How to Install the GeoIP2 Module for Tengine/Nginx

GeoIP is an nginx module capable of blocking IP addresses. It requires manual compilation and installation. Once set up, it can block access from specific countries and cities, which is crucial for website security.

 

1. Installing the GeoIP2 Extension Dependency

yum install libmaxminddb-devel -y

#This library is required for the ngx_http_geoip2_module module.

yum -y install epel-release jemalloc pcre* openssl* unzip wget zip

#Install other essential libraries for nginx.

 

2. Downloading the ngx_http_geoip2_module Module

cd /usr/local/src

git clone https://github.com/leev/ngx_http_geoip2_module.git

or

wget http://mirror.cnop.net/web/module/ngx_http_geoip2_module-master.zip && unzip ngx_http_geoip2_module-master.zip

ls ngx_http_geoip2_module-master

3. Compiling Nginx and Verifying Module Installation

It is recommended to choose the latest version of nginx.

useradd www #Add the nginx runtime user

cd /home && wget https://mirror.cnop.net/web/tengine/tengine-2.3.3.tar.gz && tar zxvf tengine-2.3.3.tar.gz && cd tengine-2.3.3

#Compile and install

./configure –user=www –group=www –prefix=/usr/local/nginx –with-http_ssl_module –with-http_flv_module –with-http_stub_status_module –with-http_gzip_static_module –add-module=./modules/ngx_http_upstream_vnswrr_module –add-module=./modules/ngx_http_concat_module –add-module=/usr/local/src/ngx_http_geoip2_module-master

Note: When compiling, you just need to add the –add-module=/usr/local/src/ngx_http_geoip2_module-master parameter (using the actual download path).

You can add a startup script yourself for convenient future management.

Run the ”nginx -m“ command. If you see ”ngx_http_geoip2_module“, it means the installation was successful.

4. Downloading the IP Database: After the module is successfully installed, you need to specify the database in Nginx.

mkdir /usr/share/GeoIP && cd /usr/share/GeoIP && wget http://mirror.cnop.net/web/module/Geoip2.zip && unzip Geoip2.zip && rm -rf Geoip2.zip

 

Note: The four steps above can be completed by using the Tengine one-click installation script from the project below to install both nginx and the GeoIP module. After the one-click installation, you can proceed manually from step 5:

https://gitee.com/cnop/shell

 

5. Adding the Following Code in the HTTP Block:

touch /usr/local/nginx/conf/ip.conf

#Create a whitelist file where you can store IPs later. The GeoIP whitelist supports IP ranges.

vi /usr/local/nginx/conf/nginx.conf

Add the following inside the http ”{ }“ block:

#gzip on;

geoip2 /usr/share/GeoIP/GeoLite2-Country.mmdb {

$geoip2_data_country_code country iso_code;

}

map $geoip2_data_country_code $allowed_country {

default yes;

CN no;

}

#geoIP white

geo $remote_addr $ip_whitelist {

default 0;

include ip.conf;

}

Add the following code inside the server block of your site to deny access to all non-Chinese IPs:

server

{

listen 80;

server_name 0.0.0.0;

index index.php index.html index.htm default.php default.htm default.html;

root html;

if ($ip_whitelist = 1) {

break;

}

if ($allowed_country = yes)

{ return 403; }

location ~ ^/(/.user.ini|/.htaccess|/.git|/.svn|/.project|LICENSE|README.md)

{

return 404;

}

location ~ .*/.(gif|jpg|jpeg|png|bmp|swf)$

{

expires 30d;

error_log /dev/null;

access_log /dev/null;

}

location ~ .*/.(js|css)?$

{

expires 12h;

error_log /dev/null;

access_log /dev/null;

}

}

Domestic Chinese IPs can access the site, while foreign IPs will directly receive a 403 error.

service nginx restart

This completes the nginx configuration. Access is now restricted by country and city via GeoIP, with whitelist support included.

Installation document, attachment: https://www.cnop.net/uploadfile/2021/1215/20211215175248117.pdf

Leave a Comment

Your email address will not be published.