Making Icecast SSL

So I have just finished setting up Icecast on a CentOS 7 VPS and everything is working perfectly fine, but I need my stream to be SSL...
However, I'm not entirely sure how to do it. I looked at Icecast's website and found this page, which says it can be done:
http://icecast.org/docs/icecast-2.4.1/config-file.html
However, I'm not entirely sure where I'm putting the part, as I pretty much just followed an online tutorial on how to set it up, so I'm not very familiar with how it works. I do have an SSL certificate all set up and working with my site; I just want the stream to be SSL too.
Any help would be great, thanks!
<!-- LIMITS -->
<limits>
    <clients>100</clients>
    <sources>10</sources>
    <threadpool>5</threadpool>
    <queue-size>524288</queue-size>
    <client-timeout>30</client-timeout>
    <header-timeout>15</header-timeout>
    <source-timeout>10</source-timeout>
    <burst-on-connect>1</burst-on-connect>
    <burst-size>65535</burst-size>
</limits>
<!-- GENERIC -->
<authentication>
    <source-password>password</source-password>
    <admin-user>admin</admin-user>
    <admin-password>password</admin-password>
</authentication>
<hostname>MyHost/IP</hostname>
<listen-socket>
    <port>8000</port>
</listen-socket>
<fileserve>1</fileserve>
<!-- PATHS -->
<paths>
    <basedir>/opt/icecast/latest/share/icecast</basedir>
    <webroot>/opt/icecast/latest/share/icecast/web</webroot>
    <adminroot>/opt/icecast/latest/share/icecast/admin</adminroot>
    <logdir>/var/log/icecast</logdir>
    <pidfile>/var/run/icecast/icecast.pid</pidfile>
    <alias source="/" dest="/status.xsl"/>
</paths>
<!-- LOG -->
<logging>
    <accesslog>access.log</accesslog>
    <errorlog>error.log</errorlog>
    <playlistlog>playlist.log</playlistlog>
    <loglevel>1</loglevel>
    <logsize>10000</logsize>
    <logarchive>1</logarchive>
</logging>
<!-- SECURITY -->
<security>
    <chroot>0</chroot>
    <changeowner>
        <user>icecast</user>
        <group>icecast</group>
    </changeowner>
</security>

You have nothing referring to SSL.
Try replacing this:
<!-- GENERIC -->
<authentication>
    <source-password>password</source-password>
    <admin-user>admin</admin-user>
    <admin-password>password</admin-password>
</authentication>
<hostname>MyHost/IP</hostname>
<listen-socket>
    <port>8000</port>
</listen-socket>
<fileserve>1</fileserve>
with this:
<!-- GENERIC -->
<authentication>
    <source-password>password</source-password>
    <admin-user>admin</admin-user>
    <admin-password>password</admin-password>
</authentication>
<listen-socket>
    <port>8000</port>
    <bind-address>127.0.0.1</bind-address>
</listen-socket>
<listen-socket>
    <port>8443</port>
    <ssl>1</ssl>
</listen-socket>
<fileserve>1</fileserve>
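As an added example (not part of the question or the answer above, and not the Icecast project's own configuration), here is the listener section with the certificate actually wired in. The `<ssl>1</ssl>` flag on a listen socket only switches TLS on for that port; the file Icecast serves is named by the `<ssl-certificate>` element under `<paths>`, which the 2.4 config-file documentation linked in the question lists, and that file has to hold the private key together with the certificate chain in one PEM file. Icecast also has to be built with OpenSSL support for the option to do anything. The hostname, the PEM path and the cipher string are assumptions for illustration; the other paths are the ones from the question.

```xml
<!-- Added example: Icecast 2.4.x TLS listener wiring (assumed values, not the poster's config) -->
<hostname>stream.example.org</hostname>   <!-- assumed; use the name the certificate was issued for -->

<!-- Plain-HTTP socket kept for source clients on the same box only: bound to loopback,
     so the source/admin passwords never cross the network in clear text. -->
<listen-socket>
    <port>8000</port>
    <bind-address>127.0.0.1</bind-address>
</listen-socket>

<!-- TLS socket for listeners. <ssl>1</ssl> on its own is not enough: Icecast must be
     compiled with OpenSSL support and <ssl-certificate> below must be readable. -->
<listen-socket>
    <port>8443</port>
    <ssl>1</ssl>
</listen-socket>

<paths>
    <basedir>/opt/icecast/latest/share/icecast</basedir>
    <webroot>/opt/icecast/latest/share/icecast/web</webroot>
    <adminroot>/opt/icecast/latest/share/icecast/admin</adminroot>
    <logdir>/var/log/icecast</logdir>
    <pidfile>/var/run/icecast/icecast.pid</pidfile>
    <alias source="/" dest="/status.xsl"/>
    <!-- One PEM file: private key first, then the server certificate and any intermediates,
         e.g. built with:  cat privkey.pem fullchain.pem > /etc/icecast/icecast.pem
         Own it by the 'icecast' user named in <changeowner> and restrict it to mode 0600,
         since it contains the private key. Path is an assumed value. -->
    <ssl-certificate>/etc/icecast/icecast.pem</ssl-certificate>
    <!-- Optional, OpenSSL cipher-list syntax; assumed value that excludes anonymous,
         MD5 and RC4 suites. -->
    <ssl-allowed-ciphers>HIGH:!aNULL:!MD5:!RC4</ssl-allowed-ciphers>
</paths>
```

After restarting Icecast, the quickest check is `openssl s_client -connect stream.example.org:8443 -servername stream.example.org`: a successful handshake shows the certificate chain and ends with a `Verify return code`, while an Icecast binary built without OpenSSL simply refuses to open the `<ssl>` socket and logs that in error.log. Remember the certificate needs to be re-concatenated into the PEM file every time it is renewed.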

Related

Let webservice use SSL

With WildFly 8.2.1, I am trying to make existing webservice (JAX-WS) use SSL, but I haven't seen any use of SSL in quickstarts and the information I was able to google is limited. So far I've added this to web.xml:
<security-constraint>
    <display-name>Foo security</display-name>
    <web-resource-collection>
        <web-resource-name>FooService</web-resource-name>
        <url-pattern>/foo/FooService</url-pattern>
        <http-method>POST</http-method>
    </web-resource-collection>
    <user-data-constraint>
        <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
</security-constraint>
and this is in my standalone.xml:
<subsystem xmlns="urn:jboss:domain:webservices:1.2">
    <wsdl-host>${jboss.bind.address:127.0.0.1}</wsdl-host>
    <endpoint-config name="Standard-Endpoint-Config"/>
    <endpoint-config name="Recording-Endpoint-Config">
        <pre-handler-chain name="recording-handlers" protocol-bindings="##SOAP11_HTTP ##SOAP11_HTTP_MTOM ##SOAP12_HTTP ##SOAP12_HTTP_MTOM">
            <handler name="RecordingHandler" class="org.jboss.ws.common.invocation.RecordingServerHandler"/>
        </pre-handler-chain>
    </endpoint-config>
    <client-config name="Standard-Client-Config"/>
</subsystem>
but apparently that's not enough; when I look into standalone/data/wsdl/foo.ear/foo.war/FooService/Bar.wsdl I see:
<service name="FooService">
    <port binding="foowsb:FooBinding" name="FooBinding">
        <soap:address location="http://localhost:8080/foo/FooService"/>
    </port>
</service>
Note that in the EAR/WAR, the soap:address.location is filled just with a placeholder (I suppose that the value is ignored).
I've found some info about setting up security realm, and creating the self-signed certificate using keytool (which I did), but I completely miss how this should be linked together.
I've also tried to set up wsdl-uri-scheme=https, but this is supported only in later versions of CXF.
Seems that the soap:address.location value is not ignored when it's being replaced, since changing that from REPLACE_WITH_ACTUAL_URL to https://REPLACE_WITH_ACTUAL_URL did the trick - now the service got exposed on https://localhost:8443.
There are a couple more steps I had to do in standalone.xml: in undertow, add an https-listener:
<https-listener name="secure" socket-binding="https" security-realm="SslRealm"/>
define the SslRealm:
<security-realm name="SslRealm">
    <server-identities>
        <ssl>
            <keystore path="foo.keystore" relative-to="jboss.server.config.dir" keystore-password="foo1234" alias="foo" key-password="foo1234"/>
        </ssl>
    </server-identities>
    <authentication>
        <truststore path="foo.truststore" relative-to="jboss.server.config.dir" keystore-password="foo1234"/>
    </authentication>
</security-realm>
Note that I reuse the same keystore for server and clients here. And since my clients are ATM in the same WF node during development, I had to set up the client-side part there, too:
<system-properties>
    <property name="javax.net.ssl.trustStore" value="${jboss.server.config.dir}/foo.keystore"/>
    <property name="javax.net.ssl.trustStorePassword" value="foo1234"/>
    <property name="org.jboss.security.ignoreHttpsHost" value="true"/>
</system-properties>
The last property should be replaced in WF 9+ with cxf.tls-client.disableCNCheck.
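As an added example (not from the poster and not WildFly project configuration), here is the same realm, listener and client wiring with the client-side trust separated from the server-side identity. The answer above points the client's `javax.net.ssl.trustStore` at foo.keystore, the file that also holds the private key, and switches hostname verification off with `org.jboss.security.ignoreHttpsHost`. The variant below trusts a separate foo.truststore that contains only the exported public certificate and leaves hostname checking on, which means the certificate's subject alternative name has to match the host in the WSDL address (localhost in the answer). The keytool commands in the comments and all names, paths and passwords are assumptions; the `<authentication><truststore>` element is left out because one-way TLS does not use it (it configures trust for client certificates).

```xml
<!-- Added example (assumed names and placeholder passwords; not the poster's standalone.xml).
     Keystore and truststore created roughly as follows; only foo.crt (the public
     certificate) is ever copied around, foo.keystore stays on the server:
       keytool -genkeypair -alias foo -keyalg RSA -keysize 2048 -validity 365 \
               -ext SAN=dns:localhost -keystore foo.keystore
       keytool -exportcert -rfc -alias foo -keystore foo.keystore -file foo.crt
       keytool -importcert -noprompt -alias foo -file foo.crt -keystore foo.truststore -->

<!-- Server identity: the private key lives in the keystore and nowhere else. -->
<security-realm name="SslRealm">
    <server-identities>
        <ssl>
            <keystore path="foo.keystore" relative-to="jboss.server.config.dir"
                      keystore-password="CHANGE_ME" alias="foo" key-password="CHANGE_ME"/>
        </ssl>
    </server-identities>
</security-realm>

<!-- Undertow listener on the 'https' socket binding, exactly as in the answer. -->
<https-listener name="secure" socket-binding="https" security-realm="SslRealm"/>

<!-- Client side (same node during development): trust only the exported certificate.
     No org.jboss.security.ignoreHttpsHost / cxf.tls-client.disableCNCheck here, so the
     host the client dials must match the SAN (dns:localhost) baked into the certificate. -->
<system-properties>
    <property name="javax.net.ssl.trustStore" value="${jboss.server.config.dir}/foo.truststore"/>
    <property name="javax.net.ssl.trustStorePassword" value="CHANGE_ME"/>
</system-properties>
```

With this split, a compromised or leaked client configuration exposes only a certificate that is public anyway, and a certificate issued for a different host is rejected by the client instead of silently accepted. When the service later moves off localhost, reissue the certificate with the real name in its SAN rather than re-enabling the CN-check bypass.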

Accessing Multiple web applications on Jboss7 or Wildfly

I know we can deploy multiple web applications on JBoss 7 or WildFly. But how can we access different web applications on different ports? Where do we set that port for a web application?
For example,
application1 is accessible on x.x.x.x:8080
application2 is accessible on x.x.x.x:30000
application3 is accessible on x.x.x.x:35000
In your standalone you have to set up a different server and host for each application.
<subsystem xmlns="urn:jboss:domain:undertow:1.2">
    <server name="server1">
        <http-listener name="default" socket-binding="http-server1"/>
        <host name="webapp1" default-web-module="webapp1.war" alias="webapp1.com">
        </host>
    </server>
    <server name="server2">
        <http-listener name="default" socket-binding="http-server2"/>
        <host name="webapp2" default-web-module="webapp2.war" alias="webapp2.com">
        </host>
    </server>
    <!-- Other Settings -->
</subsystem>
For the socket binding:
<socket-binding-group name="standard-sockets" default-interface="public" port-offset="${jboss.socket.binding.port-offset:0}">
    <socket-binding name="http-server1" port="${jboss.http.port:8080}"/>
    <socket-binding name="http-server2" port="${jboss.http.port:8081}"/>
    <!-- Other ports -->
</socket-binding-group>
And then finally, you can have your .war files in the deployments directory but for configurations like this I sometimes find it easier to set the runtime names explicitly:
<deployments>
    <deployment name="webapp1" runtime-name="webapp1.war">
        <fs-archive path="/path/to/webapp1.war" />
    </deployment>
    <deployment name="webapp2" runtime-name="webapp2.war">
        <fs-archive path="/path/to/webapp2.war" />
    </deployment>
</deployments>

Cannot enable gzip in WildFly 8?

I want to enable gzip compression in the WildFly server. I used the following tutorial: Tutorial
This is the gzip-enabling code I included in standalone.xml:
<subsystem xmlns="urn:jboss:domain:undertow:1.0">
    <buffer-caches>
        <buffer-cache name="default" buffer-size="1024" buffers-per-region="1024" max-regions="10"/>
    </buffer-caches>
    <server name="default-server">
        <http-listener name="default" socket-binding="http"/>
        <host name="default-host" alias="localhost">
            <location name="/" handler="welcome-content" />
            <!-- line added for gzip -->
            <filter-ref name="gzipFilter" predicate="path-suffix['.css'] or path-suffix['.js']" />
            <filter-ref name="server-header"/>
            <filter-ref name="x-powered-by-header"/>
        </host>
    </server>
    <servlet-container name="default" default-buffer-cache="default" stack-trace-on-error="local-only">
        <jsp-config/>
    </servlet-container>
    <handlers>
        <file name="welcome-content" path="${jboss.home.dir}/welcome-content" directory-listing="true"/>
    </handlers>
    <filters>
        <response-header name="server-header" header-name="Server" header-value="Wildfly 8"/>
        <response-header name="x-powered-by-header" header-name="X-Powered-By" header-value="Undertow 1"/>
        <gzip name="gzipFilter"/>
    </filters>
</subsystem>
When I used this code on Ubuntu 14.04.1 LTS, it worked perfectly. But when I installed the application on CentOS Linux release 7.0.1406, it doesn't work. I used the same settings, but I could not figure out the problem so far. I'd be very grateful if someone could share their ideas.
I recommend you test upgrading to WildFly 8.2.
It has the new Undertow 1.1.0 integrated, which has solved a couple of issues around filters.
I assume your issue is also this:
UNDERTOW-331

Infinispan Initial State Transfer Hangs and times out

I'm trying to cluster a pair of servers with a shared Infinispan cache (Replicated Asynchronously). One always starts successfully, and registers itself properly with the JDBC database. When the other starts, it registers properly with the database, and I see a bunch of chatter between them, then, while waiting on a response from the second server, I get
`org.infinispan.commons.CacheException: Initial statue transfer timed out`
I think it's just an issue of configuration, but I'm not sure how to debug my configuration issues. I've spent several days configuring and re-configuring my Infinispan XML, and my JGroups.xml:
Infinispan:
<?xml version="1.0" encoding="UTF-8"?>
<infinispan xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns="urn:infinispan:config:6.0"
            xsi:schemaLocation="urn:infinispan:config:6.0 http://www.infinispan.org/schemas/infinispan-config-6.0.xsd
                                urn:infinispan:config:remote:6.0 http://www.infinispan.org/schemas/infinispan-cachestore-remote-config-6.0.xsd"
            xmlns:remote="urn:infinispan:config:remote:6.0">
    <!-- *************************** -->
    <!-- System-wide global settings -->
    <!-- *************************** -->
    <global>
        <shutdown hookBehavior="DEFAULT"/>
        <transport clusterName="DSLObjectCache">
            <properties>
                <property name="configurationFile" value="jgroups.xml"/>
            </properties>
        </transport>
        <globalJmxStatistics enabled="false" cacheManagerName="Complex.com"/>
    </global>
    <namedCache name="ObjectCache">
        <transaction transactionMode="TRANSACTIONAL" />
        <locking useLockStriping="false" />
        <invocationBatching enabled="true"/>
        <clustering mode="replication">
            <async asyncMarshalling="true" useReplQueue="true" replQueueInterval="100" replQueueMaxElements="100"/>
            <stateTransfer fetchInMemoryState="true" />
        </clustering>
        <eviction strategy="LIRS" maxEntries="500000"/>
        <expiration lifespan="86400000" wakeUpInterval="1000" />
    </namedCache>
    <default>
        <!-- Configure a synchronous replication cache -->
        <locking useLockStriping="false" />
        <clustering mode="replication">
            <async asyncMarshalling="true" useReplQueue="true" replQueueInterval="100" replQueueMaxElements="100"/>
            <stateTransfer fetchInMemoryState="true" />
        </clustering>
        <eviction strategy="LIRS" maxEntries="500000"/>
        <expiration lifespan="86400000" wakeUpInterval="1000" />
        <persistence>
            <cluster remoteCallTimeout="60000" />
        </persistence>
    </default>
</infinispan>
Jboss.xml:
<config xmlns="urn:org:jgroups"
        xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
        xsi:schemaLocation="urn:org:jgroups http://www.jgroups.org/schema/JGroups-3.0.xsd">
    <!-- Default the external_addr to #DEADBEEF so we can see errors coming through
         on the backend -->
    <TCP external_addr="${injected.external.address:222.173.190.239}"
         receive_on_all_interfaces="true"
         bind_addr="0.0.0.0"
         bind_port="${injected.bind.port:12345}"
         conn_expire_time="0"
         reaper_interval="0"
         sock_conn_timeout="20000"
         tcp_nodelay="true" />
    <JDBC_PING datasource_jndi_name="java:jboss/datasources/dsl/control" />
    <MERGE2 max_interval="30000" min_interval="10000"/>
    <FD_SOCK external_addr="${injected.external.address:222.173.190.239}"
             bind_addr="0.0.0.0" />
    <FD timeout="10000" max_tries="5"/>
    <VERIFY_SUSPECT timeout="1500" bind_addr="0.0.0.0" />
    <pbcast.NAKACK use_mcast_xmit="false"
                   retransmit_timeouts="300,600,1200,2400,4800"
                   discard_delivered_msgs="true"/>
    <UNICAST3 ack_batches_immediately="true" />
    <RSVP ack_on_delivery="true"
          throw_exception_on_timeout="true"
          timeout="1000" />
    <pbcast.STABLE stability_delay="1000" desired_avg_gossip="50000"
                   max_bytes="400000"/>
    <pbcast.GMS print_local_addr="true" join_timeout="5000"
                view_bundling="true" view_ack_collection_timeout="5000"/>
    <FRAG2 frag_size="60000"/>
    <pbcast.STATE_SOCK bind_port="54321"
                       external_addr="${injected.external.address:222.173.190.239}"
                       bind_addr="0.0.0.0" />
    <pbcast.FLUSH timeout="1000"/>
</config>
I've tried, frankly, every configuration option I can think of, and I'm not sure why the replication keeps timing out. All communication between these servers is wide open. Sorry to just dump so much XML, but I'm not even sure how to collect more information.
Continued exploration indicated that Infinispan was pushing logs to the server.log, but - due to my configuration, this was not duplicated on the console. Further inspection revealed that I left a single element in my cache objects unserializable - making it impossible for it to be written to the wire and transferred. The logs are very specific, making this actually a very easy problem to track down once I realized where the logs were being written.
If you come here from the future, my advice is to just tail every single log you can on the working server, and see what comes up.

what trustlevel must I use?

I am launching my first website. I have published it and I am getting this error.
The application attempted to perform an operation not allowed by the security policy. To grant this application the required permission please contact your system administrator or change the application's trust level in the configuration file.
What trustlevel should I use now the site is online?
<system.web>
    <securityPolicy>
        <trustLevel name="Full" policyFile="internal"/>
    </securityPolicy>
</system.web>
Are there any other web.config settings I must be aware of now that I am putting the site online? Like changing the connection string?
Fixed it by using
<trust level="Full" />
inside <system.web>
Depending on your host provider, you may need to take out the compilers as well.
In my experience with GoDaddy I had to comment out my compilers and put trust level="Full".
Set your custom errors to On or RemoteOnly so end users do not see any error messages a.k.a "the yellow screen of death".
<system.web>
    <trust level="Full" />
    <customErrors mode="On" />
    ..... other settings in system.web ...
</system.web>
<system.codedom>
    <compilers>
        <!-- <compiler language="..." /> -->
        <!-- <compiler language="..." /> -->
    </compilers>
</system.codedom>