NGINX – Restrict access to Geographical Locations using GeoIP module


In this post I'll explain how the NGINX GeoIP module can be used to restrict access to your web portal or website to a specific geographical region.

Begin by verifying that the NGINX GeoIP module is installed on the server, which can be done via

nginx -V

If you can see --with-http_geoip_module in the output, you are ready to use the GeoIP database with NGINX. If not, you can install it on the server using the following command (for Ubuntu):

apt-get install geoip-database libgeoip1

This installs the GeoIP database, usually at /usr/share/GeoIP/GeoIP.dat.

Next, edit your nginx.conf file (usually located in /etc/nginx/, depending on your installation) and add the following directives inside the http {} block:

geoip_country /usr/share/GeoIP/GeoIP.dat;

map $geoip_country_code $allowed_country {
 default no;
 US yes;
}

This sets $allowed_country to yes when your web portal/website is accessed from the USA. For every other location, including addresses the database cannot map to a country, the default value no is used.

Now configure your virtual server by adding the following instructions inside the server {} block:

if ($allowed_country = no) {
 return 403;
}

This blocks all traffic to your virtual server, except traffic from the USA, by returning the 403 status code.

Because the blocking relies on the IP address information in the GeoIP database, it makes sense to update the database at regular intervals, which is easily done with a cron job. You can use the following script (geoIP-update.sh) to make it happen:

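#!/bin/bash
# Download the latest GeoIP country database and replace the copy NGINX reads.
cd /usr/share/GeoIP || exit 1
echo "=============== updating database ==============="
wget "http://geolite.maxmind.com/download/geoip/database/GeoLiteCountry/GeoIP.dat.gz" -P /YOUR/PATH/HERE || { echo 'Cannot download database, exiting.' ; exit 1; }
# Stop if the archive cannot be unpacked, so a bad download never replaces the live database.
gunzip -f /YOUR/PATH/HERE/GeoIP.dat.gz || { echo 'Cannot unpack database, exiting.' ; exit 1; }
mv -f /YOUR/PATH/HERE/GeoIP.dat /usr/share/GeoIP/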

and schedule a job via

crontab -e

by adding the following

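0 12 * * 3 /usr/share/GeoIP/geoIP-update.sh

This runs the script at 12:00 every Wednesday (a * in the minute field would run it every minute of that hour). Make sure to modify 0 12 * * 3 according to your update interval requirements.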
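
The update script above moves whatever was downloaded into place. One way to keep a truncated or corrupt download from replacing the live database, as an added example that is not part of the original post (the function name install_geoip_db and the minimum-size check are assumptions):

```bash
#!/bin/bash
# Added example: check a downloaded GeoIP.dat.gz before it replaces the live
# database. install_geoip_db and the minimum-size check are assumptions.

# install_geoip_db <downloaded .gz> <live database path> [minimum bytes]
# Returns 0 only when the archive is intact and the new file was swapped in;
# on any failure the live database is left untouched.
install_geoip_db() {
    local archive="$1" dest="$2" min_bytes="${3:-1}" tmp size

    # Reject truncated or corrupt downloads before touching anything.
    gzip -t "$archive" 2>/dev/null || { echo "corrupt archive: $archive" >&2; return 1; }

    # Unpack next to the destination so the final mv is a same-filesystem rename.
    tmp=$(mktemp "$(dirname "$dest")/GeoIP.dat.XXXXXX") || return 1
    if ! gzip -dc "$archive" > "$tmp"; then
        rm -f "$tmp"; return 1
    fi

    # An empty or tiny file is not a usable database.
    size=$(( $(wc -c < "$tmp") ))
    if [ "$size" -lt "$min_bytes" ]; then
        echo "database too small: $size bytes" >&2
        rm -f "$tmp"; return 1
    fi

    chmod 644 "$tmp"       # mktemp creates mode 0600; make it readable again
    mv -f "$tmp" "$dest"   # rename replaces the old file in one step
}

# Offline demonstration on constructed data (not a real GeoIP database).
demo() {
    local dir
    dir=$(mktemp -d) || return 1
    printf 'old-db' > "$dir/GeoIP.dat"
    printf 'constructed-new-db' | gzip -c > "$dir/good.gz"
    head -c 10 "$dir/good.gz" > "$dir/truncated.gz"   # simulated partial download

    install_geoip_db "$dir/truncated.gz" "$dir/GeoIP.dat" && return 1
    [ "$(cat "$dir/GeoIP.dat")" = "old-db" ] || return 1   # live copy untouched
    install_geoip_db "$dir/good.gz" "$dir/GeoIP.dat" || return 1
    [ "$(cat "$dir/GeoIP.dat")" = "constructed-new-db" ] || return 1
    rm -rf "$dir"
}
demo && echo "demo ok"
```

In geoIP-update.sh the function would take the place of the gunzip and mv lines, called on the file wget saved with /usr/share/GeoIP/GeoIP.dat as the destination.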
