IP Filtering On Nginx Server

Sometimes we want our website to be accessible only from certain countries. To achieve this, we need to filter requests on our server on the basis of client IP addresses.

In this blog we’ll discuss how to allow access to our website from certain countries and block all other countries, on the basis of IP address, on an Nginx server.

We’ll be using the GeoIP module for IP filtering.

The GeoIP module creates variables based on the client IP address, using the precompiled MaxMind GeoIP databases, for both HTTP and TCP/UDP traffic.

The following steps need to be followed in order to implement IP filtering on an Nginx server:

Step 1 -> Compile Nginx server

nginx -V

If you see --with-http_geoip_module in the output, you are ready to use the GeoIP database with nginx, so move to Step 3; otherwise continue with Step 2.

Step 2 -> Install GeoIP Database

apt-get install geoip-database libgeoip1

The GeoIP database maps each IP address to its corresponding country code (e.g. all IP addresses of India are mapped to the code IN).

The packaged database may be a bit outdated. We can update it with the following commands:

cd /usr/share/GeoIP/
wget http://geolite.maxmind.com/download/geoip/database/GeoLiteCountry/GeoIP.dat.gz
gunzip GeoIP.dat.gz

Step 3 -> Configure Nginx.conf

Open /etc/nginx/nginx.conf

vi /etc/nginx/nginx.conf

Place the following code in the http{} block:

geoip_country /usr/share/GeoIP/GeoIP.dat;

map $geoip_country_code $allowed_country {
        default no;
        US yes;
        IN yes;
}

This sets the $allowed_country variable to yes if the server is being accessed from the US or India. For any other IP address the variable is set to the default value, no.

NOTE: This code block does not block any country from accessing the website. It simply sets the $allowed_country variable value.

Step 4 -> Configure Virtual Host File

Now, to actually block countries, we need to update the default conf file.

Open /etc/nginx/sites-available/default

vi /etc/nginx/sites-available/default

And add the following code inside the server{} block:

if ($allowed_country = no) {
      return 403;
}

This will return a 403 Forbidden response when an IP address from outside the US or India tries to access your server.

Step 5 -> Restart Nginx server

Now we just need to restart our Nginx server.

sudo service nginx restart
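
As an added example (not part of the original post), the Python sketch below audits the snippets from Steps 3 and 4 before a restart: it checks that the map fails closed with default no and that the 403 rule is really present, which a syntax check such as nginx -t does not tell you. The function names and the sample strings are assumptions constructed for illustration.

```python
import re

def strip_comments(conf):
    """Drop '#' comments so commented-out directives are not counted."""
    return re.sub(r"#[^\n]*", "", conf)

def parse_country_map(http_conf):
    """Return {country_code: value} from the $allowed_country map, or None."""
    m = re.search(r"map\s+\$geoip_country_code\s+\$allowed_country\s*\{([^}]*)\}",
                  strip_comments(http_conf))
    if m is None:
        return None
    entries = {}
    for stmt in m.group(1).split(";"):
        parts = stmt.split()
        if len(parts) == 2:
            entries[parts[0]] = parts[1]
    return entries

def audit(http_conf, server_conf):
    """Return a list of findings; an empty list means the allowlist is enforced."""
    findings = []
    if not re.search(r"geoip_country\s+\S+\s*;", strip_comments(http_conf)):
        findings.append("geoip_country database is not loaded")
    entries = parse_country_map(http_conf)
    if entries is None:
        findings.append("map $geoip_country_code $allowed_country not found")
    elif entries.get("default") != "no":
        # Without 'default no' the variable is empty for unlisted countries,
        # so the 'if ($allowed_country = no)' test never matches (fail open).
        findings.append("map does not default to no")
    enforce = r"if\s*\(\s*\$allowed_country\s*=\s*no\s*\)\s*\{\s*return\s+403\s*;\s*\}"
    if not re.search(enforce, strip_comments(server_conf)):
        findings.append("$allowed_country is never enforced with return 403")
    return findings

# Constructed sample input mirroring the snippets in this post.
HTTP_OK = """
geoip_country /usr/share/GeoIP/GeoIP.dat;
map $geoip_country_code $allowed_country {
    default no;
    US yes;
    IN yes;
}
"""
SERVER_OK = "server { listen 80; if ($allowed_country = no) { return 403; } }"
SERVER_UNENFORCED = "server { listen 80; # if ($allowed_country = no) { return 403; }\n}"
if __name__ == "__main__":
    print(audit(HTTP_OK, SERVER_OK), audit(HTTP_OK, SERVER_UNENFORCED))
```

In practice you would pass the contents of /etc/nginx/nginx.conf and /etc/nginx/sites-available/default to audit(); the regular expressions only understand the simple layout used in this post.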

So, we just saw how we can implement IP filtering on our Nginx server. In my next blog I’ll explain how to make your website accessible to certain IP addresses from countries blocked by our server. Till then, enjoy 🙂



4 Responses to IP Filtering On Nginx Server

  1. Ferocia says:

    Do you have an article related to IP filtering in Nginx using another database such as IP2Location LITE? We would like to block visitors by other information in the database, such as ZIP code etc.

  2. Nitin says:

    Thanks Rishabh. I tried exactly the code above, and tested it by connecting through various countries via my proxy. Seems to work in general, however, even though I’ve only allowed US and IN, I am still able to connect via Canada. Again, for the dozen or so other countries that I tested, it does seem to successfully block and display the 403, but Canada seems to come through … any ideas on why?

    • Nitin says:

      To be more specific, my proxy allows me to connect via CA – Montreal, CA – Toronto, CA – Vancouver. The following GeoIP code allows CA – Toronto and Vancouver, but blocks CA – Montreal. Could there be a bug?

      “geoip_country /usr/share/GeoIP/GeoIP.dat;
      map $geoip_country_code $allowed_country {
      default no;
      US yes;
      IN yes;
      }”
