
Block Foreign IPs in Nginx with the GeoIP2 Module – Step‑by‑Step Guide

This guide explains how to install the ngx_http_geoip2 module, upgrade Nginx, download the MaxMind GeoIP2 database, configure geoip2 directives and map rules, and finally block non‑Chinese IP addresses by returning a 404 response.

Java High-Performance Architecture

Introduction

After noticing many malicious foreign IP requests in the Nginx access log, I decided to block all non‑Chinese IPs using the ngx_http_geoip2 module.

Install geoip2 dependencies

# yum install libmaxminddb-devel -y

Download ngx_http_geoip2_module

# git clone https://github.com/leev/ngx_http_geoip2_module.git
# mv ngx_http_geoip2_module/ /usr/local/

Upgrade Nginx and compile with the module

My current Nginx version is 1.16, which does not support the module, so I upgraded to 1.18 and added the module during compilation.

# yum install libmaxminddb-devel -y
# tar -xf nginx-1.18.0.tar.gz
# cd nginx-1.18.0
# ./configure --with-http_stub_status_module \
    --prefix=/usr/local/nginx \
    --user=nginx --group=nginx --with-http_ssl_module --with-stream \
    --add-module=/usr/local/ngx_http_geoip2_module
# make
# cp /usr/local/nginx/sbin/nginx /usr/local/nginx/sbin/nginx1.16   # backup
# cp objs/nginx /usr/local/nginx/sbin/                         # replace
# pkill nginx
# /usr/local/nginx/sbin/nginx                                 # restart

Verify Nginx version and modules

# /usr/local/nginx/sbin/nginx -V

Download the latest GeoIP2 database

Log in to www.maxmind.com, create an account, and download the GeoLite2-Country (or City) GZIP file, then extract it to /usr/share/GeoIP/.

# cd /usr/share/GeoIP/
# ll   # shows GeoIP.dat, GeoIP-initial.dat, GeoLite2-Country.mmdb, etc.

Configure nginx.conf

Back up the original configuration file first.

# cp /usr/local/nginx/conf/nginx.conf /usr/local/nginx/conf/nginx.conf-bak
# vim /usr/local/nginx/conf/nginx.conf

Add the following directives inside the http block:

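# The path must match the database you extracted (GeoLite2-Country.mmdb or GeoLite2-City.mmdb).
geoip2 /usr/share/GeoIP/GeoLite2-City.mmdb {
    auto_reload 5m;    # re-read the database when the file changes, checked every 5 minutes
    $geoip2_data_country_code country iso_code;
}
# Despite its name, $allowed_country = yes marks a request that will be blocked.
# Addresses with no country entry in the database also fall under "default".
map $geoip2_data_country_code $allowed_country {
    default yes;
    CN no;
}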

Then inside the desired server or location block add:

if ($allowed_country = yes) {
    return 404;
}
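With the map above, any address that has no country entry in the database (loopback, private ranges, unlisted networks) also falls under default and receives the 404. The following variant is an added example, not part of the original article: it exempts named networks, gives unknown addresses a visible placeholder code, and logs the decision. The 10.0.0.0/8 range, the ZZ placeholder, the variable names $geo_exempt and $block_request, and the log file name are assumptions.

```nginx
# Added example (not from the original article). Place in the http block.
geoip2 /usr/share/GeoIP/GeoLite2-City.mmdb {
    auto_reload 5m;
    # default=ZZ: addresses missing from the database get a placeholder
    # code instead of an empty string, so they stand out in the log.
    $geoip2_data_country_code default=ZZ country iso_code;
}

# Networks that must never be geo-blocked (health checks, management hosts).
geo $geo_exempt {
    default        0;
    127.0.0.0/8    1;
    10.0.0.0/8     1;   # assumed internal range, replace with your own
}

# Decision keyed on "exempt:country"; 1 means block.
map "$geo_exempt:$geoip2_data_country_code" $block_request {
    default   1;        # anything not listed below is blocked
    ~^1:      0;        # exempt networks, whatever the country lookup says
    0:CN      0;        # China
}

# Record the country code and the decision next to each request.
log_format geo '$remote_addr [$time_local] "$request" $status '
               'country=$geoip2_data_country_code blocked=$block_request';

server {
    listen 80;
    access_log logs/geo_access.log geo;   # hypothetical log file name

    if ($block_request) {
        return 404;
    }
}
```

Run nginx -t after editing; entries logged with country=ZZ show which clients the database could not classify.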

Test the configuration

Verify the syntax, then reload Nginx.

# /usr/local/nginx/sbin/nginx -t
# /usr/local/nginx/sbin/nginx -s reload

Access the site from a foreign IP (e.g., a Korean IP) and observe a 404 response. Check the access log to confirm the request was blocked:

13.125.1.194 - - [14/Aug/2020:16:15:51 +0800] "GET /favicon.ico HTTP/1.1" 404 548 "https://www.fxkjnj.com/"

With these steps, the website now denies traffic from non‑Chinese IP addresses using Nginx and the GeoIP2 module.
