Since the GeoLite legacy database has been discontinued, we now have to use the GeoLite2 database to get new updates to the database. This will be a followup article from the post i made about the legacy database. As the new GeoLite2 database uses a new format (maxminddb) we couldn’t just switch to the new database. Nginx also needed to be compiled with the geoip2 modul. And with Aptalca’s pull request on the alpine repo added it will just be a matter of a minor update to the nginx.conf file!
GeoLite2 database
As of 12/30/19 you have to sign up to Maxmind to be able to download the database. https://blog.maxmind.com/2019/12/18/significant-changes-to-accessing-and-using-geolite2-databases/
Create an account and go to your account page to download the database.
Download the database and extract the .mmdb file to the folder of you choice. I’ll be using /config/geolite2/ for my setup.
NGINX
In your nginx.conf file add the following in the http {block
geoip2 /config/geolite2/GeoLite2-City.mmdb {
auto_reload 1d;
$geoip2_data_country_code country iso_code;
}
# LOCAL IP ALLOW GEO BLOCK
geo $lan-ip {
default no;
192.168.1.0/24 yes;
}
# GEO IP BLOCK SITE 1
map $geoip2_data_country_code $allowed_country {
default no;
<YOUR-COUNTRY-CODE> yes; # e.g US for United States
}Instead of <YOUR-COUNTRY-CODE> add your own country code from this list. This will block all other countries than the one you choose. You can also add more than one country if you want.
US yes;
CA yes;
GB yes;The geo $lan-ip is for allowing you to access the domain on your LAN.
Check out https://www.aelius.com/njh/subnet_sheet.html if you are wondering what your CIDR notation is. Most often it will be /24 (netmask 255.255.255.0)
To find your netmask run ipconfig /all on windows or ifconfig | grep netmask on linux.
Note: The
geo $lan-ippart is only needed if you set default tono
For it to actually block you need to add this in your server block:
# LOCAL IP ALLOW GEO BLOCK
if ($lan-ip = yes) {
set $allowed_country yes;
}
# COUNTRY GEO BLOCK
if ($allowed_country = no) {
return 444;
}Here is an example:
server {
listen 443 ssl;
listen [::]:443 ssl;
server_name unifi.*;
include /config/nginx/ssl.conf;
#LOCAL IP ALLOW GEO BLOCK
if ($lan-ip = yes) {
set $allowed_country yes;
}
#COUNTRY GEO BLOCK
if ($allowed_country = no) {
return 444;
}
client_max_body_size 0;
# enable for ldap auth, fill in ldap details in ldap.conf
#include /config/nginx/ldap.conf;
location / {
# enable the next two lines for http auth
#auth_basic "Restricted";
#auth_basic_user_file /config/nginx/.htpasswd;
# enable the next two lines for ldap auth
#auth_request /auth;
#error_page 401 =200 /login;
include /config/nginx/proxy.conf;
resolver 127.0.0.11 valid=30s;
set $upstream_unifi unifi;
proxy_pass https://$upstream_unifi:8443;
}
location /wss {
# enable the next two lines for http auth
#auth_basic "Restricted";
#auth_basic_user_file /config/nginx/.htpasswd;
# enable the next two lines for ldap auth
#auth_request /auth;
#error_page 401 =200 /login;
include /config/nginx/proxy.conf;
resolver 127.0.0.11 valid=30s;
set $upstream_unifi unifi;
proxy_pass https://$upstream_unifi:8443;
proxy_buffering off;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "Upgrade";
proxy_ssl_verify off;
}
}3. If you host several websites and want a different country block just add another with a different variable ($allowed_country2):
# COUNTRY GEO BLOCK 2
if ($allowed_country2 = no) {
return 444;
}As defaultis set to yes it will allow every country except the country codes set to no
# GEO IP BLOCK DOMAIN 2
map $geoip2_data_country_code $allowed_country2 {
default yes;
CN no; #China
RU no; #Russia
HK no; #Hong Kong
IN no; #India
IR no; #Iran
VN no; #Vietnam
TR no; #Turkey
EG no; #Egypt
MX no; #Mexico
JP no; #Japan
KR no; #South Korea
KP no; #North Korea :)
PE no; #Peru
BR no; #Brazil
UA no; #Ukraine
ID no; #Indonesia
TH no; #Thailand
}I made this list based on the Spamhaus statistics and Aakamai’s state of the internet report.
Blocked
You can test if it worked with a VPN or do a performance test from a location that is blocked here https://www.webpagetest.org/
TIP! This database gets updated!
By setting up a cronjob you can easily automate the update process.
I use the Unraid User Scripts plugin and set a cronjob to run every day but the GeoLite2 Country and City databases are updated on the first Tuesday of each month, so choose whatever suits your needs.
Click on Add New Script → Enter the name → Click on the name of the script and then Edit Script
Warning
Go to the licence keys page and create a license key.
Select no when asked if you want to use the key with geoupdate.
Replace XXXXXXXXXX with your license key.
#!/usr/bin/env bash
licensekey="XXXXXXXXXXXXX"
wget -O /tmp/GeoLite2-City.tar.gz "https://download.maxmind.com/app/geoip_download?edition_id=GeoLite2-City&license_key=${licensekey}&suffix=tar.gz"
tar -xvf /tmp/GeoLite2-City.tar.gz -C /tmp/ --wildcards "*.mmdb" --strip 1
mv /tmp/GeoLite2-City.mmdb /mnt/user/appdata/letsencrypt/geolite2/
chown 911:911 /mnt/user/appdata/letsencrypt/geolite2/GeoLite2-City.mmdbSet the schedule to Schedule Daily or whenever you’d like.
Click Run In Background and then Apply
Cloudflare
If you use Cloudflare you will need to add the following in nginx so that it won’t block the Cloudflare IP but the actual IP of the visitor. If you don’t do this you will get false positives.
Add the following section to your nginx.conf file found in appdata/letsencrypt/nginx/
set_real_ip_from 103.21.244.0/22;
set_real_ip_from 103.22.200.0/22;
set_real_ip_from 103.31.4.0/22;
set_real_ip_from 104.16.0.0/12;
set_real_ip_from 108.162.192.0/18;
set_real_ip_from 131.0.72.0/22;
set_real_ip_from 141.101.64.0/18;
set_real_ip_from 162.158.0.0/15;
set_real_ip_from 172.64.0.0/13;
set_real_ip_from 173.245.48.0/20;
set_real_ip_from 188.114.96.0/20;
set_real_ip_from 190.93.240.0/20;
set_real_ip_from 197.234.240.0/22;
set_real_ip_from 198.41.128.0/17;
set_real_ip_from 2400:cb00::/32;
set_real_ip_from 2606:4700::/32;
set_real_ip_from 2803:f800::/32;
set_real_ip_from 2405:b500::/32;
set_real_ip_from 2405:8100::/32;
set_real_ip_from 2c0f:f248::/32;
set_real_ip_from 2a06:98c0::/29;
real_ip_header X-Forwarded-For;You can set it up as an include like this too:
##
# CF Real IP
##
include /config/nginx/cf_real-ip.conf;
real_ip_header X-Forwarded-For;After that you need to restart the letsencrypt container for the changes to take effect.
Automatically updating the cf_real-ip.conf
Tronyx over at the discord forums graciously shared his script for updating the Cloudflare ip list. This list is not static and Cloudflare updates it once in a while.
The script below will update the list with any changes in the list of IPs from CF
#!/usr/bin/env bash
curl -s 'https://www.cloudflare.com/ips-v4' > /tmp/cf.txt
curl -s 'https://www.cloudflare.com/ips-v6' >> /tmp/cf.txt
sed 's/^/set_real_ip_from /' /tmp/cf.txt > /tmp/cf2.txt
sed -e 's/$/;/' /tmp/cf2.txt > /home/letsencrypt/config/nginx/cf_real-ip.confI use unraid so I will use the User Scripts plugin to setup a cronjob that will run once a week.
- Go to Settings > User Scripts and click
Add New Script - Give it a name and a description if you want
- Click edit script and add it inside the box.
- You will need to update the path in the last line to you nginx appdata folder
- Set the schedule to weekly and click apply and done.
#!/bin/bash
curl -s 'https://www.cloudflare.com/ips-v4' > /tmp/cf.txt
curl -s 'https://www.cloudflare.com/ips-v6' >> /tmp/cf.txt
sed 's/^/set_real_ip_from /' /tmp/cf.txt > /tmp/cf2.txt
sed -e 's/$/;/' /tmp/cf2.txt > /mnt/user/appdata/letsencrypt/nginx/cf_real-ip.conf
If you need any extra help join the Discord server!
Souce:
https://github.com/leev/ngx_http_geoip2_module
https://dev.maxmind.com/geoip/legacy/install/country/
http://dev.maxmind.com/geoip/legacy/codes/iso3166/
https://www.howtoforge.com/nginx-how-to-block-visitors-by-country-with-the-geoip-module-debian-ubuntu
https://www.spamhaus.org/statistics/botnet-cc/
https://www.akamai.com/us/en/multimedia/documents/state-of-the-internet/q3-2017-state-of-the-internet-security-report.pdf
