GeoIP Country Block

Discussion in 'Install & Upgrades or Pre-Install Questions' started by cloud9, Mar 22, 2022.

  1. cloud9
    Please fill in any relevant information that applies to you:
    • CentOS Version: CentOS 7 64bit
    • Centmin Mod Version Installed: 123.09beta01
    • Nginx Version Installed: 1.21.6
    • PHP Version Installed: 8.0.16
    • MariaDB MySQL Version Installed: 10.3.xx
    • When was last time updated Centmin Mod code base ? :today
    • Persistent Config:
      Code:
      #### Installed by Centminmod##############
      MARCH_TARGETNATIVE='n'
      ##########################################
      
      #####################################################
      # CSF FIREWALL
      # PORTFLOOD Configuration
      # https://community.centminmod.com/threads/14708/
      # Setting CSFPORTFLOOD_OVERRIDE='y' allows you to
      # override default CSF Firewall PORTFLOOD values set
      # by Centmin Mod initial install. If end user made
      # custom changes to PORTFLOOD values, the override
      # will not work. Override only works if end user has
      # not made custom changes to PORTFLOOD values to ensure
      # end users customisations do not get overwritten
      CSFPORTFLOOD_OVERRIDE='y'
      # max hit count value allowed is 20
      PORTFLOOD_COUNT=20
      # lowering interval in seconds allows for more
      # port flood hits against default TCP port 21
      PORTFLOOD_INTERVAL=300
      #####################################################
      
      # enable letsencrypt ssl certificate + dual RSA+ECDSA ssl certs https://centminmod.com/acmetool/
      # https://community.centminmod.com/threads/official-acmetool-sh-testing-thread-for-centmin-mod-123-09beta01.8290/
      LETSENCRYPT_DETECT='y'
      DUALCERTS='y'
      
      # Add custom curl to update curl to 8.x latest
      # https://community.centminmod.com/threads/update-addons-customcurl-sh-custom_curlrpm-y-routine-in-123-09beta01.17503/
      CUSTOM_CURLRPM=y
      
      # Force SSL to only using TLSv1.2 or TLSv1.2 + TLSv1.3 (when using OpenSSL 1.1.1 or BoringsSSL)
      #https://community.centminmod.com/threads/add-ssl_protocol_modern-variable-in-123-09beta01.19715/#post-83781
      SSL_PROTOCOL_MODERN='y'
      
      # Enable Rclone and Dropbox to enable sharing Logs
      #https://community.centminmod.com/threads/centmin-mod-nginx-1-21-5-pcre2-beta-testing.22326/#post-91386
      RCLONE_ENABLE='y'
      DROPBOX_SEND='y'
      
      #replace older PCRE2 8.x library with 10.x library
      #https://community.centminmod.com/threads/centmin-mod-nginx-1-21-5-pcre2-beta-testing.22326/#post-91354
      NGINX_PCRE_TWO='y'
      
      # dynamically tune nginx ssl_session_cache in /usr/local/nginx/conf/ssl_include.conf based on system detected memory
      # https://community.centminmod.com/posts/76615/
      NGINX_SSLCACHE_ALLOWOVERRIDE='y'
      
      # override Nginx default OCSP response cache refresh time 1h (3600 seconds) to 24hrs (86400 seconds)
      # https://community.centminmod.com/threads/19515/
      #NGINX_STAPLE_CACHE_OVERRIDE='y'
      #NGINX_STAPLE_CACHE_TTL='86400'
      
      # SET_DEFAULT_MYSQLCHARSET='utf8mb4' to override MariaDB MySQL
      # default characterset and collation from default utf8 to utf8mb4
      # https://community.centminmod.com/threads/17949/
      SET_DEFAULT_MYSQLCHARSET='utf8mb4'
      
      # enable nginx backlog override https://community.centminmod.com/threads/17620/
      #AUTOHARDTUNE_NGINXBACKLOG='y'
      
      # enable zstd compressed logrotation for nginx & php-fpm https://community.centminmod.com/threads/16374/
      ZSTD_LOGROTATE_NGINX='y'
      ZSTD_LOGROTATE_PHPFPM='y'
      
      # enable ECC 256bit ECDSA self-signed SSL certificate generation https://community.centminmod.com/posts/82177/
      #SELFSIGNEDSSL_ECDSA='y'
      
      # COMMENTED OUT DEFAULT - enable nginx zero downtime on the fly nginx binary upgrades https://community.centminmod.com/threads/8000/
      # NGINX_ZERODT='y'
      
      # COMMENTED OUT - REQUIRES CENTOS KERNEL 5.1 or ABOVE - CHECK VERSION FIRST WITH uname -r
      # CARE WHEN UPGRADING KERNEL - BEST NOT TO DO ON A LIVE SERVER
      # SEE https://community.centminmod.com/threads/add-nginx_iouring_patch-variable-support-in-123-09beta01.18075/#post-76552
      NGINX_IOURING_PATCH='y'
      
      # enable brotli compression https://community.centminmod.com/threads/10688/
      #NGINX_LIBBROTLI='y'
      #NGXDYNAMIC_BROTLI='y'
      
      # php compression extensions https://community.centminmod.com/posts/70777/
      #PHP_BROTLI='y'
      #PHP_LZFOUR='y'
      #PHP_LZF='y'
      #PHP_ZSTD='y'
      
      # php file info
      #PHPFINFO='y'
      
      # enable centmin.sh menu option 22 WordPress Cache Enabler Query String inclusions
      # https://community.centminmod.com/posts/85927/
      # WPCLI_CE_QUERYSTRING_INCLUDED='y'
      
      # Set PHP version
      # PHP versions - https://www.php.net/downloads.php
      # https://community.centminmod.com/threads/php-8-0-0-ga-stable-release.20739/#post-87309
      PHP_VERSION='8.0.16'
      
      # PHP version checks
      # https://community.centminmod.com/threads/add-optional-php-version-check-in-123-09beta01.19334/
      DMOTD_PHPCHECK='y'
      
      # Enable VHost Stats
      # see https://community.centminmod.com/threads/add-ngxdynamic_vhoststats-option-support-for-nginx-module-vts-module.12913/#post-54842
      #NGINX_VHOSTSTATS=y
      
      #Enable Max Mind GeoIP
      #see https://community.centminmod.com/threads/how-to-enable-geoip-2-lite-nginx-module-support.17165/
      MM_LICENSE_KEY='****************'
      NGINX_GEOIPTWOLITE='y'
      NGXDYNAMIC_GEOIPTWOLITE='y'

    Followed your thread on GeoIP for country blocking. GeoIP appears to be working ok, and I have blocked RU & CN as per your example, yet if I log onto the website on the server from a mainland China IP I don't get blocked.

    This is what I added to my nginx conf as per your example:

    Code:
    http {
      limit_req_zone $binary_remote_addr zone=xwprpc:10m rate=30r/s;

      map_hash_bucket_size 128;
      map_hash_max_size 4096;
      server_names_hash_bucket_size 128;
      server_names_hash_max_size 2048;
      variables_hash_max_size 2048;

      # added to deny countries (Russia and China)
      # see https://community.centminmod.com/threads/how-to-enable-geoip-2-lite-nginx-module-support.17165/
      map $geoip2_data_country_code $country_code_allowed {
        default allow;
        RU deny;
        CN deny;
      }
    Anything I can check?
     
  2. eva2000
    Check whether that Chinese IP address's geolocation data is up to date at https://www.iplocation.net/ ; it will test several common geolocation database sets, including Maxmind, and report the location. It could be that your Chinese IP's geolocation data is out of date in the Maxmind GeoIP2 Lite database.

    From https://community.centminmod.com/threads/how-to-enable-geoip-2-lite-nginx-module-support.17165/

    You can run the geoip2db-update.sh script to manually update your installed GeoIP 2 Lite database to be sure:
    Code (Text):
    /usr/local/src/centminmod/tools/geoip2db-update.sh

    Also check if the Chinese IP has been whitelisted by CSF Firewall (see the CSF Firewall page on CentminMod.com):
    Code (Text):
    csf -g IPADDRESS
     
  3. eva2000
    Also did you add the blocking rule in your Nginx vhost though as outlined at https://community.centminmod.com/th...2-lite-nginx-module-support.17165/#post-72624

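The map in the first post only computes `$country_code_allowed`; nothing is blocked until a server block acts on it. As an added example that is not from this thread or from Centmin Mod itself, this is the usual shape of such a vhost rule, plus a log format that records the resolved country so a test from China can be confirmed in the access log rather than guessed. The vhost name and log path are hypothetical placeholders.

```nginx
# Added example, not the thread's own config. Assumes the
# "map $geoip2_data_country_code $country_code_allowed" block from the
# first post already exists in the http {} context of nginx.conf.

http {
    # Record the country GeoIP2 resolved for each request so a blocked or
    # unexpectedly allowed test visit can be checked in the log.
    log_format geo '$remote_addr [$geoip2_data_country_code/$country_code_allowed] '
                   '"$request" $status';

    server {
        server_name example.com;                 # hypothetical vhost name
        access_log /path/to/example.com.geo.log geo;   # placeholder path

        # Deny any client whose country resolved to "deny" in the map.
        # Must sit inside the server {} block (or a location {}), not in http {}.
        if ($country_code_allowed = deny) {
            return 403;
        }

        # ... rest of the vhost (root, locations, PHP handling) ...
    }
}
```

If the site sits behind Cloudflare, `$remote_addr` (and therefore the GeoIP2 lookup) is Cloudflare's edge IP until the real-IP include mentioned later in the thread is enabled, so the logged country would be wherever the edge node is, not the visitor's.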
     
  4. eva2000
    Also is your web site behind Cloudflare? If so remember to uncomment and remove the hash in front of the cloudflare.conf include line in your Nginx vhost so real visitor IP addresses are restored and seen by Nginx.