How to Restrict Access by Country Using Nginx GeoIP Module

This article explains how to use the GeoIP module to restrict website access by user region in nginx. You need to compile nginx with the –with-http_geoip_module parameter.

1. First, check if nginx was compiled with the GeoIP module

nginx -V

If you see –with-http_geoip_module in the output, it means nginx has already been compiled with the GeoIP module.

2. Next, install the GeoIP database
On Debian/Ubuntu systems, run the following command to install it:

apt-get install geoip-database libgeoip1

 

CentOS installation method:  yum -y install geoip-devel

After installation, the GeoIP database will be located at /usr/share/GeoIP/GeoIP.dat.

This GeoIP.dat is the GeoIP database file. If installed via apt-get, this file may not be the latest. You can download the newest GeoIP database file from http://geolite.maxmind.com/download/geoip/database/GeoLiteCountry/GeoIP.dat.gz .

mv /usr/share/GeoIP/GeoIP.dat /usr/share/GeoIP/GeoIP.dat_bak

cd /usr/share/GeoIP/
wget http://geolite.maxmind.com/download/geoip/database/GeoLiteCountry/GeoIP.dat.gz
gunzip GeoIP.dat.gz

3. Now configure the nginx.conf file

vi /etc/nginx/nginx.conf

Add the following content into the http {} block, and place it before any include statements.

geoip_country /usr/share/GeoIP/GeoIP.dat;
map $geoip_country_code $allowed_country {
default yes;
FK no;
FM no;
EH no;
}

The statements above allow users from all regions except FK, FM, and EH.

You can also allow only users from specific regions:

geoip_country /usr/share/GeoIP/GeoIP.dat;
map $geoip_country_code $allowed_country {
default no;
FK yes;
FM yes;
EH yes;
}

The statements above deny access to users from all regions except FK, FM, and EH.

The above statements only set an $allowed_country variable. To actually block users from the designated regions, we need to evaluate the $allowed_country variable.
Add the following inside the server {} block:

if ($allowed_country = no) {
return 403;
}

You can also restrict access for a specific URL:

location /special {
if ($allowd_country = no) {
return 403;
}
}

 

 

To configure Chinese users to access a different directory in Nginx, add the following configuration in the relevant places:

# vi /etc/nginx/nginx.confhttp {...geoip_country /home/vpsee/GeoIP.dat;fastcgi_param GEOIP_COUNTRY_CODE $geoip_country_code;fastcgi_param GEOIP_COUNTRY_CODE3 $geoip_country_code3;fastcgi_param GEOIP_COUNTRY_NAME $geoip_country_name;...}server {...        location / {            root   /home/vpsee/www;            if ($geoip_country_code = CN) {                root /home/vpsee/cn;            }            ...        }...}

This way, when an IP from China accesses the site, it automatically serves the intended page from /home/vpsee/cn. There are many other useful applications for Nginx + GeoIP, such as building a simple CDN — automatically directing visits from China to domestic servers, and visits from the US to US-based servers. MaxMind also provides IP information for cities worldwide; you can download city-level IP databases to handle traffic based on different cities.

 

4. Restart Nginx

/etc/init.d/nginx reload

This way, we have implemented the functionality of restricting access to users from a specific region in Nginx.

 

 

Original article: http://www.dnsdizhi.com/post-175.html

Leave a Comment

Your email address will not be published.