How to Block Visitors by Country with the GeoIP Module in NGINX

The GeoIP database helps in representing diagrammatically the IP network address assignments to geographical locales that is quite helpful in recognizing the physical location with which an IP host address is linked on a relatively granular level.

The guideline below illustrates how to block visitors by country with the help of GeoIP module in nginx. This can only be done by the GoeIP database which locates users’ IP addresses to country by country. In order to use the GeoIP database, nginx must be written with the HttpGeoipModule accordingly. In order to verify whether your nginx was compiled with that module or not, you need to run;

nginx -V

If “with-http_geoip_module is visible in the output section, you are allowed to use the GeoIP database with nginx:

root@server1:~# nginx -V
nginx version: nginx/1.2.1
TLS SNI support enabled
configure arguments: –prefix=/etc/nginx –conf-path=/etc/nginx/nginx.conf –error-log-path=/var/log/nginx/error.log –http-client-body-temp-path=/var/lib/nginx/body –http-fastcgi-temp-path=/var/lib/nginx/fastcgi –http-log-path=/var/log/nginx/access.log –http-proxy-temp-path=/var/lib/nginx/proxy –http-scgi-temp-path=/var/lib/nginx/scgi –http-uwsgi-temp-path=/var/lib/nginx/uwsgi –lock-path=/var/lock/nginx.lock –pid-path=/var/run/nginx.pid –with-pcre-jit –with-debug –with-http_addition_module –with-http_dav_module
–with-http_geoip_module –with-http_gzip_static_module –with-http_image_filter_module –with-http_realip_module –with-http_stub_status_module –with-http_ssl_module –with-http_sub_module –with-http_xslt_module –with-ipv6 –with-sha1=/usr/include/openssl –with-md5=/usr/include/openssl –with-mail –with-mail_ssl_module –add-module=/build/buildd-nginx_1.2.1-2.1-amd64-fMGfEu/nginx-1.2.1/debian/modules/nginx-auth-pam –add-module=/build/buildd-nginx_1.2.1-2.1-amd64-fMGfEu/nginx-1.2.1/debian/modules/nginx-echo –add-module=/build/buildd-nginx_1.2.1-2.1-amd64-fMGfEu/nginx-1.2.1/debian/modules/nginx-upstream-fair –add-module=/build/buildd-nginx_1.2.1-2.1-amd64-fMGfEu/nginx-1.2.1/debian/modules/nginx-dav-ext-module
root@server1:~#

Instructions

  • 1

    How to install The GeoIP Database

    On Debian/Ubuntu, the GeoIP database can be installed as follows:

    apt-get install geoip-database libgeoip1

    This will keep the GeoIP database in /usr/share/GeoIP/GeoIP.dat.

    There is a chance that it might be obsolete. So, we have to download the latest version of it as a second option from the GeoIP website:

    mv /usr/share/GeoIP/GeoIP.dat /usr/share/GeoIP/GeoIP.dat_bak

    cd /usr/share/GeoIP/

    wget http://geolite.maxmind.com/download/geoip/database/GeoLiteCountry/GeoIP.dat.gz

    gunzip GeoIP.dat.gz

  • 2

    How to configure NGINX

    Open /etc/nginx/nginx.conf...

    vi /etc/nginx/nginx.conf

    ... and place this in the http {} block, before any include lines:

    [...]

    geoip_country /usr/share/GeoIP/GeoIP.dat;

    map $geoip_country_code $allowed_country {

    default yes;

    FK no;

    FM no;

    EH no;

    }

    [...]





    This won’t block any country, it just creates the $allowed_country variable. In order to block countries, you have to open your vhost configuration and write the following code in the server {} container.

    [...]

    if ($allowed_country = no) {

    return 444;

    }

    [...]

    This will display the 444 error code to anyone who visits the website from a blocked country. What actually happened is it shut down the connection without transferring any header.

    Reload nginx after you are done with this.

    /etc/init.d/nginx reload

Leave a Reply

Your email address will not be published. Required fields are marked *


2 × one =