Blocking Country with nginx GeoIP
Posted By : Shubham Maurya | 29-Aug-2022
Introduction:
Globalization has made cyberattacks much easier, unfortunately, you may not want certain countries to visit your website or product page if you mainly get malicious traffic from specific countries that overload your server and slow it down. In this blog, we will be configuring nginx to use the latest GeoIP database and blocking a custom list of countries from accessing your site using MaxMind GeoIP databases.
Nginx GeoIP Database Installation:
This blog assumes you already have nginx installed on your system and have root user access.
GeoIP database :- A GeoIP database is a database of IP addresses with their locations tagged. Geo IP databases are used to perform geolocation using an IP address.
Install the necessary GeoIP database, GeoIP library and nginx GeoIP module on the system and run following command-
- sudo apt-get install geoip-database-extra libgeoip1 libnginx-mod-http-geoip -y
After installing these packages we can update the MaxMind GeoIP databases to be the latest GeoIP2 data packaged in the GeoIP database format who keeps them updated. you can use following command given below-
- cd /usr/share/GeoIP
- mv GeoIP.dat GeoIP.dat.bak
- wget https://dl.miyuru.lk/geoip/maxmind/country/maxmind.dat.gz
- gunzip maxmind.dat.gz
- mv maxmind.dat GeoIP.dat
- mv GeoIPCity.dat GeoIPCity.dat.bak
- wget https://dl.miyuru.lk/geoip/maxmind/city/maxmind.dat.gz
- gunzip maxmind.dat.gz
- mv maxmind.dat GeoIPCity.dat
To tell nginx where the GeoIP databases are located you need to add these lines into /etc/nginx/nginx.conf in your http { block
- geoip_country /usr/share/GeoIP/GeoIP.dat;
- geoip_city /usr/share/GeoIP/GeoIPCity.dat;
I put it at the top here,
#WP-Bullet.com nginx configuration
user www-data;
worker_processes auto;
pid /run/nginx.pid;
include /etc/nginx/modules-enabled/*.conf;
events {
worker_connections 768;
multi_accept on;
}
http {
# GeoIP databases
geoip_country /usr/share/GeoIP/GeoIP.dat;
geoip_city /usr/share/GeoIP/GeoIPCity.dat;
...
Now we can block some countries,
The first thing we are going to do is make a list of the countries to block, you can put this in your http { block. The full list of MaxMind GeoIP country codes in 2 letter format can be
# map the list of denied countries
map $geoip_country_code $allowed_country {
default yes;
# Pakistan
PK no;
# Ukraine
UA no;
# Russia
RU no;
# China
CN no;
}
Now we can block the country with this if statement,
# block the country
if ($allowed_country = no) {
return 444;
}
If you want to add a custom HTTP header to show the country you can do so with this snippet in the nginx server block,
add_header X-Country $geoip_country_code;
As usual after you finish making any of these modifications you should test your nginx configuration
nginx -t
If the syntax is OK then reload nginx
service nginx reload
Cookies are important to the proper functioning of a site. To improve your experience, we use cookies to remember log-in details and provide secure log-in, collect statistics to optimize site functionality, and deliver content tailored to your interests. Click Agree and Proceed to accept cookies and go directly to the site or click on View Cookie Settings to see detailed descriptions of the types of cookies and choose whether to accept certain cookies while on the site.
About Author
Shubham Maurya
Shubham is a highly efficient DevOps Engineer with specialized expertise in Continuous Integration/Continuous Delivery (CI/CD) practices. He possesses in-depth knowledge and hands-on experience working with cloud platforms such as AWS and GCP. Shubham is well-versed in automation techniques, containerization technologies, and proficient in monitoring and logging systems. He has successfully contributed to a diverse range of projects, including Mymandi, musical-school, odoo-infrastructure, Bhaasha, and Tro-platform. With his comprehensive skill set, Shubham is well-prepared to overcome the challenges associated with modern software development and delivery processes.