Blocking Countries on Nginx without the GeoIP Module
Sometimes blocking entire swathes of the world is the right call if you truly want a defense in depth approach on your web apps. For instance, do your administrators truly need to log on from every country on Earth? As website administrators we get a feel for where our legitimate traffic comes from and where the nefarious connections originate.
This tutorial will guide you through blocking, and in some cases specifically allowing, traffic from various countries. We will do this using IP ranges in CIDR notation (which Nginx can happily deal with) instead of using the GeoIP module. I will give you some example configurations, and if you have any questions feel free to leave a comment!
A couple of words of warning:
- Methods of determining country of origin from an IP address are not always accurate, so country blocking and allowing is never entirely foolproof
- Putting these measures on your server adds overhead, and depending on usage it could be a high overhead; you want your server to perform the smallest number of checks possible
After scratching my head for a while and trying to use multiple sources I decided to make it easy, and I’ve created a little site with some Nginx Country IP Blocks. Check it out!
SSH onto your Linux server as usual, I’ll be using Ubuntu for these instructions but the Nginx config should be the same.
We will need to make sure unzip is installed; it may well be already:
apt-get install unzip
We will put the files into an appropriate directory, namely in our Nginx configuration tree.
cd /etc/nginx
Create a directory for our country database:
mkdir country-cidr
cd country-cidr
Download the country databases:
wget http://firewalliplists.gypthecat.com/lists/nginx/nginx-countries.conf.zip
Unzip the file:
unzip nginx-countries.conf.zip
You should now have a directory full of Nginx configuration files, labelled as either allow or deny (for example DE-allow.conf and CA-deny.conf).
Now we have to decide how we want things to work. Say for instance we have the following configuration for our Nginx virtual server:
server
{
    listen 80;
    server_name www.companya.com companya.com;
    root /webhost/companya.com/httpdocs/;
    access_log /webhost/companya.com/logs/access.log combined;
    error_log /webhost/tld.co.uk/logs/error.log;
    index index.php index.html index.htm;

    location /admin/
    {
        # Do something here
    }

    location /europe/
    {
        # Do something here
    }

    location /mexico/
    {
        # Do something here
    }

    location /world/
    {
        # Do something here
    }
}
We have the following use case:
- Admins should only ever log on from Germany
- Users in France, Germany, Spain and Italy are the only ones who should see the content in the Europe directory
- Users in Mexico are the only ones able to view the Mexico directory
- Everyone in the world can view the World directory except for Canada
So if we've extracted the files into the directory above, our config should look like the following. Nginx evaluates allow and deny directives in the order they appear and the first match wins, so the catch-all deny all (or allow all) must come after the included country lists:
server
{
    listen 80;
    server_name www.companya.com companya.com;
    root /webhost/companya.com/httpdocs/;
    access_log /webhost/companya.com/logs/access.log combined;
    error_log /webhost/tld.co.uk/logs/error.log;
    index index.php index.html index.htm;

    location /admin/
    {
        include country-cidr/DE-allow.conf;
        deny all;
        # Do something here
    }

    location /europe/
    {
        include country-cidr/FR-allow.conf;
        include country-cidr/DE-allow.conf;
        include country-cidr/ES-allow.conf;
        include country-cidr/IT-allow.conf;
        deny all;
        # Do something here
    }

    location /mexico/
    {
        include country-cidr/MX-allow.conf;
        deny all;
        # Do something here
    }

    location /world/
    {
        include country-cidr/CA-deny.conf;
        allow all;
        # Do something here
    }
}
Give the Nginx service a restart or a reload:
service nginx reload
And that's it! These IP lists are updated daily, so you will want to keep an eye on how up to date your copies are; a tutorial on how to automate this process will follow soon.
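Before reloading, it is worth checking that the ordered allow/deny rules really produce the policy you intended. The following added example (not part of the original post or the list site) simulates Nginx's first-match evaluation over a location's directives. It assumes the country files contain one "allow <cidr>;" or "deny <cidr>;" directive per line, and uses constructed documentation ranges rather than real country data.

```python
import ipaddress

# Constructed stand-ins for country-cidr/*.conf files (hypothetical ranges,
# assumed format: one nginx allow/deny directive per line).
SAMPLE_FILES = {
    "country-cidr/DE-allow.conf": "allow 192.0.2.0/24;\nallow 198.51.100.0/25;\n",
    "country-cidr/CA-deny.conf": "deny 203.0.113.0/24;\n",
}


def parse_rules(text):
    """Turn 'allow/deny <cidr|all>;' lines into (action, network) tuples, in file order."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip().rstrip(";").strip()
        if not line:
            continue
        action, target = line.split(None, 1)
        if action not in ("allow", "deny"):
            raise ValueError(f"unsupported directive: {line}")
        net = None if target == "all" else ipaddress.ip_network(target, strict=False)
        rules.append((action, net))
    return rules


def expand_location(directives, files=SAMPLE_FILES):
    """Flatten a location body: an include pulls in that file's rules at that position."""
    rules = []
    for d in directives:
        d = d.strip().rstrip(";")
        if d.startswith("include "):
            rules.extend(parse_rules(files[d.split(None, 1)[1]]))
        else:
            rules.extend(parse_rules(d + ";"))
    return rules


def is_allowed(rules, client_ip):
    """Nginx semantics: the first matching allow/deny wins; no match means allowed."""
    ip = ipaddress.ip_address(client_ip)
    for action, net in rules:
        if net is None or ip in net:
            return action == "allow"
    return True


# The /admin/ and /world/ locations from the tutorial, in the same order.
ADMIN = expand_location(["include country-cidr/DE-allow.conf;", "deny all;"])
WORLD = expand_location(["include country-cidr/CA-deny.conf;", "allow all;"])

if __name__ == "__main__":
    for ip in ("192.0.2.10", "203.0.113.5", "8.8.8.8"):
        print(ip, "admin:", is_allowed(ADMIN, ip), "world:", is_allowed(WORLD, ip))
```

Swapping the order (deny all before the include) in ADMIN would make every address fail, which is the mistake this check is meant to catch before you reload.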
4 Comments
download link for the list is offline!
Hi Janis,
I’ve just had a try now and it’s working ok from here.
This one? http://firewalliplists.gypthecat.com/lists/nginx/nginx-countries.conf.zip
Gyp
hello, yes I get 404!
That is really strange, I’ve tried it on my home and office connections and it downloads ok. I’ve also tried it on a couple of servers and it works fine there too.
Are you using a proxy or anything like that?
Gyp