Perfect (SSL) Shoutcast Server

[HubuFM]

Hey there,

I want help you to create your perfect SSL Shoutcast Server. This works with "free" version too.
If it's not allowed - delete this thread.

All actions require root persmissions ("su" or "sudo").

1) Operation System
Debian 9 to 11 (minimal, 64bit recommend) works great! Install it (VPS/VDS/Dedicated)

1.1) Ping a domain/subdomain to your server address (A-Record)
By your domain provider, for example stream.myradio.com A 86400 127.0.0.1
Add or edit it. TTL can be 3600 or 86400 (seconds) | (replace 127.0.0.1 to your server IP)

2) ulimit Files / Hostname
If you expect more than 300 listeners it's highly recommend to increase your open file limits, like below:

code:
nano /etc/security/limits.conf

And add following content:

Quote:

* hard nofile 1024000
* soft nofile 1024000
root hard nofile 1024000
root soft nofile 1024000
nginx hard nofile 1024000
nginx soft nofile 1024000
www-data hard nofile 1024000
www-data soft nofile 1024000
shoutcast hard nofile 1024000
shoutcast soft nofile 1024000

3) Hostname (optional)
Setup hostname in server to your domain where you broadcast - for example "stream.myradio.com"

code:
nano /etc/hostname  --> Delete preset value, replace with your domain

nano /etc/hosts  --> Replace 127.0.0.1 parts with your domain, for example: 127.0.0.1 stream.myradio.com stream

hostname XXX (your domain)

4) Reboot server

5) Create user for shoutcast (NOT ROOT for security reasons)

code:
adduser shoutcast

Follow the instruction on screen (2x password, other values can be empty)

6) Upload Shoutcast files to /home/shoutcast/*
After that, make them owned by shoutcast user and executable:

code:
chown shoutcast:shoutcast sc_serv

chown shoutcast:shoutcast sc_serv.conf

7) Install additional software

code:
(sudo) apt install nginx certbot letsencrypt lib32z1 htop fail2ban clamav screen

8) Create SSL certificates for free

code:
service nginx stop

certbot certonly --standalone --agree-tos --preferred-challenges http -d stream.myradio.com

IMPORTANT PART:
Follow instructions on screen and make sure you get a SUCCESS feedback from certbot.
If not you should wait until your domain provider updated most DNS server about your IP change to your stream server! Only by success feedback you can go ahead.

9) Start DNAS with your config
Login via termial to your non-root "shoutcast" user by:

code:
su shoutcast

cd /home/shoutcast

screen -S MyStation

./sc_serv

[Press CTRL+A and CTRL+D to exit screen session (without killing it)
In this example the DNAS port is 8000 (standard). Check by access via IP:PORT if you see a DNAS interface. If yes, everything is ok!
See below for a small script, if your DNAS crashing by segmentation fault (yes this happening sometimes, thanks to Radionomy!)

*** login as root again by "exit" as shoutcast user ***

10) Connect Stream
Connect your stream by your favorite broadcast tool via IP:PORT config like in your sc_serv.conf above.

11) Enable SSL via nginx proxy
You need create your nginx.conf like the example below. Delete existing nginx.conf (nano /etc/nginx/nginx.conf)

HTML Code:

worker_processes auto;
pid /run/nginx.pid;
worker_rlimit_nofile 1024000;
thread_pool shoutcast threads=8 max_queue=1024000; # BOOST YOUR ACCESS TIME IN FIRST PLAY! :)
events {worker_connections  1024000;}
http {
aio threads=shoutcast;
proxy_cache_path /tmp/cache keys_zone=cache:10m levels=1:2 inactive=600s max_size=1G; # REDUCE CPU USAGE
add_header Strict-Transport-Security "max-age=15768000; includeSubDomains" always;
add_header rt-Fastcgi-Cache $upstream_cache_status;
fastcgi_param HTTP_IF_NONE_MATCH $http_if_none_match;
fastcgi_param HTTP_IF_MODIFIED_SINCE $http_if_modified_since;
sendfile on;
tcp_nopush on;
default_type application/octet-stream;
keepalive_timeout 35;
add_header X-XSS-Protection "1; mode=block";
server_tokens off;
        ssl_protocols SSLv2 SSLv3 TLSv1 TLSv1.1 TLSv1.2 TLSv1.3; # BEST COMPATIBILITY
        ssl_session_cache    builtin:5000     shared:SSL:30m; # REDUCE CPU USAGE BY CACHING SSL CERTS
        ssl_session_timeout  30m;
        ssl_ciphers  HIGH:!aNULL:!MD5;
        ssl_prefer_server_ciphers on;
server {
        listen 80;
        listen 443 ssl http2;
        ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;
        listen [::]:443 ssl http2;
        ssl_certificate /etc/letsencrypt/live/XXX/fullchain.pem; # <-- REPLACE YOUR DOMAIN HERE (XXX), for example .../stream.myradio.com/...
        ssl_certificate_key /etc/letsencrypt/live/XXX/privkey.pem;  # <-- REPLACE YOUR DOMAIN HERE (XXX), for example .../stream.myradio.com/...
        server_name shoutcast.hubu.fm www.shoutcast.hubu.fm 179.61.232.195;
        #root /var/www/;
        #index index.html;
location / {
                  proxy_set_header Host $host;
                  proxy_set_header X-Real-IP $remote_addr; # FORWARDING IP ADDRESS FROM PROXY
                  proxy_set_header X-Forwarded-Proto https;
                  proxy_set_header X-Forwarded-For $remote_addr; # FORWARDING IP ADDRESS FROM PROXY
                  proxy_set_header X-Forwarded-Host $remote_addr; # FORWARDING IP ADDRESS FROM PROXY
                  proxy_set_header Pragma no-cache;
                  proxy_set_header Cache-Control no-cache;
                  proxy_set_header Accept-Encoding */*;
                  proxy_set_header Accept */*;
                  proxy_buffering off;
                  tcp_nodelay on;
                  proxy_pass http://localhost:8000;} # IF YOUR PORT IS -NOT- 8000, CHANGE IT HERE!
location ~ /.well-known {allow all;} # IMPORTANT FOR SSL RENEW-HOOKS
}}

Take a look to the # COMMENTS! You need edit correct SSL directory (domain name) in SSL certificate lines! (server {} section)

11.1) Start nginx
Check config by 'nginx -t'. It is working as expected and you get an "OK"? So:

code:
service nginx start

12) Renew-SSL Hooks
Create a cronjob by typing 'crontab -e'. Select nano (recommend)
Add this line:

code:
30 03 * * * root certbot -q renew --post-hook="systemctl reload nginx"

13) DONE
Now you are able to access your stream via your domain in http AND https. If not: Check the steps again or let me know. Maybe I can help you.


--- PIMP YOUR STABILITY ---
Sometimes DNAS crying and need holidays.
In this case you can create a sh script as root in the following directory:

code:
cd /home/shoutcast

nano sc.sh

-> Now add following code:

HTML Code:

#!/bin/bash
while true
do
sleep 1
exec ./sc_serv
done

-> Make it executable and owned by shoutcast user:

code:
chmod +x sc.sh

chown shoutcast:shoutcast sc.sh

-> Login again as shoutcast (su shoutcast), enter your /home/shoutcast/ directory.

--------- v optional below v ---------
DNAS instance already started?
Stop it like this:

code:
screen -r

CTRL+C

exit

--------- ^ optional above ^ ---------

-> Start your AWESOME "neverdead" script (lol)

code:
screen -S MyStation-Loop

./sc.sh

Exit screen by CTRL+A and CTRL+D.

Now the party begins and you can stream without any off times (ok, max 1-2 seconds in worst case). AND SSL, wohoo! Welcome to 2021...

[thinktink]

You can also do SSL enabled reverse proxy to SHOUTcast with Apache if you already have it installed. Did it on my Windows machine.

[HubuFM]

Quote:

Originally Posted by thinktink

You can also do SSL enabled reverse proxy to SHOUTcast with Apache if you already have it installed. Did it on my Windows machine.

Yes, but in my test nginx was faster (micro caching) and need less resources. But both methods will work.

[nitromix]

So much effort when SHOUTcast have to support native and free SSL

[LStratmann]

In the meantime SHOUTcast offers this, at that time it was chargeable.

[Techno.RS]

Exactly what I need just a little problem and question:
Can this all be done also with Ubuntu 20.04.5 LTS or must be Debian only?