I've been figuring out how to block or redirect web traffic in Nginx based on the country geoIP.
NOTES
* You need the package nginx-extras for this because this package has the geoIP Nginx plugin.
* I used Japan (JP) in these examples, so change the country code to whatever you wish.
APPROACH #1 - BASIC
This uses a locally-downloaded GeoIP database.
I. This goes in the HTTP block. It basically flags traffic from countries you specify.
# DETECT JAPAN TRAFFIC
geoip_country /usr/share/GeoIP/GeoIP.dat;
map $geoip_country_code $allow_visit {
default yes;
JP no;
}
II. This goes in the SERVER block. It sets the action you want on the country IP flag you set.
# BLOCK ACCESS FROM JAPAN
if ($allow_visit = no) {
deny all ;
}
** Alternatively, you could redirect the traffic somewhere instead of outright blocking it...
# REDIRECT JAPAN TRAFFIC
if ($allow_visit = no) {
return 301 https://www.japanatron.com/ ;
}
APPROACH #2 - ADVANCED
This approach allows you to set exceptions, like for whitelisted IP addresses.
I. This goes in the HTTP block:
# DETECT JAPAN TRAFFIC
geoip_country /usr/share/GeoIP/GeoIP.dat;
map $geoip_country_code $allowed_country {
default yes;
JP no;
}
geo $exclusions {
default 0;
111.222.333.444/32 1;
}
II. This goes in the SERVER block:
# REDIRECT JAPAN TRAFFIC
if ($allowed_country = yes) {
set $exclusions 1;
}
if ($exclusions = "0") {
return 301 https://www.japanatron.com ;
}
APPROACH #3 - CLOUDFLARE IP COUNTRY HEADER
If you use Cloudflare's reverse proxy / CDN service, you can read the geoIP information from Cloudflare's headers. This is my favorite approach because it doesn't require locally downloading and maintaining a geoIP database.
I. This goes in the HTTP block:
# DETECT JAPAN TRAFFIC (CLOUDFLARE HEADER)
map $http_cf_ipcountry $allowed_country {
default yes;
JP no;
}
geo $exclusions {
default 0;
111.222.333.444/32 1;
}
II. This goes in the SERVER block:
# REDIRECT JAPAN TRAFFIC
if ($allowed_country = yes) {
set $exclusions 1;
}
if ($exclusions = "0") {
return 301 https://www.japanatron.com ;
}
Related Articles
UnRAID - Creating and Mounting...
Here's how to create and mount an encrypted unassigned device in UnRAID. 1) Make sure the unassigned devices plugin is installed in UnRAID. :-) 2) Wipe the de...
Joomla Running on Nginx and Ub...
What follows is an outline I compiled while researching how to tighten security on a Nginx web server. NOTE 1: Ubuntu 14.04 LTS was used for this. NOTE 2: This ...
Windows - How to Run Add Print...
I had an end user that wanted to install their home printer drivers on their office laptop. I took remote control of their PC, but to my chagrin the user lacke...
How to Fix the Windows Managem...
A corrupt WMI repository can mess up things like the Symantec management agent and its ability to deploy software. If you check properties of "WMI Control" in ...