Nginx – GeoIP: configuration

   -     -   (0)  -    3 minutes

In this new tutorial dedicated to Nginx, I will explain to you how to configure GeoIP in order to be able to set filters (restrictions) based on the country of your visitors.

GeoIP will allow us to determine the country (see city) of a visitor based on their IP address, for this we will rely on a database provided by MaxMind.

Knowing the country of our visitor then allows us to define actions how:

  • Block the user and not provide content for example, often used in business to “protect” applications
  • Redirect user to a nearby server for a better experience
  • Provide different content

In this tutorial, I will mainly cover “blocking”.

  1. Prerequisites
  2. Installing the libmaxmindddb and geoipuodate components
  3. Maxmind configuration and testing
  4. Configuration de Nginx pour utiliser la GeoIP

Prerequisites

Before starting, you must check that the GeoIP2 module is present on Nginx, to do this enter the following command and search in the list: http-geoip2

nginx -V

If the module is not present, you have several solutions:

  • Reinstall Nginx with extra modules
  • Compile the module and add it

In order to download the Maxmind database, it is necessary to have a (free) account and a token.

Installing the libmaxmindddb and geoipuodate components

In order to download and update the database, we will install the following components:

  • libmaxmindddb
  • geoipuodate

To do this we will add a deposit:

sudo add-apt-repository ppa:maxmind/ppa

Update packages:

sudo apt update

Install necessary components:

sudo apt install libmaxminddb0 libmaxminddb-dev mmdb-bin geoipupdate -y

Maxmind and geoipupdate are installed.

Maxmind configuration and testing

You must now configure Maxmind with the identifier and license key.

You must now configure Maxmind with the identifier and license key.

sudo nano /etc/GeoIP.conf

Modify the AccountID and LicenseKey lines then save the file.

Now, we will download the databases, which will allow us to test the correct license configuration.

Enter the command below:

sudo geoipupdate -v

The database files (mmdb) are located in the /usr/share/GeoIP folder.

To test the correct one, we will use the mmdblookup command.

sudo mmdblookup --file /usr/share/GeoIP/GeoLite2-Country.mmdb --ip 1.1.1.1

We can see the different countries recognized for the IP address 1.1.1.1

We will now be able to configure Nginx to use the basics of GeoIP.

Configuration de Nginx pour utiliser la GeoIP

To begin, we will edit the /etc/nginx/nginx.conf file, where we will tell Nginx and the geoip2 mod the database to load.

Before modifying the nginx.conf file, remember to make a backup.

Open filer /etc/nginx/nginx.conf :

sudo nano /etc/nginx/nginx.conf

In the http{} block, add the following lines to load the country database:

##
# Geoip2 Settings
##
        
geoip2 /usr/share/GeoIP/GeoLite2-Country.mmdb {
    $geoip2_data_country_iso_code country iso_code;
}

Save the file, then test the configuration with the following command:

sudo nginx -t

If there is no problem, reload the configuration:

sudo systemctl reload nginx

Now, we will see how to use GeoIP at the virtualhosts level, we have two ways to proceed:

  • Blacklist: allow all traffic and block certain countries
  • Whitelist: block all traffic and allow certain countries and IP addresses

In this tutorial, I will give you an example of each

Below is an example of a virtualhost file, which allows all traffic and blocks IPs from Russia and Vietnam.

Below is an example of virtualhost, which blocks all traffic (default no;) and then allows the traffic.

You now know how to configure GeoIP with Nginx and secure access to websites based on the visitor’s country.

Like all geographic limitations, they can be bypassed using a VPN.

Leave a Comment

 
© 2024 - 247-IT