
How to Block Foreign IPs with Nginx and GeoIP2 – Step‑by‑Step Guide

This article walks through installing the libmaxminddb library, downloading and compiling the ngx_http_geoip2 module, upgrading Nginx to version 1.18, adding the latest GeoLite2 database, configuring Nginx to reject non‑Chinese IPs, and verifying the setup with test requests.

Top Architect

In this tutorial the author explains why blocking foreign IP addresses can be necessary and demonstrates a practical solution using Nginx’s ngx_http_geoip2 module.

1. Install the GeoIP2 library

yum install libmaxminddb-devel -y

2. Download the ngx_http_geoip2_module source

git clone https://github.com/leev/ngx_http_geoip2_module.git

3. Move the module source to a permanent location

The author moves the cloned directory to /usr/local/ngx_http_geoip2_module and verifies its contents.

4. Upgrade Nginx to a version that supports the module

The current Nginx version is 1.16. Because the GeoIP2 module requires at least 1.18, the author downloads the 1.18 source package, extracts it, and compiles it with the additional --add-module flag.

tar -xf nginx-1.18.0.tar.gz
cd nginx-1.18.0
./configure \
  --with-http_stub_status_module \
  --prefix=/usr/local/nginx \
  --user=nginx --group=nginx \
  --with-http_ssl_module \
  --with-stream \
  --add-module=/usr/local/ngx_http_geoip2_module
make
# backup old binary
cp /usr/local/nginx/sbin/nginx /usr/local/nginx/sbin/nginx.bak
# replace with new binary
cp objs/nginx /usr/local/nginx/sbin/

5. Download the latest GeoLite2 database

Create a MaxMind account, download the GeoLite2‑Country.mmdb file, and place it under /usr/share/GeoIP/.

cd /usr/share/GeoIP/
# after extracting the .gz file you will see GeoLite2-Country.mmdb

6. Configure Nginx to use the database and block foreign IPs

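# The geoip2 and map blocks belong in the http { } context of nginx.conf.
geoip2 /usr/share/GeoIP/GeoLite2-Country.mmdb {
    auto_reload 5m;   # check every 5 minutes and reload the database if the file changed
    $geoip2_data_country_code country iso_code;
}

# Despite the variable's name, "yes" marks a request to reject: every value
# other than CN (including an empty or unknown country) falls to the default.
map $geoip2_data_country_code $allowed_country {
    default yes;
    CN      no;
}

server {
    listen 80;
    location / {
        # reject everything the map flagged
        if ($allowed_country = yes) {
            return 404;
        }
        # normal handling for allowed IPs
    }
}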

7. Test the configuration

After reloading Nginx (nginx -s reload), the author accesses the site from a Korean IP address, receives a 404 response, and confirms the request appears in the access log as expected.

nginx -t   # syntax check
nginx -s reload   # apply changes
# Example log entry showing a 404 for a foreign IP

With these steps the server now rejects requests originating from any country other than China, effectively preventing unwanted foreign traffic.
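
A single test request only proves that one location is covered. The following script audits an access log for requests from non-CN (or unknown) countries that did not receive the 404. It is an added example, not part of the original article. It assumes a hypothetical log_format named geo that writes $geoip2_data_country_code as the second field, and its sample lines are constructed.

```python
import re
from collections import Counter

# Assumed log_format (hypothetical name "geo"), not from the article:
#   log_format geo '$remote_addr $geoip2_data_country_code [$time_local] '
#                  '"$request" $status';
LINE_RE = re.compile(
    r'^(?P<ip>\S+) (?P<cc>\S+) \[[^\]]+\] "(?P<req>[^"]*)" (?P<status>\d{3})$'
)
ALLOWED = {"CN"}      # mirrors the map block: only CN maps to "no"
BLOCK_STATUS = 404    # mirrors "return 404" in the location block


def audit(lines):
    """Return (blocked_by_country, leaks, unparsed) for access-log lines."""
    blocked, leaks, unparsed = Counter(), [], []
    for raw in lines:
        line = raw.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if m is None:
            unparsed.append(line)   # wrong log_format or truncated line
            continue
        cc, status = m["cc"], int(m["status"])
        if cc in ALLOWED:
            continue                # allowed country: any status is fine
        if status == BLOCK_STATUS:
            blocked[cc] += 1
        else:
            # A non-allowed or unknown country got a real response, so some
            # server or location block is not applying the geo check.
            leaks.append((m["ip"], cc, m["req"], status))
    return blocked, leaks, unparsed


# Constructed sample lines (documentation IP ranges, not real traffic);
# "-" stands for a request whose country could not be determined.
SAMPLE_LOG = """\
203.0.113.10 CN [12/Mar/2024:10:00:01 +0800] "GET / HTTP/1.1" 200
198.51.100.7 KR [12/Mar/2024:10:00:02 +0800] "GET / HTTP/1.1" 404
198.51.100.7 KR [12/Mar/2024:10:00:03 +0800] "GET /api/health HTTP/1.1" 200
192.0.2.55 - [12/Mar/2024:10:00:04 +0800] "GET / HTTP/1.1" 404
garbled line
""".splitlines()

if __name__ == "__main__":
    blocked, leaks, unparsed = audit(SAMPLE_LOG)
    print("blocked:", dict(blocked), "leaks:", leaks, "unparsed:", len(unparsed))
```

A non-empty leaks list points at a server or location block that serves content without the if check from step 6.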
