Using port 80 for streaming servers


Can I set up a stream to run directly on port 80?


Under Linux, only processes running as 'root' can bind to ports below 1024, and that includes port 80. Due to the significant security concerns involved in running a SHOUTcast/IceCast server as root, Centova Cast does not support this. (Yes, we are aware that users often do so, but it is a very bad practice from a security standpoint.)

Instead, we recommend one of the following options. Note that these suggestions are provided for your convenience only, and Centova Technologies cannot provide support for, nor assistance with setting up any of the following solutions. In descending order from "best" to "worst":

  • Use the port 80 proxy. This is the easiest and most reliable solution. Refer to this article for details.

  • If your Linux kernel version is 2.6.24 or newer, you may be able to use the setcap utility to allow your SHOUTcast/IceCast application binary to bind to ports below 1024. To try this, you can run:

    setcap 'cap_net_bind_service=+ep' /usr/bin/icecast

    Replace /usr/bin/icecast with your actual path to IceCast (or sc_serv). Then simply configure your stream in Centova Cast to listen on port 80 and if it worked, your streaming server should be able to bind to port 80.

    More information on POSIX capabilities is available here and here.

  • Use authbind if supported by your Linux distribution.

  • Configure the stream on a standard, unprivileged port number and set up port redirection using iptables firewall rules. You should ask a qualified systems administrator to do this for you as it does require experience with iptables, and could cause significant problems if done incorrectly.

    The command to do so looks something like:

    iptables -A PREROUTING -t nat -p tcp -d IPADDR --dport 80 -j REDIRECT --to-port ACTUALPORT

    Or, if that doesn't work (depending on how your iptables is configured) you might need to use this instead:

    iptables -A PREROUTING -t nat -p tcp -d IPADDR --dport 80 -j DNAT --to IPADDR:ACTUALPORT

    Replace IPADDR with the IP address you want to use, and ACTUALPORT with the stream's "actual" port number.

    Note that when using this option, all of the tune-in links generated by Centova Cast will still reference the original port number rather than port 80.

I really want to just make sc_serv run as root. How?

Again, this is unsupported and cannot be done if you are using Centova Cast. Even if you managed to make it run as root and don't care about security, Centova Cast would be unable to communicate with your sc_serv process (because POSIX signals cannot be sent by an unprivileged user account to a root-owned process) and all of the logs and files it created would be owned by root, and thus could not be processed or rotated by Centova Cast. This simply cannot be done reliably.