Silently fails to run on port 443

[essboyer]

Hello!

First: Thanks for everything you're doing to breathe some fresh life into icecast! I'm certainly playing along at home now.

After configuring and building 2.5b3 from tar (configured to disable yp, otherwise vanilla), i configured a pretty stock setup, recreating my running 2.4.4 server config. It runs, but it silently fails to run on port 443. In the list of listen ports it appears with instead of family: INET, I get error, and the server does not listen on it, however, all my other ports work just fine including 8443 (tls config is good). I ended up using nginx to rev proxy 443 to 8443 for now, which works.

I'm running it with systemd and the original service unit.

I've probably messed something in my config. Here it is below:

<icecast>
    <location>...</location>
    <admin>...</admin>
    <hostname>...</hostname>

    <limits>
        <clients>100</clients>
        <sources>2</sources>
        <queue-size>524288</queue-size>
        <client-timeout>30</client-timeout>
        <header-timeout>15</header-timeout>
        <source-timeout>10</source-timeout>
        <burst-size>65535</burst-size>
    </limits>

    <authentication>
        <source-password></source-password>
        <relay-password>hackme</relay-password>
        <admin-user>manager</admin-user>
        <admin-password></admin-password>
    </authentication>

    <shoutcast-mount>/stream</shoutcast-mount>

    <listen-socket>
        <port>443</port>
        <tls>1</tls>
        <shoutcast-mount>/stream</shoutcast-mount>
    </listen-socket>
    <listen-socket>
        <port>8443</port>
        <tls>1</tls>
    </listen-socket>    
    <listen-socket>
        <port>8000</port>
        <shoutcast-mount>/stream</shoutcast-mount>
    </listen-socket>

    <http-headers>
        <header type="cors" name="Access-Control-Allow-Origin" />
        <header type="cors" name="Access-Control-Allow-Headers" />
        <header type="cors" name="Access-Control-Expose-Headers" />
    </http-headers>

    <paths>
        <basedir>/usr/local/share/icecast</basedir>
        <logdir>/var/log/icecast</logdir>
        <webroot>/usr/local/share/icecast/web</webroot>
        <adminroot>/usr/local/share/icecast/admin</adminroot>
        <reportxmldb>/usr/local/share/icecast/report-db.xml</reportxmldb>
        <pidfile>/var/log/icecast/icecast.pid</pidfile>
    </paths>

    <logging>
        <accesslog>access.log</accesslog>
        <errorlog>error.log</errorlog>
        <loglevel>information</loglevel> <!-- "debug", "information", "warning", or "error" -->
        <logsize>10000</logsize>
    </logging>

    <security>
        <chroot>false</chroot>
        <tls-context>
            <tls-key>...</tls-key>
            <tls-certificate>...</tls-certificate>
        </tls-context>

        <prng-seed type="read-write" size="1024">/var/cache/icecast.prng-seed</prng-seed>
        <prng-seed type="profile">linux</prng-seed>
    </security>
</icecast>

[phschafft]

This sounds like your operating system (I guess you are using a linux as you use the linux PRNG profile) refuses Icecast to bind to that port because it's a privileged port.

If that's the case it really depends on your operating system how to get this working. You could try to set the permissions for Icecast to bind to that port anyway (for Linux see capabilities(7)), start the process as root and do a change user later (per Icecast config; this is something I would avoid), or use a network level redirect (iptables target REDIRECT, see iptables-extensions(8)). There might be more options.

Using a reverse proxy is not recommended as they tend to break things (but often seem to work at initial testing) and are super hard to correctly configure for this usecase.

If this problem is not a permission problem it would be very nice if you could open a ticket in the official ticket system.