How to Block Foreign IPs in Nginx Using the ngx_http_geoip2 Module
This guide walks you through installing the ngx_http_geoip2 module, upgrading Nginx, downloading the GeoLite2 database, configuring Nginx to detect foreign IPs, and applying rules that return a 404 response for non‑Chinese visitors, complete with command‑line examples and verification steps.
Overview
The article explains how to prevent foreign IP addresses from accessing a website by using Nginx's ngx_http_geoip2 module. It covers installing dependencies, downloading the module, upgrading Nginx, configuring the GeoIP database, and adding conditional rules to block non‑Chinese traffic.
1. Install GeoIP2 Dependency
yum install libmaxminddb-devel -y2. Download ngx_http_geoip2_module
git clone https://github.com/leev/ngx_http_geoip2_module.git3. Place Module in Desired Directory
Move the cloned module to /usr/local (or another preferred location).
mv ngx_http_geoip2_module/ /usr/local/4. Upgrade Nginx and Add the Module
The original Nginx version (1.16) is upgraded to 1.18 because the module requires at least version 1.18.
Download Nginx 1.18 source package.
Extract and configure with the additional module:
tar -xf nginx-1.18.0.tar.gz
cd nginx-1.18.0/
./configure --with-http_stub_status_module \
--prefix=/usr/local/nginx \
--user=nginx --group=nginx \
--with-http_ssl_module --with-stream \
--add-module=/usr/local/ngx_http_geoip2_module
make
cp /usr/local/nginx/sbin/nginx /usr/local/nginx/sbin/nginx1.16 # backup old binary
cp objs/nginx /usr/local/nginx/sbin/ # replace with new binary
pkill nginx
/usr/local/nginx/sbin/nginx5. Download the GeoLite2 Database
Create an account on www.maxmind.com, download the latest GeoLite2-Country (or GeoLite2-City) GZIP file, and extract it to /usr/share/GeoIP/.
cd /usr/share/GeoIP/
ll6. Configure Nginx
Backup the existing nginx.conf and edit it to add GeoIP2 settings.
cp /usr/local/nginx/conf/nginx.conf /usr/local/nginx/conf/nginx.conf-bak
vim /usr/local/nginx/conf/nginx.confIn the http block add:
geoip2 /usr/share/GeoIP/GeoLite2-City.mmdb {
auto_reload 5m;
$geoip2_data_country_code country iso_code;
}
map $geoip2_data_country_code $allowed_country {
default yes;
CN no;
}In the desired
serverlocationblock add the rule:
if ($allowed_country = yes) {
return 404;
}7. Test the Configuration
Check the syntax and reload Nginx:
/usr/local/nginx/sbin/nginx -t
/usr/local/nginx/sbin/nginx -s reloadFrom an overseas server (e.g., a Korean IP), request the site; the response should be a 404 error, confirming that foreign IPs are blocked.
Conclusion
By integrating the ngx_http_geoip2 module and configuring appropriate GeoIP rules, Nginx can effectively deny access from non‑Chinese IP addresses, enhancing site security and reducing unwanted traffic.
Signed-in readers can open the original source through BestHub's protected redirect.
This article has been distilled and summarized from source material, then republished for learning and reference. If you believe it infringes your rights, please contactand we will review it promptly.
MaGe Linux Operations
Founded in 2009, MaGe Education is a top Chinese high‑end IT training brand. Its graduates earn 12K+ RMB salaries, and the school has trained tens of thousands of students. It offers high‑pay courses in Linux cloud operations, Python full‑stack, automation, data analysis, AI, and Go high‑concurrency architecture. Thanks to quality courses and a solid reputation, it has talent partnerships with numerous internet firms.
How this landed with the community
Was this worth your time?
0 Comments
Thoughtful readers leave field notes, pushback, and hard-won operational detail here.