# Sample: Hosted Icecast


Audio Streaming Via Agilicus AnyX

---


## Overview

In this example, we will set up an "Icecast" audio streaming system and require users to authenticate via OpenID Connect. We will also show authorisation: a set of "viewers" who can stream the music, and an Administrator.

For this example we will use an onsite connector as a means of reaching the Icecast server. Go through the steps to [install](https://www.agilicus.com/anyx-guide/agilicus-connector/) this now (or use one already installed).

First, let us open the "New Application" menu. We will do this manually (without a template) to demonstrate.

[![](https://www.agilicus.com/www/c4ed3c57-image.png)](https://www.agilicus.com/www/c4ed3c57-image.png)

Give the application a name. This must be a valid hostname (it will be part of the URL a user will use, e.g. `https://<NAME>.<DOMAIN>`). You may describe the application and give it a category; these are just used for reporting purposes.

[![](https://www.agilicus.com/www/950db2f0-image.png)](https://www.agilicus.com/www/950db2f0-image.png)

You have a choice: you can supply your own domain name (in which case you must put a CNAME in your DNS pointing to our domain \_\_REGION\_DOMAIN\_NAME\_\_), or you may use a name from the CNAME you set up when you created the organisation initially.

[![](https://www.agilicus.com/www/cd35e726-image.png)](https://www.agilicus.com/www/cd35e726-image.png)

Now we indicate how the upstream *Icecast* application is accessed. We will do this via the onsite connector.

[![](https://www.agilicus.com/www/e1abbf61-image.png)](https://www.agilicus.com/www/e1abbf61-image.png)

Select the specific connector (which we previously created and installed).

[![](https://www.agilicus.com/www/2d7652f4-image.png)](https://www.agilicus.com/www/2d7652f4-image.png)

You now have 2 choices. You may have a full web application firewall with fine-grained (e.g. per transaction) audit logs, or you may have a transparent end-to-end TLS session (in which case the private key will be solely on your site: we will have no access). For this demonstration, we will use the Enhanced Web Application Firewall.

[![](https://www.agilicus.com/www/f8f42442-image.png)](https://www.agilicus.com/www/f8f42442-image.png)

We now enter the coordinates (in the private network, e.g. as would be reachable by that onsite connector) for the *Icecast* server.

[![](https://www.agilicus.com/www/b1a20ad7-image.png)](https://www.agilicus.com/www/b1a20ad7-image.png)

We wish to have the OpenID Connect Proxy handle authentication and authorisation. We can also enter a URL that, when fetched, will force a logout.

[![](https://www.agilicus.com/www/144e934f-image.png)](https://www.agilicus.com/www/144e934f-image.png)

We are later going to have 2 types of users (viewers, admins). You might choose an "auto-create" user type for the viewer, allowing anonymous but attributable access.

[![](https://www.agilicus.com/www/01db9f3b-image.png)](https://www.agilicus.com/www/01db9f3b-image.png)

At this stage we are done creating the application. We will now set up the identity-aware web application firewall authorisation.

## Create Authorisation Roles, Firewall Rules

On the "Define" screen we can fine-tune the application. First add a "viewer" role, then an "admin" role which includes viewer. Make the default role "viewer".

[![](https://www.agilicus.com/www/253457eb-image-1024x701.png)](https://www.agilicus.com/www/253457eb-image.png)

Now let us set up the firewall. We will allow 'viewer' to GET anything except /admin. We will allow administrators to use any method (GET/PUT/POST/...) on the /admin/ tree.

[![](https://www.agilicus.com/www/23ec7eab-image-1024x654.png)](https://www.agilicus.com/www/23ec7eab-image.png)

At this stage we can open up our *Icecast* server (`https://APPLICATION.DOMAIN`). We will be challenged to provide credentials; after that, with single sign-on, we are streaming our sweet music.
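
The roles and firewall rules defined above can be modelled offline to produce an expected allow/deny matrix before checking the live application against it. This is an added example, not Agilicus code or its rule engine; the rule layout, the segment-aware `/admin` matching, the path normalisation and the sample paths are assumptions.

```python
import posixpath

# Roles from the page: "admin" includes "viewer"; the default role is "viewer".
ROLE_INCLUDES = {"viewer": set(), "admin": {"viewer"}}
DEFAULT_ROLE = "viewer"

# The two rules from the page. The dict layout is an assumption of this model.
RULES = [
    {"role": "viewer", "methods": {"GET"}, "prefix": "/", "except": "/admin"},
    {"role": "admin", "methods": None, "prefix": "/admin/", "except": None},  # None = any method
]

def effective_roles(role):
    """Expand a role into itself plus every role it includes."""
    roles = {role}
    for included in ROLE_INCLUDES.get(role, ()):
        roles |= effective_roles(included)
    return roles

def under(path, prefix):
    """Segment-aware match: /admin covers /admin and /admin/x, not /administrator."""
    prefix = prefix.rstrip("/") or "/"
    return prefix == "/" or path == prefix or path.startswith(prefix + "/")

def is_allowed(role, method, raw_path):
    """Return True if some rule permits the request; otherwise deny by default."""
    # Collapse "//" and "../" first so the match sees the path the server will serve.
    path = posixpath.normpath("/" + raw_path.lstrip("/"))
    roles = effective_roles(role or DEFAULT_ROLE)
    for rule in RULES:
        if rule["role"] not in roles:
            continue
        if rule["methods"] is not None and method.upper() not in rule["methods"]:
            continue
        if not under(path, rule["prefix"]):
            continue
        if rule["except"] and under(path, rule["except"]):
            continue
        return True
    return False

# Constructed request matrix: (role, method, path) -> decision.
MATRIX = [("viewer", "GET", "/stream.mp3"), ("viewer", "GET", "/admin/stats"),
          ("admin", "POST", "/admin/metadata"), ("admin", "POST", "/stream.mp3")]

if __name__ == "__main__":
    for role, method, path in MATRIX:
        print(role, method, path, "ALLOW" if is_allowed(role, method, path) else "DENY")
```

The model assumes the path is already percent-decoded; a request whose decision on the live application differs from the matrix points at a rule that needs tightening.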