How to Block Foreign IPs in Nginx Using the GeoIP2 Module

This step‑by‑step guide shows how to install the GeoIP2 library, upgrade Nginx, compile the ngx_http_geoip2 module, download the MaxMind GeoLite2 database, configure nginx.conf to detect non‑Chinese IPs, and return a 404 response to block foreign visitors.

MaGe Linux Operations

After noticing many malicious foreign requests in the Nginx access log, the author decided to block non‑Chinese IPs using the ngx_http_geoip2 module.

① Install GeoIP2 dependency

yum install libmaxminddb-devel -y

② Download ngx_http_geoip2_module

git clone https://github.com/leev/ngx_http_geoip2_module.git

③ Move the module to a specific path

The module is moved to /usr/local/:

mv ngx_http_geoip2_module/ /usr/local/

④ Upgrade Nginx and compile with the module

The existing Nginx version is 1.16; the tutorial upgrades to 1.18 because the module requires at least that version.

# Download Nginx 1.18 source
# tar -xf nginx-1.18.0.tar.gz
# cd nginx-1.18.0/
# ./configure --with-http_stub_status_module \
    --prefix=/usr/local/nginx \
    --user=nginx --group=nginx \
    --with-http_ssl_module --with-stream \
    --add-module=/usr/local/ngx_http_geoip2_module
# make
# cp /usr/local/nginx/sbin/nginx /usr/local/nginx/sbin/nginx1.16   # backup
# pkill nginx                                               # stop first: a running binary cannot be overwritten in place
# cp objs/nginx /usr/local/nginx/sbin/                     # replace
# /usr/local/nginx/sbin/nginx                               # restart

Verify the new version:

/usr/local/nginx/sbin/nginx -V

⑤ Download the latest GeoIP database

Create a MaxMind account, download the GeoLite2‑Country GZIP file, and extract it to /usr/share/GeoIP/:

# cd /usr/share/GeoIP/
# ll
# (files include GeoIP.dat, GeoIPv6.dat, GeoLite2-Country.mmdb)

⑥ Configure nginx.conf

Back up the original configuration and edit /usr/local/nginx/conf/nginx.conf:

# cp /usr/local/nginx/conf/nginx.conf /usr/local/nginx/conf/nginx.conf-bak
# vim /usr/local/nginx/conf/nginx.conf

Add the following in the http block to load the database and define a map that allows only China (CN):

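# Load the Country database extracted in step ⑤
geoip2 /usr/share/GeoIP/GeoLite2-Country.mmdb {
    auto_reload 5m;
    $geoip2_data_country_code country iso_code;
}
# Despite its name, $allowed_country is "yes" when the request is to be blocked:
# every code other than CN, and the empty code of an address with no database match, maps to yes.
map $geoip2_data_country_code $allowed_country {
    default yes;
    CN no;
}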

In the server’s location block, add a condition that returns 404 for foreign IPs:

if ($allowed_country = yes) {
    # return https://www.baidu.com;
    # return /home/japan;
    return 404;
}
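
An added example, not the original author's configuration: the same country check written so that loopback and private ranges are never blocked and every decision is logged for review. The names $geo_exempt and $block_foreign, the ZZ fallback code, the geo log format and file, and example.com are assumptions.

```nginx
# http {} context. Added example; variable names are hypothetical.
geoip2 /usr/share/GeoIP/GeoLite2-Country.mmdb {
    auto_reload 5m;
    # default=ZZ is a constructed placeholder for "no match in the database",
    # so unmatched addresses show up in the log instead of as an empty field.
    $geoip2_data_country_code default=ZZ country iso_code;
}

# Addresses that must never be geo-blocked: loopback and private ranges
# (health checks, internal monitoring, hosts on the same LAN).
geo $geo_exempt {
    default         0;
    127.0.0.0/8     1;
    10.0.0.0/8      1;
    172.16.0.0/12   1;
    192.168.0.0/16  1;
    ::1/128         1;
}

# Combine both signals into one decision: 1 = block, 0 = serve.
map "$geo_exempt:$geoip2_data_country_code" $block_foreign {
    default  1;   # any other country, including the ZZ placeholder
    ~^1:     0;   # exempt network, whatever the lookup returned
    0:CN     0;   # China
}

# Record the looked-up country and the decision next to each request.
log_format geo '$remote_addr $geoip2_data_country_code block=$block_foreign '
               '"$request" $status';

server {
    listen       80;
    server_name  example.com;            # placeholder
    access_log   logs/geo.log geo;

    location / {
        # "if" treats "0" and the empty string as false.
        if ($block_foreign) {
            return 404;
        }
    }
}
```

Reading logs/geo.log for a while with the if block commented out shows which clients the rule would reject before it is enforced.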

⑦ Test the configuration

Check the syntax and reload Nginx:

/usr/local/nginx/sbin/nginx -t
/usr/local/nginx/sbin/nginx -s reload

From an overseas server (e.g., Korea) request the site; the response is a 404 error, confirming that foreign IPs are blocked.

Log entry example:

13.125.1.194 - - [14/Aug/2020:16:15:51 +0800] "GET /favicon.ico HTTP/1.1" 404 548 "https://www.fxkjnj.com/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/84.0.4147.125 Safari/537.36"

Thus, the tutorial demonstrates a complete process for blocking foreign IP addresses on a website using Nginx and the GeoIP2 module.
