BestHub
Sign in
Information Security 8 min read

How to Block Foreign IP Addresses in Nginx Using the ngx_http_geoip2 Module

This guide explains step‑by‑step how to install the GeoIP2 library, compile Nginx with the ngx_http_geoip2 module, download the MaxMind GeoLite2 database, configure Nginx to map country codes, and block non‑Chinese visitors by returning a 404 response.

Architect's Guide
Architect's Guide
Architect's Guide
How to Block Foreign IP Addresses in Nginx Using the ngx_http_geoip2 Module

In the introduction the author notes that many foreign IPs were accessing the site and decides to block them using Nginx's ngx_http_geoip2 module.

1. Install GeoIP2 dependency [root@fxkj ~]# yum install libmaxminddb-devel -y 2. Download the module

[root@fxkj tmp]# git clone https://github.com/leev/ngx_http_geoip2_module.git

3. Move the module to a permanent location

[root@fxkj tmp]# mv ngx_http_geoip2_module/ /usr/local/
[root@fxkj local]# ll ngx_http_geoip2_module/

4. Upgrade Nginx to version 1.18 and compile it with the module

# Download and extract Nginx 1.18
[root@fxkj tmp]# tar -xf nginx-1.18.0.tar.gz
[root@fxkj tmp]# cd nginx-1.18.0/
[root@fxkj nginx-1.18.0]# ./configure --with-http_stub_status_module \
    --prefix=/usr/local/nginx \
    --user=nginx --group=nginx --with-http_ssl_module --with-stream \
    --add-module=/usr/local/ngx_http_geoip2_module
[root@fxkj nginx-1.18.0]# make
[root@fxkj nginx-1.18.0]# cp objs/nginx /usr/local/nginx/sbin/
[root@fxkj nginx-1.18.0]# pkill nginx
[root@fxkj nginx-1.18.0]# /usr/local/nginx/sbin/nginx

After compilation, verify the version: [root@fxkj nginx-1.18.0]# /usr/local/nginx/sbin/nginx -V 5. Download the latest GeoLite2 Country database from MaxMind and place it under /usr/share/GeoIP/

[root@fxkj GeoIP]# ll
# shows GeoLite2-Country.mmdb (size 3.9 MB)

6. Configure nginx.conf

Backup the original configuration and edit /usr/local/nginx/conf/nginx.conf:

# cp /usr/local/nginx/conf/nginx.conf /usr/local/nginx/conf/nginx.conf-bak
# vim /usr/local/nginx/conf/nginx.conf

Add the following in the http block to load the database and map country codes:

geoip2 /usr/share/GeoIP/GeoLite2-City.mmdb {
    auto_reload 5m;
    $geoip2_data_country_code country iso_code;
}
map $geoip2_data_country_code $allowed_country {
    default yes;
    CN no;
}

Then, inside the desired

server
location

, add the condition to block foreign IPs:

if ($allowed_country = yes) {
    return 404;
}

7. Test the configuration

# /usr/local/nginx/sbin/nginx -t
# /usr/local/nginx/sbin/nginx -s reload

Access the site from an overseas IP (e.g., from Korea); the request returns a 404 error, and the Nginx access log records the attempt:

"13.125.1.194" - - [14/Aug/2020:16:15:51 +0800] "GET /favicon.ico HTTP/1.1" 404 548 "https://www.fxkjnj.com/" "Mozilla/5.0 ... Chrome/84.0..."

Thus, the guide demonstrates a complete workflow for blocking non‑Chinese visitors using Nginx and the GeoIP2 module.

Original Source

Signed-in readers can open the original source through BestHub's protected redirect.

Sign in to view source
Republication Notice

This article has been distilled and summarized from source material, then republished for learning and reference. If you believe it infringes your rights, please contactadmin@besthub.devand we will review it promptly.

ConfigurationlinuxNginxgeoip2IP blockingServer Security
Architect's Guide
Written by

Architect's Guide

Dedicated to sharing programmer-architect skills—Java backend, system, microservice, and distributed architectures—to help you become a senior architect.

0 followers
Reader feedback

How this landed with the community

Sign in to like

Rate this article

Was this worth your time?

Sign in to rate
Discussion

0 Comments

Thoughtful readers leave field notes, pushback, and hard-won operational detail here.

Sign in to comment