TechQA.

Only allow certain countries traffic access specific page

13.4k views Asked by At

I am using --with-http_geoip_module for identify traffic. There are some pages that I only want certain country to access. Here is configuration:

For http

 http{
    geoip_country  /usr/share/GeoIP/GeoIP.dat; # the country IP database
    map $geoip_country_code $allowed_country {
            default 0;
            US 1;
            UK 1;
            HK 1; 

     }

  }

The location directive:

location = /testing {
            if ($allowed_country = 0) {

                    return 301 ;
              }
    }

The problem is when I using US/HK IPs, I get a 404 error. What did I done wrong?

UPDATE

Here is my complete conf file:

http {
include       /etc/nginx/mime.types;
default_type  application/octet-stream;

log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
                  '$status $body_bytes_sent "$http_referer" '
                  '"$http_user_agent" "$http_x_forwarded_for"';

access_log  /var/log/nginx/access.log  main;

geoip_country  /usr/share/GeoIP/GeoIP.dat; # the country IP database

map $geoip_country_code $allowed_country {
        default 0;
        US 1;
        UK 1;
        HK 1; 

 }
sendfile        on;
#tcp_nopush     on;

#keepalive_timeout  0;
keepalive_timeout  65;

#gzip  on;

index   index.html index.htm;

# Load modular configuration files from the /etc/nginx/conf.d directory.
# See http://nginx.org/en/docs/ngx_core_module.html#include
# for more information.
include /etc/nginx/conf.d/*.conf;

server {
    listen       80 default_server;
    server_name  localhost;
    root         /var/www/html;

    include /etc/nginx/default.d/*.conf;

    location / {
        index index.php index.cgi index.pl index.html index.xhtml index.htm index.shtml;
        try_files $uri $uri/ /index.php?$args;
    }

    # redirect server error pages to the static page /40x.html
    #
    error_page  404              /404.html;
    location = /40x.html {
    }

    # redirect server error pages to the static page /50x.html
    #
    error_page   500 502 503 504  /50x.html;
    location = /50x.html {
    }

    #ban specifc country
    location = /testing {
        if ($allowed_country = 0) {

                return 301 ;
          }
     }


    location ~ \.php$ {
        ### SET GEOIP Variables ###
        fastcgi_param GEOIP_COUNTRY_CODE $geoip_country_code;
        fastcgi_param GEOIP_COUNTRY_CODE3 $geoip_country_code3;
        fastcgi_param GEOIP_COUNTRY_NAME $geoip_country_name;

        fastcgi_split_path_info ^(.+?\.php)(/.*)$;
        if (!-f $document_root$fastcgi_script_name) {
        return 404;

        }
            try_files $uri $uri/ /index.php?$args;
        fastcgi_pass unix:/run/php-fpm/php-fpm.sock;
            fastcgi_index index.php;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
            include fastcgi.conf;
            include conf/site.conf;
    } 

}
 }

Basically I want only visitor from US, UK and HK access /testing page.

nginx server geoip system-administration
Original Q&A
1

There are 1 answers

4
ITChristian On BEST ANSWER

Let's do it from beginning. As you didn't said what is your OS, all steps below will be separated for both Debian/Ubuntu and CentOS/Fedora/RHEL.

1. CONNECT TO SERVER:

First of all, connect to your server by terminal/console (in linux - ssh username@server_ip) or Putty (in windows).

2. VERIFY GEOIP MODULE:

As you have already installed NGINX check if it is compiled with the HttpGeoipModule:

CentOS/Fedora/RHEL and Debian/Ubuntu:

 nginx -V

And then try to find --with-http_geoip_module. If it exists then you can continue, else it means you have't compiled NGINX with GeoIP Module.

3. INSTALL GEOIP DATABASE:

Debian/Ubuntu:

sudo apt-get install geoip-database libgeoip1

CentOS/Fedora/RHEL:

It is in EPEL repository, so you should enable it first:

CENTOS 4:

32bit:

rpm -Uvh http://download.fedoraproject.org/pub/epel/4/i386/epel-release-4-10.noarch.rpm
rpm –Uvh http://rpms.famillecollet.com/enterprise/remi-release-4.rpm

64bit:

rpm -Uvh http://download.fedoraproject.org/pub/epel/4/x86_64/epel-release-4-10.noarch.rpm
rpm –Uvh http://rpms.famillecollet.com/enterprise/remi-release-4.rpm

CENTOS 5:

32bit:

rpm -Uvh http://download.fedoraproject.org/pub/epel/5/i386/epel-release-5-4.noarch.rpm
rpm –Uvh http://rpms.famillecollet.com/enterprise/remi-release-5.rpm

64bit:

rpm -Uvh http://download.fedoraproject.org/pub/epel/5/x86_64/epel-release-5-4.noarch.rpm
rpm –Uvh http://rpms.famillecollet.com/enterprise/remi-release-5.rpm

CENTOS 6:

32bit:

rpm -Uvh http://download.fedoraproject.org/pub/epel/6/i386/epel-release-6-8.noarch.rpm
rpm -Uvh http://rpms.famillecollet.com/enterprise/remi-release-6.rpm

64bit:

rpm -Uvh http://download.fedoraproject.org/pub/epel/6/x86_64/epel-release-6-8.noarch.rpm
rpm -Uvh http://rpms.famillecollet.com/enterprise/remi-release-6.rpm

CENTOS 7:

64bit:

rpm -Uvh http://dl.fedoraproject.org/pub/epel/7/x86_64/e/epel-release-7-5.noarch.rpm
rpm -Uvh http://rpms.famillecollet.com/enterprise/remi-release-7.rpm

Then:

yum install geoip geoip-devel -y

4. Update GeoIP Database

After installing GeoIP Module, the database will be stored in /usr/share/GeoIP/GeoIP.dat but it could be outdated. So, let's update:

mv /usr/share/GeoIP/GeoIP.dat /usr/share/GeoIP/GeoIP.dat_bk

cd /usr/share/GeoIP/

wget http://geolite.maxmind.com/download/geoip/database/GeoLiteCountry/GeoIP.dat.gz

gunzip GeoIP.dat.gz

Or, alternatively, you can download manually the database from http://geolite.maxmind.com/download/geoip/database/GeoLiteCountry/GeoIP.dat.gz, extract on you computer and upload in /usr/share/GeoIP/ as GeoIP.dat. Don't forget to make a backup of old GeoIP.dat if you want to make as here.

5. Configuring NGINX with GeoIP

Open /etc/nginx/nginx.conf (Ubuntu/Debian) or /etc/nginx/conf/nginx.conf (CentOS/Fedora/RHEL) and place this inside http {}, before any include:

geoip_country /usr/share/GeoIP/GeoIP.dat;
map $geoip_country_code $allowed_country {
    default no;
    US yes;
    UK yes;
    HK yes;
}

This doesn't block countries. We only set $allowed_country.

Now, please open your virtualhost to configure (/etc/nginx/conf.d/YOURDOMAINHERE.conf) - place this inside server {}:

location /testing/ {
    if ($allowed_country = no) {
        return 403;
    }
}

/testing/ is your website path which is accessible from US, UK and HK.

6. Restarting NGINX

/etc/init.d/nginx reload

It was tested on both CentOS and Debian VPS and it is working.

Hope this will help you.

Related Questions in NGINX

Related Questions in SERVER

Related Questions in GEOIP

Related Questions in SYSTEM-ADMINISTRATION

Popular Questions

Popular Tags

javascript python java c# php android html jquery c++ css ios sql mysql r reactjs node.js arrays c asp.net json python-3.x ruby-on-rails .net sql-server swift django angular objective-c pandas excel

Trending Questions