为什么Icecast2不想通过https提供流? [英] Why Icecast2 does not want to give the stream through https?

问题描述

在装有Ubuntu 14.04 LTS的服务器上，安装了具有SSL支持的Icecast2 2.4.1.同样在此服务器上工作的HTTPS网站. 我想在页面HTML5播放器上插入，该播放器还将通过SSL接收流(否则-混合内容错误). 该站点具有商业SSL证书Icecast-自签名. Icecast配置文件:

On a server with Ubuntu 14.04 LTS installed Icecast2 2.4.1 with SSL support. Also on this server work HTTPS website. I want insert on the page HTML5-player that will also take the stream through the SSL (otherwise - mixed content error). The site has a commercial SSL certificate, Icecast - a self-signed. Icecast config file:

<icecast>
<location>****</location>
<admin>admin@*************</admin>
<limits>
    <clients>1000</clients>
    <sources>2</sources>
    <threadpool>5</threadpool>
    <queue-size>524288</queue-size>
    <source-timeout>10</source-timeout>
    <burst-on-connect>0</burst-on-connect>
    <burst-size>65535</burst-size>
</limits>
<authentication>
    <source-password>*****</source-password>
    <relay-password>*****</relay-password>
    <admin-user>*****</admin-user>
    <admin-password>*****</admin-password>
</authentication>
<hostname>************</hostname> 
<listen-socket>
    <port>8000</port>
    <ssl>1</ssl>
</listen-socket>
<mount>
    <mount-name>/stream</mount-name>
    <charset>utf-8</charset>
</mount>
<mount> 
    <mount-name>/ogg</mount-name>
    <charset>utf-8</charset>
</mount>
<fileserve>1</fileserve>
<paths>
    <basedir>/usr/share/icecast2</basedir>
    <logdir>/var/log/icecast2</logdir>
    <webroot>/usr/share/icecast2/web</webroot>
    <adminroot>/usr/share/icecast2/admin</adminroot>
    <alias source="/" dest="/status.xsl"/>
    <ssl-certificate>/etc/icecast2/icecast2.pem</ssl-certificate>
</paths>
<logging>
    <accesslog>access.log</accesslog>
    <errorlog>error.log</errorlog>
    <loglevel>4</loglevel>
</logging>
<security>
    <chroot>0</chroot>
    <changeowner>
        <user>icecast2</user>
        <group>icecast</group>
    </changeowner>
</security>
</icecast>

由以下人员生成的Icecast证书(/etc/icecast2/icecast2.pem)

Certificate for Icecast (/etc/icecast2/icecast2.pem) generated by:

openssl req -new -newkey rsa:2048 -days 365 -nodes -x509 -keyout icecast2.pem -out icecast2.pem

openssl req -new -newkey rsa:2048 -days 365 -nodes -x509 -keyout icecast2.pem -out icecast2.pem

我希望从地址 https://domain.name:8000/stream https://domain.name:8000/ogg 用于通过标签音频插入播放器，但在回应-沉默.因此，带有简单http的地址一切正常. 我不明白同样的错误是什么... 预先感谢您的帮助！

I expect to get the output stream from the addresses https://domain.name:8000/stream https://domain.name:8000/ogg for insertion into the player via tag audio, but in response - silence. Thus the addresses with a simple http everything works fine. I did not understand what all the same mistake... Thanks in advance for your help!

推荐答案

我最近遇到了这个问题，没有太多时间来解决它，也没有看到很多文档来解决这个问题.我认为这不是使用最广泛的icecast配置，所以我只是用nginx代理了我的游戏，效果很好.

I ran into this issue recently and didn't have a lot of time to solve it, nor did I see see much documentation for doing so. I assume it's not the most widely used icecast config, so I just proxied mine with nginx and it works fine.

这是一个示例nginx虚拟主机.一定要更改域，检查路径，并考虑要挂载的代理的位置以及如何处理端口.

Here's an example nginx vhost. Be sure to change domain, check your paths and think about the location you want the mount proxied to and how you want to handle ports.

请注意，这将使您的流在端口443而不是8000上可用.某些客户端(例如facebookexternalhit/1.1)可能会挂在该流上，因为它是一个等待连接的https url.这可能不是您期望或期望的行为.

此外，如果您根本不希望使用HTTP，请确保将bind-address更改回本地主机.例如:

Also, if you want no http available at all, be sure to change bind-address back to the local host. eg:

 <bind-address>127.0.0.1</bind-address>

www.example.com.nginx.conf

server {
  listen 80;
  server_name www.example.com;
  location /listen {
    if ($ssl_protocol = "") {
      rewrite ^   https://$server_name$request_uri? permanent;
    }
  }
}

#### SSL

server {
  ssl on;
  ssl_certificate_key /etc/sslmate/www.example.com.key;
  ssl_certificate /etc/sslmate/www.example.com.chained.crt;

  # Recommended security settings from https://wiki.mozilla.org/Security/Server_Side_TLS
  ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
  ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:
ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA
-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES2
56-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA';
  ssl_prefer_server_ciphers on;
  ssl_dhparam /usr/share/sslmate/dhparams/dh2048-group14.pem;
  ssl_session_timeout 5m;
  ssl_session_cache shared:SSL:5m;

  # Enable this if you want HSTS (recommended)
  add_header Strict-Transport-Security max-age=15768000;
  listen 443 ssl;
  server_name www.example.com;

  location / {
    proxy_pass         http://127.0.0.1:8000/;
    proxy_redirect     off;
    proxy_set_header   Host             $host;
    proxy_set_header   X-Real-IP        $remote_addr;
    proxy_set_header   X-Forwarded-For  $proxy_add_x_forwarded_for;
  }

}

这篇关于为什么Icecast2不想通过https提供流?的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！