I will show you how to install the GeoIP module on nginx so that you can restrict access by IP using the GeoIP database. By default, nginx installed from yum does not come with the GeoIP module (HttpGeoipModule), so we will build nginx from source and enable the module.
If nginx is already installed on your server, run
nginx -V
to see whether the GeoIP module is enabled. For example:
[root@localhost sbin]# ./nginx -V
nginx version: nginx/1.4.7
built by gcc 4.4.7 20120313 (Red Hat 4.4.7-4) (GCC)
configure arguments: --prefix=/etc/nginx --sbin-path=/etc/nginx/sbin/nginx --conf-path=/etc/nginx/conf/nginx.conf --error-log-path=/var/log/nginx/error.log --http-log-path=/var/log/nginx/access.log --pid-path=/var/run/nginx.pid --lock-path=/var/run/ninx.lock --user=nobody --with-http_geoip_module --with-http_gzip_static_module --with-http_secure_link_module --without-mail_pop3_module --without-mail_imap_module --without-mail_smtp_module
[root@localhost sbin]#
Note: This tutorial was written on CentOS 6.4 x64.
1. Installing GeoIP library
– Install GeoIP library via yum
yum install geoip geoip-devel -y
If you get this error:
Setting up Install Process
No package geoip available.
No package geoip-devel available.
Error: Nothing to do
The fix is as follows:
For CentOS 5.x:
rpm -Uvh http://dl.fedoraproject.org/pub/epel/5/x86_64/epel-release-5-4.noarch.rpm
rpm -Uvh http://rpms.famillecollet.com/enterprise/remi-release-5.rpm
For CentOS 6.x:
rpm -Uvh http://dl.fedoraproject.org/pub/epel/6/x86_64/epel-release-6-8.noarch.rpm
rpm -Uvh http://rpms.famillecollet.com/enterprise/remi-release-6.rpm
Then run the yum install for GeoIP again. Output:
Userid : EPEL (6) <[email protected]>
Package: epel-release-6-8.noarch (installed)
From : /etc/pki/rpm-gpg/RPM-GPG-KEY-EPEL-6
Running rpm_check_debug
Running Transaction Test
Transaction Test Succeeded
Running Transaction
Warning: RPMDB altered outside of yum.
  Installing : GeoIP-1.4.8-1.el6.x86_64 1/2
  Installing : GeoIP-devel-1.4.8-1.el6.x86_64 2/2
  Verifying : GeoIP-devel-1.4.8-1.el6.x86_64 1/2
  Verifying : GeoIP-1.4.8-1.el6.x86_64 2/2

Installed:
  GeoIP.x86_64 0:1.4.8-1.el6 GeoIP-devel.x86_64 0:1.4.8-1.el6

Complete!
After a successful installation, the GeoIP database is stored at: /usr/share/GeoIP/GeoIP.dat
The latest version of the database can be downloaded from: http://geolite.maxmind.com/download/geoip/database/GeoLiteCountry/GeoIP.dat.gz
2. Compiling nginx with GeoIP module
– First install the packages required for compiling:
yum install gcc-c++ pcre pcre-devel zlib zlib-devel -y
– Download and untar nginx for compiling:
wget http://nginx.org/download/nginx-1.4.7.tar.gz && tar -xvf nginx-1.4.7.tar.gz && cd nginx-1.4.7
This is my config:
./configure --prefix=/etc/nginx \
    --sbin-path=/etc/nginx/sbin/nginx \
    --conf-path=/etc/nginx/conf/nginx.conf \
    --error-log-path=/var/log/nginx/error.log \
    --http-log-path=/var/log/nginx/access.log \
    --pid-path=/var/run/nginx.pid \
    --lock-path=/var/run/ninx.lock \
    --user=nobody \
    --with-http_geoip_module \
    --with-http_gzip_static_module \
    --with-http_secure_link_module \
    --without-mail_pop3_module \
    --without-mail_imap_module \
    --without-mail_smtp_module \
    --without-http_ssi_module
make && make install
– Because we installed from source, there is no init file (/etc/init.d/nginx). You can start nginx directly with /etc/nginx/sbin/nginx, or create the service file as follows:
vi /etc/init.d/nginx
#!/bin/sh
#
# nginx - this script starts and stops the nginx daemon
#
# chkconfig:   - 85 15
# description: Nginx is an HTTP(S) server, HTTP(S) reverse \
#              proxy and IMAP/POP3 proxy server
# processname: nginx
# config:      /etc/nginx/conf/nginx.conf
# pidfile:     /var/run/nginx.pid

# Source function library.
. /etc/rc.d/init.d/functions

# Source networking configuration.
. /etc/sysconfig/network

# Check that networking is up.
[ "$NETWORKING" = "no" ] && exit 0

# Paths match the ./configure options used above.
nginx="/etc/nginx/sbin/nginx"
prog=$(basename $nginx)

NGINX_CONF_FILE="/etc/nginx/conf/nginx.conf"

lockfile=/var/lock/subsys/nginx

start() {
    [ -x $nginx ] || exit 5
    [ -f $NGINX_CONF_FILE ] || exit 6
    echo -n $"Starting $prog: "
    daemon $nginx -c $NGINX_CONF_FILE
    retval=$?
    echo
    [ $retval -eq 0 ] && touch $lockfile
    return $retval
}

stop() {
    echo -n $"Stopping $prog: "
    killproc $prog -QUIT
    retval=$?
    echo
    [ $retval -eq 0 ] && rm -f $lockfile
    return $retval
}

# Test the configuration first so a broken config never stops a running server.
restart() {
    configtest || return $?
    stop
    start
}

reload() {
    configtest || return $?
    echo -n $"Reloading $prog: "
    killproc $nginx -HUP
    RETVAL=$?
    echo
}

force_reload() {
    restart
}

configtest() {
    $nginx -t -c $NGINX_CONF_FILE
}

rh_status() {
    status $prog
}

rh_status_q() {
    rh_status >/dev/null 2>&1
}

case "$1" in
    start)
        rh_status_q && exit 0
        $1
        ;;
    stop)
        rh_status_q || exit 0
        $1
        ;;
    restart|configtest)
        $1
        ;;
    reload)
        rh_status_q || exit 7
        $1
        ;;
    force-reload)
        force_reload
        ;;
    status)
        rh_status
        ;;
    condrestart|try-restart)
        rh_status_q || exit 0
        ;;
    *)
        echo $"Usage: $0 {start|stop|status|restart|condrestart|try-restart|reload|force-reload|configtest}"
        exit 2
esac
chmod 0700 /etc/init.d/nginx && chkconfig nginx on
Start nginx:
service nginx restart
[root@localhost sbin]# service nginx restart
nginx: the configuration file /etc/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/conf/nginx.conf test is successful
Stopping nginx: [ OK ]
Starting nginx: [ OK ]
[root@localhost sbin]#
To check that nginx was installed successfully, browse to the IP of the server. If the page returned is "Welcome to nginx!", the installation succeeded.
3. Configure nginx
– Configure on main file:
vi /etc/nginx/conf/nginx.conf
http {
    [...]
    geoip_country /usr/share/GeoIP/GeoIP.dat;
    map $geoip_country_code $allowed_country {
        default yes;
        CN no;
    }
    [...]
}
– Configure the virtualhost:
server {
    [...]
    if ($allowed_country = no) {
        # 444 is a special nginx code: the server stops processing and
        # closes the connection without sending any response header
        # (the client sees "The connection was reset").
        # Replace 444 with 403 if you prefer.
        return 444;
    }
    [...]
}
– Restart the service to apply the new configuration.
Note:
– The above configuration accepts all IPs and blocks only IPs from China (CN).
– Clients connecting from Chinese IPs will see a "The connection was reset" error.
– For the country codes used in the GeoIP database, see: http://dev.maxmind.com/geoip/legacy/codes/iso3166/
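The map above is a denylist with "default yes", so an address that the database cannot resolve (empty $geoip_country_code) is allowed through. The following configuration is an added example, not part of the original tutorial: it puts an allowlist variant beside the tutorial's map, handles a fronting proxy and logs the country decision. The proxy address 192.0.2.10, the countries US and VN, the variable $allowed_country_strict and the log format name "geo" are assumptions chosen for illustration.

```nginx
events {}

http {
    geoip_country /usr/share/GeoIP/GeoIP.dat;

    # Assumption: 192.0.2.10 is a trusted reverse proxy in front of nginx.
    # Without geoip_proxy the lookup uses the proxy's own address, so every
    # client appears to come from the proxy's country. With it, the client
    # address is taken from X-Forwarded-For for requests from that proxy only.
    geoip_proxy 192.0.2.10;
    geoip_proxy_recursive on;

    # Denylist, as in the tutorial: anything not listed is allowed,
    # including addresses with no entry in the database.
    map $geoip_country_code $allowed_country {
        default yes;
        CN      no;
    }

    # Allowlist variant: only the listed countries pass. The empty string
    # is the value of $geoip_country_code when the lookup finds nothing.
    map $geoip_country_code $allowed_country_strict {
        default no;
        ""      no;
        US      yes;
        VN      yes;
    }

    # Record the resolved country and the decision for every request,
    # so that blocked connections (status 444) can be reviewed later.
    log_format geo '$remote_addr [$time_local] "$request" $status '
                   'country=$geoip_country_code allowed=$allowed_country_strict';
    access_log /var/log/nginx/access.log geo;

    server {
        listen 80;

        # Switch to $allowed_country to keep the tutorial's denylist policy.
        if ($allowed_country_strict = no) {
            return 444;
        }
    }
}
```

Validate it with the init script's configtest action (service nginx configtest) before restarting.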