
How to Block Foreign IP Addresses in Nginx Using the ngx_http_geoip2 Module

This guide explains step‑by‑step how to install the GeoIP2 library, compile Nginx with the ngx_http_geoip2 module, download the MaxMind GeoLite2 database, configure Nginx to map country codes, and block non‑Chinese visitors by returning a 404 response.

Architect's Guide

In the introduction the author notes that many foreign IPs were accessing the site and decides to block them using Nginx's ngx_http_geoip2 module.

1. Install GeoIP2 dependency

[root@fxkj ~]# yum install libmaxminddb-devel -y

2. Download the module

[root@fxkj tmp]# git clone https://github.com/leev/ngx_http_geoip2_module.git

3. Move the module to a permanent location

[root@fxkj tmp]# mv ngx_http_geoip2_module/ /usr/local/
[root@fxkj local]# ll ngx_http_geoip2_module/

4. Upgrade Nginx to version 1.18 and compile it with the module

# Download and extract Nginx 1.18
[root@fxkj tmp]# tar -xf nginx-1.18.0.tar.gz
[root@fxkj tmp]# cd nginx-1.18.0/
[root@fxkj nginx-1.18.0]# ./configure --with-http_stub_status_module \
    --prefix=/usr/local/nginx \
    --user=nginx --group=nginx --with-http_ssl_module --with-stream \
    --add-module=/usr/local/ngx_http_geoip2_module
[root@fxkj nginx-1.18.0]# make
[root@fxkj nginx-1.18.0]# cp objs/nginx /usr/local/nginx/sbin/
[root@fxkj nginx-1.18.0]# pkill nginx
[root@fxkj nginx-1.18.0]# /usr/local/nginx/sbin/nginx

After compilation, verify the version:

[root@fxkj nginx-1.18.0]# /usr/local/nginx/sbin/nginx -V

5. Download the latest GeoLite2 Country database from MaxMind and place it under /usr/share/GeoIP/

[root@fxkj GeoIP]# ll
# shows GeoLite2-Country.mmdb (size 3.9 MB)

6. Configure nginx.conf

Back up the original configuration and edit /usr/local/nginx/conf/nginx.conf:

# cp /usr/local/nginx/conf/nginx.conf /usr/local/nginx/conf/nginx.conf-bak
# vim /usr/local/nginx/conf/nginx.conf

Add the following in the http block to load the database and map country codes:

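# Load the Country database downloaded in step 5 and re-read it every 5 minutes.
geoip2 /usr/share/GeoIP/GeoLite2-Country.mmdb {
    auto_reload 5m;
    # ISO 3166 country code of the client address, e.g. CN or KR.
    $geoip2_data_country_code country iso_code;
}
# Despite its name, $allowed_country is "yes" for requests that will be blocked.
map $geoip2_data_country_code $allowed_country {
    default yes;   # any country other than CN
    CN no;         # mainland China is not blocked
}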

Then, inside the desired location block of the server, add the condition to block foreign IPs:

if ($allowed_country = yes) {
    return 404;
}

7. Test the configuration

# /usr/local/nginx/sbin/nginx -t
# /usr/local/nginx/sbin/nginx -s reload

Access the site from an overseas IP (e.g., from Korea); the request returns a 404 error, and the Nginx access log records the attempt:

"13.125.1.194" - - [14/Aug/2020:16:15:51 +0800] "GET /favicon.ico HTTP/1.1" 404 548 "https://www.fxkjnj.com/" "Mozilla/5.0 ... Chrome/84.0..."
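
With `default yes` in the map from step 6, a request whose address has no country in the database (loopback, private ranges, local health checks) has an empty country code and is also answered with 404. The fragment below is an added example, not the article's own configuration: it uses the Country database from step 5 and exempts internal ranges. The variable names `$internal_client` and `$block_request`, the listed ranges, and `example.com` are assumptions to adapt.

```nginx
# Added example: http-level fragment only (events and other top-level settings omitted).
# $internal_client and $block_request are hypothetical variable names.
http {
    # Country database from step 5 (path as used in the article).
    geoip2 /usr/share/GeoIP/GeoLite2-Country.mmdb {
        auto_reload 5m;
        # Empty when the address is not in the database (loopback, RFC 1918, ...).
        $geoip2_data_country_code country iso_code;
    }

    # 1 for addresses that never resolve to a country but must keep working,
    # such as local health checks. Adjust the ranges to your own network.
    geo $internal_client {
        default        0;
        127.0.0.0/8    1;
        10.0.0.0/8     1;
        172.16.0.0/12  1;
        192.168.0.0/16 1;
    }

    # Key is "<internal flag>:<country code>". Regexes are tried in order
    # of appearance; default applies when none matches.
    map "$internal_client:$geoip2_data_country_code" $block_request {
        default  1;    # foreign or unresolved country: block
        ~^1:     0;    # internal address: allow regardless of lookup result
        ~:CN$    0;    # mainland China: allow
    }

    server {
        listen 80;
        server_name example.com;   # placeholder

        location / {
            # "if" treats an empty string or "0" as false.
            if ($block_request) {
                return 404;
            }
            root html;
        }
    }
}
```

Check the result with `/usr/local/nginx/sbin/nginx -t` before reloading, as in step 7.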

Thus, the guide demonstrates a complete workflow for blocking non‑Chinese visitors using Nginx and the GeoIP2 module.
