Block Foreign IPs Using NGINX ngx_http_geoip2 Module
This step‑by‑step guide shows how to install the libmaxminddb library, compile NGINX with the ngx_http_geoip2 module, download the latest GeoLite2 database, configure geoip2 directives, and verify that foreign IP addresses are blocked with a 404 response.
Overview
Goal: block non‑Chinese IP addresses using NGINX and the ngx_http_geoip2 module.
Prerequisites
NGINX ≥ 1.18 (originally 1.16, upgraded)
Root access on a Linux distribution (yum‑based example)
libmaxminddb development library
1. Install libmaxminddb development package
yum install libmaxminddb-devel -y
2. Obtain the ngx_http_geoip2 module
git clone https://github.com/leev/ngx_http_geoip2_module.git
3. Place the module in a permanent location
mv ngx_http_geoip2_module /usr/local/
4. Compile NGINX with the module
Download the NGINX 1.18 source tarball, extract, and configure with the additional module.
tar -xf nginx-1.18.0.tar.gz
cd nginx-1.18.0
./configure \
--with-http_stub_status_module \
--prefix=/usr/local/nginx \
--user=nginx --group=nginx \
--with-http_ssl_module \
--with-stream \
--add-module=/usr/local/ngx_http_geoip2_module
make
# Backup the existing binary
cp /usr/local/nginx/sbin/nginx /usr/local/nginx/sbin/nginx.16
# Replace with the newly built binary
cp objs/nginx /usr/local/nginx/sbin/
pkill nginx
/usr/local/nginx/sbin/nginx # restart
Verify the version:
/usr/local/nginx/sbin/nginx -V
5. Download the GeoLite2 Country database
Create a free MaxMind account, download the GeoLite2-Country.mmdb GZIP file, and extract it to /usr/share/GeoIP/.
cd /usr/share/GeoIP/
gunzip GeoLite2-Country.mmdb.gz # skip if the file is already a plain .mmdb; use tar -xzf for a .tar.gz archive
ls -l
6. Configure NGINX
Backup the current configuration and edit /usr/local/nginx/conf/nginx.conf.
cp /usr/local/nginx/conf/nginx.conf /usr/local/nginx/conf/nginx.conf.bak
vim /usr/local/nginx/conf/nginx.conf
Add the following directives inside the http block to load the database and map country codes:
geoip2 /usr/share/GeoIP/GeoLite2-Country.mmdb {
    auto_reload 5m;
    $geoip2_data_country_code country iso_code;
}
map $geoip2_data_country_code $allowed_country {
    default no; # block every country not listed here (including unknown)
    CN yes; # allow China
}
Inside the desired server block, add a conditional that returns 404 for disallowed countries:
if ($allowed_country = no) {
    return 404;
}
7. Test and reload
/usr/local/nginx/sbin/nginx -t
/usr/local/nginx/sbin/nginx -s reload
From a non‑Chinese IP (e.g., a Korean server), request the site; the response should be 404 Not Found. Verify that the access log shows the 404 status.
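The access-log check in step 7 can be scripted so that gaps in the block (for example a server block that lacks the conditional) show up. This is an added example, not part of the original article; it assumes a hypothetical log_format named geo that writes $geoip2_data_country_code as the second field, and the sample log lines are constructed.

```shell
#!/bin/sh
# Added example (not from the original article). Assumes this hypothetical
# log_format in the http block, which logs the country code as field 2:
#   log_format geo '$remote_addr $geoip2_data_country_code [$time_local] '
#                  '"$request" $status';
#   access_log logs/access.log geo;
# NGINX logs "-" when the variable is empty (address not in the database).

# Constructed sample lines; addresses come from documentation ranges.
sample_log() {
cat <<'EOF'
192.0.2.10 CN [10/May/2024:10:00:01 +0800] "GET / HTTP/1.1" 200
198.51.100.7 KR [10/May/2024:10:00:02 +0800] "GET / HTTP/1.1" 404
203.0.113.5 US [10/May/2024:10:00:03 +0800] "GET /admin HTTP/1.1" 200
203.0.113.9 - [10/May/2024:10:00:04 +0800] "GET / HTTP/1.1" 404
198.51.100.8 DE [10/May/2024:10:00:05 +0800] "POST /login HTTP/1.1" 302
EOF
}

# Print "ip country status" for every request that did not come from CN
# and did not receive 404, i.e. traffic the geo block failed to stop.
# The status is read as the last field so the quoted request cannot shift it.
geo_block_gaps() {
    awk '$2 != "CN" && $NF != "404" { print $1, $2, $NF }'
}

# Count the 404 responses served to non-CN clients, per country code.
blocked_by_country() {
    awk '$2 != "CN" && $NF == "404" { n[$2]++ }
         END { for (c in n) print c, n[c] }' | LC_ALL=C sort
}

# Stand-alone run: list the gaps found in the constructed sample.
sample_log | geo_block_gaps
```

Against a real log, pipe the file in instead of sample_log, for example `geo_block_gaps < /usr/local/nginx/logs/access.log`; any output means a foreign request reached a location that the conditional does not cover.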
Key considerations
Run make only; do not run make install, which would overwrite the entire existing installation.
Check existing compile‑time modules with /usr/local/nginx/sbin/nginx -V before adding new ones.
With auto_reload 5m, NGINX checks the database file for changes every 5 minutes and reloads it when it has changed, so updates to the GeoLite2 file are applied without restarting NGINX.
Liangxu Linux
Liangxu, a self‑taught IT professional now working as a Linux development engineer at a Fortune 500 multinational, shares extensive Linux knowledge—fundamentals, applications, tools, plus Git, databases, Raspberry Pi, etc. (Reply “Linux” to receive essential resources.)
