I've been figuring out how to block or redirect web traffic in Nginx based on the country geoIP.
NOTES
* You need the package nginx-extras for this because this package has the geoIP Nginx plugin.
* I used Japan (JP) in these examples, so change the country code to whatever you wish.
APPROACH #1 - BASIC
This uses a locally-downloaded GeoIP database.
I. This goes in the HTTP block. It basically flags traffic from countries you specify.
# DETECT JAPAN TRAFFIC
geoip_country /usr/share/GeoIP/GeoIP.dat;
map $geoip_country_code $allow_visit {
default yes;
JP no;
}
II. This goes in the SERVER block. It sets the action you want on the country IP flag you set.
# BLOCK ACCESS FROM JAPAN
if ($allow_visit = no) {
deny all ;
}
** Alternatively, you could redirect the traffic somewhere instead of outright blocking it...
# REDIRECT JAPAN TRAFFIC
if ($allow_visit = no) {
return 301 https://www.japanatron.com/ ;
}
APPROACH #2 - ADVANCED
This approach allows you to set exceptions, like for whitelisted IP addresses.
I. This goes in the HTTP block:
# DETECT JAPAN TRAFFIC
geoip_country /usr/share/GeoIP/GeoIP.dat;
map $geoip_country_code $allowed_country {
default yes;
JP no;
}
geo $exclusions {
default 0;
111.222.333.444/32 1;
}
II. This goes in the SERVER block:
# REDIRECT JAPAN TRAFFIC
if ($allowed_country = yes) {
set $exclusions 1;
}
if ($exclusions = "0") {
return 301 https://www.japanatron.com ;
}
APPROACH #3 - CLOUDFLARE IP COUNTRY HEADER
If you use Cloudflare's reverse proxy / CDN service, you can read the geoIP information from Cloudflare's headers. This is my favorite approach because it doesn't require locally downloading and maintaining a geoIP database.
I. This goes in the HTTP block:
# DETECT JAPAN TRAFFIC (CLOUDFLARE HEADER)
map $http_cf_ipcountry $allowed_country {
default yes;
JP no;
}
geo $exclusions {
default 0;
111.222.333.444/32 1;
}
II. This goes in the SERVER block:
# REDIRECT JAPAN TRAFFIC
if ($allowed_country = yes) {
set $exclusions 1;
}
if ($exclusions = "0") {
return 301 https://www.japanatron.com ;
}
Related Articles
Linux - How to Mount Clonezill...
Make sure the partclone package is installed.apt-get install partcloneCreate an empty image file.touch image-file.imgRestore the clonezilla files into the image...
The Hunt for the Ultimate Free...
I spent some time researching top-rated, but free antivirus security software for both Mac and Windows. There are far more free antivirus software solutions ou...
Windows - How to Disable Start...
I hate it when a user's PC shuts down ungracefully, and they choose startup recovery at the next boot. The process (albeit "recommended") removes the PC from t...
Linux and NTLMv2 Proxy Authent...
My company's firewall enforces NTLMv2 proxy authentication, which kinda sucks for some Linux hosts since I can't pass that authentication directly on the comman...