
blog

My little blog can’t be this cute!

Mise en place d’un relai icecast.xhtml (5458B)


      1 <article lang="fr" class="h-entry">
      2 <h1 class="p-name"><a class="u-url" href="/articles/Mise%20en%20place%20d%E2%80%99un%20relai%20icecast">Mise en place d’un relai icecast</a></h1>
      3 <p>Mis en place pour faire relai de <a href="http://zad.nadir.org/spip.php?rubrique71">radio klaxon</a> de la <abbr title="Zone À Défendre">ZAD</abbr> de <abbr title="Notre Dame Des Landes">NDDL</abbr> qui ne tenait apparemment plus la charge, et pour un peu de crypto+anonymat. Ci-dessous, la config icecast, puis la config nginx.</p>
      4 <p>Config pour icecast:</p>
      5 <pre><code>
      6 &lt;icecast&gt; &lt;!-- Relay-only Icecast config: mirrors two mounts from radio.antirep.net. NOTE(review): no authentication section appears in this listing; confirm the deployed file sets non-default source and admin passwords. --&gt;
      7     &lt;limits&gt;
      8         &lt;clients&gt;500&lt;/clients&gt; &lt;!-- maximum concurrent client connections --&gt;
      9         &lt;sources&gt;2&lt;/sources&gt; &lt;!-- active relays count as sources; the two relay blocks below use both slots --&gt;
     10         &lt;queue-size&gt;524288&lt;/queue-size&gt;
     11         &lt;client-timeout&gt;30&lt;/client-timeout&gt;
     12         &lt;header-timeout&gt;15&lt;/header-timeout&gt;
     13         &lt;source-timeout&gt;10&lt;/source-timeout&gt;
     14         &lt;burst-on-connect&gt;1&lt;/burst-on-connect&gt;
     15         &lt;burst-size&gt;65535&lt;/burst-size&gt;
     16     &lt;/limits&gt;
     17     &lt;hostname&gt;pouet.hacktivis.me&lt;/hostname&gt;
     18     &lt;listen-socket&gt;
     19         &lt;port&gt;8000&lt;/port&gt;
     20         &lt;!-- &lt;bind-address&gt;127.0.0.1&lt;/bind-address&gt; --&gt;
     21     &lt;/listen-socket&gt; &lt;!-- NOTE(review): bind-address is commented out, so this file does not restrict the listen address; the nginx config on this page proxies to localhost:8000, so a loopback bind would keep the plaintext port off public interfaces. Confirm against the deployment. --&gt;
     22     &lt;relay&gt;
     23         &lt;server&gt;radio.antirep.net&lt;/server&gt;
     24         &lt;port&gt;8000&lt;/port&gt; &lt;!-- NOTE(review): the relay-to-origin hop appears to be plain HTTP; only the listener-facing side is wrapped in TLS by nginx. Confirm. --&gt;
     25         &lt;mount&gt;/RadioKlaxon&lt;/mount&gt;
     26         &lt;local-mount&gt;/RadioKlaxon&lt;/local-mount&gt;
     27         &lt;on-demand&gt;0&lt;/on-demand&gt; &lt;!-- 0: keep the relay connected even when nobody is listening --&gt;
     28 
     29         &lt;relay-shoutcast-metadata&gt;1&lt;/relay-shoutcast-metadata&gt;
     30     &lt;/relay&gt;
     31     &lt;relay&gt;
     32         &lt;server&gt;radio.antirep.net&lt;/server&gt;
     33         &lt;port&gt;8000&lt;/port&gt;
     34         &lt;mount&gt;/RadioKlaxonOff&lt;/mount&gt;
     35         &lt;local-mount&gt;/RadioKlaxonOff&lt;/local-mount&gt;
     36         &lt;on-demand&gt;0&lt;/on-demand&gt;
     37 
     38         &lt;relay-shoutcast-metadata&gt;1&lt;/relay-shoutcast-metadata&gt;
     39     &lt;/relay&gt;
     40     &lt;fileserve&gt;1&lt;/fileserve&gt; &lt;!-- static files under webroot are served by Icecast as well --&gt;
     41     &lt;paths&gt;
     42         &lt;basedir&gt;/usr/share/icecast&lt;/basedir&gt;
     43         &lt;logdir&gt;/var/log/icecast&lt;/logdir&gt;
     44         &lt;webroot&gt;/srv/web/pouet.hacktivis.me&lt;/webroot&gt; &lt;!-- same directory as the nginx root on this page --&gt;
     45         &lt;adminroot&gt;/usr/share/icecast/admin&lt;/adminroot&gt;
     46         &lt;alias source="/" dest="/status.xsl"/&gt; &lt;!-- the site root shows the status page --&gt;
     47     &lt;/paths&gt;
     48 
     49     &lt;logging&gt; &lt;!-- NOTE(review): only errorlog is set here; if listener anonymity matters, check whether the build still writes a default access log with client addresses. --&gt;
     50         &lt;errorlog&gt;error.log&lt;/errorlog&gt;
     51         &lt;loglevel&gt;2&lt;/loglevel&gt; &lt;!-- 4 Debug, 3 Info, 2 Warn, 1 Error --&gt;
     52         &lt;logsize&gt;10000&lt;/logsize&gt; &lt;!-- Max size of a logfile --&gt;
     53     &lt;/logging&gt;
     54 
     55     &lt;security&gt;
     56         &lt;chroot&gt;0&lt;/chroot&gt; &lt;!-- no chroot; isolation relies on the unprivileged account below --&gt;
     57         &lt;changeowner&gt; &lt;!-- account the process switches to; takes effect only when Icecast is started as root --&gt;
     58             &lt;user&gt;icecast&lt;/user&gt;
     59             &lt;group&gt;nogroup&lt;/group&gt;
     60         &lt;/changeowner&gt;
     61     &lt;/security&gt;
     62 &lt;/icecast&gt;
     63 </code></pre>
     64 <p>Config pour nginx:</p>
     65 <pre><code>
     66 server { # Plain-HTTP vhost: its only job is to redirect to the HTTPS vhost
     67         listen 80;
     68         listen [::]:80;
     69         listen 8000; # NOTE(review): same port number as the Icecast listen-socket and the proxy_pass target on this page; confirm the two daemons bind different addresses
     70         listen [::]:8000;
     71 
     72         server_name pouet.hacktivis.me;
     73 
     74         location / {
     75                 return 301 https://$server_name$request_uri; # built from the configured server_name, not the client-supplied Host header
     76         }
     77 }
     78 server { # HTTPS vhost: serves static files and falls back to the local Icecast
     79         listen 443 ssl http2;
     80         listen [::]:443 ssl http2;
     81 
     82         server_name pouet.hacktivis.me;
     83         large_client_header_buffers 4 16k;
     84 
     85         root /srv/web/pouet.hacktivis.me/;
     86 
     87         ssl_certificate     certificates/pouet.hacktivis.me.pem;
     88         ssl_certificate_key certificates/pouet.hacktivis.me.key;
     89 
     90         ssl_ciphers 'EECDH+CHACHA20:EECDH+AESGCM'; # ECDHE key exchange with AEAD ciphers only; broader alternative: EECDH+CHACHA20:EECDH+AES:DHE+CHACHA20:DHE+AES:+SHA
     91         ssl_prefer_server_ciphers on; # Because clients often ship a poor TLS cipher preference order
     92         ssl_protocols TLSv1.2; # TLS 1.2 only. NOTE(review): POODLE proper targets SSLv3; TLS 1.0/1.1 are still worth excluding as deprecated (RFC 8996). TLSv1.3 is not listed here, so it is not offered.
     93         ssl_ecdh_curve X25519:sect571r1:secp521r1:secp384r1; # curve preference order, X25519 first
     94         ssl_stapling on;
     95         ssl_stapling_verify on; # NOTE(review): verification needs the issuer chain (ssl_trusted_certificate) and a resolver; neither is in this block, presumably set at http level. Confirm.
     96         ssl_session_cache   shared:SSL:10m;
     97         ssl_session_timeout 10m;
     98 
     99         add_header Strict-Transport-Security 'max-age=31536000; includeSubDomains; preload'; # HSTS for one year (31536000 s), covering subdomains, with the preload flag; without "always", add_header skips most error responses
    100         #add_header Public-Key-Pins           'pin-sha256="nL2KrUGakuCVVOeO152WRynVeJs+clhS+02EiIbDrPQ="; pin-sha256="9kgt0my3CzTv4sK5TsYJmEw5FzYLLUrFJr86Vmhbb4k="; max-age=5184000'; # HPKP left disabled; browsers have since dropped support for it
    101         add_header X-Frame-Options           "DENY"; # Deny framing
    102         add_header X-Content-Type-Options    "nosniff";
    103         add_header X-XSS-Protection          "1; mode=block"; # legacy header; current browsers ignore it
    104         #add_header Content-Security-Policy   "default-src 'none'; script-src 'none'; style-src 'self'; img-src 'self'; media-src 'self';";
    105         add_header Referrer-Policy           "no-referrer";
    106         add_header X-Clacks-Overhead         "GNU Rémi Fraisse";
    107 
    108         location @icecast2 { # named location: reverse proxy to the local Icecast
    109                 proxy_buffering           off; # pass the stream through without buffering
    110                 proxy_ignore_client_abort off;
    111                 proxy_intercept_errors    on;
    112                 proxy_next_upstream       error timeout invalid_header;
    113                 proxy_redirect            off;
    114                 proxy_set_header          X-Host $http_host;
    115                 proxy_set_header          X-Forwarded-For $remote_addr; # replaces any client-supplied X-Forwarded-For with the connecting address
    116                 proxy_connect_timeout     60;
    117                 proxy_send_timeout        21600; # 6 hours
    118                 proxy_read_timeout        21600; # 6 hours
    119                 proxy_pass http://localhost:8000; # plaintext hop to the local Icecast
    120         }
    121         location / {
    122                 try_files $uri @icecast2; # a static file under root wins; anything else goes to Icecast
    123         }
    124 }
    125 </code></pre>
    126 </article>