
@anthonyeden
Created August 9, 2016 02:04
Icecast Geoblocking Example
<!-- Example mount section: listener access is delegated to an external URL authenticator. -->
<mount>
<mount-name>/mountname</mount-name>
<!-- "hackme" is the placeholder password from Icecast's sample configuration; set a unique secret before deploying. -->
<password>hackme</password>
<!-- Geo-blocking can be added to any mount, but not relays -->
<authentication type="url">
<!-- URL called for each connecting listener; the script reads the posted "ip" and "agent" fields and the "mount" query value. -->
<!-- NOTE(review): the query value "mountmame" does not match the mount name /mountname and looks like a typo; the script only writes this value to its logs. -->
<!-- NOTE(review): this is a plain http:// URL and the script acts on whatever "ip" value is posted to it; presumably the endpoint should be reachable only from the Icecast host (TODO confirm for your deployment). -->
<option name="listener_add" value="http://example.com/icecast_geoblock.php?mount=mountmame" />
<!-- Response header that marks a listener as accepted; the script sends exactly this header for allowed addresses. -->
<option name="auth_header" value="icecast-auth-user: 1" />
</authentication>
</mount>
<?php
// This script allows you to restrict Icecast listeners to a specific geolocation
// Sample provided by http://mediarealm.com.au/
require('icecast_geoblock_addresses.php');
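/**
 * Test whether an IPv4 address falls inside a CIDR range.
 *
 * The function fails closed: any input that cannot be parsed as IPv4
 * (empty string, IPv6, non-string value, prefix length outside 0-32)
 * yields false rather than being coerced to 0 and compared.
 *
 * @param mixed $ip    Dotted-quad IPv4 address to test.
 * @param mixed $range Range in "a.b.c.d/bits" form; an entry without "/bits"
 *                     is treated as a single host (/32).
 * @return bool True only when both inputs are valid and $ip lies in $range.
 */
function cidr_match($ip, $range) {
    // Adapted from http://stackoverflow.com/questions/594112/matching-an-ip-to-a-cidr-mask-in-php-5
    if (!is_string($ip) || !is_string($range)) {
        return false;
    }

    $parts = explode('/', $range, 2);

    // Without this default a range lacking "/bits" produced a shift by 32,
    // i.e. an all-zero 32-bit mask, so the entry matched every address.
    $bits = isset($parts[1]) ? $parts[1] : '32';
    if (preg_match('/\A[0-9]{1,2}\z/', $bits) !== 1 || (int) $bits > 32) {
        return false;
    }
    $bits = (int) $bits;

    // ip2long() returns false for anything that is not a valid IPv4 address;
    // treating that as 0 would let garbage input match 0.x.x.x ranges.
    $ipLong = ip2long($ip);
    $subnetLong = ip2long($parts[0]);
    if ($ipLong === false || $subnetLong === false) {
        return false;
    }

    $mask = -1 << (32 - $bits);

    // Mask both sides so a subnet that is not aligned to its prefix still compares correctly.
    return ($ipLong & $mask) === ($subnetLong & $mask);
}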
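// Request fields this script expects from the Icecast listener_add call.
// A missing or non-string value falls back to the original placeholder.
$listenerIp = (isset($_POST['ip']) && is_string($_POST['ip'])) ? $_POST['ip'] : "";
$listenerAgent = (isset($_POST['agent']) && is_string($_POST['agent'])) ? $_POST['agent'] : "UNDEFINED AGENT";
$mountLabel = (isset($_GET['mount']) && is_string($_GET['mount'])) ? $_GET['mount'] : "UNDEFINED MOUNT";

// All three values are request-controlled. Collapse control characters
// (including CR/LF) and cap the length so a request cannot forge extra
// log lines or bloat the log files.
$logField = function ($value) {
    $flat = preg_replace('/[\x00-\x1F\x7F]+/', ' ', $value);
    return substr($flat === null ? '' : $flat, 0, 255);
};

// Append one line to a log file. A logging failure is reported to the PHP
// error log instead of aborting the authentication decision.
// NOTE(review): the log paths are relative, so they resolve against the
// script's working directory; if that is inside the web root the listener
// IPs and user agents may be downloadable. Consider a path outside it.
$appendLog = function ($file, $line) {
    if (file_put_contents($file, $line . "\r\n", FILE_APPEND | LOCK_EX) === false) {
        error_log('icecast_geoblock: could not write to ' . $file);
    }
};

$stamp = str_pad(date("Y-m-d H:i:s") . " " . $logField($mountLabel), 35);

// Only a syntactically valid IPv4 address is compared against the allow
// list; anything else goes straight to the rejection path (fail closed).
if (filter_var($listenerIp, FILTER_VALIDATE_IP, FILTER_FLAG_IPV4) !== false) {
    foreach ($allowedSubnets as $subnet) {
        if (cidr_match($listenerIp, $subnet)) {
            // This listener is allowed - send the acceptance header to Icecast
            header("icecast-auth-user: 1");

            // Log this allowed request
            $appendLog('icelog_allowed.txt', $stamp . " | " . $listenerIp);

            // End script execution
            exit();
        }
    }
}

// Send the rejection headers back to Icecast before logging, so a warning
// printed by a failed log write cannot interfere with sending them.
header("icecast-auth-user: 0");
header("icecast-auth-message: geo-blocked");

// Log all blocked requests
$appendLog('icelog_blocked.txt', $stamp . " | " . str_pad($logField($listenerIp), 20) . " " . $logField($listenerAgent));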
<?php
// This is a list of allowed IP addresses, obtained from the MaxMind GeoLite2 database
// Insert your own list here - https://dev.maxmind.com/geoip/geoip2/geolite2/
// Use standard CIDR notation
// Allow list consumed by the geoblock script: one IPv4 range per entry,
// written as address/prefix-length.
$allowedSubnets = [
    '1.0.0.0/24',
    '1.0.4.0/22',
    '1.1.1.0/24',
    '1.4.0.0/24',
    '1.10.10.0/24',
    '1.40.0.0/14',
    '1.44.0.0/16',
    '1.120.0.0/13',
    // ... (list truncated in this sample) ...
    '1.128.0.0/11',
];