NGINX – Restrict access to Geographical Locations using GeoIP module

In this post I’ll try to explain how NGINX GeoIP module can be used to restrict access to your web-portal/website only to a specific geographical region.

Begin by verifying NGINX GeoIP module is installed on the server which can be done via

nginx -V

if you can see –with-http_geoip_module in the output you are ready to use the GeoIP database with NGINX but if not you can install it on the server using the following command (for ubuntu)

apt-get install geoip-database libgeoip1

this will install GeoIP database usually at the following location  /usr/share/GeoIP/GeoIP.dat.

Other NGINX blogs you might find useful

  1. NGINX – Load Balancing your application made simple
  2. NGINX – Redirecting traffic between www and non-www domain
  3. NGINX – Redirecting HTTP to HTTPS
  4. NGINX – Disable direct access (via http and https) to a website using IP address
  5. NGINX – Easiest way to setup SSL on using .pfx files
  6. NGINX – Understanding and Setting up a reverse proxy server

Go ahead and re-configure your nginx.conf file, usually located inside /etc/nginx/ folder based on your installation, by adding following instructions inside http {} block

geoip_country /usr/share/GeoIP/GeoIP.dat;

map $geoip_country_code $allowed_country {
 default no;
 US yes;
}

this sets $allowed_country to yes if your webportal/website is being accessed from USA. For all other locations trying to access your server the default value will be used which is no.

Now you can configure your virtual server configurations by adding the following instructions inside server {} block.

if ($allowed_country = no) {
 return 403;
}

and this will block all the traffic, except for USA, to your virtual server by returning the 403 status code.

As the blocking is done based on the information of IP addresses available inside the GeoIP database it’d make sense to update the database at regular intervals which can be easily done using a cron job. You can use the following script (geoIP-update.sh) to make it happen

#!/bin/bash
cd /usr/share/GeoIP
echo =============== updating database===============
wget "http://geolite.maxmind.com/download/geoip/database/GeoLiteCountry/GeoIP.dat.gz" -P /YOUR/PATH/HERE || { echo 'Cannot download database, exiting.' ; exit 1; }
gunzip /YOUR/PATH/HERE/GeoIP.dat.gz
mv -f /YOUR/PATH/HERE/GeoIP.dat /usr/share/GeoIP/

and schedule a job via

crontab -e

by adding the following

* 12 * * 3 /usr/share/GeoIP/geoIP-update.sh

Make sure to modify * 12 * * 3 according to your update interval requirements.

knoldus-advt-sticker

Written by 

Sidharth is a Lead Consultant, having experience of more than 4.5 years. He has started working on Scala and Clojure and is actively involved in other developmental work. He enjoys working in a team and believes that knowledge is something that should be shared openly and on a large scale. As an avid gamer and passionate player, he likes to be involved in both indoor and outdoor activities.

6 thoughts on “NGINX – Restrict access to Geographical Locations using GeoIP module

Leave a Reply

%d bloggers like this: