nginx: restricting access to resources by country

To determine where a request comes from based on the client's IP address, a database that maps IP addresses to countries is required. One database that can be used for this is MaxMind GeoIP. Create an account and download the GeoLite2 Country archive.

After downloading and unpacking the archive, copy the database to the remote server and move it to the /opt/ directory.

# copy file to remote server
$ scp -i ~/.ssh/keyfile path_to_file/GeoLite2-Country.mmdb username@remote_IP:/home/username
# login to remote server
$ ssh username@remote_IP
# move file to /opt/
$ sudo mv /home/username/GeoLite2-Country.mmdb /opt/

The next step is to configure nginx to use the GeoIP database. Make sure that your nginx is installed with the http-geoip2 module by typing:

nginx -V

If you see something like this, you are good to go.

# nginx version: nginx/1.22.0 (Ubuntu)
# built with OpenSSL 3.0.5 5 Jul 2022
# TLS SNI support enabled
# configure arguments: --add-dynamic-module=/path_to_nginx/nginx-1.22.0/debian/modules/http-geoip2 ...

Using your preferred editor (nano here), modify the nginx.conf file to use the database.

$ sudo nano /etc/nginx/nginx.conf

Paste the following:

http {
        # GeoIP Blocking
        geoip2 /opt/GeoLite2-Country.mmdb {
            auto_reload 60m;
            $geoip2_data_country_code country iso_code;
            $geoip2_data_country_name country names en;
        }

        map $geoip2_data_country_code $allowed_country {
            # By default all countries have access to resources
            default yes;
            # Select countries to restrict access for
            # Blocking access for Netherlands and France
            NL no;
            FR no;
        }

        ##
        # Basic Settings
        ##
        ...
}

You can find the list of country codes here.

Run the nginx configuration test before going to the next step. If there are no errors, everything is fine.

# Runs nginx configuration test
$ sudo nginx -t
# nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
# nginx: configuration file /etc/nginx/nginx.conf test is successful

The global configuration is complete. Now you can edit the configuration file of the particular website or service you want to restrict access to. For example:

$ sudo nano /etc/nginx/sites-available/website.conf

Then paste the block of code that checks the allowed country list.

server {
    # Allowed countries are specified in /etc/nginx/nginx.conf
    if ($allowed_country = no) { return 444; }
    ...
}

After pasting the code, run the test and reload nginx.

# Runs nginx configuration test
$ sudo nginx -t
# nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
# nginx: configuration file /etc/nginx/nginx.conf test is successful
# Reload nginx
$ sudo nginx -s reload

If all the steps were done right, access from the selected countries should be restricted. That's it.
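To confirm that the rule is firing, the access log can be checked for requests answered with 444, the nginx-specific code that closes the connection without sending a response. The script below is an added example, not part of the original post: the function names are made up for illustration, it assumes nginx's default "combined" log format, and the sample log lines are constructed using documentation address ranges.

```shell
#!/bin/sh
# Added example: summarise requests that nginx answered with 444.
# Assumes the default "combined" access log format:
#   $remote_addr - $remote_user [$time_local] "$request" $status ...
# Splitting on the double quote keeps the status field intact even when the
# request line contains spaces.

# blocked_by_ip: reads a log on stdin, prints "COUNT IP", most blocked first
blocked_by_ip() {
    awk -F'"' '
        {
            split($1, head, " ")   # head[1] is $remote_addr
            split($3, tail, " ")   # tail[1] is $status
            if (tail[1] == "444") hits[head[1]]++
        }
        END { for (ip in hits) print hits[ip], ip }
    ' | sort -k1,1nr -k2,2
}

# served_count: reads a log on stdin, prints how many requests were NOT
# answered with 444 (traffic that passed the country check)
served_count() {
    awk -F'"' '{ split($3, tail, " "); if (tail[1] != "444") n++ }
               END { print n + 0 }'
}

# Constructed sample log lines, not real traffic. The last line has "444" in
# the request path only and must not be counted as blocked.
sample_log() {
    cat <<'EOF'
203.0.113.7 - - [10/Oct/2022:13:55:36 +0000] "GET / HTTP/1.1" 444 0 "-" "curl/7.81.0"
198.51.100.23 - - [10/Oct/2022:13:55:40 +0000] "GET /index.html HTTP/1.1" 200 612 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2022:13:56:01 +0000] "GET /login HTTP/1.1" 444 0 "-" "curl/7.81.0"
192.0.2.44 - - [10/Oct/2022:13:57:12 +0000] "POST /api HTTP/1.1" 444 0 "-" "python-requests/2.28"
198.51.100.23 - - [10/Oct/2022:13:58:02 +0000] "GET /444 HTTP/1.1" 404 153 "-" "Mozilla/5.0"
EOF
}

echo "Blocked requests per client address:"
sample_log | blocked_by_ip
echo "Requests that passed the check: $(sample_log | served_count)"
```

On a real server, feed the functions the site's access log instead of the sample, for example `blocked_by_ip < /var/log/nginx/access.log` (that path is an assumption, adjust it to your access_log setting).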


Everything described here you do at your own risk and on your own responsibility.
