Sometimes you may need to restrict access from specific geo-location or country to your website, due to their malicious nature. You can easily do this in NGINX using GeoIP module. In this article, we will look at how to block IP by country. GeoIP maps ip addresses to countries making it easy to block visitors by geo location or country.
How to Block IP by Country in NGINX
Here are the steps to block IP by country in NGINX.
1. Check NGINX for GeoIP module
It is essential that your NGINX server is compiled with GeoIP module. You can check this by running the following command in terminal.
$ nginx -V
If you see –with-http_geoip_module in the output, it means your NGINX server supports GeoIP module. Here are the steps to install nginx with geoip module.
Also read : How to Set Environment Variable in Ubuntu
2. Install GeoIP database
Next, you need to install the GeoIP database with the following command.
$ sudo apt-get install geoip-database libgeoip1
The database will be downloaded to /usr/share/GeoIP/GeoIP.dat
Optionally, if you want to update the database to latest version, just run the following commands.
$ sudomv /usr/share/GeoIP/GeoIP.dat /usr/share/GeoIP/GeoIP.dat_bak$cd /usr/share/GeoIP/ $ sudo wget http://geolite.maxmind.com/download/geoip/database/GeoLiteCountry/GeoIP.dat.gz $ gunzip GeoIP.dat.gz
Also read : How to Install Webmin in NGINX
You can also install GeoIP2, a more advanced version of GeoIP database, with the following commands.
# For Amazon Linux, CentOS, Oracle Linux, and RHEL: $ yum install nginx-plus-module-geoip2 #For Debian and Ubuntu: $ apt-get install nginx-plus-module-geoip2
3. Update NGINX configuration
Open NGINX configuration file
$ sudo vi /etc/nginx/nginx.conf
Add the following lines in http block to allow access from all countries, except , say, Angola (country code AO). Make sure you place these lines before any include directives. We need to use country codes to specify each country. For our example, we have used the country code of AO to specify Angola. You can find a list of country codes here.
http{
...
geoip_country /usr/share/GeoIP/GeoIP.dat;
map $geoip_country_code $allowed_country {
default yes;
AO no;
}
...
}
In the above lines, we use default value as yes to allow traffic from all websites. Then we specify Angola’s country code and assign value as no to block its traffic. So NGINX will allow access from all countries except Angola.
If you are using GeoIP2 module instead of GeoIP module, then you need to add the following lines above http{…} block.
load_module modules/ngx_http_geoip2_module.so;
load_module modules/ngx_stream_geoip2_module.so;
http {
# ...
}
Also read : How to configure iptables in Ubuntu
On the other hand, if you want to block traffic from, say, US, use the following lines.
http{
...
geoip_country /usr/share/GeoIP/GeoIP.dat;
map $geoip_country_code $allowed_country {
default no;
US yes;
}
...
}
In this case, we assign default value to be no to block traffic from all countries. Then we specify US country code and mention yes to allow access from United states.
The above lines don’t block any traffic. They basically define the $allows_country variable which contains the list of allowed and disallowed countries, which we will use to block/allow access.
You need to mention this $allowed_country variable in the location or server block where you wish to actually block /allow visitors. Here is an example of a location block that blocks traffic based on $allowed_country defined above.
location / {
...
if ($allowed_country = no) {
return 444;
}
...
}
Now whenever a user requests home page (/), the country of their IP is checked against the $allowed_country list and allowed/disallowed access.
Also read : How to Use NGINX Reverse Proxy with NodeJS
4. Restart NGINX Server
Restart NGINX server to apply changes
$ sudo nginx -t $ sudo systemctl restart nginx
That’s it. Now NGINX will automatically block IP by country or geo location.
Can you update this article for GeoIP2?
We have updated the article for GeoIP2