Only allow certain countries traffic access specific page
I am using --with-http_geoip_module for identify traffic. There are some pages that I only want certain country to access. Here is configuration:
For http
http{
geoip_country /usr/share/GeoIP/GeoIP.dat; # the country IP database
map $geoip_country_code $allowed_country {
default 0;
US 1;
UK 1;
HK 1;
}
}
The location directive:
location = /testing {
if ($allowed_country = 0) {
return 301 ;
}
}
The problem is when I using US/HK IPs, I get a 404 error. What did I done wrong?
UPDATE
Here is my complete conf file:
http {
include /etc/nginx/mime.types;
default_type application/octet-stream;
log_format main '$remote_addr - $remote_user [$time_local] "$request" '
'$status $body_bytes_sent "$http_referer" '
'"$http_user_agent" "$http_x_forwarded_for"';
access_log /var/log/nginx/access.log main;
geoip_country /usr/share/GeoIP/GeoIP.dat; # the country IP database
map $geoip_country_code $allowed_country {
default 0;
US 1;
UK 1;
HK 1;
}
sendfile on;
#tcp_nopush on;
#keepalive_timeout 0;
keepalive_timeout 65;
#gzip on;
index index.html index.htm;
# Load modular configuration files from the /etc/nginx/conf.d directory.
# See http://nginx.org/en/docs/ngx_core_module.html#include
# for more information.
include /etc/nginx/conf.d/*.conf;
server {
listen 80 default_server;
server_name localhost;
root /var/www/html;
include /etc/nginx/default.d/*.conf;
location / {
index index.php index.cgi index.pl index.html index.xhtml index.htm index.shtml;
try_files $uri $uri/ /index.php?$args;
}
# redirect server error pages to the static page /40x.html
#
error_page 404 /404.html;
location = /40x.html {
}
# redirect server error pages to the static page /50x.html
#
error_page 500 502 503 504 /50x.html;
location = /50x.html {
}
#ban specifc country
location = /testing {
if ($allowed_country = 0) {
return 301 ;
}
}
location ~ \.php$ {
### SET GEOIP Variables ###
fastcgi_param GEOIP_COUNTRY_CODE $geoip_country_code;
fastcgi_param GEOIP_COUNTRY_CODE3 $geoip_country_code3;
fastcgi_param GEOIP_COUNTRY_NAME $geoip_country_name;
fastcgi_split_path_info ^(.+?\.php)(/.*)$;
if (!-f $document_root$fastcgi_script_name) {
return 404;
}
try_files $uri $uri/ /index.php?$args;
fastcgi_pass unix:/run/php-fpm/php-fpm.sock;
fastcgi_index index.php;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
include fastcgi.conf;
include conf/site.conf;
}
}
}
Basically I want only visitor from US, UK and HK access /testing page.
Answer
Let's do it from beginning. As you didn't said what is your OS, all steps below will be separated for both Debian/Ubuntu and CentOS/Fedora/RHEL.
1. CONNECT TO SERVER:
First of all, connect to your server by terminal/console (in linux - ssh username@server_ip) or Putty (in windows).
2. VERIFY GEOIP MODULE:
As you have already installed NGINX check if it is compiled with the HttpGeoipModule:
CentOS/Fedora/RHEL and Debian/Ubuntu:
nginx -V
And then try to find --with-http_geoip_module. If it exists then you can continue, else it means you have't compiled NGINX with GeoIP Module.
3. INSTALL GEOIP DATABASE:
Debian/Ubuntu:
sudo apt-get install geoip-database libgeoip1
CentOS/Fedora/RHEL:
It is in EPEL repository, so you should enable it first:
CENTOS 4:
32bit:
rpm -Uvh http://download.fedoraproject.org/pub/epel/4/i386/epel-release-4-10.noarch.rpm
rpm –Uvh http://rpms.famillecollet.com/enterprise/remi-release-4.rpm
64bit:
rpm -Uvh http://download.fedoraproject.org/pub/epel/4/x86_64/epel-release-4-10.noarch.rpm
rpm –Uvh http://rpms.famillecollet.com/enterprise/remi-release-4.rpm
CENTOS 5:
32bit:
rpm -Uvh http://download.fedoraproject.org/pub/epel/5/i386/epel-release-5-4.noarch.rpm
rpm –Uvh http://rpms.famillecollet.com/enterprise/remi-release-5.rpm
64bit:
rpm -Uvh http://download.fedoraproject.org/pub/epel/5/x86_64/epel-release-5-4.noarch.rpm
rpm –Uvh http://rpms.famillecollet.com/enterprise/remi-release-5.rpm
CENTOS 6:
32bit:
rpm -Uvh http://download.fedoraproject.org/pub/epel/6/i386/epel-release-6-8.noarch.rpm
rpm -Uvh http://rpms.famillecollet.com/enterprise/remi-release-6.rpm
64bit:
rpm -Uvh http://download.fedoraproject.org/pub/epel/6/x86_64/epel-release-6-8.noarch.rpm
rpm -Uvh http://rpms.famillecollet.com/enterprise/remi-release-6.rpm
CENTOS 7:
64bit:
rpm -Uvh http://dl.fedoraproject.org/pub/epel/7/x86_64/e/epel-release-7-5.noarch.rpm
rpm -Uvh http://rpms.famillecollet.com/enterprise/remi-release-7.rpm
Then:
yum install geoip geoip-devel -y
4. Update GeoIP Database
After installing GeoIP Module, the database will be stored in /usr/share/GeoIP/GeoIP.dat but it could be outdated. So, let's update:
mv /usr/share/GeoIP/GeoIP.dat /usr/share/GeoIP/GeoIP.dat_bk
cd /usr/share/GeoIP/
wget http://geolite.maxmind.com/download/geoip/database/GeoLiteCountry/GeoIP.dat.gz
gunzip GeoIP.dat.gz
Or, alternatively, you can download manually the database from http://geolite.maxmind.com/download/geoip/database/GeoLiteCountry/GeoIP.dat.gz, extract on you computer and upload in /usr/share/GeoIP/ as GeoIP.dat. Don't forget to make a backup of old GeoIP.dat if you want to make as here.
5. Configuring NGINX with GeoIP
Open /etc/nginx/nginx.conf (Ubuntu/Debian) or /etc/nginx/conf/nginx.conf (CentOS/Fedora/RHEL) and place this inside http {}, before any include:
geoip_country /usr/share/GeoIP/GeoIP.dat;
map $geoip_country_code $allowed_country {
default no;
US yes;
UK yes;
HK yes;
}
This doesn't block countries. We only set $allowed_country.
Now, please open your virtualhost to configure (/etc/nginx/conf.d/YOURDOMAINHERE.conf) - place this inside server {}:
location /testing/ {
if ($allowed_country = no) {
return 403;
}
}
/testing/ is your website path which is accessible from US, UK and HK.
6. Restarting NGINX
/etc/init.d/nginx reload
It was tested on both CentOS and Debian VPS and it is working.
Hope this will help you.