articles/Mise%20en%20place%20d%E2%80%99un%20relai%20icecast">Mise en place d’un relai icecast</a></h1>
<p>Mis en place pour faire relai de <a href="http://zad.nadir.org/spip.php?rubrique71">radio klaxon</a> de la <abbr title="Zone À Défendre">ZAD</abbr> de <abbr title="Notre Dame Des Landes">NDDL</abbr> qui ne tenait apparement plus la charge, et pour un peu de crypto+annonymat. Ci-dessous, la config icecast, puis la config nginx.</p>
<p>Config pour icecast:</p>
<pre><code>
&lt;icecast&gt;
    &lt;limits&gt;
        &lt;clients&gt;500&lt;/clients&gt;
        &lt;sources&gt;2&lt;/sources&gt;
        &lt;queue-size&gt;524288&lt;/queue-size&gt;
        &lt;client-timeout&gt;30&lt;/client-timeout&gt;
        &lt;header-timeout&gt;15&lt;/header-timeout&gt;
        &lt;source-timeout&gt;10&lt;/source-timeout&gt;
        &lt;burst-on-connect&gt;1&lt;/burst-on-connect&gt;
        &lt;burst-size&gt;65535&lt;/burst-size&gt;
    &lt;/limits&gt;
    &lt;hostname&gt;pouet.hacktivis.me&lt;/hostname&gt;
    &lt;listen-socket&gt;
        &lt;port&gt;8000&lt;/port&gt;
        &lt;!-- &lt;bind-address&gt;127.0.0.1&lt;/bind-address&gt; --&gt;
    &lt;/listen-socket&gt;
    &lt;relay&gt;
        &lt;server&gt;radio.antirep.net&lt;/server&gt;
        &lt;port&gt;8000&lt;/port&gt;
        &lt;mount&gt;/RadioKlaxon&lt;/mount&gt;
        &lt;local-mount&gt;/RadioKlaxon&lt;/local-mount&gt;
        &lt;on-demand&gt;0&lt;/on-demand&gt;
        &lt;relay-shoutcast-metadata&gt;1&lt;/relay-shoutcast-metadata&gt;
    &lt;/relay&gt;
    &lt;relay&gt;
        &lt;server&gt;radio.antirep.net&lt;/server&gt;
        &lt;port&gt;8000&lt;/port&gt;
        &lt;mount&gt;/RadioKlaxonOff&lt;/mount&gt;
        &lt;local-mount&gt;/RadioKlaxonOff&lt;/local-mount&gt;
        &lt;on-demand&gt;0&lt;/on-demand&gt;
        &lt;relay-shoutcast-metadata&gt;1&lt;/relay-shoutcast-metadata&gt;
    &lt;/relay&gt;
    &lt;fileserve&gt;1&lt;/fileserve&gt;
    &lt;paths&gt;
        &lt;basedir&gt;/usr/share/icecast&lt;/basedir&gt;
        &lt;logdir&gt;/var/log/icecast&lt;/logdir&gt;
        &lt;webroot&gt;/srv/web/pouet.hacktivis.me&lt;/webroot&gt;
        &lt;adminroot&gt;/usr/share/icecast/admin&lt;/adminroot&gt;
        &lt;alias source="/" dest="/status.xsl"/&gt;
    &lt;/paths&gt;
    &lt;logging&gt;
        &lt;errorlog&gt;error.log&lt;/errorlog&gt;
        &lt;loglevel&gt;2&lt;/loglevel&gt; &lt;!-- 4 Debug, 3 Info, 2 Warn, 1 Error --&gt;
        &lt;logsize&gt;10000&lt;/logsize&gt; &lt;!-- Max size of a logfile --&gt;
    &lt;/logging&gt;
    &lt;security&gt;
        &lt;chroot&gt;0&lt;/chroot&gt;
        &lt;changeowner&gt;
            &lt;user&gt;icecast&lt;/user&gt;
            &lt;group&gt;nogroup&lt;/group&gt;
        &lt;/changeowner&gt;
    &lt;/security&gt;
&lt;/icecast&gt;
</code></pre>
<p>Config pour nginx:</p>
<pre><code>
server {
        listen 80;
        listen [::]:80;
        listen 8000;
        listen [::]:8000;
        server_name pouet.hacktivis.me;
        location / {
                return 301 https://$server_name$request_uri;
        }
}
server {
        listen 443 ssl http2;
        listen [::]:443 ssl http2;
        server_name pouet.hacktivis.me;
        large_client_header_buffers 4 16k;
        root /srv/web/pouet.hacktivis.me/;
        ssl_certificate     certificates/pouet.hacktivis.me.pem;
        ssl_certificate_key certificates/pouet.hacktivis.me.key;
        ssl_ciphers 'EECDH+CHACHA20:EECDH+AESGCM'; # or EECDH+CHACHA20:EECDH+AES:DHE+CHACHA20:DHE+AES:+SHA
        ssl_prefer_server_ciphers on; # Parceque les clients on une config TLS toute pouritte
        ssl_protocols TLSv1.2; # POODLE sur ≤TLS1.1
        ssl_ecdh_curve X25519:sect571r1:secp521r1:secp384r1;
        ssl_stapling on;
        ssl_stapling_verify on;
        ssl_session_cache   shared:SSL:10m;
        ssl_session_timeout 10m;
        add_header Strict-Transport-Security 'max-age=31536000; includeSubDomains; preload'; # Garder l’https pendant 6 mois et inclure les sous-domaines
        #add_header Public-Key-Pins           'pin-sha256="nL2KrUGakuCVVOeO152WRynVeJs+clhS+02EiIbDrPQ="; pin-sha256="9kgt0my3CzTv4sK5TsYJmEw5FzYLLUrFJr86Vmhbb4k="; max-age=5184000';
        add_header X-Frame-Options           "DENY"; # Deny framing
        add_header X-Content-Type-Options    "nosniff";
        add_header X-XSS-Protection          "1; mode=block";
        #add_header Content-Security-Policy   "default-src 'none'; script-src 'none'; style-src 'self'; img-src 'self'; media-src 'self';";
        add_header Referrer-Policy           "no-referrer";
        add_header X-Clacks-Overhead         "GNU Rémi Fraisse";
        location @icecast2 {
                proxy_buffering           off;
                proxy_ignore_client_abort off;
                proxy_intercept_errors    on;
                proxy_next_upstream       error timeout invalid_header;
                proxy_redirect            off;
                proxy_set_header          X-Host $http_host;
                proxy_set_header          X-Forwarded-For $remote_addr;
                proxy_connect_timeout     60;
                proxy_send_timeout        21600;
                proxy_read_timeout        21600;
                proxy_pass http://localhost:8000;
        }
        location / {
                try_files $uri @icecast2;
        }
}
</code></pre>
</article>