Mise en place d’un relai icecast.xhtml (5458B)


  1. <article lang="fr" class="h-entry">
  2. <h1 class="p-name"><a class="u-url" href="/articles/Mise%20en%20place%20d%E2%80%99un%20relai%20icecast">Mise en place d’un relai icecast</a></h1>
  3. <p>Mis en place pour faire relai de <a href="http://zad.nadir.org/spip.php?rubrique71">radio klaxon</a> de la <abbr title="Zone À Défendre">ZAD</abbr> de <abbr title="Notre Dame Des Landes">NDDL</abbr> qui ne tenait apparemment plus la charge, et pour un peu de crypto+anonymat. Ci-dessous, la config icecast, puis la config nginx.</p>
  4. <p>Config pour icecast:</p>
  5. <pre><code>
  6. &lt;icecast&gt; &lt;!-- Icecast relay for two radio.antirep.net mounts. NOTE(review): no authentication section appears in this listing; confirm the deployed file sets its own source, relay and admin passwords --&gt;
  7. &lt;limits&gt;
  8. &lt;clients&gt;500&lt;/clients&gt; &lt;!-- cap on simultaneous listeners --&gt;
  9. &lt;sources&gt;2&lt;/sources&gt; &lt;!-- matches the two relay entries below --&gt;
  10. &lt;queue-size&gt;524288&lt;/queue-size&gt;
  11. &lt;client-timeout&gt;30&lt;/client-timeout&gt;
  12. &lt;header-timeout&gt;15&lt;/header-timeout&gt;
  13. &lt;source-timeout&gt;10&lt;/source-timeout&gt;
  14. &lt;burst-on-connect&gt;1&lt;/burst-on-connect&gt;
  15. &lt;burst-size&gt;65535&lt;/burst-size&gt;
  16. &lt;/limits&gt;
  17. &lt;hostname&gt;pouet.hacktivis.me&lt;/hostname&gt;
  18. &lt;listen-socket&gt;
  19. &lt;port&gt;8000&lt;/port&gt;
  20. &lt;!-- &lt;bind-address&gt;127.0.0.1&lt;/bind-address&gt; --&gt; &lt;!-- NOTE(review): with bind-address commented out Icecast listens on every interface, so port 8000 is reachable in cleartext without going through nginx, and it overlaps with the "listen 8000" in the nginx config below; binding to 127.0.0.1 looks intended — confirm --&gt;
  21. &lt;/listen-socket&gt;
  22. &lt;relay&gt;
  23. &lt;server&gt;radio.antirep.net&lt;/server&gt;
  24. &lt;port&gt;8000&lt;/port&gt;
  25. &lt;mount&gt;/RadioKlaxon&lt;/mount&gt;
  26. &lt;local-mount&gt;/RadioKlaxon&lt;/local-mount&gt;
  27. &lt;on-demand&gt;0&lt;/on-demand&gt; &lt;!-- 0: stay connected to the upstream even when nobody is listening --&gt;
  28. &lt;relay-shoutcast-metadata&gt;1&lt;/relay-shoutcast-metadata&gt;
  29. &lt;/relay&gt;
  30. &lt;relay&gt;
  31. &lt;server&gt;radio.antirep.net&lt;/server&gt;
  32. &lt;port&gt;8000&lt;/port&gt;
  33. &lt;mount&gt;/RadioKlaxonOff&lt;/mount&gt;
  34. &lt;local-mount&gt;/RadioKlaxonOff&lt;/local-mount&gt;
  35. &lt;on-demand&gt;0&lt;/on-demand&gt;
  36. &lt;relay-shoutcast-metadata&gt;1&lt;/relay-shoutcast-metadata&gt;
  37. &lt;/relay&gt;
  38. &lt;fileserve&gt;1&lt;/fileserve&gt; &lt;!-- static files under webroot are served by Icecast itself --&gt;
  39. &lt;paths&gt;
  40. &lt;basedir&gt;/usr/share/icecast&lt;/basedir&gt;
  41. &lt;logdir&gt;/var/log/icecast&lt;/logdir&gt;
  42. &lt;webroot&gt;/srv/web/pouet.hacktivis.me&lt;/webroot&gt; &lt;!-- same directory nginx uses as its root --&gt;
  43. &lt;adminroot&gt;/usr/share/icecast/admin&lt;/adminroot&gt;
  44. &lt;alias source="/" dest="/status.xsl"/&gt; &lt;!-- requests for / are answered with the status page --&gt;
  45. &lt;/paths&gt;
  46. &lt;logging&gt;
  47. &lt;errorlog&gt;error.log&lt;/errorlog&gt;
  48. &lt;loglevel&gt;2&lt;/loglevel&gt; &lt;!-- 4 Debug, 3 Info, 2 Warn, 1 Error --&gt;
  49. &lt;logsize&gt;10000&lt;/logsize&gt; &lt;!-- Max size of a logfile --&gt;
  50. &lt;/logging&gt;
  51. &lt;security&gt;
  52. &lt;chroot&gt;0&lt;/chroot&gt; &lt;!-- no chroot; the changeowner privilege drop below is the only confinement configured here --&gt;
  53. &lt;changeowner&gt;
  54. &lt;user&gt;icecast&lt;/user&gt;
  55. &lt;group&gt;nogroup&lt;/group&gt;
  56. &lt;/changeowner&gt;
  57. &lt;/security&gt;
  58. &lt;/icecast&gt;
  59. </code></pre>
  60. <p>Config pour nginx:</p>
  61. <pre><code>
  62. server { # Cleartext listeners: every request is redirected to HTTPS
  63. listen 80;
  64. listen [::]:80;
  65. listen 8000; # NOTE(review): same port as the Icecast listen-socket; this only works if Icecast is bound to a different address (e.g. loopback) — confirm
  66. listen [::]:8000;
  67. server_name pouet.hacktivis.me;
  68. location / {
  69. return 301 https://$server_name$request_uri; # target host comes from server_name, not from the client's Host header
  70. }
  71. }
  72. server { # TLS front end: serves files found under root, proxies everything else to Icecast on localhost:8000
  73. listen 443 ssl http2;
  74. listen [::]:443 ssl http2;
  75. server_name pouet.hacktivis.me;
  76. large_client_header_buffers 4 16k;
  77. root /srv/web/pouet.hacktivis.me/;
  78. ssl_certificate certificates/pouet.hacktivis.me.pem;
  79. ssl_certificate_key certificates/pouet.hacktivis.me.key;
  80. ssl_ciphers 'EECDH+CHACHA20:EECDH+AESGCM'; # or EECDH+CHACHA20:EECDH+AES:DHE+CHACHA20:DHE+AES:+SHA
  81. ssl_prefer_server_ciphers on; # Because clients have a thoroughly rotten TLS config
  82. ssl_protocols TLSv1.2; # POODLE on ≤TLS1.1. NOTE(review): POODLE itself targets SSLv3 (a variant hit TLS stacks with lax CBC padding checks); this line also drops TLS 1.0/1.1
  83. ssl_ecdh_curve X25519:sect571r1:secp521r1:secp384r1;
  84. ssl_stapling on;
  85. ssl_stapling_verify on;
  86. ssl_session_cache shared:SSL:10m;
  87. ssl_session_timeout 10m;
  88. add_header Strict-Transport-Security 'max-age=31536000; includeSubDomains; preload'; # Keep HTTPS for one year (31536000 s) and include subdomains. NOTE(review): without "always" nginx omits this header on error responses
  89. #add_header Public-Key-Pins 'pin-sha256="nL2KrUGakuCVVOeO152WRynVeJs+clhS+02EiIbDrPQ="; pin-sha256="9kgt0my3CzTv4sK5TsYJmEw5FzYLLUrFJr86Vmhbb4k="; max-age=5184000';
  90. add_header X-Frame-Options "DENY"; # Deny framing
  91. add_header X-Content-Type-Options "nosniff";
  92. add_header X-XSS-Protection "1; mode=block"; # legacy header, ignored by current browsers
  93. #add_header Content-Security-Policy "default-src 'none'; script-src 'none'; style-src 'self'; img-src 'self'; media-src 'self';";
  94. add_header Referrer-Policy "no-referrer";
  95. add_header X-Clacks-Overhead "GNU Rémi Fraisse";
  96. location @icecast2 { # named location, reached only through try_files below
  97. proxy_buffering off; # pass the stream to the listener as it arrives
  98. proxy_ignore_client_abort off;
  99. proxy_intercept_errors on;
  100. proxy_next_upstream error timeout invalid_header;
  101. proxy_redirect off;
  102. proxy_set_header X-Host $http_host;
  103. proxy_set_header X-Forwarded-For $remote_addr; # overwrites any client-supplied value with the peer address nginx saw
  104. proxy_connect_timeout 60;
  105. proxy_send_timeout 21600; # 6 hours, for long-lived stream connections
  106. proxy_read_timeout 21600;
  107. proxy_pass http://localhost:8000; # cleartext hop to Icecast; stays on the host only if Icecast is reached over loopback
  108. }
  109. location / {
  110. try_files $uri @icecast2; # static file if it exists under root, otherwise hand the request to Icecast
  111. }
  112. }
  113. </code></pre>
  114. </article>