Learn about Centmin Mod LEMP Stack today
Register Now

Nginx GeoIP Thread

Discussion in 'Nginx, PHP-FPM & MariaDB MySQL' started by BamaStangGuy, Sep 23, 2014.

  1. BamaStangGuy

    BamaStangGuy Active Member

    668
    192
    43
    May 25, 2014
    Ratings:
    +272
    Local Time:
    8:47 PM
    So, I would rather block certain countries at the server level rather than at the software level (with an XenForo add-on).


    I am starting to look into GeoIP but not much came up with the search on here for that. Who all is using this with Nginx to block countries? If so, what are you using for your configuration?
     
  2. eva2000

    eva2000 Administrator Staff Member

    53,488
    12,130
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +18,672
    Local Time:
    11:47 AM
    Nginx 1.27.x
    MariaDB 10.x/11.4+
    Haven't tried this myself. But why not at server level ?

    However, Centmin Mod has a geoip.sh Addon included in /addons folder - see Vultr - How to install Centmin Mod on Vultr.com Guide | Centmin Mod Community to get you the first step ready.

    First, install geoip.sh Addon :)

    If prompted to overwrite database, select yes
    Code:
    cd /usr/local/src/centmin-v1.2.3mod/addons
    chmod +x *.sh
    ./geoip.sh
    Then you need to recompile Nginx with geoip module support. This is easily done via centmin.sh editing NGINX_GEOIP=y centminmod/centmin.sh at master · centminmod/centminmod · GitHub and then centmin.sh menu 4 to recompile Nginx.

    Testing the included geoip.php test page. First need to add to /usr/local/nginx/conf/php.conf include file the following:

    Code:
    # Set php-fpm geoip variables
    fastcgi_param GEOIP_COUNTRY_CODE $geoip_country_code;
    fastcgi_param GEOIP_COUNTRY_CODE3 $geoip_country_code3;
    fastcgi_param GEOIP_COUNTRY_NAME $geoip_country_name;
    fastcgi_param GEOIP_CITY_COUNTRY_CODE $geoip_city_country_code;
    fastcgi_param GEOIP_CITY_COUNTRY_CODE3 $geoip_city_country_code3;
    fastcgi_param GEOIP_CITY_COUNTRY_NAME $geoip_city_country_name;
    fastcgi_param GEOIP_REGION $geoip_region;
    fastcgi_param GEOIP_CITY $geoip_city;
    fastcgi_param GEOIP_POSTAL_CODE $geoip_postal_code;
    fastcgi_param GEOIP_CITY_CONTINENT_CODE $geoip_city_continent_code;
    fastcgi_param GEOIP_LATITUDE $geoip_latitude;
    fastcgi_param GEOIP_LONGITUDE $geoip_longitude;
    Then restart both Nginx and PHP-FPM

    Code:
    nprestart
    nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
    nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
    Stopping nginx:                                            [  OK  ]
    Starting nginx:                                            [  OK  ]
    Gracefully shutting down php-fpm . done
    Starting php-fpm  done
    Checking if PHP-FPM and Nginx can utilise the GeoIP database

    Code:
    lynx -dump http:/yourhostname.domain.com/geoip.php
       country_code: US
       country_code3: USA
       country_name: United States
       city_country_code: US
       city_country_code3: USA
       city_country_name: United States
       region: CA
       city: Los Angeles
       postal_code: 90017
       city_continent_code: NA
       latitude: 34.0530
       longitude: -118.2642
     
    Last edited: Sep 23, 2014
  3. eva2000

    eva2000 Administrator Staff Member

    53,488
    12,130
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +18,672
    Local Time:
    11:47 AM
    Nginx 1.27.x
    MariaDB 10.x/11.4+
  4. GhoHan

    GhoHan Member

    33
    14
    8
    Jun 1, 2014
    Ratings:
    +14
    Local Time:
    8:47 AM
    Nginx 1.13.X
    MariaDB 10.1.X
    To add GeoIP
    Code:
    cd /usr/local/src/centmin-v1.2.3mod/addons
    chmod +x *.sh
    ./geoip.sh
    
    you must check first your nginx Compiler option using --with-http_geoip_module
    Code:
    # nginx -V
    nginx version: nginx/1.7.5
    built by gcc 4.4.7 20120313 (Red Hat 4.4.7-4) (GCC)
    TLS SNI support enabled
    configure arguments: --with-cc-opt='-I/svr-setup/staticlibssl/include -I/usr/include' --with-ld-opt='-L/svr-setup/staticlibssl/lib -Wl,-rpath -lssl -lcrypto -ldl -lz' --sbin-path=/usr/local/sbin/nginx --conf-path=/usr/local/nginx/conf/nginx.conf --with-http_ssl_module --with-http_gzip_static_module --with-http_stub_status_module --with-http_sub_module --with-http_addition_module --with-http_image_filter_module --with-http_secure_link_module --with-http_flv_module --with-http_realip_module [B]--with-http_geoip_module[/B] --with-openssl-opt=enable-tlsext --add-module=../ngx-fancyindex-ngx-fancyindex --add-module=../ngx_cache_purge-2.1 --add-module=../headers-more-nginx-module-0.25 --add-module=../nginx-accesskey-2.0.3 --add-module=../nginx-http-concat-master --with-http_dav_module --add-module=../nginx-dav-ext-module-0.0.3 --with-openssl=../openssl-1.0.1i --with-libatomic --with-pcre=../pcre-8.35 --with-pcre-jit --with-http_spdy_module --add-module=../ngx_pagespeed-release-1.8.31.4-beta
    
    Open /usr/local/nginx/conf/nginx.conf
    Code:
    http {
    include /usr/local/nginx/conf/geoip.conf;
    ## add this line example country to allow
    map $geoip_country_code $allowed_country {
            default no;
            US yes;
            FK yes;
            FM yes;
            EH yes;
    }
    
    and then In /usr/local/nginx/conf/conf.d/yourdomain-name.conf
    Code:
    server {
    ## Add this line Bellow
        if ($allowed_country = no) {
                return 444;
        }
                listen   80;
    
    now restart your nginx
    Code:
    service nginx restart
    
    You are done to block country and allow country may access your domain name

    Regards,
     
  5. GhoHan

    GhoHan Member

    33
    14
    8
    Jun 1, 2014
    Ratings:
    +14
    Local Time:
    8:47 AM
    Nginx 1.13.X
    MariaDB 10.1.X
  6. eva2000

    eva2000 Administrator Staff Member

    53,488
    12,130
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +18,672
    Local Time:
    11:47 AM
    Nginx 1.27.x
    MariaDB 10.x/11.4+
    Last edited: Sep 23, 2014
  7. GhoHan

    GhoHan Member

    33
    14
    8
    Jun 1, 2014
    Ratings:
    +14
    Local Time:
    8:47 AM
    Nginx 1.13.X
    MariaDB 10.1.X
    yes but before i'm trying not working with edit this option NGINX_GEOIP=y

    i must compile that manual first, but it's ok for next update using centminmod (y)
     
  8. eva2000

    eva2000 Administrator Staff Member

    53,488
    12,130
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +18,672
    Local Time:
    11:47 AM
    Nginx 1.27.x
    MariaDB 10.x/11.4+
    Yeah using NGINX_GEOIP=y much easier than manual compile of the geoip nginx module so should try it out. This forum uses it just because needed part of the GeoIP database for this User Map | Centmin Mod Community :)
     
  9. GhoHan

    GhoHan Member

    33
    14
    8
    Jun 1, 2014
    Ratings:
    +14
    Local Time:
    8:47 AM
    Nginx 1.13.X
    MariaDB 10.1.X
    @eva2000 not working for upgrade/downgrade when edit centmin.sh option to NGINX_GEOIP=y
    when centminmod already installed with Option 1 - Centmin Install
     
  10. eva2000

    eva2000 Administrator Staff Member

    53,488
    12,130
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +18,672
    Local Time:
    11:47 AM
    Nginx 1.27.x
    MariaDB 10.x/11.4+
    which version .07 stable or .08 beta, both versions have a few bug fixes for various issues in the past month, so you might want to try downloading a more recent copy of .07 stable or .08 beta centos7 one

    doh.. you have to install geoip.sh addon BEFORE nginx recompile with NGINX_GEOIP=y :)

    Code:
     + ngx_pagespeed was configured
    checking for zlib library ... found
    checking for GD library ... found
    checking for GeoIP library ... not found
    checking for GeoIP library in /usr/local/ ... not found
    checking for GeoIP library in /usr/pkg/ ... not found
    checking for GeoIP library in /opt/local/ ... not found
    
    ./configure: error: the GeoIP module requires the GeoIP library.
    You can either do not enable the module or install the library.
    the library is installed by geoip.sh Addon :D
     
    Last edited: Sep 23, 2014
  11. eva2000

    eva2000 Administrator Staff Member

    53,488
    12,130
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +18,672
    Local Time:
    11:47 AM
    Nginx 1.27.x
    MariaDB 10.x/11.4+
  12. GhoHan

    GhoHan Member

    33
    14
    8
    Jun 1, 2014
    Ratings:
    +14
    Local Time:
    8:47 AM
    Nginx 1.13.X
    MariaDB 10.1.X
    which version .07 stable latest i tested not working
    because i'm forget to edit centmin.sh to enable NGINX_GEOIP option and then i try to edit and run Option 4. Ningx Upgrade but when i'm check nginx -V the nginx is not available option --with-http_geoip_module in configure arguments.

    i must done compiler by manual go to cd /svr-setup/nginx-version

    but working fine if not forget to edit centmin.sh for fresh install centminmod with option 1.
     
  13. eva2000

    eva2000 Administrator Staff Member

    53,488
    12,130
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +18,672
    Local Time:
    11:47 AM
    Nginx 1.27.x
    MariaDB 10.x/11.4+
    latest version of .07 stable took care of that if you forgot NGINX_GEOIP=y, Centmin Mod auto detects if Nginx GeoIP already compiled into Nginx running version and prompts you to select NGINX_GEOIP=Y at Nginx upgrade time via menu option 4 see lines 4 to 12 of inc/nginx_upgrade.inc

    if you forget NGINX_GEOIP=y in centmin.sh and had previous compiled Nginx with geoip module, you'll get this prompt
    Code:
    Nginx Upgrade - Would you like to continue? [y/n] y
    
    Install which version of Nginx? (version i.e. 1.7.5}): 1.7.5
    
    Detected existing Nginx has NGINX_GEOIP=y enabled
    however, you are recompiling Nginx with NGINX_GEOIP=n
    Is this incorrect and you want to set NGINX_GEOIP=y enabled ?
    Answer y or n. Typing y will set NGINX_GEOIP=y [y/n]: 
    just did it

     
  14. eva2000

    eva2000 Administrator Staff Member

    53,488
    12,130
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +18,672
    Local Time:
    11:47 AM
    Nginx 1.27.x
    MariaDB 10.x/11.4+
    hmm wonder if it's better to just enable geoip nginx module and geoip database support by default in Centmin Mod .08+ and higher ?
     
  15. GhoHan

    GhoHan Member

    33
    14
    8
    Jun 1, 2014
    Ratings:
    +14
    Local Time:
    8:47 AM
    Nginx 1.13.X
    MariaDB 10.1.X
    Yeah, I think this is a good idea to enable the geoip module as the default
     
  16. eva2000

    eva2000 Administrator Staff Member

    53,488
    12,130
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +18,672
    Local Time:
    11:47 AM
    Nginx 1.27.x
    MariaDB 10.x/11.4+
    started a new Github branch 123.08geoip to test making Nginx GeoIP support enabled by default (actual first commits). Testing right now :)
     
  17. GhoHan

    GhoHan Member

    33
    14
    8
    Jun 1, 2014
    Ratings:
    +14
    Local Time:
    8:47 AM
    Nginx 1.13.X
    MariaDB 10.1.X
  18. Floren

    Floren Active Member

    148
    77
    28
    Jun 6, 2014
    Ratings:
    +77
    Local Time:
    9:47 PM
    That wont work to filter access for a specific user which belongs to a specific country, period. Not to mention all static files are not included.
     
  19. eva2000

    eva2000 Administrator Staff Member

    53,488
    12,130
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +18,672
    Local Time:
    11:47 AM
    Nginx 1.27.x
    MariaDB 10.x/11.4+
    yeah that is not for blocking it's to setup Nginx GeoIP module first and test to see if it works for PHP-FPM only.
     
  20. eva2000

    eva2000 Administrator Staff Member

    53,488
    12,130
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +18,672
    Local Time:
    11:47 AM
    Nginx 1.27.x
    MariaDB 10.x/11.4+
    Thanks for the confirmation :D