Gyp the Cat dot Com

Blocking Countries on Nginx without the GeoIP Module

Sometimes blocking entire swathes of the world is the right call if you want defence in depth on your web apps: do your administrators really need to be able to log in from every country on Earth? As website administrators we get a feel for where our legitimate traffic comes from and where the nefarious connections originate, and cutting the rest off at the web server removes a lot of noise before any authentication code is even reached.

This tutorial will guide you through blocking, and in some cases specifically allowing, traffic from various countries. Instead of the GeoIP module we will use each country's IP ranges in CIDR notation, which nginx's built-in allow and deny directives accept directly. I will give you some configuration examples, and if you have any questions feel free to leave a comment!

A few words of warning:

  • Mapping an IP address to a country is never entirely accurate, so country blocking and allowing is not fool proof: VPNs, proxies and stale allocation data all put addresses in the "wrong" country.
  • Every allow and deny rule in a location is checked in turn for every request that hits it, so a few thousand CIDR lines add measurable overhead; put the lists on the locations that need them rather than on the whole server.
  • allow and deny act on the source address of the TCP connection. If a CDN or reverse proxy sits in front of nginx, every request appears to come from the proxy and the rules block everyone or no one; you then need the real IP module (set_real_ip_from and real_ip_header) before these checks mean anything.
  • A deny list only blocks the addresses that appear in the file. If your server also listens on IPv6, check that the list you include covers IPv6 ranges too, or clients in the "blocked" country simply connect over IPv6.
  • The lists are configuration files fetched from a third party over plain HTTP, and include obeys any directive it finds in them, not just allow and deny. Look at a freshly downloaded file before you reload nginx with it.

After scratching my head for a while trying to combine multiple sources I decided to make it easy and created a little site with ready-made Nginx country IP blocks. Check it out!

SSH onto your Linux server as usual. I'll be using Ubuntu for these instructions, but the Nginx configuration is the same on any distribution.

We will need unzip installed; it may well be already:

apt-get install unzip

We will put the files in an appropriate directory, namely inside the Nginx configuration tree:

cd /etc/nginx

Create a directory for our country database:

mkdir country-cidr
cd country-cidr

Download the country databases:

wget http://firewalliplists.gypthecat.com/lists/nginx/nginx-countries.conf.zip

Unzip the file:

unzip nginx-countries.conf.zip

You should now have a directory full of configuration files for nginx, a pair per ISO country code: XX-allow.conf, which lists that country's ranges as allow directives, and XX-deny.conf, which lists the same ranges as deny directives.
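Because nginx's include will obey any directive it finds in those files, it is worth checking that a freshly downloaded list contains nothing but allow or deny lines before it goes live. The script below is an added example, not code from the original tutorial or from the list site: the file naming follows the tutorial, the sample file contents are constructed here from RFC 5737 and RFC 3849 documentation ranges, and the address patterns are a loose shape check (nginx -t remains the authoritative parser).

```shell
#!/bin/sh
# Added example (not from the original article or the list site): check that a
# downloaded XX-allow.conf / XX-deny.conf contains only "allow <cidr>;" or
# "deny <cidr>;" lines before nginx includes it. Anything else (a smuggled
# "include", "proxy_pass", "root" ...) would be obeyed by nginx just the same.
set -u

# IPv4 address with optional /0-32 prefix.
IPV4='((25[0-5]|2[0-4][0-9]|1[0-9]{2}|[1-9]?[0-9])\.){3}(25[0-5]|2[0-4][0-9]|1[0-9]{2}|[1-9]?[0-9])(/(3[0-2]|[12]?[0-9]))?'
# IPv6 address with optional /0-128 prefix: a loose shape check only;
# "nginx -t" remains the authoritative parser.
IPV6='[0-9A-Fa-f]{0,4}(:[0-9A-Fa-f]{0,4}){1,7}(/(12[0-8]|1[01][0-9]|[1-9]?[0-9]))?'

# validate_conf FILE VERB
# VERB is "allow" for an *-allow.conf file and "deny" for an *-deny.conf file.
# Returns 0 when every non-blank, non-comment line is "VERB <cidr>;",
# otherwise reports each offending line on stderr and returns 1.
validate_conf() {
    local file=$1 verb=$2 rc=0 n=0 line
    while IFS= read -r line || [ -n "$line" ]; do
        n=$((n + 1))
        line=${line#"${line%%[![:space:]]*}"}          # drop leading whitespace
        case "$line" in ''|\#*) continue ;; esac        # blank line or comment
        if ! printf '%s\n' "$line" | grep -Eq "^${verb} (${IPV4}|${IPV6});[[:space:]]*$"; then
            printf 'REJECT %s:%d: %s\n' "$file" "$n" "$line" >&2
            rc=1
        fi
    done < "$file"
    return "$rc"
}

# check_dir DIR: validate every *-allow.conf and *-deny.conf in DIR against the
# verb its file name promises; returns 1 if any file fails.
check_dir() {
    local dir=$1 rc=0 f
    for f in "$dir"/*-allow.conf; do [ -e "$f" ] && { validate_conf "$f" allow || rc=1; }; done
    for f in "$dir"/*-deny.conf;  do [ -e "$f" ] && { validate_conf "$f" deny  || rc=1; }; done
    return "$rc"
}

# Constructed demo files (documentation ranges, not real country lists): one
# clean allow list and one deny list with a directive smuggled into it.
demo() {
    local d
    d=$(mktemp -d)
    printf 'allow 192.0.2.0/24;\nallow 2001:db8::/32;\n' > "$d/DE-allow.conf"
    printf 'deny 198.51.100.0/24;\n# tampered:\ninclude /etc/nginx/sites-enabled/*;\n' > "$d/CA-deny.conf"
    if check_dir "$d"; then echo "all lists clean"; else echo "do not include these lists"; fi
    rm -rf "$d"
}
demo
```

Run it with check_dir pointed at /etc/nginx/country-cidr after each download; the REJECT lines name the file and line number, so a bad list can be dropped before nginx -t ever sees it.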

Now we have to decide how we want things to work. Say we have the following configuration for our Nginx virtual server:

server
{
    listen 80;
    server_name www.companya.com companya.com;
    root /webhost/companya.com/httpdocs/;
    access_log /webhost/companya.com/logs/access.log combined;
    error_log /webhost/companya.com/logs/error.log;
    index index.php index.html index.htm;

    location /admin/
    {
        # Do something here
    }

    location /europe/
    {
        # Do something here
    }

    location /mexico/
    {
        # Do something here
    }

    location /world/
    {
        # Do something here
    }
}

We have the following use case:

  • Admins should only ever log on from Germany
  • Users in France, Germany, Spain and Italy are the only ones who should see the content in the Europe directory
  • Users in Mexico are the only ones able to view the Mexico directory
  • Everyone in the world can view the World directory except for Canada

The include directive resolves a relative path against the directory that holds nginx.conf, which on Ubuntu is /etc/nginx, so with the files extracted to /etc/nginx/country-cidr as above our config looks like the following. Within a location nginx applies the first allow or deny rule that matches the client address and ignores the rest, so the country rules go first and the catch-all (deny all or allow all) goes last:

server
{
    listen 80;
    server_name www.companya.com companya.com;
    root /webhost/companya.com/httpdocs/;
    access_log /webhost/companya.com/logs/access.log combined;
    error_log /webhost/companya.com/logs/error.log;
    index index.php index.html index.htm;

    # Allow-list: the included file holds "allow <cidr>;" lines, so German
    # addresses match first; everyone else falls through to "deny all" (HTTP 403).
    location /admin/
    {
        include country-cidr/DE-allow.conf;
        deny all;
        # Do something here
    }

    location /europe/
    {
        include country-cidr/FR-allow.conf;
        include country-cidr/DE-allow.conf;
        include country-cidr/ES-allow.conf;
        include country-cidr/IT-allow.conf;
        deny all;
        # Do something here
    }

    location /mexico/
    {
        include country-cidr/MX-allow.conf;
        deny all;
        # Do something here
    }

    # Deny-list: Canadian addresses match the "deny <cidr>;" lines first;
    # everyone else falls through to "allow all".
    location /world/
    {
        include country-cidr/CA-deny.conf;
        allow all;
        # Do something here
    }
}
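Before reloading it helps to see who a location will actually let in, and to see what goes wrong if the catch-all ends up above the country rules. The script below is an added example, not the article's or nginx's own code: it mimics the access module's evaluation (first matching allow or deny rule wins, a request that matches no rule is allowed), expands include lines relative to a base directory the way nginx resolves them against the directory holding nginx.conf, and handles IPv4 only. The scratch tree it builds copies the tutorial's layout, with RFC 5737 documentation ranges constructed here in place of the real country lists.

```shell
#!/bin/sh
# Added example (not the article's or nginx's own code): dry-run nginx's
# allow/deny evaluation for a location so you can see who gets in before you
# reload. ngx_http_access_module walks the rules top to bottom and applies the
# FIRST one that matches; a request that matches no rule is allowed. IPv4 only.
set -u

# ip4_to_int A.B.C.D -> the address as a 32-bit integer
ip4_to_int() {
    local IFS=.
    set -- $1
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# cidr_match IP CIDR -> true when IP lies inside CIDR (a bare address is /32)
cidr_match() {
    local ip=$1 net=${2%/*} bits=${2#*/} mask
    [ "$bits" = "$2" ] && bits=32
    if [ "$bits" -eq 0 ]; then mask=0
    else mask=$(( (4294967295 << (32 - bits)) & 4294967295 )); fi
    [ $(( $(ip4_to_int "$ip") & mask )) -eq $(( $(ip4_to_int "$net") & mask )) ]
}

# flatten BASEDIR : read location-style lines on stdin, expand "include path;"
# (a relative path resolves against BASEDIR, as nginx resolves it against the
# directory that holds nginx.conf) and emit a flat "verb target" list.
# Everything that is not allow/deny/include is ignored.
flatten() {
    local base=$1 verb rest path
    while read -r verb rest; do
        rest=${rest%%;*}                       # drop ";" and any trailing comment
        case "$verb" in
            include)
                case "$rest" in /*) path=$rest ;; *) path=$base/$rest ;; esac
                flatten "$base" < "$path" ;;   # nested includes expand too
            allow|deny)
                printf '%s %s\n' "$verb" "$rest" ;;
        esac
    done
}

# evaluate IP : read a flattened rule list on stdin, print allow or deny for IP
evaluate() {
    local ip=$1 verb target
    while read -r verb target; do
        case "$target" in *:*) continue ;; esac    # IPv6 rules are not modelled
        if [ "$target" = all ] || cidr_match "$ip" "$target"; then
            echo "$verb"                           # first match wins
            return 0
        fi
    done
    echo allow                                     # no rule matched
}

# make_demo_tree : build a scratch copy of the article's layout and print its
# path. The "country" files hold RFC 5737 documentation ranges, constructed for
# this demo, not real country data.
make_demo_tree() {
    local d
    d=$(mktemp -d)
    mkdir "$d/country-cidr"
    printf 'allow 192.0.2.0/24;\n'   > "$d/country-cidr/DE-allow.conf"
    printf 'deny 198.51.100.0/24;\n' > "$d/country-cidr/CA-deny.conf"
    # /admin/ as in the article: allow-list first, catch-all deny last.
    printf '    include country-cidr/DE-allow.conf;\n    deny all;\n' > "$d/admin.conf"
    # The same two lines swapped: "deny all" matches everyone, so the allow-list
    # below it is never consulted and Germany is locked out as well.
    printf '    deny all;\n    include country-cidr/DE-allow.conf;\n' > "$d/admin-wrong.conf"
    # /world/ as in the article: deny-list first, then allow everything else.
    printf '    include country-cidr/CA-deny.conf;\n    allow all;\n' > "$d/world.conf"
    echo "$d"
}

demo() {
    local d loc ip
    d=$(make_demo_tree)
    for loc in admin.conf admin-wrong.conf world.conf; do
        for ip in 192.0.2.10 198.51.100.9 203.0.113.5; do
            printf '%-17s %-14s -> %s\n' "$loc" "$ip" \
                "$(flatten "$d" < "$d/$loc" | evaluate "$ip")"
        done
    done
    rm -rf "$d"
}
demo
```

To check a real location, feed its lines to flatten with /etc/nginx as the base directory and the address you care about to evaluate; the admin-wrong.conf rows show why "deny all" must stay at the bottom.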

Test the configuration and then reload Nginx; a typo in any of the included files would otherwise take the whole server down on a restart:

nginx -t && service nginx reload

And that's it! The IP lists are updated daily, so keep an eye on how old your copies are (download again, check the files, test and reload); a tutorial on automating the process will follow soon.

Written by gyp - April 25, 2015
Tags | internet, linux, nginx, security, ubuntu

4 Comments

  • janis October 22, 2016 at 4:27 pm

    download link for the list is offline!

    • gyp October 22, 2016 at 4:42 pm

      Hi Janis,

      I've just had a try now and it's working ok from here.

      This one? http://firewalliplists.gypthecat.com/lists/nginx/nginx-countries.conf.zip

      Gyp

      • janis October 22, 2016 at 4:45 pm

        hello, yes I get 404!

        • gyp October 23, 2016 at 1:06 pm

          That is really strange, I've tried it on my home and office connections and it downloads ok. I've also tried it on a couple of servers and it works fine there too.

          Are you using a proxy or anything like that?

          Gyp
