Add the GeoIP2 module to NGINX.

A simple guide to add the GeoIP2 module to NGINX.

GeoIP Update — MaxMind account.

Start by installing the geoipupdate package and these dependencies from your package manager.

# Arch Linux
sudo pacman -Sy geoip libmaxminddb geoipupdate      

# Ubuntu
sudo add-apt-repository ppa:maxmind/ppa

sudo apt update
sudo apt install geoipupdate libmaxminddb0 libmaxminddb-dev mmdb-bin

You need to create an account on the MaxMind website which provides these databases. I choose to take the Lite version. It’s less precise but it’s free: Sign up for GeoLite2.

After registering on the site, you can now generate new license key in your MaxMind account.

In the /etc/GeoIP.conf file, you can now replace YOUR_ACCOUNT_ID_HERE and YOUR_LICENSE_KEY_HERE:

# /etc/GeoIP.conf
# Replace YOUR_ACCOUNT_ID_HERE and YOUR_LICENSE_KEY_HERE with an active account
# ID and license key combination associated with your MaxMind account. These
# are available from https://www.maxmind.com/en/my_license_key.
AccountID YOUR_ACCOUNT_ID_HERE
LicenseKey YOUR_LICENSE_KEY_HERE

# Enter the edition IDs of the databases you would like to update.
# Multiple edition IDs are separated by spaces.
EditionIDs GeoLite2-ASN GeoLite2-City GeoLite2-Country

You will have to change EditionIDs according to the type of license you have.

After that, you will be able to update the geoip database.

sudo geoipupdate

Add a new cron rule to enable a daily update:

sudo crontab -e
# Run GeoIP database update all the thuesday at 02:00
0 2 * * 2 /usr/bin/geoipupdate

GeoIP2 Nginx dynamic module.

You have the GeoIP2 database updated, now we just have to add the GeoIP2 module to Nginx. Start by cloning the github repository of the module.

git clone https://github.com/leev/ngx_http_geoip2_module.git

We will proceed in the same way as we have in the Compiling Modules for NGINX article.

Check your Nginx version installed:

$ nginx -v
nginx version: nginx/VERSION

Download the Nginx corresponding version:

wget http://nginx.org/download/nginx-VERSION.tar.gz
tar zxvf nginx-VERSION.tar.gz
cd nginx-VERSION

Configure and make your module:

./configure --with-compat --add-dynamic-module=../ngx_http_geoip2_module

make modules

Copy the GeoIP2 module in the Nginx directory:

mkdir -p /etc/nginx/modules

cp -vi objs/ngx_http_geoip2_module.so /etc/nginx/modules/

Add the module to your nginx.conf:

load_module modules/ngx_http_geoip2_module.so;

Check the Nginx configurtion

$ sudo nginx -t
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful

GeoIP2 usage example: controlling access by geoip.

In our example we will restrict access to our server to a few countries. Edit your /etc/nginx/nginx.conf:

load_module modules/ngx_http_geoip2_module.so;

[...]

http {
    geoip2 /var/lib/GeoIP/GeoLite2-Country.mmdb {
       $geoip2_data_country_iso_code country iso_code;
    }

    map $geoip2_data_country_iso_code $allowed_country {
       default no;
       FR yes; # France
       BE yes; # Belgium
       DE yes; # Germany
       CH yes; # Switzerland
    }

    server {
       # Block forbidden country
       if ($allowed_country = no) {
           return 444;
       }

       [...]
    }
}

All you have to do is try to access your site through a VPN from a country you have banned.

curl https://aimd.tech
curl: (92) HTTP/2 stream 0 was not closed cleanly: Unknown error code (err 1)

You can now use up-to-date GeoIP2 in your Nginx configurations.

Sources

• MaxMind.com — GeoIPUpdate
• Nginx.com — Compiling and Installing ModSecurity for NGINX Open Source
• Nginx.com — GeoIP2 Documentation
• Nginx.com — Restricting Access by Geographical Location
• Github — ngx_http_geoip2_module

Originally published at https://www.aimd.tech on April 13, 2020.