I will guide you how to to install GeoIP on nginx to restrict IP with GeoIP database. By default, when you install modules from yum, nginx will not come with GeoIP module (This is module: HttpGeoipModule), so we will install from source and the active the module.
If you have installed nginx on your server, using
nginx-V
to see if GeoIP module is enabled or not. For example:
[root@localhost sbin]# ./nginx -V nginx version: nginx/1.4.7 built by gcc 4.4.7 20120313 (Red Hat 4.4.7-4) (GCC) configure arguments: --prefix=/etc/nginx --sbin-path=/etc/nginx/sbin/nginx --conf-path=/etc/nginx/conf/nginx.conf --error-log-path=/var/log/nginx/error.log --http-log-path=/var/log/nginx/access.log --pid-path=/var/run/nginx.pid --lock-path=/var/run/ninx.lock --user=nobody <strong>--with-http_geoip_module</strong> --with-http_gzip_static_module --with-http_secure_link_module --without-mail_pop3_module --without-mail_imap_module --without-mail_smtp_module [root@localhost sbin]#
Note: Tutorial on CentOS 6.4 x64
1. Installing GeoIP library
– Install GeoIP library via yum
yum install geoip geoip-devel -y
If you get this error:
Setting up Install Process No package geoip available. No package geoip-devel available. Error: Nothing to do
The fixis as follows:
For Centos 5.x:
rpm -Uvh http://dl.fedoraproject.org/pub/epel/5/x86_64/epel-release-5-4.noarch.rpm rpm –Uvh http://rpms.famillecollet.com/enterprise/remi-release-5.rpm
For Centos 6.x:
rpm -Uvh http://dl.fedoraproject.org/pub/epel/6/x86_64/epel-release-6-8.noarch.rpm rpm -Uvh http://rpms.famillecollet.com/enterprise/remi-release-6.rpm
And yum install GeoIp again, output:
<em>Userid : EPEL (6) <epel@fedoraproject.org> Package: epel-release-6-8.noarch (installed) From : /etc/pki/rpm-gpg/RPM-GPG-KEY-EPEL-6 Running rpm_check_debug Running Transaction Test Transaction Test Succeeded Running Transaction Warning: RPMDB altered outside of yum. Installing : GeoIP-1.4.8-1.el6.x86_64 1/2 Installing : GeoIP-devel-1.4.8-1.el6.x86_64 2/2 Verifying : GeoIP-devel-1.4.8-1.el6.x86_64 1/2 Verifying : GeoIP-1.4.8-1.el6.x86_64 2/2
Installed: GeoIP.x86_64 0:1.4.8-1.el6 GeoIP-devel.x86_64 0:1.4.8-1.el6 Complete!</em>
After successful installation, the library will be stored in: /usr/share/GeoIP/GeoIP.dat
For the latest updates can be downloaded at: http://geolite.maxmind.com/download/geoip/database/GeoLiteCountry/GeoIP.dat.gz
2. Compiling nginx with GeoIP module
– First install require package for compiling:
yum install gcc-c++ pre pcre-devel zlib zlib-devel --y
– Download and untar nginx for compiling:
wget http://nginx.org/download/nginx-1.4.7.tar.gz && tar -xvf nginx-1.4.7.tar.gz && cd nginx-1.4.7
This is my config:
./configure --prefix=/etc/nginx \ --sbin-path=/etc/nginx/sbin/nginx \ --conf-path=/etc/nginx/conf/nginx.conf \ --error-log-path=/var/log/nginx/error.log \ --http-log-path=/var/log/nginx/access.log \ --pid-path=/var/run/nginx.pid \ --lock-path=/var/run/ninx.lock \ --user=nobody \ --with-http_geoip_module \ --with-http_gzip_static_module \ --with-http_secure_link_module \ --without-mail_pop3_module \ --without-mail_imap_module \ --without-mail_smtp_module \ --without-http_ssi_module
make && make install
– Since installing from source, so we do not have the init file (/etc/init.d/nginx). We’ll start by /etc/nginx/sbin/nginx or creates service the following files:
vi /etc/init.d/nginx
#!/bin/sh
#
# nginx - this script starts and stops the nginx daemin
#
# chkconfig: - 85 15
# description: Nginx is an HTTP(S) server, HTTP(S) reverse \
# proxy and IMAP/POP3 proxy server
# processname: nginx
# config: /usr/local/nginx/conf/nginx.conf
# pidfile: /usr/local/nginx/logs/nginx.pid
# Source function library.
. /etc/rc.d/init.d/functions
# Source networking configuration.
. /etc/sysconfig/network
# Check that networking is up.
[ "$NETWORKING" = "no" ] && exit 0
nginx="/etc/nginx/sbin/nginx"
prog=$(basename $nginx)
NGINX_CONF_FILE="/etc/nginx/conf/nginx.conf"
lockfile=/var/lock/subsys/nginx
start() {
[ -x $nginx ] || exit 5
[ -f $NGINX_CONF_FILE ] || exit 6
echo -n $"Starting $prog: "
daemon $nginx -c $NGINX_CONF_FILE
retval=$?
echo
[ $retval -eq 0 ] && touch $lockfile
return $retval
}
stop() {
echo -n $"Stopping $prog: "
killproc $prog -QUIT
retval=$?
echo
[ $retval -eq 0 ] && rm -f $lockfile
return $retval
}
restart() {
configtest || return $?
stop
start
}
reload() {
configtest || return $?
echo -n $"Reloading $prog: "
killproc $nginx -HUP
RETVAL=$?
echo
}
force_reload() {
restart
}
configtest() {
$nginx -t -c $NGINX_CONF_FILE
}
rh_status() {
status $prog
}
rh_status_q() {
rh_status >/dev/null 2>&1
}
case "$1" in
start)
rh_status_q && exit 0
$1
;;
stop)
rh_status_q || exit 0
$1
;;
restart|configtest)
$1
;;
reload)
rh_status_q || exit 7
$1
;;
force-reload)
force_reload
;;
status)
rh_status
;;
condrestart|try-restart)
rh_status_q || exit 0
;;
*)
echo $"Usage: $0 {start|stop|status|restart|condrestart|try-restart|reload|force-reload|configtest}"
exit 2
esac
chmod 0700 /etc/init.d/nginx && chkconfig nginx on
Conduct start nginx
service nginx restart
[root@localhost sbin]# service nginx restart nginx: the configuration file /etc/nginx/conf/nginx.conf syntax is ok nginx: configuration file /etc/nginx/conf/nginx.conf test is successful Stopping nginx: [ OK ] Starting nginx: [ OK ] [root@localhost sbin]#
To check nginx was not successfully installed, you access the IP of the server, if the returned results Welcome to nginx!
ie, you have successfully installed.
3. Configure nginx
– Configure on main file:
vi /etc/nginx/conf/nginx.conf
http {
[...]
geoip_country /usr/share/GeoIP/GeoIP.dat;
map $geoip_country_code $allowed_country {
default yes;
CN no;
}
[...]
}
– Configure the virtualhost:
server {
[...]
if ($allowed_country = no) {
return 444;
# # This means the server will stop processing, returns error 444 (The connection was reset),
# # And ignore always sending the response header.
# # Replace 444 by 403 if you want
}
[...]
}
– Restart the service to update configuration.
Note:
– The above configuration will accept all IP and banned only from China IP (CN).
– Ip access from China will appear The connection was reset error.
– About Code of the country in GeoIP database you can refer here: http://dev.maxmind.com/geoip/legacy/codes/iso3166/
