I started with these instructions for just the icecast part but updated for FreeBSD 12.1. But left out the source client stuff I didn’t need (IceS is too limited features for me) and added the (very impotant imo!) ssl stuff to keep things secure. Install icecast:
pkg install icecast
echo 'icecast_enable="YES"' >> /etc/rc.conf
Start with default config, then edit
cd /usr/local/etc cp icecast.xml.sample icecast.xml
I started with the instructions on certbot’s site and here, however I’m personally using this on an instance that will be spun up and stopped so I won’t bother putting the ssl renewal in cron and just renew manually as needed. When you install certbot, there are better instructions for making renewal automatic, but again I’m not going to do that here. Install certbot:
pkg install py36-certbot
So for me, I just manually obtain a cert for the domain (http needs to be accessible for this, not just https):
sudo certbot certonly --standalone
Then combine the files to create a pem suitable for icecast.
cat /usr/local/etc/letsencrypt/live/DOMAIN/fullchain.pem /usr/local/etc/letsencrypt/live/DOMAIN/privkey.pem > /usr/local/share/icecast/icecast.pem
Go to the
authentication section and change passwords to something unique. I definitely recommend not logging in to admin from a browser until you finish the ssl step. Uncomment the
changeowner section under
security. I would also add values to location and admin to prevent warnings about that. Put the right value in hostname. Go to listen-socket and comment/uncomment/change so that only 443 with ssl on is enabled. Save and exit.
Enable logging by making the right dir with the right ownership:
mkdir /var/log/icecast chown nobody:nogroup /var/log/icecast
service icecast start
If there are warnings you want to tend to, go ahead and re-edit the config file and restart (
service icecast restart).
I used to use nginx with reverse-proxy but this caused some problems like streams crapping out after an hour. icecast might not have as much built-in security measures but it’s special-purpose made for streaming so I think better overall.
I also found, unfortunately, that mixx still doesn’t support ssl as of this writing. But you can always use jack to connect it to something that can. Butt, on the other hand, does work. Simply fill in the url, port 443 and the source username and password works for me.
However I’ve found butt to be very crashy and couldn’t even switch audio source without it freezing in linux. But in looking for alternatives, found something even better! Liquidsoap also supports https icecast2 streaming:
liquidsoap 'output.icecast(%mp3, host="DOMAIN", port=443, password="PASSWORD", mount="radio", protocol="https", mksafe(playlist("playlist.m3u")))'
« Strengths and Weaknesses of Using Haxe for Audio Development
Fixing Issue With SSL Traffic on AT&T Router »