Restrict IP access with GeoIP database on nginx

This guide shows how to build nginx with the GeoIP module and use a GeoIP database to restrict access by IP. The nginx package from yum does not include the GeoIP module (HttpGeoipModule), so we will install nginx from source and enable the module ourselves.

If nginx is already installed on your server, run

nginx -V

to see whether the GeoIP module is enabled. For example:

[root@localhost sbin]# ./nginx -V
nginx version: nginx/1.4.7
built by gcc 4.4.7 20120313 (Red Hat 4.4.7-4) (GCC)
configure arguments: --prefix=/etc/nginx --sbin-path=/etc/nginx/sbin/nginx --conf-path=/etc/nginx/conf/nginx.conf --error-log-path=/var/log/nginx/error.log --http-log-path=/var/log/nginx/access.log --pid-path=/var/run/nginx.pid --lock-path=/var/run/ninx.lock --user=nobody --with-http_geoip_module --with-http_gzip_static_module --with-http_secure_link_module --without-mail_pop3_module --without-mail_imap_module --without-mail_smtp_module
[root@localhost sbin]#

Note: Tutorial on CentOS 6.4 x64

1. Installing GeoIP library

– Install GeoIP library via yum

yum install geoip geoip-devel -y

If you get this error:

Setting up Install Process
No package geoip available.
No package geoip-devel available.
Error: Nothing to do

The fix is as follows:
For CentOS 5.x:

rpm -Uvh http://dl.fedoraproject.org/pub/epel/5/x86_64/epel-release-5-4.noarch.rpm
rpm -Uvh http://rpms.famillecollet.com/enterprise/remi-release-5.rpm

For CentOS 6.x:

rpm -Uvh http://dl.fedoraproject.org/pub/epel/6/x86_64/epel-release-6-8.noarch.rpm
rpm -Uvh http://rpms.famillecollet.com/enterprise/remi-release-6.rpm

Then run the yum install command again; the output should look like this:

Userid : EPEL (6) <epel@fedoraproject.org>
 Package: epel-release-6-8.noarch (installed)
 From : /etc/pki/rpm-gpg/RPM-GPG-KEY-EPEL-6
Running rpm_check_debug
Running Transaction Test
Transaction Test Succeeded
Running Transaction
Warning: RPMDB altered outside of yum.
 Installing : GeoIP-1.4.8-1.el6.x86_64 1/2
 Installing : GeoIP-devel-1.4.8-1.el6.x86_64 2/2
 Verifying : GeoIP-devel-1.4.8-1.el6.x86_64 1/2
 Verifying : GeoIP-1.4.8-1.el6.x86_64 2/2
Installed:
 GeoIP.x86_64 0:1.4.8-1.el6 GeoIP-devel.x86_64 0:1.4.8-1.el6

Complete!

After installation the GeoIP country database is stored at: /usr/share/GeoIP/GeoIP.dat
The latest update of the database can be downloaded from: http://geolite.maxmind.com/download/geoip/database/GeoLiteCountry/GeoIP.dat.gz

2. Compiling nginx with GeoIP module

– First install the packages required for compiling:

yum install gcc-c++ pcre pcre-devel zlib zlib-devel -y

– Download and untar the nginx source:

wget http://nginx.org/download/nginx-1.4.7.tar.gz && tar -xvf nginx-1.4.7.tar.gz && cd nginx-1.4.7

This is the configure command I use:

./configure \
--prefix=/etc/nginx \
--sbin-path=/etc/nginx/sbin/nginx \
--conf-path=/etc/nginx/conf/nginx.conf \
--error-log-path=/var/log/nginx/error.log \
--http-log-path=/var/log/nginx/access.log \
--pid-path=/var/run/nginx.pid \
--lock-path=/var/run/ninx.lock \
--user=nobody \
--with-http_geoip_module \
--with-http_gzip_static_module \
--with-http_secure_link_module \
--without-mail_pop3_module \
--without-mail_imap_module \
--without-mail_smtp_module \
--without-http_ssi_module
make && make install

– Since nginx was installed from source, there is no init file (/etc/init.d/nginx). You can start nginx directly with /etc/nginx/sbin/nginx, or create a service with the following file:

vi /etc/init.d/nginx
#!/bin/sh
#
# nginx - this script starts and stops the nginx daemon
#
# chkconfig: - 85 15
# description: Nginx is an HTTP(S) server, HTTP(S) reverse \
# proxy and IMAP/POP3 proxy server
# processname: nginx
# config: /etc/nginx/conf/nginx.conf
# pidfile: /var/run/nginx.pid

# Source function library.
. /etc/rc.d/init.d/functions

# Source networking configuration.
. /etc/sysconfig/network

# Check that networking is up.
[ "$NETWORKING" = "no" ] && exit 0

nginx="/etc/nginx/sbin/nginx"
prog=$(basename $nginx)

NGINX_CONF_FILE="/etc/nginx/conf/nginx.conf"

lockfile=/var/lock/subsys/nginx

start() {
    [ -x $nginx ] || exit 5
    [ -f $NGINX_CONF_FILE ] || exit 6
    echo -n $"Starting $prog: "
    daemon $nginx -c $NGINX_CONF_FILE
    retval=$?
    echo
    [ $retval -eq 0 ] && touch $lockfile
    return $retval
}

stop() {
    echo -n $"Stopping $prog: "
    killproc $prog -QUIT
    retval=$?
    echo
    [ $retval -eq 0 ] && rm -f $lockfile
    return $retval
}

restart() {
    configtest || return $?
    stop
    start
}

reload() {
    configtest || return $?
    echo -n $"Reloading $prog: "
    killproc $nginx -HUP
    retval=$?
    echo
    return $retval
}

force_reload() {
    restart
}

configtest() {
    $nginx -t -c $NGINX_CONF_FILE
}

rh_status() {
    status $prog
}

rh_status_q() {
    rh_status >/dev/null 2>&1
}

case "$1" in
    start)
        rh_status_q && exit 0
        $1
        ;;
    stop)
        rh_status_q || exit 0
        $1
        ;;
    restart|configtest)
        $1
        ;;
    reload)
        rh_status_q || exit 7
        $1
        ;;
    force-reload)
        force_reload
        ;;
    status)
        rh_status
        ;;
    condrestart|try-restart)
        # Only restart if nginx is already running.
        rh_status_q || exit 0
        restart
        ;;
    *)
        echo $"Usage: $0 {start|stop|status|restart|condrestart|try-restart|reload|force-reload|configtest}"
        exit 2
esac
chmod 0700 /etc/init.d/nginx && chkconfig nginx on

Now start nginx:

service nginx restart

[root@localhost sbin]# service nginx restart
nginx: the configuration file /etc/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/conf/nginx.conf test is successful
Stopping nginx: [ OK ]
Starting nginx: [ OK ]
[root@localhost sbin]#

To check that nginx was installed successfully, open the server's IP address in a browser. If the page shows "Welcome to nginx!", the installation succeeded.

3. Configure nginx

– Configure the main file:

vi /etc/nginx/conf/nginx.conf
http {
[...]
geoip_country /usr/share/GeoIP/GeoIP.dat;
map $geoip_country_code $allowed_country {
default yes;
CN no;
}
[...]
}

– Configure the virtualhost:

server {
[...]
if ($allowed_country = no) {
    return 444;
    # The server stops processing the request and returns code 444 (the connection
    # is closed without sending any response header).
    # Replace 444 with 403 if you prefer to send a Forbidden response instead.
}
[...]
}

– Restart the service to apply the configuration.
Note:
– The configuration above accepts all IPs and blocks only IPs from China (CN).
– Clients connecting from a China IP will see a "The connection was reset" error.
– The country codes used in the GeoIP database are listed here: http://dev.maxmind.com/geoip/legacy/codes/iso3166/
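To verify that the rule is actually taking effect, it helps to log $geoip_country_code alongside each request and check the access log. The script below is an added example, not part of the original post: it assumes a custom log_format (shown in the comment) that appends the country code, parses constructed sample lines, counts status codes per country, and flags requests from a blocked country that were served with anything other than 444, which indicates the policy was not applied (for example a virtual host without the if block).

```python
import re
from collections import Counter, defaultdict

# Assumed nginx log_format (not from the original post); $geoip_country_code is the
# same variable the tutorial's map directive uses:
#   log_format geo '$remote_addr - $geoip_country_code [$time_local] "$request" '
#                  '$status $body_bytes_sent';
LINE_RE = re.compile(
    r'^(?P<ip>\S+) - (?P<cc>\S+) \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<bytes>\d+)$'
)

# Mirrors the tutorial's map block: every country allowed except the ones listed.
BLOCKED = {"CN"}

def allowed_country(cc):
    """Same decision as `map $geoip_country_code $allowed_country`: default yes, CN no."""
    return "no" if cc in BLOCKED else "yes"

def parse_line(line):
    """Parse one access-log line in the assumed format; return None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["bytes"] = int(rec["bytes"])
    return rec

def summarize(lines):
    """Count status codes per country and list requests from a blocked country
    that were not dropped with 444 (the GeoIP rule did not apply to them)."""
    per_country = defaultdict(Counter)
    leaks = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        per_country[rec["cc"]][rec["status"]] += 1
        if allowed_country(rec["cc"]) == "no" and rec["status"] != 444:
            leaks.append((rec["ip"], rec["request"], rec["status"]))
    return dict(per_country), leaks

# Constructed sample log lines (RFC 5737 documentation addresses); "-" means nginx
# logged an empty $geoip_country_code, i.e. the IP was not found in the database.
SAMPLE_LOG = [
    '203.0.113.7 - CN [10/Oct/2014:13:55:36 +0700] "GET / HTTP/1.1" 444 0',
    '198.51.100.4 - US [10/Oct/2014:13:55:40 +0700] "GET /index.html HTTP/1.1" 200 612',
    '192.0.2.9 - CN [10/Oct/2014:13:56:01 +0700] "GET /admin HTTP/1.1" 200 1024',
    '10.0.0.5 - - [10/Oct/2014:13:56:10 +0700] "GET / HTTP/1.1" 200 612',
]

if __name__ == "__main__":
    counts, leaks = summarize(SAMPLE_LOG)
    for cc, c in sorted(counts.items()):
        print(cc, dict(c))
    for ip, req, status in leaks:
        print("policy not applied:", ip, req, status)
```

Run it against the real log with `summarize(open("/var/log/nginx/access.log"))` once the log_format above is in place.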
