CWP SHOUTcasters Stream Ultimate Guide: Implementing SSL

SHOUTcasters guide to implementing SSL on your audio stream


Web browsers have increased security measures on content and streaming audio now requires SSL, absolutely crucial to be able to stream on any browser and not limit your exposure. Although CWP can create SSL for websites it does not automatically secure SHOUTcast audio streams. Command lines and configuration of files are required to be able to secure a stream in CWP. It has been done based on comments and crosstalk between techs who know the Linux framework, but no input for layman assistance has been offered. I have yet to find a complete LINE-LINE walk-through for this SSL implementation. So I'm putting this together as part Journal and part "hey ya help me out" Maybe I can get pointed to the right resources I need to look into.

STUNNEL seems most promising with fewer steps for those not too comfortable with line code and file modification. I saw a couple post on this forum referencing stunnel. the following link breaks down the STUNNEL fix

I have not implemented, i am still in the gatherin information phase and not sure if the code changed any

https://forums.winamp.com/forum/shoutcast/shoutcast-discussions/314734-stunnel-and-shoutcast-https-ssl-streaming-setup

Posted 2 March 2020, 03:06

I just discovered Stunnel and using it with Shoutcast for https (SSL) streaming without having to have a Shoutcast for Business (Premium) account. Basically, Stunnel takes the Shoutcast server and makes it https (SSL) without having to make any changes to the Shoutcast DNAS config itself. It turned out to be a lot easier than I thought it would be. The biggest hurdle I faced was finding up to date directions. This was done on a dedicated server with: CentOS 6. Also, Shoutcast DNAS and Stunnel were already installed and the port I used for https (SSL) streaming was already open and NOT used by another service.


1. Login to the server as root using SSH.

2. Follow the instructions to create a Let's Encrypt SSH key for Stunnel to use (even if you don't have a Shoutcast for Business account). When I did this, I had several dependencies that needed to be installed before I could actually run the certbot-auto command: https://help.shoutcast.com/hc/en-us/...rver-Software-

3. Go to the Stunnel directory (cd /etc/stunnel/)

4. Create stunnel.conf file (nano stunnel.conf). Add the following lines and save (CTRL - X):
accept=port that https (SSL) stream should go out on
connect=current domain and port of where your current Shoutcast server is (mine is on the same server which is why I use localhost
cert and key=replace your domain name used in step #2

code:


client=no

[shoutcast]

accept=8000

connect=localhost:8000

cert = /etc/letsencrypt/live/yourdomainhere.com/fullchain.pem

key = /etc/letsencrypt/live/yourdomainhere.com/privkey.pem

5. Start Stunnel (/usr/bin/stunnel)

6. Go to https://yourdomain.com:<port used for Stunnel> and you should see your Shoutcast v2 page if everything worked correctly.


(PS: I hope that the Shoutcast admins will not remove this post post, especially for us with very limited budgets trying to reach the largest audience possible.)

a followup post said this:

If you can't bind to a port, it indicates that port is already in use. You're probably already using port 443 with a webserver or other service. You don't need to change anything in shoutcast's configs, keep all those the same. The HTTPS work here is being done by stunnel. All the info you need is in the original post..

> accept=port that https (SSL) stream should go out on;
I suggest you try port 8443 here instead, i.e.
accept=8443

> connect=current domain and port of where your current Shoutcast server
If you're running default configs and streaming on port 8000, as above put localhost:8000 (or whatever domain is serving your stream; yourradiostation.com:8000), otherwise change the port number to whatever you're using.

Start stunnel.

Open up http://yourradiostation.com:8000 (or wherever your admin pages are located).
Open up https://yourradiostation.com:8443 and you should see your admin pages proxied through SSL/TLS.

Now just change your stream urls from http:// to https:// and the port from 8000 to 8443. Job done

--------------------------------------------------------------------------
I feel my Partner HUBUFM when he said there are no up-to-date instructions and that this implementation is for those on limited budgets. That's why I'm here on CWP.

-------------------------------------------------------------------------
OTHER Potential Resources with LINE CODE steps.

I have yet to review all links to be able to compare differences in steps and code the guide above provides the most context to the process and procedure.

all links should be reviewed to get a broader view of the process and issues that others had with SSL implementation with STUNNEL. this is my process and how I can post the fixes that I put a lot of research into.

https://www.radioforge.com/faqs/stunnel-ssl-to-shoutcast/
https://support.aivahthemes.com/forums/topic/setup-ssl-streams-for-shoutcast/
https://www.interserver.net/tips/kb/using-stunnel-to-add-ssl-to-shoutcast-or-any-service-that-does-not-have-ssl/
https://community.letsencrypt.org/t/using-stunnel-to-add-ssl-to-shoutcast-in-ovh-vps-help/35266
https://www.stunnel.org/mailman3/hyperkitty/list/stunnel-users@stunnel.org/thread/FVKQIQNVODQ757HFWPU4GPEOVLPFHAHR/
https://www.reddit.com/r/linuxadmin/comments/c7ovsv/anyone_here_using_stunnel/?rdt=36990

Posted: 18 November 2021, 16:59: https://forums.winamp.com/forum/shoutcast/shoutcast-technical-support/315804-perfect-ssl-shoutcast-server


I will continue to edit this post with relevant information about FORUM SUPPORTS LINKS and others.
This post will also be updated with my line code and my results.

 If you have implemented SSL with Stunnel for the SHOUTcast stream please share your STEP BY STEP LINE CODE and tips for implementation.

Thanks a million on behalf of CWP SHOUTcasters

Thumbs up to OVERSEER!! He referenced a fix SANDEEP provided in the ALPHAGNU forum. Never heard of ALPHAGNU So I went over there to see if someone dropped some knowledge and Sandeep dropped a bomb Again with this TIDBIT for SSL stream configuration that opened up MY the considerations for SSL stream implementation. Sandeep posted the following navigation path and a short walk through.

https://www.alphagnu.com/topic/126-https-for-shoutcast/#comment-259

you need to create reverse proxy with apache or nginx in cwp you can achieve this in webserver domain config >> select the domain name >>create config >>  select nginx + apache + port option add 1500 port there and save and rebuild vhost

I use Apache Only WebServer because it supports Redirects through CWP USER GUI without editing any files on the server that nginx requires.

Sticking to LAYMAN fixes, this sounds like a great potential fix but would potentially break my easy domain redirect via APACHE ONLY webserver.

Using Sandeep's Streeam over HTTPS fix would break my APACHE ONLY redirect via CWP USER GUI. If I can easily domain redirect using nginx+apache config like my current Apache-only domain redirection using USER GUI, I'll change my webserver config to nginx+apache.

Thanks for sharing! I've got a client that is going to want some shoutcast capabilities, so this info will be helpful.

LMAO..... YO, I broke the Matrix and got SSL for Shoutcast CWP to work.

 Finally got one of my SSL Shoutcast Streams to work but I broke all my other sites, they are not resolving after the process. Maybe need to reset the webserver domain config for the other domains. Only did the webserver domain config for the two domains I was using to try out this fix. Will fix my other domain so they resolve and come back with a thorough HOW-TO guide, at least the best to my recollection.

I am putting together my notes for posting and sharing, so ya can grovel at my feet. Holla At Yo Boy!

Check out one of my NON-SSL domain REDIRECT to SSL SHOUTCAST STREAM

http://vivarockradio.com/

SINCERELY YOURS
THE SHOUTCAST GURU

All websites are plugged into the MATRIX again and are resolving fine.

My SSL SHOUTcast stream was made possible by incorporating a couple of solutions referenced in this FORUM, along with SANDEEPS configuration, appreciate Overseer for referencing sources in his Troubleshooting suggestions, Sandeep being one of them. It was this shared that will make this step-by-step guide possible, what has taken me roughly 3 years of research on, it was the OVERSEERER's share that connected me to the resource for this SSL IMPLEMENTATION. Fist Bump OVERSEERER! We all grow when we share our resources and fixes. No need to be petty and not share if you figure some shit out on your own. Please share!

 This SSL fix was done with very little line code and mostly done through GUI settings in USER and ADMIN PANELS.

All references will be part of my notes and step-by-step guide, I will try to incorporate some tangent information that is relevant to my case and maybe yours too.

I WILL BE BROADCASTING MY CWP SHOUTCAST SSL/HTTPS SECURE STREAM GUIDE SOON SO STAY TUNED. LOL, YES, PUN INTENDED

Running test on audio encoder with updated domain in settings to attempt a secure https: stream into the SHOUTcast directory.

-The SHOUTcast Guru

CENTOS7 + APACHE ONLY <-- ENVIRONMENT I STARTED WITH


THIS IS MY NOTES ON A GUIDE I CREATED TO  IMPLEMENT SSL VIA A REVERSE PROXY. I WOULD ALSO SAY THAT I WOULD CONSIDER THIS ONLY A TEMPORARY SOLUTION TO GETTING A SSL STREAM.

THE RESULT IS THAT REVERSE PROXY MESSES UP YOUR GEODATA FOR TRACKING ACCESS TO YOUR STREAM, GEOMAPPING. On my GEOMAP, all connections are showing to come from my server IP and city. in the shoutcast admin URL, it shows you two IPS, My server IP as a main IP and a second IP in parentheses which is the one connecting to my shoutcast server, but defaults to show my server IP as main IP, thus showing my server IP and City for all incoming connections into my stream, before reverser proxy i would be able to identify IPs and their international cities for all incoming connections to my stream. I am unable to properly get the correct GEOdata of incoming connections. I believe this will also throw off properly distributing "ad inserts" that catered to local markets based on this geodata.  I WILL BE SEEKING ANOTHER SSL SOLUTION BUT THIS WOULD BE SOMETHING "EASY" TO GET GOING. I WILL SERIOUSLY TAKE A LOOK AT STUNNEL FOR SSL STREAM. IF ANYONE HAS A STUNNEL WALKTHROUGH PLEASE SHARE.   
________________________________________________________________________________________
So I decided to implement Sandeeps walkthrough with nginx + apache + Proxy Port

I read somewhere that after a 2018 update, APACHE redirects would work with the nginx+apache server configuration.

( i repeated these steps a couple of times, so I'm not sure

I read


after changing the default web servers from APACHE ONLY to NGINX + APACHE, my sites and redirects were not resolving. Research led to the following code implementation.

Fafache posted the following line code regarding 503 Service Unavailable Issue after changing server,  So I decided to implement some of the following line code.

https://forum.centos-webpanel.com/php-selector/php-fpm-not-working-(503-service-unavailable)/msg33268/#msg33268
Fafache:
hello

I have the same problem

when I config apache<-varnish<-nginx with php-fpm the website go down (with php-cgi it's ok)

finaly I try two things and now it's working (but I don't know why)

1) in "user accounts -> fix permissions" for user nobody, I fix permissions from 644 to 755 php files (maybe it's not that)

2) I think it's that, after compil all php-fpm in "php setting -> php selector 2" and also "php setting -> php-fpm selector" I compil the php x.x.x
and go back to "webserver setting -> select webserver" check about the good php-fpm for apache and nginx (select the version on down) and select "only apache

click on save & rebuild, check if your website go back, if ok, use a terminal with a "top" command and go back to click on your website to make the user working, here you can see if the user use php-cgi or php-fpm

let's go back to nginx->varnish->apache->php-fpm (check again with "top" command and clicks on your website, if it's all right) you have the best config

if that help you, a thank is good, if you find something else or the "why", say it here


hope that help you

-------------------------------------------------------------------------------------

I couldn't understand his instructions completely but here are MY STEPS not sure if all are required because I'm no Linux guru and don't know any better but.... I hope all my steps are complete to my recollection, started working without taking notes of all stops but they should be as follows.


****replicating all actions starting with the configuration of Setup Default Web Servers From APACHE-NGINX --TO-> Apache-Varnish-Nginx (I believe I selected a default PHP-FPM version for APACHE and NGINX) & (check Force Apache to Use PHP FPM selector)

***************************START CWP ADMIN PANEL*********************

MY STEP 1 - Webserver settings -> Select Webservers -> Set Nginx-Varnish-Apache; Set default APACHE php-fpm Version 8.1 -> Set default Apache/Nginx version 7.4 -> (CheckYES) FORCE Apache to Use PHP-FPM Selector.

SAVE AND REBUILD CONFIGURATION
---------------------------------------------------------------------
MY STEP 2 FOLLOWS FAFECHE GUIDE

user accounts -> fix permissions" for user nobody, fix permissions (checkYES) from 644 to 755 php files
,
then Fafache Step 2, I waited for each to compile one at at time; wait for PHP-SELECTOR-2 and PHP-FPM to finish by viewing status/log, Once those were finished.

---Finished with Fafache Line Code Fix for sites not resolving post default server change from APACHE SERVER TO APACHE-NGINX-VARNISH SERVER---
----------------------------------------------------------------------------------------------------------------------------

MY STEP 3
Webserver setting->Webserver Main Config->

Set the following config options Then Save Changes

APACHE CONFIGURATION:

APACHE Vhost Temp Type = php-FPM
APACHE default Vhost Template= Default
APACHE default PHP-FPM Version = X.X (version # based on my WordPress site requirements)
APACHE default PHP-FPM Template = All Methods

PHP-FPM SERVICE CONFIGURATION:

PHP-FPM default template = default
Apache Force PHP-FPM = (CHECK) FORCE APACHE TO USE PHP-FPM
Additional Options: (CHECK) Rebuild All Vhosts on save

SAVE CHANGES
----------------------------------------------------------------------------------------------------------------

************** OPEN CWP USER PANEL********************
MYSTEP 4 Create a Redirect URL for subdomain created "live.RadioDomain.com" for sharing that hides port number on URL and hides your Shoutcast Server Status/Login Page because it redirects to a Simple Media Player

************** END CWP USER PANEL********************

*************OPEN CWP Admin Panel****************

MY STEP 5 -> Implement Sandeeps Domain Configuration Settings without DEFAULT SERVER CHANGE.

Webserver Settings -> WEBSERVER DOMAIN CONFIG-> SELECT USERNAME ->SELECT *****DOMAIN FOR SHOUCAST PORT STREAM (8000 DEFAULT SHOUTCAST PORT)-->CREATE OR VIEW/EDIT CONFIGURATION.


Set following:

Pleae Select: APACHE->PROXY->(CUSTOM PORT)
Apache default vhost template type: PROXY
Apache default vhost template: ALL_MEHTODS
Additional Options: (CHECK) REBUILD WEBSERVERS CONF FOR DOMAIN ON SAVE
Custom Port: 8000          (Your SHOUTcast stream port*Example is default port 8000)
IP:  127.0.0.1     (IP points to self, did not change, this was already set, was not modified by me)

SAVE CHANGES



*****((((someone correct me if wrong but choosing this domain seems to bind the domain/subdomain to SHOUTcast PORT #))))
*****When I choose radio station main domain for MYSTEP 4, the proxy setting redirects to Shoutcast Service URL, the "shoutcast stream status" page. Seem it will bypass any redirects settings and any WEBPAGE won't show. So use a Dedicated domain/subdomain, I decided to(MYSTEP4) create a subdomain before implementing MYSTEP 5. I created a subdomain "LIVE"  example: Live.RadioDomain.com


*************End CWP Admin Panel****************



************** OPEN CWP USER PANEL********************
APACHE REDIRECT VIA USER PANEL WORKS WITH 2018 UPDATE ON NGINX + VARNISH + APACHE

DOMAINS->REDIRECT->ADD NEW REDIRECT

TYPE: TEMPORARY 302
HTTPS:// WWW.?: LIVE.RADIODOMAIN.COM
Path: Default folder for "LIVE.RADIODOMAIN.COM" subdomain
REDIRECTS TO: https://live.radiodomain.com/stream      (add "/stream" to subdomain url to show a player without exposing shoutcast stream status/login page)

****************END CWP USER PANEL************************************

POST CONFIGURATION CHANGE FROM APACHE ONLY WEBSERVER --> NGINX+VARNISH+APACHE WEBSERVER MAY BREAK WEBSITES.

 MYSTEP 6 Final Step to Resolve broken sites. how i accomplished it...

IN ADMIN PANEL

WEBSERVER SETTINGS-->WEBSERVER DOMAIN CONF--->SELECT USERNAME--->SELECT DOMAIN(S)-***((WHICH WOULD BE ALL DOMAINS SINCE THEY WERE CREATED WITH APACHE ONLY WEBSERVER)

SET FOLLOWING CONFIGURATIONS


Web server Configuration (per domain)

Please Select:
apache -> php-fpm

Apache Configuration
Apache default vhost template type:
php-fpm
Apache default vhost template:
all_methods
PHP-FPM Service Configuration
PHP-FPM version: ****8.1
Additional Options:(CHECK) REBUILD WEBSERVERS CONF FOR DOMAIN ON SAVE.


**** PHP-fpm VERSION: WAS PREVIOUS SET TO 7.4 BUT I HAD PREVIOUSLY INSTALLED 8.1 BECAUSE OF WORPRESS REQUIREMENTS. THIS SITE WORK FINE WITH VERSION 7.4 ON MY APACHE-ONLY WEBSERVER BUT NOW REQUIRES 8.1. I REBUILD WITH 8.1 AND SITES STARTED RESOLVING SO I LEFT IT AT 8.1. YOU CAN BATCH EDIT ALL OF THEM BY SELECTING ALL DOMAINS AND "CUSTOM CONFIG ALL SELECTED" WITH THE PROVIDED SETTINGS. I TRIED APPLYING THIS SETTINGS ON THE "WEBSERVERS MAIN CONF" BUT IT DID NOT TAKE, IT WOULD NOT RESOLVE UNTIL I DID A BATCH SELECT ALL VIA "WEBSERVER DOMAIN CONF".

*************END OF ADMIN PANEL**************


Congratulation you now have "**A" ssl/https secure stream

**- I say "A" ssl stream because I believe the stream is being read by the shoutcast directory server as unsecured. Will change audio encoder setting with domain we setup proxy with. --> I tried modifying the URL on the encoder but it does not stream secured into SHOUTcast directory.

AFTER THOUGHTS:

 I wish I did not have to do the subdomain bypass, Can anyone show me what needs to happens to use main domain for proxy+port and be able to have a website hosted and SSL reverse proxy on stream port to be able to use: Radiodomain.com/STREAM for audio stream and Radiodomain.com for website hosted, instead of live.radiodomain.com redirect to live.radiodomain.com/stream for audio stream and radiodomain.com for website hosting.


GEOMAP NO LONGER WORKS WITH REVERSE PROXY, WILL TRY STUNNEL FOR SSL TO SEE IF I CAN RESTORE THE GEOLOCATING FEATURE LOST WITH REVERSE PROXY. ALL CONNECTIONS SHOW TO COME FROM THE SHOUTCAST SERVER IP.  NOT SURE IF THIS THROWS OFF PROPER "AD TRIGGER INSERTS" AS IT USES GEOLOCATION FOR DISTRIBUTING LOCAL ADS.

I started into this process having centos 7 + Apache Only,

I started out by setting my new default server settings, I followed a guide to configure the APACHE-NGINX-VARNISH server because w/recent updates Apache and NGINX can run simultaneously and independently, allowing the Apache-Only server redirects to work via USER PANEL GUI under apache-nginx-varnish server configuration, you'll have to manually set each "apache-only" domain to use apache server with settings explained in the guide above.

Then I configured a reverse proxy to create an SSL stream.
**after successfully creating the reverse proxy I noticed sites were no resolving, so I went back and manually set every domain that was created under the previous "apache-only" server and set those domain to use apache as their defaut server setting. I did this for every domain one by one. Batch edit of all domains did not work for me.

I am currently looking into getting Stunnel implemented to restore the GEOMAPPING of connections for the SHOUTcast radio streams.