Old 18th November 2021, 17:59   #1
HubuFM
Member
 
HubuFM's Avatar
 
Join Date: Feb 2017
Location: Germany
Posts: 58
Perfect (SSL) Shoutcast Server

Hey there,

I want help you to create your perfect SSL Shoutcast Server. This works with "free" version too.
If it's not allowed - delete this thread.

All actions require root persmissions ("su" or "sudo").

1) Operation System
Debian 9 to 11 (minimal, 64bit recommend) works great! Install it (VPS/VDS/Dedicated)

1.1) Ping a domain/subdomain to your server address (A-Record)
By your domain provider, for example stream.myradio.com A 86400 127.0.0.1
Add or edit it. TTL can be 3600 or 86400 (seconds) | (replace 127.0.0.1 to your server IP)

2) ulimit Files / Hostname
If you expect more than 300 listeners it's highly recommend to increase your open file limits, like below:
code:
nano /etc/security/limits.conf

And add following content:
Quote:
* hard nofile 1024000
* soft nofile 1024000
root hard nofile 1024000
root soft nofile 1024000
nginx hard nofile 1024000
nginx soft nofile 1024000
www-data hard nofile 1024000
www-data soft nofile 1024000
shoutcast hard nofile 1024000
shoutcast soft nofile 1024000
3) Hostname (optional)
Setup hostname in server to your domain where you broadcast - for example "stream.myradio.com"
code:
nano /etc/hostname --> Delete preset value, replace with your domain
nano /etc/hosts --> Replace 127.0.0.1 parts with your domain, for example: 127.0.0.1 stream.myradio.com stream
hostname XXX (your domain)



4) Reboot server

5) Create user for shoutcast (NOT ROOT for security reasons)
code:
adduser shoutcast

Follow the instruction on screen (2x password, other values can be empty)

6) Upload Shoutcast files to /home/shoutcast/*
After that, make them owned by shoutcast user and executable:
code:
chown shoutcast:shoutcast sc_serv
chown shoutcast:shoutcast sc_serv.conf



7) Install additional software
code:
(sudo) apt install nginx certbot letsencrypt lib32z1 htop fail2ban clamav screen


8) Create SSL certificates for free
code:
service nginx stop
certbot certonly --standalone --agree-tos --preferred-challenges http -d stream.myradio.com


IMPORTANT PART:
Follow instructions on screen and make sure you get a SUCCESS feedback from certbot.
If not you should wait until your domain provider updated most DNS server about your IP change to your stream server! Only by success feedback you can go ahead.


9) Start DNAS with your config
Login via termial to your non-root "shoutcast" user by:
code:
su shoutcast
cd /home/shoutcast
screen -S MyStation
./sc_serv


[Press CTRL+A and CTRL+D to exit screen session (without killing it)
In this example the DNAS port is 8000 (standard). Check by access via IP:PORT if you see a DNAS interface. If yes, everything is ok!
See below for a small script, if your DNAS crashing by segmentation fault (yes this happening sometimes, thanks to Radionomy!)

*** login as root again by "exit" as shoutcast user ***

10) Connect Stream
Connect your stream by your favorite broadcast tool via IP:PORT config like in your sc_serv.conf above.

11) Enable SSL via nginx proxy
You need create your nginx.conf like the example below. Delete existing nginx.conf (nano /etc/nginx/nginx.conf)

HTML Code:
worker_processes auto;
pid /run/nginx.pid;
worker_rlimit_nofile 1024000;
thread_pool shoutcast threads=8 max_queue=1024000; # BOOST YOUR ACCESS TIME IN FIRST PLAY! :)
events {worker_connections  1024000;}
http {
aio threads=shoutcast;
proxy_cache_path /tmp/cache keys_zone=cache:10m levels=1:2 inactive=600s max_size=1G; # REDUCE CPU USAGE
add_header Strict-Transport-Security "max-age=15768000; includeSubDomains" always;
add_header rt-Fastcgi-Cache $upstream_cache_status;
fastcgi_param HTTP_IF_NONE_MATCH $http_if_none_match;
fastcgi_param HTTP_IF_MODIFIED_SINCE $http_if_modified_since;
sendfile on;
tcp_nopush on;
default_type application/octet-stream;
keepalive_timeout 35;
add_header X-XSS-Protection "1; mode=block";
server_tokens off;
        ssl_protocols SSLv2 SSLv3 TLSv1 TLSv1.1 TLSv1.2 TLSv1.3; # BEST COMPATIBILITY
        ssl_session_cache    builtin:5000     shared:SSL:30m; # REDUCE CPU USAGE BY CACHING SSL CERTS
        ssl_session_timeout  30m;
        ssl_ciphers  HIGH:!aNULL:!MD5;
        ssl_prefer_server_ciphers on;
server {
        listen 80;
        listen 443 ssl http2;
        ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;
        listen [::]:443 ssl http2;
        ssl_certificate /etc/letsencrypt/live/XXX/fullchain.pem; # <-- REPLACE YOUR DOMAIN HERE (XXX), for example .../stream.myradio.com/...
        ssl_certificate_key /etc/letsencrypt/live/XXX/privkey.pem;  # <-- REPLACE YOUR DOMAIN HERE (XXX), for example .../stream.myradio.com/...
        server_name shoutcast.hubu.fm www.shoutcast.hubu.fm 179.61.232.195;
        #root /var/www/;
        #index index.html;
location / {
                  proxy_set_header Host $host;
                  proxy_set_header X-Real-IP $remote_addr; # FORWARDING IP ADDRESS FROM PROXY
                  proxy_set_header X-Forwarded-Proto https;
                  proxy_set_header X-Forwarded-For $remote_addr; # FORWARDING IP ADDRESS FROM PROXY
                  proxy_set_header X-Forwarded-Host $remote_addr; # FORWARDING IP ADDRESS FROM PROXY
                  proxy_set_header Pragma no-cache;
                  proxy_set_header Cache-Control no-cache;
                  proxy_set_header Accept-Encoding */*;
                  proxy_set_header Accept */*;
                  proxy_buffering off;
                  tcp_nodelay on;
                  proxy_pass http://localhost:8000;} # IF YOUR PORT IS -NOT- 8000, CHANGE IT HERE!
location ~ /.well-known {allow all;} # IMPORTANT FOR SSL RENEW-HOOKS
}}
Take a look to the # COMMENTS! You need edit correct SSL directory (domain name) in SSL certificate lines! (server {} section)

11.1) Start nginx
Check config by 'nginx -t'. It is working as expected and you get an "OK"? So:
code:
service nginx start

12) Renew-SSL Hooks
Create a cronjob by typing 'crontab -e'. Select nano (recommend)
Add this line:
code:
30 03 * * * root certbot -q renew --post-hook="systemctl reload nginx"


13) DONE
Now you are able to access your stream via your domain in http AND https. If not: Check the steps again or let me know. Maybe I can help you.


--- PIMP YOUR STABILITY ---
Sometimes DNAS crying and need holidays.
In this case you can create a sh script as root in the following directory:
code:
cd /home/shoutcast
nano sc.sh


-> Now add following code:
HTML Code:
#!/bin/bash
while true
do
sleep 1
exec ./sc_serv
done
-> Make it executable and owned by shoutcast user:
code:
chmod +x sc.sh
chown shoutcast:shoutcast sc.sh



-> Login again as shoutcast (su shoutcast), enter your /home/shoutcast/ directory.

--------- v optional below v ---------
DNAS instance already started?
Stop it like this:
code:
screen -r
CTRL+C
exit

--------- ^ optional above ^ ---------


-> Start your AWESOME "neverdead" script (lol)
code:
screen -S MyStation-Loop
./sc.sh

Exit screen by CTRL+A and CTRL+D.

Now the party begins and you can stream without any off times (ok, max 1-2 seconds in worst case). AND SSL, wohoo! Welcome to 2021...
HubuFM is offline   Reply With Quote
Old 19th November 2021, 18:25   #2
thinktink
Forum King
 
thinktink's Avatar
 
Join Date: May 2009
Location: No longer on the streets of Kings County, CA.
Posts: 3,181
You can also do SSL enabled reverse proxy to SHOUTcast with Apache if you already have it installed. Did it on my Windows machine.
thinktink is online now   Reply With Quote
Old 19th November 2021, 23:57   #3
HubuFM
Member
 
HubuFM's Avatar
 
Join Date: Feb 2017
Location: Germany
Posts: 58
Quote:
Originally Posted by thinktink View Post
You can also do SSL enabled reverse proxy to SHOUTcast with Apache if you already have it installed. Did it on my Windows machine.
Yes, but in my test nginx was faster (micro caching) and need less resources. But both methods will work.
HubuFM is offline   Reply With Quote
Old 24th January 2022, 19:13   #4
nitromix
Member
 
Join Date: Jun 2005
Location: Romania
Posts: 85
Send a message via Yahoo to nitromix
So much effort when SHOUTcast have to support native and free SSL
nitromix is offline   Reply With Quote
Old 25th January 2022, 09:15   #5
LStratmann
Senior Member
 
LStratmann's Avatar
 
Join Date: Dec 2019
Location: Germany
Posts: 418
In the meantime SHOUTcast offers this, at that time it was chargeable.
LStratmann is offline   Reply With Quote
Reply
Go Back   Winamp & Shoutcast Forums > Shoutcast > Shoutcast Technical Support

Tags
crash, dnas, freemium, shoutcast, ssl

Thread Tools Search this Thread
Search this Thread:

Advanced Search
Display Modes

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is On
HTML code is Off

Forum Jump