How to Block IP By Country in NGINX

Sometimes you may need to restrict access to your website from a specific geo-location or country because of malicious traffic coming from it. You can easily do this in NGINX using the GeoIP module. GeoIP maps IP addresses to countries, making it easy to block visitors by geo-location or country. In this article, we will look at how to block IP by country.

How to Block IP by Country in NGINX

Here are the steps to block IP by country in NGINX.


1. Check NGINX for GeoIP module

Your NGINX server must be compiled with the GeoIP module. You can check this by running the following command in a terminal.

$ nginx -V

If you see --with-http_geoip_module in the output, it means your NGINX server supports the GeoIP module. Here are the steps to install NGINX with the GeoIP module.


2. Install GeoIP database

Next, you need to install the GeoIP database with the following command.

$ sudo apt-get install geoip-database libgeoip1

The database will be downloaded to /usr/share/GeoIP/GeoIP.dat

Optionally, if you want to update the database to the latest version, run the following commands.

$ sudo mv /usr/share/GeoIP/GeoIP.dat /usr/share/GeoIP/GeoIP.dat_bak
$ cd /usr/share/GeoIP/
$ sudo wget http://geolite.maxmind.com/download/geoip/database/GeoLiteCountry/GeoIP.dat.gz
$ sudo gunzip GeoIP.dat.gz


3. Update NGINX configuration

Open the NGINX configuration file.

$ sudo vi /etc/nginx/nginx.conf

Add the following lines in the http block to allow access from all countries except, say, Angola. Make sure you place these lines before any include directives. Each country is specified by its country code; in our example, AO is the country code for Angola. You can find a list of country codes here.

http {
    ...
    geoip_country /usr/share/GeoIP/GeoIP.dat;
    map $geoip_country_code $allowed_country {
        default yes;
        AO no;
    }
    ...
}

In the above lines, we set the default value to yes to allow traffic from all countries. Then we specify Angola’s country code and assign it the value no to block its traffic. So NGINX will allow access from all countries except Angola.

On the other hand, if you want to allow traffic only from, say, the US and block all other countries, use the following lines.

http {
    ...
    geoip_country /usr/share/GeoIP/GeoIP.dat;
    map $geoip_country_code $allowed_country {
        default no;
        US yes;
    }
    ...
}

In this case, we set the default value to no to block traffic from all countries. Then we specify the US country code and assign it yes to allow access from the United States.

The above lines don’t block any traffic by themselves. They only define the $allowed_country variable, which is set to yes or no for each request depending on the visitor's country, and which we will use to block or allow access.

You need to reference this $allowed_country variable in the location or server block where you wish to actually block or allow visitors. Here is an example of a location block that blocks traffic based on the $allowed_country variable defined above.

location / {
    ...
    if ($allowed_country = no) {
        return 444;
    }
    ...
}

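Now whenever a user requests a URL handled by this location (location / matches the home page and every other path that has no more specific location block), the country of their IP is looked up, $allowed_country is set accordingly, and the request is allowed or blocked. The 444 code is NGINX-specific: the server closes the connection without sending a response.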
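The configuration below is an added example, not part of the original article. It extends the steps above for a server that sits behind a reverse proxy or load balancer, where $geoip_country_code would otherwise be looked up from the proxy's address instead of the visitor's, and it logs the resolved country so blocked requests can be reviewed. The proxy address 192.0.2.10, the server name and the log path are placeholders.

```nginx
http {
    # Same database as installed in step 2.
    geoip_country /usr/share/GeoIP/GeoIP.dat;

    # Assumption: 192.0.2.10 stands in for your own reverse proxy or
    # load balancer. For connections arriving from this address, the
    # GeoIP lookup uses the address in X-Forwarded-For instead.
    geoip_proxy 192.0.2.10;

    # Use the last address in X-Forwarded-For that is not itself a
    # trusted proxy, rather than simply the last address sent.
    geoip_proxy_recursive on;

    # An address that is not in the database yields an empty country
    # code, which falls through to "default". With "default yes" such
    # visitors are allowed; with "default no" they are blocked.
    map $geoip_country_code $allowed_country {
        default yes;
        AO      no;
    }

    # Record the resolved country and the decision with every request,
    # including those answered with 444.
    log_format geo '$remote_addr [$time_local] "$request" $status '
                   'xff="$http_x_forwarded_for" '
                   'country=$geoip_country_code allowed=$allowed_country';

    server {
        listen 80;
        server_name example.com;                       # placeholder
        access_log /var/log/nginx/geo_access.log geo;  # hypothetical path

        location / {
            if ($allowed_country = no) {
                return 444;   # close the connection without a response
            }
        }
    }
}
```

Only list addresses you control in geoip_proxy: X-Forwarded-For is a client-supplied header, so trusting it from arbitrary sources lets a visitor choose the country NGINX sees.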


4. Restart NGINX Server

Test the configuration for syntax errors, then restart the NGINX server to apply the changes.

$ sudo nginx -t 
$ sudo systemctl restart nginx

That’s it. Now NGINX will automatically block IP by country or geo location.