Created
August 9, 2016 02:04
Icecast Geoblocking Example
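<mount>
    <mount-name>/mountname</mount-name>
    <!-- "hackme" is a sample source password only: set a unique secret before deploying this mount. -->
    <password>hackme</password>
    <!-- Geo-blocking can be added to any mount, but not relays -->
    <authentication type="url">
        <!--
            Icecast calls this URL for every new listener. The "mount" query parameter is only
            a label that the script writes to its log files, so keep it in step with <mount-name>.
            The sample uses plain HTTP: place the script where only the Icecast server can reach
            it, because the script trusts whatever "ip" value is POSTed to it.
        -->
        <option name="listener_add" value="http://example.com/icecast_geoblock.php?mount=mountname" />
        <!-- The listener is admitted only when the script's response carries exactly this header. -->
        <option name="auth_header" value="icecast-auth-user: 1" />
    </authentication>
</mount>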
<?php | |
// This script allows you to restrict Icecast listeners to a specific geolocation | |
// Sample provided by http://mediarealm.com.au/ | |
require('icecast_geoblock_addresses.php'); | |
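/**
 * Check whether an IPv4 address falls inside a CIDR range.
 *
 * Adapted from http://stackoverflow.com/questions/594112/matching-an-ip-to-a-cidr-mask-in-php-5
 *
 * The result drives an allow-list decision, so the function fails closed: any
 * argument that is not a well-formed IPv4 address or "a.b.c.d/bits" range yields
 * false instead of being coerced to 0 and compared.
 *
 * @param string $ip    Dotted-quad IPv4 address, e.g. "1.0.4.17".
 * @param string $range Range in CIDR notation, e.g. "1.0.4.0/22".
 * @return bool True only when both arguments are valid and $ip lies inside $range.
 */
function cidr_match($ip, $range) {
    if (!is_string($ip) || !is_string($range)) {
        return false;
    }

    // Require exactly "address/bits". Without this check a range that lacks the prefix
    // length shifts the mask by 32 bits, which on 64-bit PHP clears every address bit
    // and makes the entry match any listener.
    $parts = explode('/', $range);
    if (count($parts) !== 2 || !preg_match('/^[0-9]{1,2}$/D', $parts[1])) {
        return false;
    }
    $bits = (int) $parts[1];
    if ($bits > 32) {
        return false;
    }

    // ip2long() returns false for anything that is not a full dotted quad (empty
    // string, IPv6, garbage); false must never take part in the bitwise comparison.
    $ipLong = ip2long($ip);
    $subnetLong = ip2long($parts[0]);
    if ($ipLong === false || $subnetLong === false) {
        return false;
    }

    // A /0 range matches everything; handle it explicitly instead of shifting by 32.
    $mask = ($bits === 0) ? 0 : -1 << (32 - $bits);
    $subnetLong &= $mask; // nb: in case the supplied subnet wasn't correctly aligned

    return ($ipLong & $mask) === $subnetLong;
}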
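// Remove control characters (CR, LF, NUL, DEL, ...) from a request value before it is
// written to a log file, so that a single request cannot split or forge log lines.
// Non-string input (for example an array sent as ip[]=...) is replaced by $default.
function icecast_log_field($value, $default) {
    if (!is_string($value)) {
        return $default;
    }
    return preg_replace('/[\x00-\x1F\x7F]/', '', $value);
}

// Append one line to a log file. A logging failure is reported through error_log() and
// must never change the allow/deny answer that is sent back to Icecast.
// NOTE(review): the relative file names place the logs next to this script; if that
// directory is served by the web server, listener IPs become publicly readable. Move the
// logs outside the document root or deny access to them.
function icecast_log_line($file, $line) {
    if (file_put_contents($file, $line, FILE_APPEND | LOCK_EX) === false) {
        error_log("icecast_geoblock: unable to write to " . $file);
    }
}

// Everything below is request data and therefore untrusted: this script believes whatever
// "ip" the caller POSTs, so it should only be reachable by the Icecast server itself.
$listenerIp = (isset($_POST['ip']) && is_string($_POST['ip'])) ? $_POST['ip'] : "";
$logIp = icecast_log_field($listenerIp, "");
$logAgent = icecast_log_field(isset($_POST['agent']) ? $_POST['agent'] : "UNDEFINED AGENT", "UNDEFINED AGENT");
$logMount = icecast_log_field(isset($_GET['mount']) ? $_GET['mount'] : "UNDEFINED MOUNT", "UNDEFINED MOUNT");

// Only a syntactically valid IPv4 address is compared against the allow list; anything
// else (missing, malformed, IPv6) falls through to the rejection path below.
if (filter_var($listenerIp, FILTER_VALIDATE_IP, FILTER_FLAG_IPV4) !== false) {
    foreach ($allowedSubnets as $subnet) {
        if (cidr_match($listenerIp, $subnet)) {
            // This listener is allowed - send the acceptance header to Icecast
            header("icecast-auth-user: 1");

            // Log this allowed request
            icecast_log_line(
                'icelog_allowed.txt',
                str_pad(date("Y-m-d H:i:s") . " " . $logMount, 35) . " | " . $listenerIp . "\r\n"
            );

            // End script execution
            die();
        }
    }
}

// Log all blocked requests
icecast_log_line(
    'icelog_blocked.txt',
    str_pad(date("Y-m-d H:i:s") . " " . $logMount, 35) . " | " . str_pad($logIp, 20) . " " . $logAgent . "\r\n"
);

// Send the rejection headers back to Icecast
header("icecast-auth-user: 0");
header("icecast-auth-message: geo-blocked");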
<?php | |
// Allow list of IPv4 networks whose listeners may connect, obtained from the
// MaxMind GeoLite2 database.
// Insert your own list here - https://dev.maxmind.com/geoip/geoip2/geolite2/
// Use standard CIDR notation ("a.b.c.d/bits"), one network per entry.
// Geolocation data changes over time, so regenerate this list from a current
// database export rather than treating it as fixed.
$allowedSubnets = [
    '1.0.0.0/24',
    '1.0.4.0/22',
    '1.1.1.0/24',
    '1.4.0.0/24',
    '1.10.10.0/24',
    '1.40.0.0/14',
    '1.44.0.0/16',
    '1.120.0.0/13',
    // ... SNIP: further entries omitted from this sample ...
    '1.128.0.0/11',
];