Blocking Foreign IP Access in Nginx with the ngx_http_geoip2 Module

After noticing many malicious requests from foreign IP addresses in the Nginx access log, the author decided to block foreign IPs using the ngx_http_geoip2 module.

The article outlines the process of installing the required GeoIP2 library, downloading the ngx_http_geoip2_module source, and placing it in /usr/local.

① Install GeoIP2 development library

[root@fxkj ~]# yum install libmaxminddb-devel -y

② Clone the ngx_http_geoip2_module repository

[root@fxkj tmp]# git clone https://github.com/leev/ngx_http_geoip2_module.git

③ Move the module to the desired path

The author moves the module to /usr/local and lists its contents.

[root@fxkj tmp]# mv ngx_http_geoip2_module/ /usr/local/
[root@fxkj local]# ll ngx_http_geoip2_module/

④ Upgrade Nginx and compile with the module

The current Nginx version is 1.16; the module requires at least 1.18, so the author upgrades to 1.18 and adds the module during compilation.

[root@fxkj ~]# yum install libmaxminddb-devel -y

Compilation steps (no make install to avoid overwriting the running binary):

[root@fxkj tmp]# tar -xf nginx-1.18.0.tar.gz
[root@fxkj tmp]# cd nginx-1.18.0/
[root@fxkj nginx-1.18.0]# ./configure --with-http_stub_status_module \
    --prefix=/usr/local/nginx \
    --user=nginx --group=nginx --with-http_ssl_module --with-stream \
    --add-module=/usr/local/ngx_http_geoip2_module
[root@fxkj nginx-1.18.0]# make
[root@fxkj nginx-1.18.0]# cp /usr/loca/nginx/sbin/nginx /usr/loca/nginx/sbin/nginx1.16   # backup
[root@fxkj nginx-1.18.0]# cp objs/nginx /usr/local/nginx/sbin/   # replace old binary
[root@fxkj nginx-1.18.0]# pkill nginx   # stop old process
[root@fxkj nginx-1.18.0]# /usr/local/nginx/sbin/nginx   # start new version

Verify the new version and compiled modules:

[root@fxkj nginx-1.18.0]# /usr/local/nginx/sbin/nginx -V

⑤ Download the latest GeoIP2 database files

The module expects a database file, typically located in /usr/share/GeoIP/. The author uploads and extracts the GeoLite2-Country.mmdb file there.

[root@fxkj local]# cd /usr/share/GeoIP/
[root@fxkj GeoIP]# ll

⑥ Configure Nginx

First back up the existing nginx.conf and edit it.

# cp /usr/local/nginx/conf/nginx.conf /usr/local/nginx/conf/nginx.conf-bak
# vim /usr/local/nginx/conf/nginx.conf

Add the GeoIP2 directive in the http block to load the database and map country codes to an allow/deny variable:

geoip2 /usr/share/GeoIP/GeoLite2-City.mmdb {
    auto_reload 5m;
    $geoip2_data_country_code country iso_code;
}
map $geoip2_data_country_code $allowed_country {
    default yes;
    CN no;
}

In the server location block, use the variable to return a 404 for foreign IPs:

if ($allowed_country = yes) {
    # return https://www.baidu.com;
    # return /home/japan;
    return 404;
}

Test the configuration and reload Nginx:

# /usr/local/nginx/sbin/nginx -t
# /usr/local/nginx/sbin/nginx -s reload

⑦ Test the setup

Access the site from an overseas server (e.g., a Korean IP) and verify that Nginx returns a 404 and logs the request accordingly.

With these steps, foreign IP access to the website is successfully blocked using Nginx and the ngx_http_geoip2 module.