I found lots of unanswered or partially answered posts regarding this so I decided to share my experience, as it's actually pretty easy to do.
Depending on your server setup you may have to tweak some aspects, but here's my configuration.
I'm running two separate VPS instances hosted on Linode; both are the cheapest $5/month packages running Ubuntu 16.04. I got my SSL certificate for free from Certbot using their Nginx CLI plugin. For the purpose of this guide I'm assuming an SSL certificate is already set up properly and serving encrypted traffic to requests on port 443.
My first server is running a LEMP stack (installed using EasyEngine) and hosts the website for our station; the domain name is pointed at this server. The second server is running Centova Cast installed with Shoutcast v2 and LiquidSoap. As both servers are deployed in the same location, Linode offer (at no cost) the option to obtain local IP addresses for both machines and network them locally within their data centre, which I have done.
On the second server I have enabled the option within Centova to proxy the streams onto port 80. You can set this all up on a single server without doing this if you only have one server to play with, but if you have two then this makes things really easy. Once you have followed the instructions to enable the proxy on port 80 then your second server is almost ready to go.
On the first server your Nginx install needs to have been built with the "--with-http_realip_module" option enabled. If you install using EasyEngine then this will already be done for you. It will work without this, but you will have the issues others have reported with the listener stats always showing the IP address of your proxy server instead of the actual listener's IP.
The Centova proxy setup uses variables in the proxy URL to allow you to access any stream you like via the proxy. I only needed a 128 and 320 stream so I changed the settings in the default Centova Nginx config files to suit, but if you look at the originals it's fairly straightforward to figure out if you have an understanding of Nginx, and will only take you 20 minutes of reading Nginx instructions if you don't.
Anyway, in the second server the Nginx location config looks similar to this once you enable the Port 80 proxying option in Centova:
    location = /128/ {
        proxy_pass http://127.0.0.1:2198/proxy-redirect/ACCOUNT-USERNAME;
        proxy_set_header X-MountPoint /stream128;
        proxy_redirect off;
        proxy_connect_timeout 8;
        proxy_read_timeout 15;
        proxy_send_timeout 15;
        proxy_max_temp_file_size 0;
    }
    location ~ ^/streamproxy/(.*)$ {
        internal;
        set $stream_url http://$1;
        proxy_buffering off;
        proxy_ignore_client_abort off;
        proxy_intercept_errors off;
        proxy_next_upstream error timeout invalid_header;
        proxy_redirect off;
        proxy_set_header User-Agent "$http_user_agent [ip:$remote_addr]";
        proxy_set_header X-Forwarded-For $remote_addr;
        proxy_connect_timeout 8;
        proxy_send_timeout 60;
        proxy_read_timeout 60;
        proxy_max_temp_file_size 0;
        proxy_pass $stream_url;
    }
You will find this file at /usr/local/centovacast/etc/web.d/cc-proxy.conf
Edit this file, and inside the server block but before the location blocks you need to add this, replacing PROXY-IP-HERE with the local IP address of server 1:
    set_real_ip_from PROXY-IP-HERE;
    real_ip_header X-Real-IP;
    real_ip_recursive on;
This MUST be outside all of the location blocks. The first line tells server 2 that server 1 is a trusted source for setting the original IP of the visitor, the next two lines provide the header containing the real IP and the method of replacement to use. Only requests that arrive from the address given in set_real_ip_from have their X-Real-IP header honoured; from any other source the header is ignored, so keep this set to the single local IP of server 1 rather than a wide range.
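To see why the trusted address matters for the listener stats, here is a simplified Python model of how the realip directives pick the client address. It is an added example, not code from Centova or Nginx; the function name and the sample addresses (192.168.10.5 for server 1, documentation-range addresses for listeners) are constructed for illustration.

```python
import ipaddress

SERVER1 = "192.168.10.5"      # constructed: local IP of server 1 (the HTTPS proxy)
LISTENER = "203.0.113.50"     # constructed: a real listener
OUTSIDER = "198.51.100.7"     # constructed: a client reaching server 2 directly


def effective_client_ip(peer, header_value, trusted, recursive=True):
    """Model of the address server 2 records for a request.

    peer         -- TCP source address of the connection
    header_value -- value of the header named by real_ip_header
    trusted      -- addresses/CIDRs listed in set_real_ip_from
    recursive    -- real_ip_recursive on/off
    """
    nets = [ipaddress.ip_network(t, strict=False) for t in trusted]

    def is_trusted(addr):
        ip = ipaddress.ip_address(addr)
        return any(ip in net for net in nets)

    addr = peer
    parts = [p.strip() for p in (header_value or "").split(",") if p.strip()]
    # Walk the header right to left; only a trusted sender may be replaced.
    for candidate in reversed(parts):
        if not is_trusted(addr):
            break
        try:
            ipaddress.ip_address(candidate)
        except ValueError:
            break                     # malformed header value: keep what we have
        addr = candidate
        if not recursive:
            break                     # non-recursive: take the last value only
    return addr


def demo():
    return {
        "no_set_real_ip_from": effective_client_ip(SERVER1, LISTENER, []),
        "server1_trusted": effective_client_ip(SERVER1, LISTENER, [SERVER1]),
        "header_from_untrusted_peer": effective_client_ip(OUTSIDER, LISTENER, [SERVER1]),
        "malformed_header": effective_client_ip(SERVER1, "not-an-ip", [SERVER1]),
    }


if __name__ == "__main__":
    for case, ip in demo().items():
        print(f"{case:28} -> {ip}")
```

The first case is the "stats always show the proxy IP" symptom; the third shows that a header sent from anywhere other than server 1 does not change the recorded address.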
Then in server 1 the Nginx config for your site (in /etc/nginx/sites-available/) needs to contain a location block that looks something like this:
    location = /streams/128/ {
        proxy_set_header Host $host;
        # Real listener address; server 2 reads this via real_ip_header
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-Proto https;
        proxy_set_header X-Forwarded-For $remote_addr;
        # Original Host header requested by the listener, not the client address
        proxy_set_header X-Forwarded-Host $host;
        proxy_set_header Pragma no-cache;
        proxy_set_header Cache-Control no-cache;
        proxy_set_header Accept-Encoding */*;
        proxy_set_header Accept */*;
        # Stream audio straight through instead of buffering it on the proxy
        proxy_buffering off;
        tcp_nodelay on;
        proxy_pass http://SECOND_SERVER_IP:80/128/;
    }
This is just a basic example. You can add several of these, or use wildcard location matching etc. to enable multiple streams or whatever you need to do.
In this example I'm telling server 1 to proxy any requests to https://www.mydomain.com/streams/128/ to http://SECOND_SERVER_LOCAL_IP/128/ on port 80 over the local network, while setting some custom headers to forward the real IP of the listener.
That's it. Save your changes, run the Centova fix permissions tool if necessary, restart Nginx on server 1 (nginx -s reload) and reload Centova on server 2 (/usr/local/centovacast/centovacast stop, /usr/local/centovacast/centovacast start) and you are done.
https://www.mydomain.com/streams/128/ should now connect and stream via port 443, with a padlock in the address bar, no mixed content warnings, no firewall issues due to non-standard ports, and correct listener stats within Centova.