
How to Block Foreign IPs with NGINX and the ngx_http_geoip2 Module

This step‑by‑step guide shows how to install the GeoIP2 library, compile NGINX 1.18 with the ngx_http_geoip2 module, download the latest MaxMind GeoLite2 database, configure geoip2 directives, and verify that foreign IP requests are blocked with a 404 response.

Architect's Guide

Install GeoIP2 library

yum install libmaxminddb-devel -y

Obtain the ngx_http_geoip2_module source

git clone https://github.com/leev/ngx_http_geoip2_module.git

Place the module in a permanent directory

mv ngx_http_geoip2_module/ /usr/local/

Upgrade NGINX to version 1.18 (or later) and compile with the GeoIP2 module

Download the NGINX 1.18 source tarball and extract it.

Ensure libmaxminddb-devel is installed (step 1).

Configure the build, adding the module path:

./configure \
    --with-http_stub_status_module \
    --prefix=/usr/local/nginx \
    --user=nginx --group=nginx \
    --with-http_ssl_module \
    --with-stream \
    --add-module=/usr/local/ngx_http_geoip2_module
make
# Back up the existing binary
cp /usr/local/nginx/sbin/nginx /usr/local/nginx/sbin/nginx.bak
# Replace with the newly built binary
cp objs/nginx /usr/local/nginx/sbin/nginx
# Restart NGINX
pkill nginx
/usr/local/nginx/sbin/nginx

Download the GeoLite2‑Country database

Create a free account at https://www.maxmind.com, download the GeoLite2‑Country GZIP file, and extract it to /usr/share/GeoIP/. The extracted file should be named GeoLite2-Country.mmdb.

[Image: MaxMind download page]

Configure NGINX

Back up the current configuration before editing.

cp /usr/local/nginx/conf/nginx.conf /usr/local/nginx/conf/nginx.conf.bak
vim /usr/local/nginx/conf/nginx.conf

Add the following directives inside the http block to load the database and map country codes:

geoip2 /usr/share/GeoIP/GeoLite2-Country.mmdb {
    auto_reload 5m;
    $geoip2_data_country_code country iso_code;
}

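# Only CN is allowed. Addresses with no match in the database (e.g. private
# ranges) have no country code and take the default.
map $geoip2_data_country_code $allowed_country {
    default no;
    CN      yes;
}

Within the desired server block (e.g., inside a location), return 404 to every request whose country is not allowed:

if ($allowed_country = no) {
    return 404;
}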

Validate the configuration

/usr/local/nginx/sbin/nginx -t

Reload NGINX:

/usr/local/nginx/sbin/nginx -s reload

Test from an overseas IP (e.g., a Korean server). The request should return 404 Not Found. Verify the entry in the access log, for example:

13.125.1.194 - - [14/Aug/2020:16:15:51 +0800] "GET /favicon.ico HTTP/1.1" 404 548 "https://www.example.com/" "Mozilla/5.0 ... Chrome/84.0.4147.125 Safari/537.36"
[Image: Log entry showing 404]
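
To check the rule across all traffic rather than one test request, the following added example (not code from the article) scans access-log lines for requests from non-CN or unknown-country clients that did not receive the 404, which typically means a location not covered by the if block. It assumes a hypothetical log_format named geo_audit that writes $geoip2_data_country_code right after $remote_addr; the sample lines are constructed.

```python
import re
from collections import Counter

# Assumed log_format (hypothetical name geo_audit, not from the article):
#   log_format geo_audit '$remote_addr $geoip2_data_country_code '
#                        '[$time_local] "$request" $status';
LINE_RE = re.compile(
    r'^(?P<ip>\S+) (?P<cc>\S*) \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3})$'
)

ALLOWED = {"CN"}      # mirrors the map block: only CN is allowed
BLOCK_STATUS = 404    # mirrors "return 404"


def audit(lines):
    """Return (leaks, stats). A leak is a request the geo rule should have
    rejected but that was answered with a status other than 404."""
    leaks, stats = [], Counter()
    for n, line in enumerate(lines, 1):
        m = LINE_RE.match(line.strip())
        if not m:
            stats["unparsed"] += 1
            continue
        # "-" or an empty field means the address had no database match.
        cc = m["cc"] if m["cc"] not in ("", "-") else None
        status = int(m["status"])
        if cc in ALLOWED:
            stats["allowed"] += 1
        elif status == BLOCK_STATUS:
            stats["blocked"] += 1
        else:
            stats["leaked"] += 1
            leaks.append((n, m["ip"], cc or "unknown", status))
    return leaks, stats


# Constructed sample lines (documentation/private ranges, not real traffic).
SAMPLE = """\
203.0.113.10 CN [14/Aug/2020:16:15:50 +0800] "GET / HTTP/1.1" 200
198.51.100.7 KR [14/Aug/2020:16:15:51 +0800] "GET /favicon.ico HTTP/1.1" 404
198.51.100.9 US [14/Aug/2020:16:15:52 +0800] "GET /status HTTP/1.1" 200
10.0.0.5 - [14/Aug/2020:16:15:53 +0800] "GET / HTTP/1.1" 404
192.0.2.44 DE [14/Aug/2020:16:15:54 +0800] "GET /api HTTP/1.1" 301
not a log line
""".splitlines()

if __name__ == "__main__":
    leaks, stats = audit(SAMPLE)
    print(dict(stats))
    for n, ip, cc, status in leaks:
        print(f"line {n}: {ip} ({cc}) got {status}, expected {BLOCK_STATUS}")
```

A 404 for an allowed client is not flagged, because it can be an ordinary missing file rather than the geo rule.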

With these steps, NGINX blocks requests originating from non‑Chinese IP addresses using the ngx_http_geoip2 module.
