In this new tutorial dedicated to Nginx, I will explain to you how to configure GeoIP in order to be able to set filters (restrictions) based on the country of your visitors.
GeoIP will allow us to determine the country (see city) of a visitor based on their IP address, for this we will rely on a database provided by MaxMind.
Knowing the country of our visitor then allows us to define actions how:
- Block the user and not provide content for example, often used in business to “protect” applications
- Redirect user to a nearby server for a better experience
- Provide different content
- …
In this tutorial, I will mainly cover “blocking”.
Prerequisites
Before starting, you must check that the GeoIP2 module is present on Nginx, to do this enter the following command and search in the list: http-geoip2
nginx -V
If the module is not present, you have several solutions:
- Reinstall Nginx with extra modules
- Compile the module and add it
In order to download the Maxmind database, it is necessary to have a (free) account and a token.
Installing the libmaxmindddb and geoipuodate components
In order to download and update the database, we will install the following components:
- libmaxmindddb
- geoipuodate
To do this we will add a deposit:
sudo add-apt-repository ppa:maxmind/ppa
Update packages:
sudo apt update
Install necessary components:
sudo apt install libmaxminddb0 libmaxminddb-dev mmdb-bin geoipupdate -y
Maxmind and geoipupdate are installed.
Maxmind configuration and testing
You must now configure Maxmind with the identifier and license key.
You must now configure Maxmind with the identifier and license key.
sudo nano /etc/GeoIP.conf
Modify the AccountID and LicenseKey lines then save the file.
Now, we will download the databases, which will allow us to test the correct license configuration.
Enter the command below:
sudo geoipupdate -v
The database files (mmdb) are located in the /usr/share/GeoIP folder.
To test the correct one, we will use the mmdblookup command.
sudo mmdblookup --file /usr/share/GeoIP/GeoLite2-Country.mmdb --ip 1.1.1.1
We can see the different countries recognized for the IP address 1.1.1.1
We will now be able to configure Nginx to use the basics of GeoIP.
Configuration de Nginx pour utiliser la GeoIP
To begin, we will edit the /etc/nginx/nginx.conf file, where we will tell Nginx and the geoip2 mod the database to load.
Before modifying the nginx.conf file, remember to make a backup.
Open filer /etc/nginx/nginx.conf
:
sudo nano /etc/nginx/nginx.conf
In the http{} block, add the following lines to load the country database:
##
# Geoip2 Settings
##
geoip2 /usr/share/GeoIP/GeoLite2-Country.mmdb {
$geoip2_data_country_iso_code country iso_code;
}
Save the file, then test the configuration with the following command:
sudo nginx -t
If there is no problem, reload the configuration:
sudo systemctl reload nginx
Now, we will see how to use GeoIP at the virtualhosts level, we have two ways to proceed:
- Blacklist: allow all traffic and block certain countries
- Whitelist: block all traffic and allow certain countries and IP addresses
In this tutorial, I will give you an example of each
Below is an example of a virtualhost file, which allows all traffic and blocks IPs from Russia and Vietnam.
Below is an example of virtualhost, which blocks all traffic (default no;) and then allows the traffic.
You now know how to configure GeoIP with Nginx and secure access to websites based on the visitor’s country.
Like all geographic limitations, they can be bypassed using a VPN.