Setting up SSL Shoutcast2 radio streaming on a single CentOS server using Nginx

This is an issue we've been dancing around for years, but Chrome forced us to find a solution due to their recent changes.
For the record, we were able to configure Icecast for secure streaming some time ago, but that required our customers to make changes on their end - always a challenge - and they are just more comfortable with Shoutcast.

There is a post here from 2 years ago that outlines this process using 2 Ubuntu servers, but that requires passing all the traffic between them, and in our case that's a lot of bandwidth.  It did however help me down this road and could be useful for background info.


(works on both CentOS 6.9 and 7.7)

   - Obtain UserID and License from Shoutcast (We purchased the Premium package: https://www.shoutcast.com/Pricing)
   - Obtain and install Valid SSL certificate (we have a wildcard cert from TrustWave already installed for Centovacast)
   - You'll need 2 (or more) public IP addresses (Centova [SRCIP] and nginx [NGINX-IP] each need their own, because Shoutcast and nginx both listen on the same [PORT#])
   - Shoutcast2 config:
      ○ Set srcip and dstip to [SRCIP] for every port in use on Centovacast, so the Shoutcast listeners bind only the Centova address and leave [NGINX-IP]:[PORT#] free for nginx
      ○ Add to the server.conf file for each stream:
         sslcertificatefile=/path/to/certificate.pem
         sslcertificatekeyfile=/path/to/private.key
         userid=[shoutcast user id]
         licenceid=[shoutcast licence]
      ○ Enable port 80 proxy: https://centova.com/en/faq/cast3/information/does_centova_cast_include_a_proxy_for_streaming_on_port_80
         § /usr/local/centovacast/sbin/setproxy on
         § Edit /usr/local/centovacast/etc/web.d/cc-proxy.conf
            □ Add SRCIP to line: listen   80;  --> listen [SRCIP]:80;
            □ Add under "server {" outside the location directives (this makes cc-proxy log and rate-limit on the listener's real address instead of [NGINX-IP]):
               # Nginx proxy setup: trust the client address forwarded by the nginx front end
               set_real_ip_from  [NGINX-IP];
               real_ip_header    X-Real-IP;
               real_ip_recursive on;
            □ Initially I got it working by modifying the location directives for a specific stream, but would have had to duplicate them for each stream.  Leaving the defaults works with all my streams.
               
         § Restart centovacast
         § Each stream needs proxy.conf
            □ /usr/local/centovacast/var/vhosts/[STREAMNAME]/etc/proxy.conf
            □ With: http://[SRCIP]:[PORT#]%MOUNT%
      
      ○ Stop and start the stream in Centovacast
   - Point the audio encoder to the Centovacast FQDN:PORT# as normal (the unencrypted stream can still be heard there directly)
   - Install Nginx:
      ○ https://docs.nginx.com/nginx/admin-guide/installing-nginx/installing-nginx-open-source/#prebuilt_redhat
   - Nginx config:
      ○ Edit /etc/nginx/conf.d/default.conf (or add your own filename.conf)
      ○ For each stream:
      server {
          listen [NGINX-IP]:[PORT#] ssl;
          server_name         [Centovacast FQDN];
          ssl_certificate     /path/to/certificate.crt;
          ssl_certificate_key /path/to/private.key;
          # TLSv1 and TLSv1.1 are deprecated and refused by current browsers; drop TLSv1.3 if your OpenSSL predates 1.1.1
          ssl_protocols       TLSv1.2 TLSv1.3;
          ssl_ciphers         HIGH:!aNULL:!MD5;

          location = /[MOUNTPOINT] {
              # forward the listener's address and original host so cc-proxy's real_ip settings see the real client
              proxy_set_header Host $host;
              proxy_set_header X-Real-IP $remote_addr;
              proxy_set_header X-Forwarded-Proto https;
              proxy_set_header X-Forwarded-For $remote_addr;
              proxy_set_header X-Forwarded-Host $host;
              proxy_set_header Pragma no-cache;
              proxy_set_header Cache-Control no-cache;
              proxy_set_header Accept-Encoding */*;
              proxy_set_header Accept */*;
              # never buffer a continuous audio stream
              proxy_buffering off;
              tcp_nodelay on;
              proxy_pass http://[SRCIP]:[PORT#];
          }
      }
      ○ There is likely a way to use variables and regular expressions, but I didn't have time to explore it.
   - Start or restart nginx
   - Listen on https://[NGINX-FQDN]:[PORT#]/[MOUNTPOINT]
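As an added example (not from the original post or from Centova/Shoutcast), here is a small POSIX shell script that generates the per-stream nginx server blocks described above from a list of "PORT MOUNT" pairs, so a site with many streams does not have to copy the block by hand. All IP addresses (203.0.113.10 for nginx, 198.51.100.20 for Centova), the hostname radio.example.com, the certificate paths and the sample stream list are placeholders I made up for the example; substitute your own. It restricts TLS to 1.2/1.3 and forwards the real Host header rather than the client address in X-Forwarded-Host.

```shell
#!/bin/sh
# Added example, not from the original post: generate the per-stream nginx
# server{} blocks from a list of "PORT MOUNT" pairs instead of copying one by
# hand for every stream. All IPs, hostnames and paths are placeholders.

# gen_stream_block NGINX_IP SRCIP PORT MOUNT FQDN CERT KEY
# Print one server{} block that terminates TLS on NGINX_IP:PORT and proxies
# /MOUNT to the plain-HTTP Shoutcast listener bound to SRCIP:PORT.
gen_stream_block() {
    nginx_ip=$1; src_ip=$2; port=$3; mount=$4; fqdn=$5; cert=$6; key=$7
    printf 'server {\n'
    printf '    listen %s:%s ssl;\n' "$nginx_ip" "$port"
    printf '    server_name         %s;\n' "$fqdn"
    printf '    ssl_certificate     %s;\n' "$cert"
    printf '    ssl_certificate_key %s;\n' "$key"
    # TLS 1.0/1.1 are deprecated and refused by current browsers.
    printf '    ssl_protocols       TLSv1.2 TLSv1.3;\n'
    printf '    ssl_ciphers         HIGH:!aNULL:!MD5;\n'
    printf '    ssl_prefer_server_ciphers on;\n'
    printf '\n'
    printf '    location = /%s {\n' "$mount"
    # Headers the Centova cc-proxy real_ip settings expect from nginx
    # ($host / $remote_addr are nginx variables, left literal on purpose).
    printf '        proxy_set_header Host              $host;\n'
    printf '        proxy_set_header X-Real-IP         $remote_addr;\n'
    printf '        proxy_set_header X-Forwarded-For   $remote_addr;\n'
    printf '        proxy_set_header X-Forwarded-Proto https;\n'
    printf '        proxy_set_header X-Forwarded-Host  $host;\n'
    # Never buffer or cache a continuous audio stream.
    printf '        proxy_buffering  off;\n'
    printf '        proxy_cache      off;\n'
    printf '        tcp_nodelay      on;\n'
    printf '        proxy_pass http://%s:%s;\n' "$src_ip" "$port"
    printf '    }\n'
    printf '}\n\n'
}

# gen_all_blocks NGINX_IP SRCIP FQDN CERT KEY < streams.txt
# Reads "PORT MOUNT" pairs from stdin; blank lines and #-comments are skipped.
gen_all_blocks() {
    while read -r port mount _; do
        case $port in ''|\#*) continue ;; esac
        gen_stream_block "$1" "$2" "$port" "$mount" "$3" "$4" "$5"
    done
}

# Constructed sample stream list (placeholder ports and mount names).
SAMPLE_STREAMS='# port mount
8000 stream
8010 live
8020 jazz'

# Usage: redirect the output to /etc/nginx/conf.d/streams.conf, then run
# "nginx -t && nginx -s reload".
printf '%s\n' "$SAMPLE_STREAMS" | gen_all_blocks 203.0.113.10 198.51.100.20 \
    radio.example.com /etc/pki/tls/certs/wildcard.crt /etc/pki/tls/private/wildcard.key
```

After reloading, confirm the front end with `curl -sI https://radio.example.com:8000/stream` (an ICY/HTTP 200 with an audio content type) and check that the listener's address, not [NGINX-IP], appears in the Centova stream logs; if it does not, the set_real_ip_from address in cc-proxy.conf does not match the nginx IP.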
   
   
This is my recollection from a mad push last month to get it working, so there could be holes or the order may not be ideal, but it will at least get you most of the way there.